Exposures, Exposed! Weekly Round-up April 8 – April 14

In the realm of 'Exposures, Exposed!'

Shadows dance and fears implode,

As we weekly voyage through cyber lore,

Uncovering vulnerabilities galore.

Within this cryptic cyber domain,

Our experts delve, not for fame or gain,

Their vigilance, a relentless quest,

To reveal the secrets that manifest.

Here's what we’ve got for you this week:

Microsoft Addresses Record 149 Flaws, Patches Actively Exploited Vulnerabilities

Microsoft released security updates for April 2024 addressing a record 149 vulnerabilities, including two actively exploited in the wild. These flaws impact various Microsoft products, including Windows, Microsoft Defender SmartScreen, and Microsoft Azure Kubernetes Service.

Three of the addressed vulnerabilities are classified as "critical," with the remaining ranging from "important" to "low" severity. One critical flaw (CVE-2024-26234) resides in the Windows Proxy Driver and could allow attackers to intercept network traffic on vulnerable systems. This vulnerability was exploited through a malicious file disguised as a legitimate authentication service.

Another critical flaw (CVE-2024-29988) lets attackers bypass Microsoft Defender SmartScreen protections when opening malicious files. Attackers could leverage this flaw in phishing emails or instant message attacks.

A high-severity vulnerability (CVE-2024-29990) impacting Microsoft Azure Kubernetes Service Confidential Container could allow attackers to escalate privileges and potentially steal credentials.

The update also addresses numerous remote code execution vulnerabilities, privilege escalation vulnerabilities, and security bypass vulnerabilities. Notably, 24 of the security bypass flaws are related to the Windows Secure Boot feature.

The Takeaway: Microsoft users, particularly those using Windows, Microsoft Defender SmartScreen, and Microsoft Azure Kubernetes Service, should install the April 2024 security updates to address these critical and high-severity vulnerabilities.

Fortinet Discloses Critical Vulnerabilities in FortiOS, FortiProxy, and FortiClient Products

Fortinet, a cybersecurity vendor, disclosed new vulnerabilities this week that affect several of its products, including FortiOS, FortiProxy, FortiClient Linux, and FortiClientMac. One of the vulnerabilities is classified as "critical" and could allow attackers to remotely take control of affected systems.

The critical vulnerability impacts FortiClient Linux and can be exploited through a specially crafted website that tricks a user into visiting it. This flaw could allow an attacker to run any code they choose on the victim's machine. Fortinet has assigned this vulnerability a severity score of 9.4 out of 10. 

The remaining vulnerabilities are rated as "high" severity. One of these vulnerabilities affects both FortiOS and FortiProxy and could allow attackers to steal administrator credentials under specific circumstances. Another high-severity vulnerability resides in FortiClientMac and is related to improper validation of configuration files.

Fortinet has released patches to address all of these vulnerabilities and has advised customers to update their systems as soon as possible. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning about these vulnerabilities.

The Takeaway: Fortinet users should patch their systems immediately to address these critical and high-severity vulnerabilities.

LG Patches Vulnerabilities in WebOS TVs That Could Grant Hacker Access

LG released software updates in March to address security vulnerabilities in its WebOS smart TV platform. These vulnerabilities could allow hackers to gain unauthorized access to LG TVs and potentially compromise other devices on a user's home network.

The flaws, discovered by researchers at Bitdefender, impacted LG WebOS versions 4 through 7. Three of the vulnerabilities received a severity rating of 9.1 out of 10.

One vulnerability (CVE-2023-6317) allowed attackers to bypass the PIN verification process for the LG ThinkQ smartphone app, which can be used to control the TV. This would enable attackers to create a privileged user profile on the TV.

Two other vulnerabilities (CVE-2023-6319 and CVE-2023-6320) could allow attackers to install malware on the TV, monitor network traffic, or move laterally within a smart home network.

The Takeaway: LG TV owners should ensure their devices are updated to the latest software version to address these security vulnerabilities.

Critical Rust Flaw Enables Windows Batch File Attacks

A critical vulnerability (CVE-2024-24576) in the Rust standard library could allow attackers to target Windows users through malicious batch files. This flaw, which only affects scenarios where untrusted arguments are used with batch files, carries a maximum severity score of 10.0.

The issue stems from the Rust standard library's improper handling of arguments when invoking batch files with the ".bat" and ".cmd" extensions on Windows. This weakness could allow attackers to bypass escaping mechanisms and execute arbitrary commands.

While all Rust versions prior to 1.77.2 are affected, the flaw (codenamed BatBadBut) is not exclusive to Rust.  It can potentially impact other programming languages that rely on similar mechanisms for handling command execution in Windows.

The Takeaway: Rust developers, and developers using other potentially vulnerable languages, should exercise caution when executing commands on Windows, especially when dealing with untrusted arguments. Consider updating to the latest Rust version (1.77.2 or later) and following security best practices for command execution.

SAP Patches Critical Password Flaw, Other Vulnerabilities

Enterprise software company SAP released security updates on Tuesday addressing several vulnerabilities, including a critical flaw in SAP NetWeaver AS Java.

The most severe vulnerability (CVE-2024-27899) resides in the User Management Engine (UME) and allows attackers to potentially gain access to user accounts due to insufficient password requirements for two optional features. These features are disabled by default, but SAP recommends patching regardless of their activation.

Other high-severity vulnerabilities addressed include an information disclosure flaw in BusinessObjects Web Intelligence and a directory traversal bug in Asset Accounting. The remaining updates address medium-severity issues across various SAP products.

The Takeaway: SAP customers should prioritize applying these security updates as soon as possible to address critical and high-severity vulnerabilities.

Siemens, Schneider Electric Address ICS Vulnerabilities in April Patch Tuesday

Industrial control system (ICS) giants Siemens and Schneider Electric released security updates on Patch Tuesday addressing vulnerabilities in their products.

Siemens identified and patched roughly 80 vulnerabilities, including critical flaws in access points and its Ruggedcom platform. Notably, some of these vulnerabilities are related to third-party components used in Siemens products.

Schneider Electric addressed a single high-severity vulnerability in its Easergy Studio product that could allow attackers to escalate privileges.

The Takeaway: Industrial control system operators should prioritize applying these security updates from Siemens and Schneider Electric to address critical and high-severity vulnerabilities in their ICS environments.

That’s all for this week – have any exposures to add to our list? Let us know!