March 2024 Threat Advisory – Top 5

SecurityHQ’s Monthly Threat Report, Top 5, Drawn from Recent Advisories of March 2024.

Continued Exploitation of ConnectWise ScreenConnect Vulnerabilities, Leading to Initial Access

Threat Reference: Global

Risks: Authentication Bypass and Path Traversal Vulnerability.

Advisory Type: Updates/Patches

Priority: Elevated

SecurityHQ is aware of various threat actors that are actively exploiting a critical severity authentication bypass vulnerability (CVE-2024-1709), and a high-severity path traversal vulnerability (CVE-2024-1708) found in ConnectWise ScreenConnect servers.

ConnectWise, a prominent software company, recently addressed two Critical vulnerabilities. These vulnerabilities impact ScreenConnect versions 23.9.7 and earlier. Successful exploitation of these vulnerability results in Authentication Bypass and Path Traversal Attack.

A remote attacker has the capability to compromise the confidentiality, integrity, and availability of a targeted device.

Affected CVE’s:

• [Critical] CVE-2024-1709 – A Critical Authentication Bypass Vulnerability with the highest possible CVSS severity score of 10. If successfully exploited it may allow a remote attacker direct access to confidential information.

This vulnerability originates from a path issue in the SetupModule of ScreenConnect.Web.dll. To be more specific, there’s an issue with how the onPostMapRequestHandler function deals with the .NET HttpRequest.Path property.

In .NET, the path is made by combining FilePath and PathInfo. An attacker can easily add a PathInfo trailer in the SetupWizard.aspx HTTP POST request. By doing this, the attacker can initiate the ScreenConnect SetupWizard and bypass authentication.

• [Critical] CVE-2024-1709 is especially alarming in that it is very easy to exploit. If an attacker successfully adds unauthorized accounts into the Connectwise Server, those accounts can be abused to execute code.

• [Critical] CVE-2024-1708 – Path Traversal Vulnerability with the high possible CVSS severity score of 8.4. Successful exploitation may allow a remote attacker the ability to execute remote code or directly impact confidential data.

This vulnerability originates from an issue in the ScreenConnect.ZipFile.ExtractAllEntries function in ScreenConnect.Core.dll. This issue comes from not validating user-provided file paths correctly, which allows an attacker to access and modify files.

An attacker can leverage this vulnerability to upload malicious files such as web shells on infected machines.

SecurityHQ have observed these vulnerabilities being actively exploited by threat actors including Ransomware groups including, Black Basta, Bloody Ransomware Gangs, Conti, XWorm, AsysncRAT, LockBit and TrickBot. Exploitation is leading to deployment of ransomware payloads and cryptocurrency miners.

Additionally, we have observed Black Basta ransomware group use remote access tools such as Cobalt Strike Beacon after gaining access to compromised devices.

Recommendation: Update ScreenConnect servers to version 23.9.8 or newer without delay. It is important to verify that the patch has been fully and correctly implemented across all servers that are potentially at risk.

• For self-hosted users: It is recommended to update Screen-Connect to the latest available version. (version 23.9.10.8817).

• For cloud users: ConnectWise’s cloud hosting (screenconnect[.]com or hostedrmm[.]com) are already protected. No further action is required.

SecurityHQ strongly recommend employing remote desktop tools which can be completely audited for the usage of the same. Punching direct holes in your perimeter to access servers/endpoints remotely is not advisable.We recommend doing this via a secure landing zone over VPN and then follow on access to specific resources, whilst auditing and monitoring all these activities.

60 Flaws & 18 Remote Code Execution Vulnerabilities in Microsoft Patch Tuesday.

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for March 2024 with security updates for 60 flaws, including 18 Remote code Execution Vulnerabilities.

Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Affected Products include Windows, Azure, Skype, SQL Server, Visual Studio Code, Microsoft Dynamics, Microsoft Office, and Microsoft Exchange Server.

Notable CVE’s:

