Peek into Monthly Vulnerabilities: July 2024

July 2024 is not a normal reporting month as 22,254 Common Vulnerabilities and Exposures (CVEs) were reported in the middle of it, but only %0.91 had been weaponized. There were 79,000 new vulnerabilities reported in the first six months of 2024, which isn’t the actual number, but even if it is, it’s a staggering %12 of last year’s number for the whole calendar year

• Total CVEs Reported: Our approximate records show that 22,254 vulnerabilities have been recorded till July in the year 2024, which also means a quite huge figure of security problems that need to be dealt with. 
• Patch Tuesday: Microsoft released 138 CVEs in its July 2024 Patch Tuesday update. This included:
  • 5 were rated critical
  • 132 were classified as important
  • 1 was rated moderate
  • Interestingly enough, three of those vulnerabilities were zero-days, with two of them actively exploited in the wild. 

• 386 Oracle security patches, including 240 unique CVEs. More than 260 of these vulnerabilities were remotely exploitable and required no privileged access.

Vulnerability Types and Trends

Remote code execution (RCE): Many of the reported vulnerabilities fell into the above-mentioned subcategory of Remote Code Execution (RCE). It is no coincidence that RCE vulnerabilities are the dominant subcategory of vulnerabilities, as they allow a malicious actor to remotely execute code on the affected system.

Exploitation Trends: 0 days from February to July 2024, there were 20 entirely disclosed Proofs of Concept (PoCs) and 16 known vulnerabilities exploited by the threat actors. We may have discovered one exploitation trend: 0 days are usually found in the Windows and Browser-based services.

Severity Ratings: High-severity vulnerabilities (that enable a serious breach) are skewed towards a wider set of flaws. ServiceNow and SolarWinds are both high-severity vulnerabilities categorized by giving unauthorized access and running code while not validating bad input and maintaining low access restrictions.

Top 10 Vulnerabilities in July 2024

The top 10 vulnerabilities that organizations need to understand and prioritize addressing are: 

1. CVE-2024-21687: File Inclusion in Bamboo Data Center and Server

Summary: This is an intense flaw in Bamboo Data Centers and Servers. It grants to attackers who can authenticate themselves (themselves) for the execution of any PHP file on the server. With this flaw, an intruder can execute arbitrary code, breach sensitive data, compromise a system, or a denial of service (DoS).

Impact: If the exploitation is successful, the attacker can take control of the entire system, potentially exfiltrating sensitive data, taking critical services offline, and/or directing traffic to a botnet of many other systems. 

Mitigation: Upgrade to the newest Bamboo Data Center and Server version and apply all security patches. 

2. CVE-2024-4879: Unrestricted Remote Code Execution in ServiceNow

Summary: A critical vulnerability has been identified in the ServiceNow Platform with a potential impact of arbitrary remote code execution (RCE) in the preferred context of any privileged user on the targeted system. The exploitation vector lies in the failure to sanitize input data during the processing of the relevant API requests. An attacker can exploit this vulnerability to achieve arbitrary RCE by injecting specially crafted requests. 

Impact: With access comes power; the attacker can do whatever they want with your system—read the information they’re after, shut down your service, or spread itself to other machines in your network.

Mitigation: For the ServiceNow users who are failing, the patches need to be applied, and we can propose mitigations, such as limiting access to the API, to work around the underlying cause of the issue. 

3. CVE-2024-21686: Stored Cross-Site Scripting (XSS) in Confluence Data Center and Server

Summary: It is possible for an authenticated attacker to leverage this path in order to arbitrarily inject script within the context of a Confluence instance, and such script will be executed under the privileges of the user’s browser when later invoked in the context of a web page the user visits. This yields various risks to the affected user, including theft of sensitive information, session hijacking and further abuse. 

Impact: Stored XSS issues are doubly bad, due to the ‘time bomb’ nature of this class of vulnerabilities (they can potentially affect potentially thousands of users), and because they are almost always successfully exploited multiple times before a patch is issued. 

Mitigation: Upgrade to the latest version of ConfluenceInput validation and sanitization mechanisms must be implemented. 

4. CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability

Summary: One of at least 59 remote code execution (RCE) vulnerabilities fixed by Microsoft in July 2024. RCE exploit – attacker control of the affected system via the vulnerability, in this case through an image file. 

Impact: If exploitation is successful, the single outgoing connection installed on the targeted system will allow the attacker to later run malware on the target machine, exfiltrate data out of its memory and hard disk, or act as a beachhead for the network. 

Mitigation: Of course, always install all the latest Windows updates, but in this particular case, it’d be wise to zoom in on the updates concerned with RCE vulnerabilities, such as this one. 

5. CVE-2024-38074: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Summary: This critical vulnerability allows remote code execution on the target system because the integrity of the Windows Remote Desktop Licensing Service could not be maintained. Remote Desktop is really popular as a remote access tool in enterprise environments.

