This past week was Patch Tuesday: Microsoft released CVEs for 90 new vulnerabilities. But that wasn\u2019t the vendor\u2019s only contribution to our list \u2014 Entra ID, Microsoft\u2019s cloud directory product, also had a recent snag. Additionally, I looked at Linux, SolarWinds, and Android vulnerabilities. Ivanti continues to have issues, this time with its Virtual Traffic Manager product. Happy patching, and don\u2019t forget to watch your vendors\u2019 security feeds consistently.<\/p>\n\n\n\n
Type of vulnerability:<\/strong> Authentication bypass. <\/p>\n\n\n\n The problem:<\/strong> Ivanti Virtual Traffic Manager has a vulnerability that could lead to authentication bypass and subsequent creation of an administrator when exploited. According to the National Institute of Standards and Technology, the vulnerability stems from an incorrect implementation of authentication algorithms and exists in all vTM versions except 22.2R1 and 22.7R2.<\/p>\n\n\n\n \u201cCustomers who have ensured their management interface is bound to an internal network or private IP address have significantly reduced their attack surface,\u201d the Ivanti notice reads<\/a>. The vendor didn\u2019t notice any active exploits when it released the security notice.<\/p>\n\n\n\n The flaw is tracked as CVE-2024-7593<\/a> and has a CVSS score of 9.8, a critical rating.\u00a0<\/p>\n\n\n\n The fix:<\/strong> Ivanti recommends updating Virtual Traffic Manager to the latest version, which you can do by logging into the Ivanti standard downloads portal.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Multiple, including elevation of privilege.<\/p>\n\n\n\n The problem:<\/strong> Last week, Microsoft\u2019s monthly Patch Tuesday announced 90 new CVEs<\/a>, including multiple zero-day vulnerabilities. According to Trend Micro Zero Day Initiative researcher Dustin Childs, Microsoft listed four of the CVEs as public, and six are being actively exploited<\/a>. That\u2019s unusual for a single release, he said.<\/p>\n\n\n\n One of the vulnerabilities highlighted in Patch Tuesday was an elevation-of-privilege flaw in Windows Update. According to Microsoft<\/a>, the vulnerability allows a threat actor with basic privileges to reintroduce old vulnerabilities that had already been mitigated. The attack would also need \u201cadditional interaction by a privileged user to be successful.\u201d<\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-38202<\/a> and has a severity score of 7.3.<\/p>\n\n\n\n The fix:<\/strong> There isn\u2019t an official mitigation strategy for the EoP vulnerability yet; Microsoft will update its security notice<\/a> whenever it releases a patch or other fix.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Remote code execution.<\/p>\n\n\n\n The problem:<\/strong> Microsoft discovered a vulnerability in Transmission Control Protocol (TCP) \/ Internet Protocol (IP) that affects Windows machines running IPv6. This vulnerability also belonged to the month\u2019s Patch Tuesday roundup and is one of the more severe flaws patched recently, with a CVSS score of 9.8.<\/p>\n\n\n\n \u201cAn unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,\u201d the notice said<\/a>. Microsoft Security Response Center announced the vulnerability and instructed users to patch it. The flaw affects Windows Server, Windows 10, and Windows 11.<\/p>\n\n\n\n The fix:<\/strong> Install the most recent Windows security updates, which have the vulnerability patched. While disabling IPv6 is a possible fix, it\u2019s not recommended, since that could stop other Windows components from working<\/a> properly.<\/p>\n\n\n\n If your team is overwhelmed by new vulnerabilities, check out our guide to the best vulnerability scanners<\/a>. These products automatically search your systems for flaws, based on known vulnerabilities.<\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> Deserialization, leading to remote code execution.<\/p>\n\n\n\n The problem:<\/strong> SolarWinds Web Help Desk is vulnerable to a Java deserialization flaw that allows remote threat actors to execute code on hosts. Researchers reported the issue to SolarWinds as an unauthenticated vulnerability, but according to Tenable<\/a>, SolarWinds hasn\u2019t been able to recreate the exploit without authentication, so it\u2019s likely a difficult flaw to exploit. The vulnerability is tracked as CVE-2024-28986 and has a base CVSS score of 9.8.<\/p>\n\n\n\n The fix:<\/strong> Tenable recommends<\/a> patching your instance of Web Help Desk despite SolarWinds\u2019 inability to reproduce the exploit without authentication. Install Web Help Desk version 12.8.3<\/a> first, and then install the hotfix once you\u2019ve updated the software.