• [Critical] CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability
• [Critical] CVE-2024-21408 – Windows Hyper-V Denial of Service Vulnerability
• [Important] CVE-2024-26199 – Microsoft Office Elevation of Privilege Vulnerability
• [Important] CVE-2024-20671 – Microsoft Defender Security Feature Bypass Vulnerability
• [Important] CVE-2024-21411 – Skype for Consumer Remote Code Execution Vulnerability
• [Important] CVE-2024-21330 – Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
• [Important] CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
• [Important] CVE-2024-21390 – Microsoft Authenticator Elevation of Privilege Vulnerability
• [Important] CVE-2024-21392 – .NET and Visual Studio Denial of Service Vulnerability
• [Important] CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
• [Important] CVE-2024-21418 – Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability
• [Important] CVE-2024-21419 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
• [Important] CVE-2024-21421 – Azure SDK Spoofing Vulnerability
• [Important] CVE-2024-21426 – Microsoft SharePoint Server Remote Code Execution Vulnerability
• [Important] CVE-2024-21427 – Windows Kerberos Security Feature Bypass Vulnerability
• [Important] CVE-2024-21429 – Windows USB Hub Driver Remote Code Execution Vulnerability
• [Important] CVE-2024-21430 – Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability
• [Important] CVE-2024-21431 – Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability
• [Important] CVE-2024-21432 – Windows Update Stack Elevation of Privilege Vulnerability
• [Important] CVE-2024-21433 – Windows Print Spooler Elevation of Privilege Vulnerability
• [Important] CVE-2024-21434 – Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
• [Important] CVE-2024-21435 – Windows OLE Remote Code Execution Vulnerability
• [Important] CVE-2024-21436 – Windows Installer Elevation of Privilege Vulnerability
• [Important] CVE-2024-21437 – Windows Graphics Component Elevation of Privilege Vulnerability
• [Important] CVE-2024-21438 – Microsoft AllJoyn API Denial of Service Vulnerability
• [Important] CVE-2024-21439 – Windows Telephony Server Elevation of Privilege Vulnerability
• [Important] CVE-2024-21440 – Microsoft ODBC Driver Remote Code Execution Vulnerability
• [Important] CVE-2024-21441 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
• [Important] CVE-2024-21442 – Windows USB Print Driver Elevation of Privilege Vulnerability
• [Important] CVE-2024-21443 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] CVE-2024-21444 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
• [Important] CVE-2024-21445 – Windows USB Print Driver Elevation of Privilege Vulnerability
• [Important] CVE-2024-21446 – NTFS Elevation of Privilege Vulnerability
• [Important] CVE-2024-21448 – Microsoft Teams for Android Information Disclosure Vulnerability
• [Important] CVE-2024-21450 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
• [Important] CVE-2024-21451 – Microsoft ODBC Driver Remote Code Execution Vulnerability
• [Important] CVE-2024-26159 – Microsoft ODBC Driver Remote Code Execution Vulnerability
• [Important] CVE-2024-26160 – Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
• [Important] CVE-2024-26161 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
• [Important] CVE-2024-26162 – Microsoft ODBC Driver Remote Code Execution Vulnerability
• [Important] CVE-2024-26164 – Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
• [Important] CVE-2024-26165 – Visual Studio Code Elevation of Privilege Vulnerability
• [Important] CVE-2024-26166 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
• [Important] CVE-2024-26169 – Windows Error Reporting Service Elevation of Privilege Vulnerability
• [Important] CVE-2024-26170 – Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
• [Important] CVE-2024-26173 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] CVE-2024-26174 – Windows Kernel Information Disclosure Vulnerability
• [Important] CVE-2024-26176 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] CVE-2024-26177 – Windows Kernel Information Disclosure Vulnerability
• [Important] CVE-2024-26178 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] CVE-2024-26181 – Windows Kernel Denial of Service Vulnerability
• [Important] CVE-2024-26182 – Windows Kernel Elevation of Privilege Vulnerability
• [Important] CVE-2024-26185 – Windows Compressed Folder Tampering Vulnerability
• [Important] CVE-2024-26190 – Microsoft QUIC Denial of Service Vulnerability
• [Important] CVE-2024-26197 – Windows Standards-Based Storage Management Service Denial of Service Vulnerability
• [Important] CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability
• [Important] CVE-2024-26201 – Microsoft Intune Linux Agent Elevation of Privilege Vulnerability
• [Important] CVE-2024-26203 – Azure Data Studio Elevation of Privilege Vulnerability
• [Important] CVE-2024-26204 – Outlook for Android Information Disclosure Vulnerability
• [Low] CVE-2024-26167 – Microsoft Edge for Android Spoofing Vulnerability

Recommendation: It is recommended to update all the affected products to the latest available patch version.

Fortinet Fixes Two Critical and a Medium Severity Vulnerabilities in FortiProxy and FortiOS.

Threat Reference: Global

Risks: Privilege Escalation, Improper access control and Arbitrary Code Execution.

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released patches to fix two critical and one high severity vulnerabilities affecting FortiProxy and FortiOS.

A Successful Exploitation of these vulnerabilities could lead to Privilege Escalation, Improper access control and Arbitrary Code Execution.

Notable CVE: –

• [Critical] – CVE-2023-42789 – [CVSS Score: 9.3] – An out-of-bounds vulnerability could allow an inside attacker with captive portal access to write data beyond the boundaries of allocated memory. This could lead to unauthorized code and command execution.

• [Critical] – CVE-2023-42790 – [CVSS Score: 9.3] – A stack-based buffer overflow vulnerability may enable an inside attacker who already has access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.