Impact: A successful exploitation of this vulnerability could allow remote code execution in the context of could lead to the complete control of a remote system, the download and execution of malware, and moving laterally to other systems in an enterprise. 

Mitigation: Addressing this vulnerability through a patch provided by Microsoft, this should be immediately installed. Access to Remote Desktop Licensing Service: Access to remote desktop licensing service should be blocked as much as possible. 

6. CVE-2024-23663: Improper Access Control in FortiExtender

Summary: A vulnerability exists in the FortiExtender authentication processing component that could allow a remote, authenticated attacker to create users with elevated privileges. The flaw is due to a deficient access-control mechanism that fails to verify the validity of user permissions.

Impact: Exploitation can lead to unauthorised access to critical components of the network, which in turn may result in the leak of data, denial-of-service attacks, and further compromise of the system.

Mitigation: Make sure that FortiExtender is updated to the most recent version and that access control has been set up to ensure that only a select few users have elevated access. 

7. CVE-2023-50178: Improper Certificate Validation in FortiADC

Summary: FortiADC is affected by a vulnerability that allows a remote authenticated attacker to bypass SSL certificate validation and perform a MitM attack. This could allow the attacker to hijack and manipulate sessions between the device and remote servers. 

Impact: A MitM attack would be considered successful because the recipient would be fooled into accepting malicious information and because any compromise during the MitM connection would potentially lead to the compromise of the entire network. 

Mitigation: Organizations should keep FortiADC up to date with the latest versions and construct valid certificates. Organizations should also make sure that they are using HTTPS (encrypted web traffic) and have strong encryption protocols (such as AES). 

8. CVE-2024-27784: Exposure of Sensitive Information in FortiAIOps

Summary: By abusing the API endpoint or by reading the FortiAIOps logs as an authenticated illicit attacker, this vulnerability allows exfiltration of sensitive server information. Mean: Exploiting this weakness would lead to the exfiltration of sensitive server information because data sanitization and access control were not accounted for in the API/system.

Impact: The target of the exploit might be revealed, together with configuration files, usernames, and other important information, which can then be leveraged in subsequent attacks.

Mitigation: Upgrade to the latest FortiAIOps and review API access policies to mitigate this vulnerability. 

9. CVE-2024-27782: Insufficient Session Expiration in FortiAIOps

Summary: Flaw: An attacker could reuse a stolen session token, impersonating a user to gain unauthorized access, such as updating sensitive information or modifying system configurations. 

Impact: If an attacker gains access to valid session tokens, they will still be able to access the system weeks, months, or even years later, after the normal user has logged out – allowing them unauthorized access to the system, dumping data, and modifying values.) 

Mitigation: a) Confirmation that session tokens are revoked after the user logs out, and b) strict session refresh policies, as any session time that exceeds two days’ timeframe is unsafe. The updated version of FortiAIOps is highly recommended. 

10. CVE-2024-27783: Cross-Site Request Forgery (CSRF) in FortiAIOps

Summary: An unauthenticated, remote attacker with a social engineering vector can leverage the existence of Gentoo Linux in FortiAIOps to induce an authenticated user into clicking on a malicious link or loading a malicious page, resulting in arbitrary actions on behalf of that user. 

Impact: If successfully exploited, this could allow a remote, unauthenticated attacker to perform actions that are within the user’s context (e.g., change configurations, steal data, gain access to unauthorized sensitive areas) via a web browser using JavaScript.

Mitigation: Organizations need to ensure that CSRF attacks against their systems are mitigated. All forms and other sensitive actions should only be reachable with a CSRF token incorporated in a protected way, and the corresponding server-side validation should be performed carefully. Fortinet has released a new version (up to 6.0.6), which patches this issue.

Mitigating the Risks

To effectively mitigate the risks posed by these vulnerabilities, organizations should:

1. Patch First: Apply all published security patches to the affected software. Start with the highest-impact patches.
2. Strict Input Validation: All user input has to be sanitised and properly validated before it is used – for example, to avoid injection attacks and other ill-intentioned inputs.
3. Keep Your System Safe: Tracking exploited vulnerabilities and emerging threats results in proactive security actions. Identify the critical vulnerabilities and threats now! Protect your system in seconds! Get your indexed vulnerability and keep it safe. Use ThreatMon, the best vendor-neutral solution. A Free Subscription is waiting for you. 
4. Scan Often: Implement a schedule for vulnerability scans to reveal and address newly found flaws.
5. Implement a Vulnerability Management Tool: Use threat intelligence-driven vulnerability management tools to prioritize fixing your security vulnerabilities based on the risks they pose to your business.
6. Train Users: Whatever you do, train your users to spot phishing attacks or suspicious URLs or other common attack vectors that can be circumvented by exploiting weaknesses of the target.

However, if a security-minded organization addresses these vulnerabilities before bad actors have a chance to do so, it will lower the risk of compromise and likely minimize the degree to which it or other parts of its system are compromised.