July 2024 is not a normal reporting month as 22,254 Common Vulnerabilities and Exposures (CVEs) were reported in the middle of it, but only %0.91 had been weaponized. There were 79,000 new vulnerabilities reported in the first six months of 2024, which isn’t the actual number, but even if it is, it’s a staggering %12 of last year’s number for the whole calendar year
Remote code execution (RCE): Many of the reported vulnerabilities fell into the above-mentioned subcategory of Remote Code Execution (RCE). It is no coincidence that RCE vulnerabilities are the dominant subcategory of vulnerabilities, as they allow a malicious actor to remotely execute code on the affected system.
Exploitation Trends: 0 days from February to July 2024, there were 20 entirely disclosed Proofs of Concept (PoCs) and 16 known vulnerabilities exploited by the threat actors. We may have discovered one exploitation trend: 0 days are usually found in the Windows and Browser-based services.
Severity Ratings: High-severity vulnerabilities (that enable a serious breach) are skewed towards a wider set of flaws. ServiceNow and SolarWinds are both high-severity vulnerabilities categorized by giving unauthorized access and running code while not validating bad input and maintaining low access restrictions.
The top 10 vulnerabilities that organizations need to understand and prioritize addressing are:
Summary: This is an intense flaw in Bamboo Data Centers and Servers. It grants to attackers who can authenticate themselves (themselves) for the execution of any PHP file on the server. With this flaw, an intruder can execute arbitrary code, breach sensitive data, compromise a system, or a denial of service (DoS).
Impact: If the exploitation is successful, the attacker can take control of the entire system, potentially exfiltrating sensitive data, taking critical services offline, and/or directing traffic to a botnet of many other systems.
Mitigation: Upgrade to the newest Bamboo Data Center and Server version and apply all security patches.
Summary: A critical vulnerability has been identified in the ServiceNow Platform with a potential impact of arbitrary remote code execution (RCE) in the preferred context of any privileged user on the targeted system. The exploitation vector lies in the failure to sanitize input data during the processing of the relevant API requests. An attacker can exploit this vulnerability to achieve arbitrary RCE by injecting specially crafted requests.
Impact: With access comes power; the attacker can do whatever they want with your system—read the information they’re after, shut down your service, or spread itself to other machines in your network.
Mitigation: For the ServiceNow users who are failing, the patches need to be applied, and we can propose mitigations, such as limiting access to the API, to work around the underlying cause of the issue.
Summary: It is possible for an authenticated attacker to leverage this path in order to arbitrarily inject script within the context of a Confluence instance, and such script will be executed under the privileges of the user’s browser when later invoked in the context of a web page the user visits. This yields various risks to the affected user, including theft of sensitive information, session hijacking and further abuse.
Impact: Stored XSS issues are doubly bad, due to the ‘time bomb’ nature of this class of vulnerabilities (they can potentially affect potentially thousands of users), and because they are almost always successfully exploited multiple times before a patch is issued.
Mitigation: Upgrade to the latest version of ConfluenceInput validation and sanitization mechanisms must be implemented.
Get Free Trial of ThreatMon End-to-End Threat Intelligence Platform
Summary: One of at least 59 remote code execution (RCE) vulnerabilities fixed by Microsoft in July 2024. RCE exploit – attacker control of the affected system via the vulnerability, in this case through an image file.
Impact: If exploitation is successful, the single outgoing connection installed on the targeted system will allow the attacker to later run malware on the target machine, exfiltrate data out of its memory and hard disk, or act as a beachhead for the network.
Mitigation: Of course, always install all the latest Windows updates, but in this particular case, it’d be wise to zoom in on the updates concerned with RCE vulnerabilities, such as this one.
Summary: This critical vulnerability allows remote code execution on the target system because the integrity of the Windows Remote Desktop Licensing Service could not be maintained. Remote Desktop is really popular as a remote access tool in enterprise environments.
Impact: A successful exploitation of this vulnerability could allow remote code execution in the context of could lead to the complete control of a remote system, the download and execution of malware, and moving laterally to other systems in an enterprise.
Mitigation: Addressing this vulnerability through a patch provided by Microsoft, this should be immediately installed. Access to Remote Desktop Licensing Service: Access to remote desktop licensing service should be blocked as much as possible.
Summary: A vulnerability exists in the FortiExtender authentication processing component that could allow a remote, authenticated attacker to create users with elevated privileges. The flaw is due to a deficient access-control mechanism that fails to verify the validity of user permissions.
Impact: Exploitation can lead to unauthorised access to critical components of the network, which in turn may result in the leak of data, denial-of-service attacks, and further compromise of the system.
Mitigation: Make sure that FortiExtender is updated to the most recent version and that access control has been set up to ensure that only a select few users have elevated access.
Summary: FortiADC is affected by a vulnerability that allows a remote authenticated attacker to bypass SSL certificate validation and perform a MitM attack. This could allow the attacker to hijack and manipulate sessions between the device and remote servers.
Impact: A MitM attack would be considered successful because the recipient would be fooled into accepting malicious information and because any compromise during the MitM connection would potentially lead to the compromise of the entire network.
Mitigation: Organizations should keep FortiADC up to date with the latest versions and construct valid certificates. Organizations should also make sure that they are using HTTPS (encrypted web traffic) and have strong encryption protocols (such as AES).
Summary: By abusing the API endpoint or by reading the FortiAIOps logs as an authenticated illicit attacker, this vulnerability allows exfiltration of sensitive server information. Mean: Exploiting this weakness would lead to the exfiltration of sensitive server information because data sanitization and access control were not accounted for in the API/system.
Impact: The target of the exploit might be revealed, together with configuration files, usernames, and other important information, which can then be leveraged in subsequent attacks.
Mitigation: Upgrade to the latest FortiAIOps and review API access policies to mitigate this vulnerability.
Summary: Flaw: An attacker could reuse a stolen session token, impersonating a user to gain unauthorized access, such as updating sensitive information or modifying system configurations.
Impact: If an attacker gains access to valid session tokens, they will still be able to access the system weeks, months, or even years later, after the normal user has logged out – allowing them unauthorized access to the system, dumping data, and modifying values.)
Mitigation: a) Confirmation that session tokens are revoked after the user logs out, and b) strict session refresh policies, as any session time that exceeds two days’ timeframe is unsafe. The updated version of FortiAIOps is highly recommended.
Summary: An unauthenticated, remote attacker with a social engineering vector can leverage the existence of Gentoo Linux in FortiAIOps to induce an authenticated user into clicking on a malicious link or loading a malicious page, resulting in arbitrary actions on behalf of that user.
Impact: If successfully exploited, this could allow a remote, unauthenticated attacker to perform actions that are within the user’s context (e.g., change configurations, steal data, gain access to unauthorized sensitive areas) via a web browser using JavaScript.
Mitigation: Organizations need to ensure that CSRF attacks against their systems are mitigated. All forms and other sensitive actions should only be reachable with a CSRF token incorporated in a protected way, and the corresponding server-side validation should be performed carefully. Fortinet has released a new version (up to 6.0.6), which patches this issue.
To effectively mitigate the risks posed by these vulnerabilities, organizations should:
However, if a security-minded organization addresses these vulnerabilities before bad actors have a chance to do so, it will lower the risk of compromise and likely minimize the degree to which it or other parts of its system are compromised.
