If you updated Chrome and SolarWinds Web Help Desk in the last couple of weeks due to vulnerabilities, get ready to update them again \u2014 each has a new flaw. Additionally, a popular WordPress plugin has a critical issue, and AWS\u2019s Application Load Balancer feature has a configuration vulnerability.<\/p>\n\n\n\n
As always, the best way to get flaws quickly patched is to scan for vulnerabilities frequently and have a plan for fixing and documenting them. Make sure your security teams know their specific role in that process, and have frequent conversations about vulnerabilities so everyone knows what\u2019s going on both in your infrastructure and in the industry overall.<\/p>\n\n\n\n
Type of vulnerability:<\/strong> Privilege escalation.<\/p>\n\n\n\n The problem:<\/strong> LiteSpeed Cache, a WordPress plugin designed to reduce caching speeds and optimize page loads, has a vulnerability<\/a> that affects at least 5 million WordPress instances. A member of security provider PatchStack\u2019s Alliance community discovered the vulnerability and reported it to PatchStack, who then notified LiteSpeed Technologies, the plugin\u2019s developer.<\/p>\n\n\n\n The plugin has a feature that creates a temporary user to crawl sites and cache web pages. \u201cThe vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values,\u201d PatchStack said<\/a>. Unauthenticated users can exploit the weak hashes to escalate their privileges and upload malicious plugins or files.<\/p>\n\n\n\n The fix:<\/strong> Upgrade your LiteSpeed plugin to version 6.4.1, which includes the patch.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Configuration issue leading to authentication bypass.<\/p>\n\n\n\n The problem:<\/strong> Application detection and response provider Miggo discovered a configuration vulnerability in Amazon Web Services\u2019 Application Load Balancer (ALB) authentication feature. If an application is misconfigured as an ALB target group and is directly accessible, a threat actor could bypass ALB and use a shared public key server to set an arbitrary key ID, according to Liad Eliyahu <\/a>from Miggo. The threat has been nicknamed ALBeast.<\/p>\n\n\n\n Aside from misconfiguration, misimplementation and issuer forgery also put AWS authentication processes at risk. \u201cUntil recently, the AWS ALB user authentication docs<\/a> did not include guidance on validating a token\u2019s signer\u2014a crucial field for ensuring that the token was signed by the trusted ALB,\u201d Eliyahu said. \u201cWithout this validation, applications might trust an attacker-crafted token.\u201d An attacker could also forge an authentic token signed by ALBeast.<\/p>\n\n\n\n Applications that are exposed to the internet are particularly vulnerable to this flaw.<\/p>\n\n\n\n AWS updated its documentation after Miggo disclosed the vulnerability to its researchers. Now, an authentication signature needs to be verified and validated. AWS added new code that\u2019s designed to validate the signer \u2014 the ALB instance that signs the token \u2014 according to Miggo.<\/p>\n\n\n\n The fix:<\/strong> Comply with all relevant documentation from AWS \u2014 use the new code they\u2019ve provided to validate signatures. Miggo noted that AWS doesn\u2019t consider issue forgery a formal vulnerability and has decided to reach out to customers with suboptimal configurations instead of changing the entire ALB component.<\/p>\n\n\n\n Learning about vulnerabilities as soon as possible is critical to protect your computer systems and networks, but it can be difficult to do manually. I recommend using a comprehensive vulnerability scanning product<\/a> to find issues that must be fixed quickly.<\/strong><\/p>\n\n\n\n Type of vulnerability:<\/strong> Type confusion.<\/p>\n\n\n\n The problem:<\/strong> A bug in the V8 JavaScript and Web Assembly engine affects Google Chrome on personal computers. The vulnerability allows remote threat actors to use specifically crafted HTML pages<\/a> to exploit heap correction. They could potentially use the falsified HTML page to take control of your Chrome instance.<\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-7971<\/a>. It exists in versions of Chrome prior to 128.0.6613.84.