
Post-Patch Tuesday Roundup: April 2024

Welcome to the Softcat Patch Tuesday roundup for April 2024, where we offer insight into the major patches released this month.


Greg Smith

Cyber Security Engineer

In this edition, we focus on the patches released by Microsoft, Fortinet, Adobe, Cisco, SAP, VMware and Ivanti, and on the XZ Utils backdoor affecting Linux distributions.

Microsoft

In its April Patch Tuesday release, Microsoft addressed 158 vulnerabilities, only 3 of which are rated Critical. Two of the fixed flaws are zero-days that were already being exploited, although Microsoft's initial advisories did not flag them as such; exploitation was reported by third-party researchers. The patches cover a broad array of products and services, including Windows, SQL Server, .NET, Office, SharePoint, Azure, Microsoft Defender for IoT, and more.

This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Security Feature Bypass. Outlined below are the two zero-days along with some of the more critical and important vulnerabilities detailed in this month’s Patch Tuesday:

Zero-Days

1. CVE-2024-26234 – Microsoft tracks this as a Proxy Driver Spoofing vulnerability affecting supported versions of Windows. Rather than a flaw in Windows code, the advisory covers a malicious driver that carried a valid Microsoft Hardware Publisher signature, reported by Sophos; the April update revokes the signature so Windows no longer trusts the binary. It is rated Important with a CVSSv3 score of 6.7: exploitation is local and requires administrative privileges, but no user interaction. Because it has been exploited in the wild, the update should be applied as soon as possible, and administrators who permit third-party kernel drivers should not treat a Microsoft signature alone as proof that a driver is benign.

2. CVE-2024-29988 – This is a Security Feature Bypass in the Microsoft Defender SmartScreen prompt: a specially crafted file can be opened without the Mark of the Web warning that would normally be shown. An attacker would deliver the file through social engineering, for example a link or attachment sent by email, instant message or social media, and the victim must open it. It carries a CVSSv3 score of 8.8 and is rated Important. Microsoft's advisory initially listed it only as "Exploitation More Likely", but Trend Micro's Zero Day Initiative, which reported the bug, observed it being used in attacks, so it should be treated as an actively exploited zero-day and patched promptly.

Critical

1. CVE-2024-21323 and CVE-2024-29053 – These are Remote Code Execution vulnerabilities in Microsoft Defender for IoT, not in a Windows component. Both are rated Critical with a CVSSv3 score of 8.8, and both require the attacker to already be authenticated to the Defender for IoT sensor's web interface; from there, a specially crafted file or update package can lead to arbitrary code execution on the appliance. Microsoft has not reported exploitation in the wild, but because these sensors sit on OT networks with broad visibility, the updates should be applied promptly.

2. CVE-2024-21322 – This is the third Critical vulnerability, also a Remote Code Execution flaw in Microsoft Defender for IoT, with a CVSSv3 score of 7.2. The lower score reflects that the attacker needs administrative privileges on the sensor before exploiting it, which makes it most useful as a post-compromise step rather than an initial entry point. It has not been reported as exploited in the wild.

Important

1. CVE-2024-28902 – This is an Information Disclosure vulnerability in Windows Remote Access Connection Manager (RasMan). An attacker who successfully exploits it could read small portions of heap memory, which is typically used to leak addresses that defeat ASLR ahead of a separate memory-corruption exploit rather than as an attack in its own right. It has a CVSSv3 score of 5.5 and requires local access. Microsoft has not reported exploitation in the wild. It is one of a large batch of RasMan fixes this month, so it is best addressed by applying the cumulative update rather than tracking it individually.

2. CVE-2024-26236 – This is an Elevation of Privilege vulnerability in the Windows Update Stack. A local attacker who can already run code on the machine could use it to gain higher privileges; the outcome is privilege escalation, not the disclosure of sensitive information. It is rated Important, and there is no indication of exploitation in the wild.

Fortinet

Fortinet has published advisories for three vulnerabilities in FortiOS and FortiProxy and urges customers to apply the available fixes before attackers can make use of them. None of the three is reported as exploited, and two require an attacker who is already privileged or authenticated, so the SSL-VPN cookie theft is the one to prioritise on internet-facing devices.

1. CVE-2023-41677 – This insufficiently protected credential vulnerability (CWE-522) exists in FortiOS and FortiProxy. Under specific and rare conditions, an attacker could exploit it by tricking an administrator who is logged in to the SSL-VPN into visiting a malicious website. As a result, the attacker may obtain the administrator's session cookie and act with that administrator's rights. The vulnerability has a CVSS score of 7.5.

2. CVE-2023-48784 – This externally-controlled format string vulnerability (CWE-134) has been identified in the FortiOS command line interface. Under specific conditions, a local attacker who already holds a super-admin profile and CLI access could exploit it to execute arbitrary code or commands by issuing specially crafted input. It has a CVSS score of 6.1; because the attacker must already be the most privileged user on the device, the practical impact is breaking out of the restricted CLI onto the underlying operating system rather than gaining initial access.

3. CVE-2024-23662 – This exposure of sensitive information to an unauthorised actor (CWE-200) has been identified in FortiOS. An unauthenticated attacker can fingerprint the device's firmware version by making HTTP requests, which mainly helps an attacker select an exploit for another, version-specific bug. It has a CVSS score of 5.0.

Adobe

Adobe has released nine security updates this month, addressing 25 vulnerabilities. The applications in question are:

Adobe After Effects – 1 Important

Adobe Photoshop – 1 Important

Adobe Commerce – 2 Critical

Adobe InDesign – 1 Important

Adobe Experience Manager – 13 Important

Adobe Media Encoder – 1 Critical

Adobe Bridge – 1 Important

Adobe Illustrator – 1 Important

Adobe Animate – 2 Critical and 2 Important

All of these updates carry Adobe's priority rating 3, meaning they affect products that have historically not been targeted by attackers, so they can be scheduled with routine maintenance rather than rushed out.

Cisco

Since last Patch Tuesday, Cisco has released 30 security advisories addressing 41 vulnerabilities, with impact ratings ranging from Medium to High. No Critical vulnerabilities have been identified. The affected products include Cisco IOS, IOS XE, IOS XR, Nexus Dashboard, and Access Point Software.

SAP

SAP has released 10 new security notes and 2 updates to previously released notes. Three of these are rated High priority. The products affected by the High-rated notes are:

· SAP NetWeaver AS Java User Management Engine

· SAP BusinessObjects Web Intelligence

· SAP Asset Accounting

VMware

VMware has released patches for three vulnerabilities affecting VMware SD-WAN Edge and SD-WAN Orchestrator.

Ivanti

CVE-2023-46805 – This is an Authentication Bypass vulnerability in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways, affecting versions 9.x and 22.x. Ivanti rates it High with a CVSS score of 8.2. On its own it lets a remote, unauthenticated attacker reach resources that should require authentication; chained with the command injection below, it gives unauthenticated remote command execution on the gateway, and that chain has been exploited in the wild since before the January disclosure. Customers should patch as soon as possible and, given the history of exploitation, run Ivanti's Integrity Checker Tool to look for signs of compromise on appliances that were exposed while unpatched.

CVE-2024-21887 – This is a command injection vulnerability in the web components of the same products, Ivanti Connect Secure and Ivanti Policy Secure, versions 9.x and 22.x. An authenticated administrator can send specially crafted requests and execute arbitrary commands on the appliance. It is rated Critical with a CVSS score of 9.1. The authentication requirement is exactly what CVE-2023-46805 removes, which is why the two are exploited together. Since this chain is known to have been exploited in the wild, users are urged to patch their systems as soon as possible.

Linux XZ Utils

CVE-2024-3094: A critical supply chain compromise has been discovered in XZ Utils, the compression library (liblzma) and command-line tool used by most Linux distributions. Versions 5.6.0 and 5.6.1 of the upstream release tarballs contain a backdoor inserted into liblzma by a maintainer account; the malicious code is not visible in the git source tree and is only assembled during the build. On distributions where OpenSSH's sshd is patched to link libsystemd, and therefore loads liblzma, the backdoor hooks the RSA public-key routine used during SSH authentication. A client that presents a specially crafted certificate carrying a payload signed with the attacker's private key can then have arbitrary commands executed by sshd before authentication completes, giving unauthenticated remote code execution. The severity of this issue is reflected in its CVSS score of 10.0. The affected versions had only reached rolling and pre-release distributions such as Fedora Rawhide, Debian testing and unstable, openSUSE Tumbleweed and Kali, so stable enterprise releases are not affected; anyone running 5.6.x should downgrade to a 5.4.x build and, if the host ran an internet-facing sshd while vulnerable, treat it as potentially compromised.

A more in-depth explanation of this vulnerability can be found here.
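As an added example (not from the Softcat post or the XZ project), the following shell script checks a Linux host for the two conditions that make CVE-2024-3094 reachable: a backdoored xz version, and an sshd that loads liblzma. The version and library checks take their input as strings so they can be exercised offline against constructed output; the tail of the script applies them to the live system. The `xz --version` output format, the `ldd` output format and the `/usr/sbin/sshd` fallback path are assumptions about a typical distribution build.

```shell
#!/bin/sh
# Added example for the CVE-2024-3094 XZ Utils backdoor; not code from the original post.
# The two check functions are pure (string in, exit status out) so they can be tested
# against constructed output without touching the host.

# Returns 0 (true) if the "xz --version" text names one of the backdoored releases,
# 5.6.0 or 5.6.1. Real output looks like "xz (XZ Utils) 5.6.1" followed by a
# "liblzma 5.6.1" line (assumed format); the first x.y.z token is taken.
xz_version_is_backdoored() {
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Returns 0 if an ldd listing of sshd shows liblzma mapped into the process.
# The backdoor only reaches sshd on builds that link libsystemd and, through it,
# liblzma; an sshd that does not load the library is not exposed over SSH.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combines both checks. Exit status: 0 = affected (backdoored xz AND sshd loads it),
# 2 = at risk (backdoored xz installed but sshd does not load it), 1 = not affected.
assess_host() {
    xz_out="$1"
    ldd_out="$2"
    if xz_version_is_backdoored "$xz_out"; then
        if sshd_links_liblzma "$ldd_out"; then
            echo "AFFECTED: backdoored xz installed and sshd loads liblzma"
            return 0
        fi
        echo "AT RISK: backdoored xz installed, but sshd does not load liblzma"
        return 2
    fi
    echo "OK: xz version is not 5.6.0 or 5.6.1"
    return 1
}

# Live check of this host. Missing tools degrade to empty output rather than errors,
# so the script also runs on machines without xz, ldd or sshd.
live_xz=$(xz --version 2>/dev/null || echo "xz not installed")
sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)   # assumed fallback path
live_ldd=$(ldd "$sshd_path" 2>/dev/null || true)
verdict_rc=0
assess_host "$live_xz" "$live_ldd" || verdict_rc=$?
```

A clean result here does not prove the host was never exposed: if a backdoored package was installed and later downgraded, the `verdict_rc` of 1 only says the current binary is safe, so package manager history should still be checked for a 5.6.x install.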

Industrial Control Systems

Any customers utilising industrial control systems (ICS) should be aware of the following security advisories regarding:

Siemens SENTRON 7KM PAC3x20

Siemens Solid Edge

Siemens SINEMA Remote Connect Server

Siemens SINEMA Remote Connect Client

Siemens RUGGEDCOM APE1808

Siemens SENTRON

Siemens SIMATIC

Siemens SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG Family

Siemens Sinteso EN Cerberus PRO EN Fire Protection Systems

Siemens Siveillance Control

Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices

Delta Electronics DIAEnergie

Softing edgeConnector

Mitsubishi Electric MELSEC-Q/L Series

Mitsubishi Electric MELSEC Series CPU module (Update C)

As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.