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Third-party application package installed on Pixel device firmware, with insufficient security controls.<\/p>\n\n\n\n The problem:<\/strong> Mobile security vendor iVerify\u2019s EDR product discovered an unsecured Android device at data analytics firm Palantir Technologies. Researchers investigating the threat found an Android application package, Showcase.apk, that\u2019s part of the device firmware. When it\u2019s enabled, the package allows threat actors to access the operating system.<\/p>\n\n\n\n This vulnerability also opens Androids to code injection, man-in-the-middle attacks, and spyware, according to iVerify\u2019s blog post<\/a> about the vulnerability. The application runs with too-high privileges, and it\u2019s installed on many Pixel devices that have been shipped for the past seven years.<\/p>\n\n\n\n iVerify notified Google about the vulnerability, and Google plans to release an update that removes Showcase.apk from its Pixel phones. Palantir Technologies plans to phase out Android phones and begin using Apple devices after performing the investigation.<\/p>\n\n\n\n The fix:<\/strong> If you have a Pixel phone, update to the newest operating system as soon as Google releases it. If you have a different Android phone, watch for new versions and update your phone immediately when the next version is released.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Authentication bypass.<\/p>\n\n\n\n The problem:<\/strong> Researchers at security firm Cymulate have discovered a vulnerability within Microsoft Entra ID, the product recently known as Azure Active Directory (AAD). This is the cloud-based version of Active Directory, not the on-premises one (which is known simply as Active Directory). The flaw occurs when Entra ID users are syncing multiple on-prem Active Directory domains to one Microsoft Azure tenant, which is in the cloud.<\/p>\n\n\n\n \u201cThis issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access,\u201d Cymulate\u2019s report said<\/a>. Threat actors manipulate credential validation and then don\u2019t have to submit to typical security checks.\u00a0<\/p>\n\n\n\n \u201cThis vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password; this could potentially grant access to a global admin user if such privileges were assigned.\u201d<\/p>\n\n\n\n This can happen regardless of the threat actor\u2019s initial Active Directory domain and allow them to move to another on-prem domain, Cymulate researchers Ilan Kalendarov and Elad Beber said. The researchers reported the issue to Microsoft in July. As of the release of Cymulate\u2019s report, there\u2019s no current estimated timeline for the fix.<\/p>\n\n\n\n The fix:<\/strong> Despite that, Cymulate recommends some mitigation strategies for this vulnerability, including enabling two-factor authentication for all synced users. They also remind customers that following Microsoft\u2019s Secure Privilege Access guide<\/a> helps harden the Microsoft Entra Connect Server.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Linux DMA allocation.<\/p>\n\n\n\n The problem:<\/strong> Researchers discovered and fixed a vulnerability within the Linux kernel\u2019s Direct Memory Access (DMA) allocation process. The flaw exists in the dmam_free_coherent() function and requires the call order to be fixed.<\/p>\n\n\n\n The dmam_free_coherent() function frees a DMA allocation. The freed vaddr is then available to be reused and then calls the devres_destroy() function to remove and free the data structure that tracks the DMA allocation. Between the two calls, a concurrent task could make an allocation with the same vaddr and add it to the devres list.<\/p>\n\n\n\n \u201cIf this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match,\u201d said the advisory<\/a>.<\/p>\n\n\n\n The fix:<\/strong> This vulnerability is solved by destroying the devres entry before freeing the DMA allocation, according to the GitHub advisory<\/a> posted for the vulnerability.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nAugust 13, 2024<\/h2>\n\n\n\n
Microsoft Patch Tuesday Sees Elevation of Privilege Vulnerability<\/h3>\n\n\n\n
Patch Tuesday Lineup Also Includes RCE Flaw<\/h3>\n\n\n\n
August 15, 2024<\/h2>\n\n\n\n
SolarWinds Flaw Should Be Immediately Patched<\/h3>\n\n\n\n
Third-Party Application Package Installed on Pixel Devices<\/h3>\n\n\n\n
Entra ID Vulnerability Affects Hybrid Environments<\/h3>\n\n\n\n
August 17, 2024<\/h2>\n\n\n\n
Linux Vulnerability Affects Kernel\u2019s Memory Allocation<\/h3>\n\n\n\n