Monthly Advisory

February 2024 Threat Advisory – Top 5

by Eleanor Barlow • Feb 2024

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of February 2024.

Ivanti Addresses Two Zero Day Vulnerabilities in Ivanti Connect Secure and ZTA Versions

Threat Reference: Global

Risks: Server-side request forgery (SSRF), Privilege escalation

Advisory Type: Updates/Patches

Priority: Elevated

Ivanti has released patches for two vulnerabilities affecting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways. CVE-2024-21893 is a server-side request forgery (SSRF) in the SAML component that lets an unauthenticated attacker reach certain restricted resources, and it was exploited in the wild before the fix was available; CVE-2024-21888 lets an authenticated user of the web component elevate their privileges to administrator.

Affected products include Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways.

Until the patched release for your version is installed, Ivanti's interim mitigation is to import the mitigation.release.20240126.5.xml file available to customers via Ivanti's download portal. The XML import is a stop-gap, not a substitute for the patch. Because CVE-2024-21893 was exploited as a zero-day, treat internet-facing appliances as potentially compromised and run Ivanti's Integrity Checker Tool before and after patching.

Notable CVEs Include:

  • [Zero-day] – CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Connect Secure, Policy Secure and ZTA allows an attacker to access certain restricted resources without authentication.
  • [High] – CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Connect Secure and Policy Secure allows an authenticated user to elevate their privileges to administrator.
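As an added illustration of the control that an SSRF bug such as CVE-2024-21893 is missing (example code written for this advisory, not Ivanti's), the following Python gate validates any URL the server is asked to fetch on a user's behalf, such as a SAML metadata or key-retrieval URL. The host names, the allow-list and the fake resolver with its addresses are assumed sample data:

```python
"""Added example (generic, not Ivanti's code): an allow-list gate for URLs a
server fetches on a user's behalf, the control that a server-side request
forgery (SSRF) bug is missing.  The host name is resolved first and every
resolved address is checked, so a public name that points at an internal
address (or an IPv4-mapped IPv6 loopback) is refused as well.  The allow-list
entries, the fake resolver and its addresses are constructed sample data."""
import ipaddress
from typing import Callable, Iterable, Set, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]  # host name -> IP address strings


def is_internal(addr: Union[str, IPAddress]) -> bool:
    """True for any address the server must never be made to talk to."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


class SsrfGuard:
    def __init__(self, allowed_hosts: Set[str], resolver: Resolver,
                 allowed_schemes: Iterable[str] = ("https",)):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.allowed_schemes = {s.lower() for s in allowed_schemes}
        self.resolver = resolver

    def check(self, url: str) -> str:
        """Return the resolved address to connect to, or raise ValueError."""
        parts = urlsplit(url)
        if parts.scheme.lower() not in self.allowed_schemes:
            raise ValueError(f"scheme not allowed: {parts.scheme!r}")
        if parts.username is not None or parts.password is not None:
            # "https://idp.example.com@169.254.169.254/" reads like the IdP
            # but connects to the metadata service; refuse userinfo outright.
            raise ValueError("userinfo in URL is not allowed")
        host = parts.hostname
        if not host or host.lower() not in self.allowed_hosts:
            raise ValueError(f"host not on allow-list: {host!r}")
        addrs = [ipaddress.ip_address(a) for a in self.resolver(host)]
        if not addrs:
            raise ValueError(f"{host} did not resolve")
        for addr in addrs:
            if is_internal(addr):
                raise ValueError(f"{host} resolves to internal address {addr}")
        # Connect to the address that was checked, not to the name again,
        # otherwise the DNS answer can change between check and use (rebinding).
        return str(addrs[0])


# Constructed sample DNS data (not real records): the last two entries model
# an attacker-controlled public name that answers with an internal address.
FAKE_DNS = {
    "idp.example.com":    ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.35", "10.0.0.5"],
    "mapped.example.com": ["::ffff:127.0.0.1"],
}


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host.lower(), [])


GUARD = SsrfGuard({"idp.example.com", "rebind.example.com", "mapped.example.com"},
                  fake_resolve)


def fetch_allowed(url: str) -> bool:
    """Convenience wrapper: True if GUARD would let the server fetch url."""
    try:
        GUARD.check(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://idp.example.com/saml/metadata",
              "http://idp.example.com/saml/metadata",
              "https://127.0.0.1/",
              "https://idp.example.com@169.254.169.254/",
              "https://rebind.example.com/",
              "https://mapped.example.com/"):
        print(f"{u:48} -> {'ALLOW' if fetch_allowed(u) else 'BLOCK'}")
```

The resolver is injected so the example runs offline; in production pass a wrapper around socket.getaddrinfo and open a connection to the returned address rather than re-resolving the name. The gate is only as strong as its allow-list: an allowed host that follows redirects on the server's behalf can still be abused, so redirects should be disabled or re-checked through the same gate.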

Recommendation: Update affected Ivanti products to the patched release for your version as soon as it is available; apply the mitigation file in the interim.

Cisco Released Security Updates for Critical and High Severity Vulnerabilities in Cisco Products

Threat Reference: Global

Risks: Cross-site Request Forgery (CSRF), Denial of Service (DoS), Privilege Escalation, Unauthorised Configuration Changes

Advisory Type: Updates/Patches

Priority: Standard

Cisco has released security updates for critical and high severity vulnerabilities in Cisco products. Successful exploitation could allow an unauthenticated remote attacker to conduct cross-site request forgery (CSRF) attacks against a logged-in user and perform arbitrary actions with that user's privileges; if the user is an administrator, this includes modifying the system configuration and creating new privileged accounts.

Affected products include Cisco Expressway Control (Expressway-C) and Cisco Expressway Edge (Expressway-E) devices.

Notable CVEs Include (Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities):

  • [Critical] – CVE-2024-20252 and CVE-2024-20254: An attacker could exploit these vulnerabilities by persuading a logged-in user to follow a maliciously crafted link. Successful exploitation allows the attacker to perform arbitrary actions with the privilege level of that user; for an administrator this includes changing the system configuration and creating new privileged accounts.
  • [High] – CVE-2024-20255: Successful exploitation could allow the attacker to perform arbitrary actions with the privileges of the affected user, including overwriting system configuration settings, potentially leading to a denial of service (DoS) condition.
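To make the link-click attack above concrete, this added Python example (written for this advisory, not Cisco's code) shows the two server-side checks a state-changing endpoint needs to defeat it: a token bound to the session, which the attacker's page cannot know, and an Origin/Referer comparison, which a cross-site page cannot satisfy. SITE_ORIGIN, the session dictionary and the request headers are assumed sample values:

```python
"""Added example (generic, not Cisco's code): the server-side checks that
defeat a link-click CSRF against a state-changing endpoint.  A forged request
sent by the victim's browser carries the victim's session cookie, so the
endpoint must demand something the attacker's page cannot supply: a secret
token bound to the session, plus an Origin/Referer that matches this site.
SITE_ORIGIN, the session store and the requests below are assumed sample data."""
import hmac
import secrets
from typing import Mapping, MutableMapping, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://expressway.example.internal"   # assumed host name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: MutableMapping[str, str]) -> str:
    """Mint a fresh random token, store it in the session, embed it in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(value: Optional[str]) -> Optional[str]:
    """Reduce an Origin or Referer header to scheme://host[:port]."""
    if not value:
        return None
    p = urlsplit(value)
    if not p.scheme or not p.netloc:
        return None        # also covers "Origin: null" from opaque origins
    return f"{p.scheme}://{p.netloc}".lower()


def is_state_change_allowed(method: str, headers: Mapping[str, str],
                            form: Mapping[str, str],
                            session: Mapping[str, str]) -> bool:
    """Decide whether a request may change state."""
    if method.upper() in SAFE_METHODS:
        # Safe methods are not checked here: the endpoint must not change
        # state on GET, otherwise a plain <img src=...> is enough to forge it.
        return True
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Check 1: the request must come from this site.  Browsers always send
    # Origin on cross-site POSTs; Referer is accepted as a fallback.  A request
    # with neither is refused rather than trusted.
    origin = _origin_of(hdrs.get("origin")) or _origin_of(hdrs.get("referer"))
    if origin != SITE_ORIGIN.lower():
        return False
    # Check 2: the token in the body must match the one bound to the session.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)   # constant-time compare


def demo() -> dict:
    """A legitimate admin request next to two forged ones from an attacker's page."""
    session: dict = {}
    token = issue_csrf_token(session)
    legit = {"Origin": SITE_ORIGIN}
    forged = {"Origin": "https://attacker.example"}   # set by the browser, not the attacker
    return {
        "legitimate": is_state_change_allowed("POST", legit, {"csrf_token": token}, session),
        # even a leaked token does not help once the origin check fails
        "forged_cross_site": is_state_change_allowed("POST", forged, {"csrf_token": token}, session),
        "forged_no_token": is_state_change_allowed("POST", legit, {"user": "backdoor"}, session),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} -> {'ALLOW' if allowed else 'REJECT'}")
```

A request that arrives with neither Origin nor Referer is refused rather than trusted; non-browser API clients that trip on this should authenticate with a bearer token or a custom request header instead of a cookie. Marking the session cookie SameSite=Lax or Strict adds a browser-enforced layer on top, but the server-side check must still exist for older clients.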

Recommendation: Update all affected products to the latest available patch version.

F5 Fixes Multiple High Severity Vulnerabilities in BIG-IP Systems

Threat Reference: Global

Risks: Denial of Service (DoS), Authenticated Arbitrary Command Execution (Appliance mode bypass).

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that F5 recently fixed multiple high severity vulnerabilities affecting BIG-IP modules. Most of them allow a remote unauthenticated attacker to cause a denial of service (DoS) by forcing the Traffic Management Microkernel (TMM) or the Behavioral DoS process to restart; one allows an authenticated administrator to run arbitrary system commands on an Appliance mode system.

Affected products include BIG-IP Next SPK, BIG-IP (all modules), BIG-IP (PEM), BIG-IP (Advanced WAF/ASM), the Application Visibility and Reporting (AVR) module, and BIG-IP (AFM). Refer to F5's February 2024 Quarterly Security Notification for the full list of affected versions.

Notable CVEs Include:

  • [High] – CVE-2024-22093 – [CVSS:8.7] An authenticated attacker with an administrator role and network access to the iControl REST endpoint can execute arbitrary system commands, bypassing the Appliance mode restrictions on BIG-IP systems.
  • [High] – CVE-2024-23314, CVE-2024-23982, CVE-2024-24775, CVE-2024-23805, CVE-2024-21763, CVE-2024-21849 and CVE-2024-21771 – [CVSS:7.5] The Traffic Management Microkernel (TMM) process restarts, disrupting traffic, which allows a remote unauthenticated attacker to cause a denial of service (DoS) on the BIG-IP system.
  • [High] – CVE-2024-23979 – [CVSS:7.5] The Traffic Management Microkernel (TMM) process is either forced to restart or must be restarted manually, allowing a remote unauthenticated attacker to cause a denial of service (DoS) on the BIG-IP system.
  • [High] – CVE-2024-21789 and CVE-2024-23308 – [CVSS:7.5] System performance degrades until the Behavioral DoS (BD) process is restarted, allowing a remote unauthenticated attacker to cause a denial of service (DoS) on the BIG-IP system.

At the time of writing this advisory, SecurityHQ had not observed active exploitation of the above vulnerabilities or a publicly available exploit.

Recommendation: Update all affected products to the latest available patch version.

Fortinet Fixed Critical and Medium Severity Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Man-in-the-middle Attack, Denial of Service, Arbitrary Code and Command Execution.

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released security updates for critical and medium severity vulnerabilities in FortiOS and FortiProxy, the two critical ones being in the SSL VPN daemon (sslvpnd) and the FortiGate-to-FortiManager daemon (fgfmd). Successful exploitation can lead to remote code execution (RCE) and arbitrary command execution by an unauthenticated attacker, man-in-the-middle interception, or denial of service. Fortinet reported that CVE-2024-21762 was potentially being exploited in the wild at the time of disclosure.

Affected products include the FortiOS 7.4, 7.2, 7.0, 6.4, 6.2 and 6.0 branches and the FortiProxy 7.4, 7.2 and 7.0 branches; refer to the Fortinet PSIRT advisories for the exact fixed releases.

Notable CVEs Include:

  • [Critical] – CVE-2024-23113 – CVSS score: 9.8 – A use of externally-controlled format string vulnerability in the fgfmd daemon allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
  • [Critical] – CVE-2024-21762 – CVSS score: 9.6 – An out-of-bounds write in the SSL VPN daemon (sslvpnd) allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
  • [Medium] – CVE-2023-44487 – The HTTP/2 protocol allows a denial of service ("Rapid Reset") because request cancellation can reset many streams quickly.
  • [Medium] – CVE-2023-47537 – An improper certificate validation vulnerability allows an unauthenticated attacker to perform a man-in-the-middle attack.
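CVE-2023-44487 is the one entry above that is a protocol design issue rather than a bug specific to Fortinet's code, so the fix on every HTTP/2 server is a behavioural limit. The following added Python example (written for this advisory, not Fortinet's implementation) runs that limit, a per-connection RST_STREAM counter over a sliding window, against a constructed frame log; the connection ids, thresholds and timings are assumed values:

```python
"""Added example (generic, not Fortinet's code): the per-connection RST_STREAM
rate limit that HTTP/2 servers adopted against CVE-2023-44487 ("Rapid Reset").
The server starts work on a stream as soon as HEADERS arrives; a client that
cancels it with RST_STREAM immediately keeps its in-flight stream count under
SETTINGS_MAX_CONCURRENT_STREAMS while opening streams far faster than the
server can serve them.  Counting resets per connection in a sliding window and
closing connections that exceed a threshold bounds that work.  The frame log,
the thresholds and the connection ids below are constructed sample data."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Frame = Tuple[str, str, float]          # (connection id, frame type, timestamp s)


class RapidResetGuard:
    def __init__(self, max_resets: int, window_s: float):
        self.max_resets = max_resets    # resets tolerated per window
        self.window_s = window_s
        self._resets: Dict[str, Deque[float]] = defaultdict(deque)
        self.closed: set = set()

    def observe(self, conn_id: str, frame_type: str, ts: float) -> bool:
        """Feed one frame; True means 'send GOAWAY and close this connection'."""
        if conn_id in self.closed:
            return True
        if frame_type != "RST_STREAM":
            return False
        q = self._resets[conn_id]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop resets outside the window
            q.popleft()
        if len(q) > self.max_resets:
            self.closed.add(conn_id)
            return True
        return False


def constructed_frames() -> List[Frame]:
    """Constructed log: a benign client (20 requests, 2 cancellations over 2 s)
    interleaved with a Rapid Reset client (500 HEADERS/RST_STREAM pairs in 0.5 s)."""
    frames: List[Frame] = []
    for i in range(20):
        frames.append(("conn-benign", "HEADERS", i * 0.1))
        if i in (5, 12):
            frames.append(("conn-benign", "RST_STREAM", i * 0.1 + 0.01))
    for i in range(500):
        frames.append(("conn-attacker", "HEADERS", i * 0.001))
        frames.append(("conn-attacker", "RST_STREAM", i * 0.001 + 0.0001))
    frames.sort(key=lambda f: f[2])
    return frames


def first_close_times(frames: List[Frame], max_resets: int = 100,
                      window_s: float = 1.0) -> Dict[str, float]:
    """Run the guard over a frame log and map each closed connection to the
    timestamp at which it was closed."""
    guard = RapidResetGuard(max_resets, window_s)
    closed_at: Dict[str, float] = {}
    for conn, ftype, ts in frames:
        if guard.observe(conn, ftype, ts) and conn not in closed_at:
            closed_at[conn] = ts
    return closed_at


if __name__ == "__main__":
    for conn, ts in first_close_times(constructed_frames()).items():
        print(f"{conn}: closed after {ts:.4f}s")
```

The threshold and window are illustrative. Production servers also cap the rate at which new streams are opened rather than counting resets alone, and they end the connection with GOAWAY rather than dropping it silently so a well-behaved client can reconnect; the point that carries over is that the cost of a cancelled stream must be bounded per connection, not per stream.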

Recommendation: Update all affected products to the fixed release for your branch. Where CVE-2024-21762 cannot be patched immediately, Fortinet's stated workaround is to disable SSL VPN entirely (disabling web mode alone is not a valid workaround).

Microsoft Released February 2024 Patch Tuesday for 73 Flaws, Including Two Zero-Days

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its February 2024 Patch Tuesday with security updates for seventy-three flaws, including two actively exploited zero-days. Successful exploitation of these vulnerabilities could result in remote code execution, elevation of privilege, security feature bypass, information disclosure, spoofing and denial of service. Both zero-days are security feature bypasses that need a user to open an attacker-supplied file: CVE-2024-21351 lets a malicious file get past Windows SmartScreen, and CVE-2024-21412 uses a specially crafted Internet Shortcut (.url) file to skip the security checks that would otherwise be displayed.

Affected products include Azure, Windows, Microsoft Dynamics, Microsoft Office, Windows Bluetooth Driver, Windows USB Serial Driver, Windows Internet Connection Sharing (ICS), Microsoft Exchange Server, and SQL Server.

Notable CVEs Include:

  • [Zero-Day] – CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability
  • [Zero-Day] – CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability
  • [Critical] – CVE-2024-21380 – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
  • [Critical] – CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-20667 – Azure DevOps Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-20673 – Microsoft Office Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21315 – Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21327 – Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
  • [Important] – CVE-2024-21328 – Dynamics 365 Sales Spoofing Vulnerability
  • [Important] – CVE-2024-21329 – Azure Connected Machine Agent Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21338 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21342 – Windows DNS Client Denial of Service Vulnerability
  • [Important] – CVE-2024-21345 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21346 – Win32k Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21347 – Microsoft ODBC Driver Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21348 – Internet Connection Sharing (ICS) Denial of Service Vulnerability
  • [Important] – CVE-2024-21349 – Microsoft ActiveX Data Objects Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21350 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21352 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21354 – Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21355 – Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21357 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21358 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21359 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21360 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21361 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21363 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21365 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21366 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21368 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21369 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21370 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21371 – Windows Kernel Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21372 – Windows OLE Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21375 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21376 – Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21377 – Windows DNS Information Disclosure Vulnerability
  • [Important] – CVE-2024-21378 – Microsoft Outlook Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21379 – Microsoft Word Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21384 – Microsoft Office OneNote Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21386 – .NET Denial of Service Vulnerability
  • [Important] – CVE-2024-21389 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
  • [Important] – CVE-2024-21391 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21393 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
  • [Important] – CVE-2024-21394 – Dynamics 365 Field Service Spoofing Vulnerability
  • [Important] – CVE-2024-21395 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
  • [Important] – CVE-2024-21396 – Dynamics 365 Sales Spoofing Vulnerability
  • [Important] – CVE-2024-21399 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
  • [Important] – CVE-2024-21401 – Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21402 – Microsoft Outlook Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21403 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21404 – .NET Denial of Service Vulnerability
  • [Important] – CVE-2024-21405 – Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
  • [Important] – CVE-2024-21406 – Windows Printing Service Spoofing Vulnerability
  • [Important] – CVE-2024-21420 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Recommendation: Update all affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to cyber threat intelligence. The team researches emerging threats and tracks the activities of threat actors, ransomware groups and campaigns so that customers stay ahead of potential risks. Beyond this investigative work, the team provides actionable threat intelligence and research that enriches the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to navigate the cyber security threat landscape with confidence.

For more information on these threats, speak to a SecurityHQ expert. If you suspect a security incident, report it to SecurityHQ.