• [Medium] – CVE-2023-46717 – [CVSS Score:6.7] – An improper authentication vulnerability has been identified in FortiOS when it is configured with FortiAuthenticator in High Availability (HA) mode. An authenticated attacker with read-only permission can escalate their privileges to read-write access via repeated login attempts.

SecurityHQ has not observed any publicly available exploit for the above-mentioned vulnerabilities and neither has seen exploitation by threat actor or malware variants.

Affected products include:

• FortiOS version 7.4.0 through 7.4.1
• FortiOS version 7.2.0 through 7.2.5
• FortiOS version 7.0.0 through 7.0.12
• FortiOS version 7.0.1 through 7.0.13
• FortiOS version 6.4.0 through 6.4.14
• FortiOS version 6.2.0 through 6.2.15
• FortiProxy version 7.4.0 through 7.4.1
• FortiProxy version 7.2.0 through 7.2.6
• FortiProxy version 7.0.0 through 7.0.12
• FortiProxy version 2.0.0 through 2.0.13
• FortiProxy version 7.0.0 through 7.0.14

Recommendation: It is recommended to update all the affected products to the latest available patch version.

Mozilla Has Patched Critical, High and Moderate Severities in Firefox

Threat Reference: Global

Risks: Arbitrary code, Out-of-Bounds Memory Read, Memory Corruption, Timing Side-Channel and Clickjacking.

Advisory Type: Updates/Patches

Priority: Standard

Mozilla has released updates for multiple severity vulnerabilities in Firefox which, after successful exploitation, can lead to arbitrary code, out-of-bounds memory read, memory corruption, timing side-channel attack and Clickjacking.

Affected Products include Firefox ESR 115.9 and  Firefox 124.

Notable CVEs:

• [Critical] – CVE-2024-2615: Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
• [High] – CVE-2024-0743: An unchecked return value in TLS handshake code could have caused a potentially exploitable crash.
• [High] – CVE-2024-2605: An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system escaping the sandbox.
• [High] – CVE-2024-2606: Passing invalid data could have led to invalid wasm values being created, such as arbitrary integers turning into pointer values.
• [High] – CVE-2024-2607: Return registers were overwritten which could have allowed an attacker to execute arbitrary code.
• [High] – CVE-2024-2608: Integer overflows could have led to insufficient buffer allocation, causing out-of-bounds writes.
• [High] – CVE-2024-2616: To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue.
• [High] – CVE-2024-2614: Memory safe bugs identified in Firefox components can result in memory corruption and can be used in arbitrary code execution exploits.
• [Moderate] – CVE-2024-2609: The permission prompt input delay could have expired while the window is not in focus, which made the prompt vulnerable to clickjacking by malicious websites.
• [Moderate] – CVE-2024-2610: Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies.
• [Moderate] – CVE-2024-2611: A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions.
• [Moderate] – CVE-2024-2612: If an attacker could find a way to trigger a particular code path to ‘SafeRefPtr’, which could have triggered a crash or potentially be leveraged to achieve code execution.

SecurityHQ has not seen any publicly available exploit for above mentioned vulnerabilities and neither has seen exploitation by threat actor or malware variants.

Recommendation: Update the affected products to their latest available versions/patch level.

VMWare Fixes Critical and High Severity Vulnerabilities in VMWare ESXi, Workstation, and Fusion.

Threat Reference: Global

Risks: Code Execution, Unauthorized Access, and Memory Leak.

Advisory Type: Updates/Patches

Priority: Standard

VMware has released patches to address Critical and High severity vulnerabilities, Impacting ESXi, Workstation and Fusion. An attacker with local administrative privileges on virtual machine could allow to escape virtual machines and access the host operating system.

On ESXi, the exploitation is limited to the virtual machine area, but on Workstation and Fusion, it could make harmful code run on the computer where Workstation or Fusion is set up.

Affected Products include VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion Pro / Fusion (Fusion), VMware Cloud Foundation (Cloud Foundation).

Notable CVEs:

• [Critical] – CVE-2024-22252 & CVE-2024-22253 – CVSS Score: 9.3 – Use-after free bugs in the XHCI and UHCI USB controllers. An attacker with local administrative privileges on virtual machine could exploit this vulnerability to execute code as the virtual machines VMX process running on the host.

• [High] – CVE-2024-22254 – CVSS Score: 7.9 – Out-of-bounds write flaw in ESXi. An attacker with VMX process privileges can lead to sandbox escape by writing outside the pre-determined memory region.

• [High] – CVE-2024-22255 – CVSS Score: 7.1 – Information disclosure vulnerability in the UHCI USB controller. An attacker with administrative access to VM could allow to leak memory from VMX process.

SecurityHQ has not observed any publicly available exploit for above mentioned vulnerabilities and neither has seen exploitation by threat actor or malware variants.

Recommendation: It is recommended to update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.