
Critical CVEs: IBM Aspera, Nagios XI, Couchbase, RWS, DataEase and More


This week, from February 26th to March 1st, the FireCompass research team identified a large number of high-severity CVEs, along with ransomware, botnets, and threat actors creating havoc. Some of the CVEs identified are in popular commercial products used across industries, and there is also new and well-known malware targeting industries. In this report, we list the important CVEs discovered as well as the malware, threat actors, and botnets that were most active, along with the CVEs they were using in their campaigns.

List of Critical Vulnerabilities That Were Exploited – FireCompass Research:

  • CVE-2022-43842 – IBM Aspera Console
  • CVE-2024-27132, CVE-2024-27133 – MLflow Multiple Vulnerabilities
  • CVE-2024-24401 – Nagios XI
  • CVE-2024-1403 – OpenEdge Authentication Gateway and AdminServer
  • CVE-2024-21885, CVE-2024-21886 – X.Org Server Multiple Vulnerabilities
  • CVE-2023-45873, CVE-2023-49338, CVE-2023-43769, CVE-2023-45874, CVE-2023-49930, CVE-2023-49931, CVE-2023-49932, CVE-2023-50436, CVE-2023-50437 – Couchbase Server Multiple Vulnerabilities
  • CVE-2022-34270 – RWS WorldServer
  • CVE-2023-34198, CVE-2023-41165 – Stormshield Network Security (SNS) Multiple Vulnerabilities
  • CVE-2024-23328 – DataEase

Detailed Analysis: Vulnerabilities

CVE-2022-43842 – IBM Aspera Console

ConnectWise ScreenConnect versions 23.9.7 and earlier contain a critical path-traversal vulnerability (CVE-2024-1708), exposing systems to potential remote code execution, data breaches, and critical system interference. Attackers can exploit this vulnerability through crafted user interactions. It is imperative to update to the latest version (23.9.8) promptly. Though technical details and exploits are not publicly available, the severity demands immediate action to mitigate risks. If updating is not feasible in the short term, consider alternative products. Remember, early patching is crucial to safeguard your environment.

CVE-2022-43842 - IBM Aspera Console

A total of 164 endpoints of IBM Aspera Console are exposed on Shodan.

CVE-2024-27132, CVE-2024-27133 – MLflow Multiple Vulnerabilities

CVE-2024-27132

CVE-2024-27132 is a recently discovered vulnerability in MLflow that can be exploited by attackers to execute malicious code on a victim’s machine. It arises due to insufficient sanitization of template variables, allowing attackers to inject code when running untrusted recipes, particularly in Jupyter Notebooks. This vulnerability can lead to a range of severe consequences, including compromising sensitive data, taking control of systems, and disrupting normal operations. It’s crucial to stay updated on the latest security information and apply any available patches promptly to mitigate this risk.

CVE-2024-27133

CVE-2024-27133 is a vulnerability in MLflow that can be exploited by attackers under specific circumstances. It occurs due to insufficient data sanitization, potentially allowing attackers to inject malicious scripts and run them on a client’s machine (Cross-Site Scripting, XSS) when using untrusted datasets in recipes, particularly within Jupyter Notebooks. This vulnerability can potentially lead to more severe consequences like Remote Code Execution (RCE) in specific scenarios. Applying available patches is crucial to address this risk.

A total of more than 1K endpoints of MLflow are exposed on Shodan.

CVE-2024-24401 – Nagios XI

CVE-2024-24401 is a critical vulnerability in Nagios XI version 2024R1.01. It is an SQL injection vulnerability that allows remote attackers to execute arbitrary code on the system by sending a specially crafted payload to the monitoringwizard.php component. This could allow attackers to take complete control of the affected system, potentially compromising sensitive data, deploying malware, or disrupting critical operations. Upgrading to a non-vulnerable version or applying the available patch is crucial to mitigate this risk.

CVE-2024-24401 - Nagios XI

A total of 885 endpoints of Nagios XI are exposed on Shodan.

CVE-2024-1403 – OpenEdge Authentication Gateway and AdminServer

CVE-2024-1403 is a vulnerability in Progress OpenEdge Authentication Gateway and AdminServer versions before 11.7.19, 12.2.14, and 12.8.1. It allows attackers to bypass authentication altogether due to improper handling of usernames and passwords. By providing unexpected data within the credentials, attackers can gain unauthorized access to the system without needing valid login information. This vulnerability poses a significant risk, as it grants attackers complete access to the system’s functionalities and potentially sensitive data. Upgrading to patched versions (11.7.19, 12.2.14, or 12.8.1) is essential to address this vulnerability.

CVE-2024-1403 - OpenEdge Authentication Gateway and AdminServer

A total of 680 endpoints of OpenEdge are exposed on Shodan.

CVE-2024-21885, CVE-2024-21886 – X.Org Server Multiple Vulnerabilities

CVE-2024-21885

CVE-2024-21885 is a vulnerability in the X.Org server that could potentially allow remote attackers to execute malicious code or crash applications under specific circumstances. It exists due to a flaw in the XISendDeviceHierarchyEvent function, where exceeding the allocated memory space when adding new device IDs can lead to a heap buffer overflow. While the full extent of this vulnerability is still being analyzed, it’s crucial to stay updated on the latest information and apply any recommended patches from vendors to mitigate potential risks.

CVE-2024-21886

CVE-2024-21886, a recently discovered vulnerability in the X.Org server’s DisableDevice function, could potentially allow attackers to crash applications or, in rare cases involving SSH X11 forwarding, execute malicious code. While details are still emerging, applying security patches when available and monitoring official channels for updates are crucial to stay informed and mitigate risks.

CVE-2024-21885, CVE-2024-21886 - X.Org server Multiple Vulnerability

A total of 91 endpoints of X.Org Server are exposed on Shodan.

CVE-2023-45873, CVE-2023-49338, CVE-2023-43769, CVE-2023-45874, CVE-2023-49930, CVE-2023-49931, CVE-2023-49932, CVE-2023-50436, CVE-2023-50437 – Couchbase Server Multiple Vulnerabilities

CVE-2023-45873

CVE-2023-45873 affects Couchbase Server versions up to 7.2.2. It allows an attacker to crash the application (denial-of-service) by manipulating data in a way that overwhelms the system’s resources. This vulnerability, classified as “Medium” severity, arises from an issue in how the server handles data reading, potentially leading to the operating system’s resource manager (OOM killer) terminating the application to free up memory. Upgrading to a non-vulnerable version is recommended to address this risk.

CVE-2023-49338

CVE-2023-49338 is a critical vulnerability in Couchbase Server versions 7.1.x and 7.2.x before 7.2.4. It allows anyone to access sensitive information on the server without needing any authentication. This is because the server grants unauthorized access to specific endpoints on a local port, exposing details like system statistics and cluster health information. Upgrading to version 7.2.4 or later is crucial to address this vulnerability and protect sensitive data.

CVE-2023-43769

CVE-2023-43769 is a critical vulnerability in Couchbase Server versions up to 7.1.4 and before 7.2.1. It allows attackers to gain unauthorized access to the server’s RMI service (a remote procedure invocation service) due to exposed ports in the Analytics section. This could potentially give attackers the ability to execute arbitrary code on the server, leading to compromising sensitive information, disrupting operations, or taking control of the system. Upgrading to versions 7.1.5 or 7.2.1 is essential to address this vulnerability.

CVE-2023-45874

CVE-2023-45874 is a vulnerability in Couchbase Server versions up to 7.2.2. It can be exploited by attackers to trigger a denial-of-service (DoS) attack, causing the server to crash and become unavailable. This vulnerability arises from improper handling of data reading requests, leading to resource exhaustion and potential system crashes. Upgrading to Couchbase Server version 7.2.3 or later is crucial to address this vulnerability and ensure server stability.

CVE-2023-49930

CVE-2023-49930 is a critical vulnerability in Couchbase Server versions up to 7.2.3. It allows attackers to gain unauthorized access to the server due to insufficient restrictions on a functionality called /diag/eval. This vulnerability could potentially allow attackers to execute malicious code on the server, compromise sensitive data, disrupt operations, or even take complete control of the system. Upgrading to Couchbase Server version 7.2.4 or later is essential to address this vulnerability.

CVE-2023-49931

CVE-2023-49931 is a critical vulnerability in Couchbase Server versions up to 7.2.3. It arises from flaws in how the server handles user roles, specifically within the SQL++ cURL calls to /diag/eval. This vulnerability allows attackers to bypass authentication and gain unauthorized access to the cluster’s management interface, potentially enabling them to view sensitive information, modify configurations, or even take complete control of the cluster. Upgrading to Couchbase Server version 7.2.4 or later is essential to address this vulnerability and protect your system.

CVE-2023-49932

CVE-2023-49932 is a critical vulnerability in Couchbase Server versions up to 7.2.3. It allows attackers to bypass authentication and gain unauthorized access to the server by exploiting weaknesses in how the server handles authorization checks for specific functionalities within the SQL++ N1QL cURL interface. This vulnerability could potentially grant attackers access to view sensitive information, modify configurations, or even take complete control of the Couchbase Server cluster. Upgrading to Couchbase Server version 7.2.4 or later is critical to address this vulnerability and safeguard your system.

CVE-2023-50436

CVE-2023-50436 is a critical vulnerability in Couchbase Server versions up to 7.2.3. It allows attackers to steal encoded administrative credentials for the server by reading them from the server’s diagnostic log file (“diag.log”). Although the credentials are encoded, attackers with sufficient knowledge could potentially decode them and gain unauthorized access to the server. Upgrading to Couchbase Server version 7.2.4 or later is essential to address this vulnerability and protect sensitive administrative credentials.

CVE-2023-50437

CVE-2023-50437 is a critical vulnerability in Couchbase Server versions up to 7.2.3. It exposes sensitive information, specifically the otpCookie with full admin privileges, on two endpoints: /pools/default/serverGroups and /engageCluster2. This vulnerability arises from the server revealing this information even without proper authorization. Attackers exploiting this vulnerability could potentially gain unauthorized access to view sensitive data, modify configurations, or even take complete control of the Couchbase Server cluster. Upgrading to Couchbase Server version 7.2.4 or later is essential to address this vulnerability and protect sensitive information.

CVE-2023-45873, CVE-2023-49338, CVE-2023-43769, CVE-2023-45874, CVE-2023-49930, CVE-2023-49931, CVE-2023-49932, CVE-2023-50436, CVE-2023-50437 - Couchbase Server Multiple Vulnerability

A total of 91 endpoints of Couchbase Server are exposed on Shodan.
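Nine Couchbase Server CVEs with overlapping version ranges make patch triage error-prone. The helper below (added here; not code from the original post or from Couchbase) transcribes the affected-version statements from the paragraphs above into ranges and reports which CVEs still apply to a given build. It assumes plain dotted numeric versions, ignores any build suffix after a hyphen, and treats "up to X" as inclusive and "before Y" as exclusive, exactly as worded above.

```python
"""Triage which of the Couchbase Server CVEs listed above apply to a given build."""
from typing import Optional

Version = tuple[int, ...]

def parse_version(s: str) -> Version:
    """'7.2.3' -> (7, 2, 3). A build suffix such as '7.2.3-1234' is dropped (assumption)."""
    core = s.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

# Affected ranges per CVE as [lo, hi): lo None = every version below hi.
# Bounds are transcribed from the version statements in the section above.
AFFECTED: dict[str, list[tuple[Optional[str], str]]] = {
    "CVE-2023-45873": [(None, "7.2.3")],                       # up to 7.2.2
    "CVE-2023-45874": [(None, "7.2.3")],                       # up to 7.2.2, fixed 7.2.3
    "CVE-2023-49338": [("7.1.0", "7.2.4")],                    # 7.1.x and 7.2.x before 7.2.4
    "CVE-2023-43769": [(None, "7.1.5"), ("7.2.0", "7.2.1")],   # up to 7.1.4 / before 7.2.1
    "CVE-2023-49930": [(None, "7.2.4")],                       # up to 7.2.3
    "CVE-2023-49931": [(None, "7.2.4")],
    "CVE-2023-49932": [(None, "7.2.4")],
    "CVE-2023-50436": [(None, "7.2.4")],
    "CVE-2023-50437": [(None, "7.2.4")],
}

def in_range(v: Version, lo: Optional[str], hi: str) -> bool:
    """True when lo <= v < hi (lo omitted means no lower bound)."""
    if lo is not None and v < parse_version(lo):
        return False
    return v < parse_version(hi)

def affecting_cves(version: str) -> list[str]:
    """Sorted list of CVE ids from the section above that apply to this version."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(v, lo, hi) for lo, hi in ranges))

def triage_inventory(lines: list[str]) -> dict[str, list[str]]:
    """Map 'host version' inventory lines (constructed format) to their open CVEs."""
    result = {}
    for line in lines:
        host, version = line.split()
        result[host] = affecting_cves(version)
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, cves in triage_inventory(["cb-01 7.2.4", "cb-02 7.2.2", "cb-03 7.1.4"]).items():
        print(host, "clean" if not cves else ", ".join(cves))
```

Any build at 7.2.4 or later comes back clean, matching the upgrade guidance given for every CVE in this section.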

CVE-2022-34270 – RWS WorldServer

CVE-2022-34270 is a critical vulnerability in RWS WorldServer versions before 11.7.3. It allows regular users to create new users with administrative privileges, potentially granting them unauthorized access and full control over the server. This could enable attackers to steal sensitive data, deploy malware, or disrupt critical operations. Upgrading to a non-vulnerable version (11.7.3 or later) is essential to address this vulnerability.

A total of 143 endpoints of RWS WorldServer are exposed on Shodan.

CVE-2023-34198, CVE-2023-41165 – Stormshield Network Security (SNS) Multiple Vulnerabilities

CVE-2023-34198

CVE-2023-34198 is a vulnerability in Stormshield Network Security products that affects devices configured in DHCP client mode. If the interface configured in this mode is disabled, the network object IPs associated with that interface are inadvertently changed to “any” within the filter rules. This means the filter rules would no longer function as intended, potentially allowing unauthorized traffic to pass through the firewall. While not classified as critical, it’s important to address this vulnerability to maintain the intended security posture of your network. Upgrading to the latest firmware or applying the available patch is recommended to address this vulnerability.

CVE-2023-41165

CVE-2023-41165 is a vulnerability in Stormshield Network Security products that allows attackers to bypass authentication and gain unauthorized access to the management interface. This vulnerability arises due to an issue with how the web interface handles certain HTTP requests. An attacker could potentially exploit this vulnerability to take complete control of the affected device, allowing them to modify configurations, steal sensitive data, or disrupt critical operations. Upgrading to the latest firmware or applying the available patch is crucial to address this vulnerability.

A total of more than 22K endpoints of SNS are exposed on Shodan.

CVE-2024-23328 – DataEase

CVE-2024-23328 is a critical vulnerability in DataEase, an open-source data visualization and analysis tool. It exists due to a deserialization flaw in the DataEase data source, allowing attackers to potentially execute arbitrary code on the system. This vulnerability can be exploited by sending a specially crafted payload to the server, enabling attackers to gain unauthorized access, steal sensitive information, disrupt operations, or even take complete control of the system. Upgrading to DataEase versions 1.18.15 or 2.3.0 is essential to address this vulnerability.

CVE-2024-23328 - DataEase

A total of 894 endpoints of DataEase are exposed on Shodan.

Blog By

Author: Debdipta Halder

Assisted By: Soumyanil Biswas, Faran Siddiqui, Anirban Bain

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed by conventional tools.

Feel free to get in touch with us to get a better view of your attack surface.
