CISA Adds Three Critical Vulnerabilities to Exploited Vulnerabilities Catalog
On September 13 and 16, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.
Introduction
On September 13 and 16, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities, which affect widely-used software, have been identified as actively exploited, posing significant risks to both federal and private sector organizations.
Report Overview
CVE-2024-8190: Ivanti Cloud Services Appliance OS Command Injection Vulnerability
Date Added: September 13, 2024
The first vulnerability, CVE-2024-8190, affects Ivanti’s Cloud Services Appliance. This OS command injection flaw allows unauthenticated attackers to execute arbitrary commands on the affected system. The vulnerability arises from insufficient validation of user input, enabling malicious actors to send crafted requests to exploit the system. If successful, attackers can gain full control of the device, potentially leading to data exfiltration, unauthorized access, and disruption of services.
Ivanti has issued patches for this vulnerability, and organizations are urged to apply these updates immediately. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate the issue by the specified deadline, while all other organizations are strongly advised to do the same.
CVE-2024-43461: Microsoft Windows MSHTML Platform Spoofing Vulnerability
Date Added: September 16, 2024
CVE-2024-43461 targets the MSHTML platform in Microsoft Windows. This spoofing vulnerability allows attackers to craft malicious websites or emails that can bypass security measures and trick users into interacting with fraudulent content. By exploiting this vulnerability, attackers can spoof legitimate web pages or applications, making phishing attacks more convincing and increasing the likelihood of credential theft.
Microsoft has been aware of active exploitation and released patches. CISA added this vulnerability to the KEV Catalog due to its significant risk, especially in environments where users are prone to phishing attacks.
CVE-2024-6670: Progress WhatsUp Gold SQL Injection Vulnerability
Date Added: September 16, 2024
The third vulnerability, CVE-2024-6670, affects Progress Software's WhatsUp Gold network monitoring tool. This SQL injection vulnerability allows attackers to send specially crafted SQL queries to the application's database, potentially leading to the compromise of sensitive information, database manipulation, or even full administrative control of the affected system.
Progress Software has released patches to mitigate this vulnerability. Organizations using WhatsUp Gold are advised to update their systems promptly, as this type of vulnerability is a popular target for cybercriminals due to the level of access it provides.
Insights and Analysis
These three vulnerabilities pose significant risks to organizations that rely on Ivanti, Microsoft Windows, or Progress WhatsUp Gold. Active exploitation of these vulnerabilities can result in system compromise, data breaches, and severe service disruptions. The inclusion of these vulnerabilities in CISA's KEV Catalog underscores their importance and the need for immediate action.
CISA urges all organizations, not just federal agencies, to prioritize patching and remediation of these vulnerabilities. Keeping systems updated and conducting regular vulnerability assessments are essential steps in minimizing the risk of exploitation.
Failure to address these vulnerabilities could lead to widespread attacks, impacting both critical infrastructure and private sector enterprises. Immediate action is necessary to prevent potential fallout from these active exploits.
Indicators of Compromise (IOCs)
No specific Indicators of Compromise (IOCs) were provided in the source material.
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Execution | Command and Scripting Interpreter | T1059 | Exploited in CVE-2024-8190 for arbitrary OS command execution on Ivanti devices. |
| Initial Access | Phishing | T1566 | Spoofing vulnerability in CVE-2024-43461, allowing phishing attacks via MSHTML. |
| Credential Access | Input Capture | T1056.004 | Likely result of exploiting CVE-2024-43461 to capture credentials from users interacting with spoofed content. |
| Impact | Data Manipulation | T1565 | SQL injection vulnerability in CVE-2024-6670 could lead to unauthorized modification of databases. |
References:
Comments ()