The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
This month’s Microsoft Patch Tuesday has fixed a total of 142 flaws, including 5 critical vulnerabilities, all of them Remote Code Execution. The number of vulnerabilities in each category is:
- 26 Elevation of privilege
- 24 Security Feature Bypass
- 59 Remote Code Execution
- 9 Information Disclosure
- 17 Denial of Service
- 7 Spoofing
This month’s Patch Tuesday also fixed four zero-days, two of them actively exploited and another two that were publicly disclosed. A zero-day vulnerability is a vulnerability that has been publicly disclosed without an official fix made available.
The two actively exploited vulnerabilities were:
- CVE-2024-3808: A Hyper-V elevation of privilege vulnerability that gives attackers SYSTEM privileges.
- CVE-2024-38112: An actively exploited Windows MSHTML spoofing vulnerability that could be used to prepare the target environment prior to exploitation.
The two unexploited and publicly disclosed vulnerabilities were:
- CVE-2024-35264: A publicly disclosed .NET and Visual Studio RCE. Closing an HTTP/3 stream while the request body is being processed triggers a race condition that could result in remote code execution.
- CVE-2024-37985: Previously disclosed “FetchBench” side-channel attack that can be used to steal “secret information”. Exploiting this vulnerability could allow an attacker to view heap memory.
Vulnerability in the Modern Events Calendar WordPress plugin
Cyber criminals have been known to exploit a vulnerability, CVE-2024-5441, in the WordPress plugin Modern Events Calendar, developed by Webnus. The security issue stems from a lack of file type validation when uploading and setting featured images for events. This allowed the upload of malicious and potentially dangerous .PHP files which, once uploaded, can be accessed and executed. This would lead to remote code execution on the server and potentially even a complete website takeover.
This vulnerability can be exploited by any authenticated user, including subscribers. If an event is set to allow for event submissions from non-members (visitors without accounts) then the vulnerability can be exploited by non-authenticated users.
This vulnerability affects versions up to and including v7.11.0. To mitigate this vulnerability, you should update the plugin to the latest version.
RCE bug present in OpenSSH gives root privileges on Linux servers
OpenSSH is a suite of networking utilities used for secure remote login, remote server management, administration and file transfers. A remote code execution vulnerability was recently found in it on glibc-based Linux systems. The vulnerability, CVE-2024-6387, dubbed “regreSSHion”, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code. This could allow an attacker to execute arbitrary code as root, which could lead to complete system takeover.
The versions of OpenSSH that are affected are from v8.5p1 up to and not including v9.8p1. While currently only known to affect Linux, it likely also exists on macOS and Windows, although that would need a separate analysis. To mitigate this vulnerability, it is recommended to:
- Apply the latest available update for the OpenSSH server (v9.8p1).
- Restrict SSH access using network-based controls such as firewalls and implement network segmentation to prevent lateral movement.
- If OpenSSH cannot be updated immediately, set ‘LoginGraceTime’ to 0 in the sshd config file. However, this could expose the server to Denial-of-Service.
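As an added example (not part of the bulletin or the OpenSSH project), the following POSIX shell script classifies an OpenSSH version string against the affected range given above (8.5p1 up to but not including 9.8p1) and reads the effective LoginGraceTime from an sshd_config file, so an administrator can confirm whether the patch or the workaround is in place. The sample config it writes is constructed for the stand-alone run; the function names are the author's own.

```shell
#!/bin/sh
# Added example: check an OpenSSH version against the CVE-2024-6387 range
# (8.5p1 <= version < 9.8p1) and inspect sshd_config for the workaround.

# openssh_affected "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4" -> prints "affected",
# "not-affected" or "unknown" (when no x.ypN version can be parsed).
openssh_affected() {
    # Keep only "<major>.<minor>p<patch>" from a version string or ssh -V banner.
    v=$(printf '%s' "$1" | sed -n \
        's/^\(OpenSSH_\)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\)p\([0-9][0-9]*\).*/\2p\3/p')
    if [ -z "$v" ]; then echo "unknown"; return 0; fi
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    # Encode as one comparable integer: major*10000 + minor*100 + patch
    n=$((major * 10000 + minor * 100 + patch))
    lo=$((8 * 10000 + 5 * 100 + 1))   # 8.5p1, first affected release
    hi=$((9 * 10000 + 8 * 100 + 1))   # 9.8p1, first fixed release
    if [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# grace_time_from_config /etc/ssh/sshd_config -> prints the effective
# LoginGraceTime. sshd honours the first uncommented match and defaults to 120.
grace_time_from_config() {
    val=$(grep -i '^[[:space:]]*LoginGraceTime[[:space:]]' "$1" 2>/dev/null \
          | head -n 1 | awk '{print $2}')
    echo "${val:-120}"
}

# Constructed sample config (not a real server's file) for a stand-alone run.
tmpcfg=$(mktemp)
printf 'Port 22\n# LoginGraceTime 120\nLoginGraceTime 0\nPermitRootLogin no\n' > "$tmpcfg"

# ssh -V reports the local client banner; confirm the server package separately.
echo "local client: $(openssh_affected "$(ssh -V 2>&1)")"
echo "sample 9.6p1: $(openssh_affected "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4")"
echo "sample config LoginGraceTime: $(grace_time_from_config "$tmpcfg")"
rm -f "$tmpcfg"
```

A LoginGraceTime of 0 only matters while the server remains on an affected version; once it reports "not-affected", the setting can be restored.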