Key Takeaways
- CVE-2024-6800 (GitHub Enterprise Server) poses the risk of data breaches and supply chain attacks.
- CVE-2024-38063, a critical Remote Code Execution (RCE) vulnerability in Windows, may enable cyber attacks on a mass scale, affecting both government and private entities.
Overview
Cyble Research and Intelligence Labs (CRIL) researchers investigated 12 vulnerabilities from August 14 to August 20, ranging in severity from medium to critical.
CRIL researchers also observed five instances of vulnerabilities and Proof of Concept (POC) exploits discussed on underground channels and cybercrime forums during that period.
Based on Cyble’s assessments of the relative cyber threats presented by the vulnerabilities and exploits, five vulnerabilities stand out as warranting priority attention by security teams.
The Week’s Top Vulnerabilities
Here is a deeper analysis of those five vulnerabilities identified by Cyble researchers.
1. CVE-2024-6800: XML Signature Wrapping Vulnerability in GitHub Enterprise Server
This XML signature wrapping vulnerability in GitHub Enterprise Server (GHES) has significant implications for organizations that use this platform for source code management and collaboration. An attacker with direct network access can forge a SAML response to provision and/or gain access to a user with site administrator privileges, resulting in unauthorized access to the instance without prior authentication. This vulnerability affects GHES, a widely used platform for managing source code, making it a high-priority fix. Since GHES is used by organizations to manage the source code of their applications, an attacker could exploit a vulnerability by stealing sensitive information or leveraging unauthorized admin privileges to carry out supply chain attacks.
Internet Exposure? Yes
Patch Available? This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
2. CVE-2024-4577: Critical Vulnerability in PHP
CVE-2024-4577, a widespread critical vulnerability was initially discovered in May and affects PHP when using Apache and PHP-CGI on Windows. The PHP CGI module may misinterpret characters as PHP options, allowing a malicious user to pass options to the PHP binary being run, revealing the source code of scripts, and running arbitrary PHP code on the server. Recently, researchers discovered that unknown attackers had deployed a newly discovered backdoor dubbed Msupedge on an educational institute’s Windows systems in Taiwan, likely by exploiting this vulnerability.
Internet Exposure? Yes
Patch Available? Yes
3. CVE-2024-38193: Elevation of Privilege Vulnerability in Windows Ancillary Function Driver
The Windows Ancillary Function Driver is an entry point into the Windows Kernel for the Winsock protocol. A high-severity elevation of privilege vulnerability in this driver was disclosed, and researchers believe the Lazarus hacking group may have leveraged it to elevate privileges and install the FUDModule rootkit.
Internet Exposure? No
Patch Available? Yes
4. CVE-2024-38063: Critical TCP/IP Remote Code Execution Vulnerability in Windows
A critical TCP/IP remote code execution vulnerability in Windows was identified, allowing attackers to trigger buffer overflows that can be used to execute arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems. This vulnerability is considered wormable, allowing a remote, unauthenticated attacker to gain elevated code execution by sending specially crafted IPv6 packets to an affected target.
Internet Exposure? No
Patch Available? Yes
5. CVE-2024-41730: SAP BusinessObjects Business Intelligence Vulnerability
A critical vulnerability in SAP BusinessObjects Business Intelligence (SAP BO) affects organizations that use this centralized suite of reporting and analytics tools for business intelligence. An unauthorized user can obtain a logon token using a REST endpoint, resulting in a high impact on confidentiality, integrity, and availability.
Internet Exposure? No
Patch Available? Yes
Vulnerabilities and Exploits Discussed in the Underground
In addition to the top vulnerabilities, Cyble researchers observed several other vulnerabilities being discussed in underground forums and channels, raising the profile of these vulnerabilities among attackers. These include:
- CVE-2024-40348: A high-severity vulnerability in the Bazaar API, allowing unauthenticated attackers to execute directory traversal.
- CVE-2024-30088: A high-severity elevation of privilege vulnerability in the Windows Kernel.
- CVE-2024-38856: An incorrect authorization vulnerability in Apache OFBiz, allowing unauthenticated endpoints to execute screen rendering code of screens if certain preconditions are met.
- CVE-2024-38213: A Windows Mark of the Web security feature bypass vulnerability.
- CVE-2024-2212: An Eclipse ThreadX vulnerability that can lead to integer wraparound, under-allocations, and heap buffer overflows.
Our Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following cybersecurity best practices:
1. Implement the Latest Patches
To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
2. Implement a Robust Patch Management Process
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
3. Implement Proper Network Segmentation
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
4. Incident Response and Recovery Plan
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
5. Monitoring and Logging Malicious Activities
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
6. Keep Track of Security Alerts
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
7. Visibility into Assets
Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.
8. Strong Password Policy
Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.