<\/p>\n\n\n\n The fix:<\/strong> Chrome stable channel updates<\/a> from Google include 128.0.6613.84\/.85 for Windows and Mac devices and 128.0.6613.84 for Linux machines. To update to these versions:<\/p>\n\n\n\n Type of vulnerability:<\/strong> Hardcoded credential.<\/p>\n\n\n\n The problem:<\/strong> Last week, I mentioned a Java deserialization flaw<\/a> in SolarWinds Web Help Desk. This week, researchers have discovered another vulnerability in WHD, this one a hardcoded credential issue. If exploited, it allows an unauthenticated remote user to access the Web Help Desk\u2019s controls and modify its data. Zach Hanley of Horizon3.ai discovered and reported the vulnerability. <\/p>\n\n\n\n The flaw is tracked as CVE-2024-28987<\/a> and has a CVSS score of 9.1.<\/p>\n\n\n\n The fix:<\/strong> SolarWinds has released a hotfix<\/a>, 12.8.3 number 2, that solves both last week\u2019s remote code execution vulnerability and this week\u2019s credential one.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Dangerous file type upload vulnerability. <\/p>\n\n\n\n The problem: Versa Networks\u2019 Director product has GUI customization options available for users who have Provider-Data-Center-Admin or Provider-Data-Center-System-Admin permissions. According to NIST<\/a>, a malicious user with those privileges could use the \u201cChange Favicon\u201d option within the GUI to upload a malicious file that has a .png extension.<\/p>\n\n\n\n The file would masquerade as an image file, according to NIST. The exploit is only possible after a user with the correct privileges has logged into the Versa Director GUI successfully. Versa Networks noted that managed service providers are likely to be the main targets.<\/p>\n\n\n\n The vulnerability is tracked as CVE-2024-39717<\/a> and has a severity rating of 6.6.<\/p>\n\n\n\n The CISA has added this vulnerability<\/a> to its catalog of Known Exploited Vulnerabilities (KEV). It has a High severity rating. According to NIST, Versa Networks is aware of one instance where the vulnerability was exploited because the customer didn\u2019t implement older firewall guidelines.<\/p>\n\n\n\n The fix:<\/strong> To remediate CVE-2024-39717, upgrade to one of the following updated versions, with links to the download page provided by Versa Networks:<\/p>\n\n\n\n Additionally, follow all of Versa Networks\u2019<\/a> firewall guidelines and hardening best practices.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Path traversal leading to potential remote code execution.<\/p>\n\n\n\n The problem:<\/strong> Open-source GPS tracking solution Traccar has two path traversal vulnerabilities that could allow unauthenticated threat actors to execute code remotely. According to Horizon3.ai researcher Naven Sunkavally, Traccar is vulnerable<\/a> when guest registration is enabled, which is its default configuration.<\/p>\n\n\n\n Traccar allows users to register their devices to be tracked, and Traccar shows their location when the devices communicate with the Traccar server. In version 5.1 of the solution, an image upload feature allows users to upload a picture of their device, but Traccar\u2019s code has vulnerabilities in managing image file uploads.<\/p>\n\n\n\n The first vulnerability is tracked as CVE-2024-24809<\/a> and has a CVSS score of 8.5, with a high rating. The second is tracked as CVE-2024-31214<\/a> and has a critical CVSS score of 9.7. Both allow remote code execution if exploited.<\/p>\n\n\n\n \u201cThe net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,\u201d Sunkavally said. \u201cHowever, an attacker only has partial control over the filename.\u201d The filename has to be a particular structure for the attackers to be successful.<\/p>\n\n\n\n The fix:<\/strong> Sunkavally recommends upgrading to Traccar 6. Alternatively, you can switch the registration setting to false so user self-registration isn\u2019t automatically enabled.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nAugust 20, 2024<\/h2>\n\n\n\n
AWS Application Load Balancer Sees Configuration Issues<\/h3>\n\n\n\n
August 21, 2024<\/h2>\n\n\n\n
Upgrade Chrome As Soon As Possible<\/h3>\n\n\n\n
\n
August 23, 2024<\/h2>\n\n\n\n
Another SolarWinds Web Help Desk Flaw Emerges<\/h3>\n\n\n\n
CISA Adds Versa Director Vulnerability to Catalog<\/h3>\n\n\n\n
\n
Double RCE Vulnerabilities Affect GPS Tracking Tool Traccar<\/h3>\n\n\n\n