vFeed Newsletter December 2024

Welcome to vFeed December cybersecurity and vulnerability newsletter!

December has been nothing short of surprises in the cybersecurity and threat landscape. From WordPress plugins to the Cleo JavaScript injection flaw, to AWS Client VPN and Envoy network proxy vulnerabilities, the threat landscape has kept security professionals busier than ever. The Black Hat Europe conference in London served as a stark reminder of the ever-evolving threats facing security professionals.

As we navigate through the December newsletter, we delve deeper into critical vulnerability trends, the Curiosity Questionnaire of the Month, and some of the zero-day exploit trends. We discuss several Envoy network proxy vulnerabilities and introduce the MITRE™ D3FEND framework. We close by summarizing a Black Hat Europe (London) presentation on flaws in the CVSS scoring system that caught our attention this month.

The Zetafence team is working hard on integrating vFeed IO operations into our overall security posture management capabilities, with a focus on enriching threat intelligence, improving the performance and reliability of our feed correlation engines, and strengthening our ability to proactively identify and mitigate emerging threats. We are dedicated to ensuring the highest levels of data integrity and system stability, while providing timely and actionable alerts to keep our customers informed and protected.

CVE-2024-50623
  Description: In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom before 5.8.0.20, there is a JavaScript Injection vulnerability: unrestricted file upload and download could lead to remote code execution.
  CVSS 3 Base: 8.8
  Date Published: 2024-10-28
  Weakness: CWE-434 Unrestricted Upload of File with Dangerous Type
  Versions Affected: Cleo Harmony up to (excluding) 5.8.0.21
  References: https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory

CVE-2024-10905
  Description: IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p2, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p5, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p8, and all prior versions allow HTTP/HTTPS access to static content in the IdentityIQ application directory that should be protected.
  CVSS 3 Base: 10.0
  Date Published: 2024-12-02
  Weakness: CWE-66 Improper Handling of File Names that Identify Virtual Resources
  Versions Affected: 8.2 patch levels prior to 8.2p8
  References: https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905

CVE-2024-10095
  Description: In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible through an insecure deserialization vulnerability.
  CVSS 3 Base: 9.8
  Date Published: 2024-12-16
  Weakness: CWE-502 Deserialization of Untrusted Data
  Versions Affected: up to (excluding) 24.4.1213
  References: https://docs.telerik.com/devtools/wpf/knowledge-base/kb-security-unsafe-deserialization-vulnerability-cve-2024-10095

CVE-2024-11986
  Description: Improper input handling in the Host header allows an unauthenticated attacker to store a payload in web application logs. When an administrator views the logs using the application's standard functionality, the payload executes, resulting in stored XSS.
  CVSS 3 Base: 9.6
  Date Published: 2024-12-13
  Weakness: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Versions Affected: N/A
  References: https://crushftp.com/crush11wiki/Wiki.jsp?page=Update

CVE-2024-10205
  Description: Authentication bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64-bit (Hitachi Ops Center Analyzer detail view component) and Hitachi Infrastructure Analytics Advisor on Linux, 64-bit (Hitachi Data Center Analytics component).
  CVSS 3 Base: 9.4
  Date Published: 2024-12-17
  Weakness: CWE-306 Missing Authentication for Critical Function
  Versions Affected: Hitachi Infrastructure Analytics Advisor: from 2.1.0-00 through 4.4.0-00
  References: https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-151/index.html

CVE-2024-49147
  Description: Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website's web server.
  CVSS 3 Base: 9.3
  Date Published: 2024-12-12
  Weakness: CWE-502 Deserialization of Untrusted Data
  Versions Affected: Microsoft Update Catalog
  References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49147

CVE-2024-0130
  Description: NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface.
  CVSS 3 Base: 8.8
  Date Published: 2024-12-06
  Weakness: CWE-287 Improper Authentication
  Versions Affected: UFM 6.15.x, 6.16.x, 6.17.x
  References: https://nvidia.custhelp.com/app/answers/detail/a_id/5584

CVE-2024-11274
  Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2: injection of NEL headers in the k8s proxy response could lead to session data exfiltration.
  CVSS 3 Base: 8.7
  Date Published: 2024-12-12
  Weakness: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
  Versions Affected: GitLab starting from 17.5 prior to 17.5.4
  References: https://gitlab.com/gitlab-org/gitlab/-/issues/504707

The first histogram under each platform shows the High count, and the second the Medium count.

We got asked a number of curious questions during the month, and thought we should share those insights here.

What are some ways to automate vulnerability management in your environment today?

Here are some ways you can automate vulnerability management in your organization.

  • Utilize large vulnerability database feeds such as vFeed to monitor for active exploitation trends.
  • Narrow down to priority vulnerabilities based on CVSS3 and EPSS scores.
  • Identify critically important assets using tooling, and focus remediation efforts on the high-impact vulnerabilities affecting them.
  • Utilize graph-based analysis techniques to assess the risk associated with vulnerabilities in attack paths.
  • Put MITRE™ CAPEC attack patterns to good use for understanding exploitation.
  • Implement workflow triggers that flag vulnerabilities in your environment via cloud-native services such as AWS SMS.
  • Use CI/CD workflows, and integrate scanning tools with Jira or ServiceNow to automatically create and track remediation tickets.

How can SOCs put a vulnerability dashboard into effective use?

Prioritization by Risk: Displaying critical vulnerabilities sorted by severity (CVSS/EPSS scores) and correlated to assets allows SOCs to focus on the highest risks.

Context-Aware Decision Making: SOC can enrich vulnerability data with context, such as which assets are public-facing, business-critical, or part of production. Threat intel data can provide potential exploitation paths involving vulnerabilities, helping SOCs assess overall impact.

Active Exploitation Monitoring: SOC can integrate vulnerability threat feeds to understand vulnerabilities actively exploited in the wild, as reported by sources like CISA KEV or MITRE ATT&CK.

Proactive Threat Hunting: SOC can use custom dashboard views for vulnerabilities based on types (e.g. cross-site), CPEs (e.g. wordpress), environments (e.g. Windows), or affected systems (e.g., outdated Apache servers).

How can I use vulnerability & threat intel feeds to do effective ITAM & SBOM vulnerability analysis?

Security teams and SOCs should integrate vulnerability and threat intelligence feeds into IT Asset Management (ITAM) and Software Bill of Materials (SBOM) automation and analysis. This can significantly enhance an organization's ability to manage risk and improve its security posture in the following ways.

  • Establish threat context by mapping asset inventory metadata (OS version, software version, IP addresses) to vulnerability feeds such as NVD, CISA KEV, and EPSS, identifying which assets are exposed to specific vulnerabilities.
  • Analyze dependency risk by checking the direct and transitive dependencies recorded for each asset (packages, libraries, etc.) against the vulnerability data.
  • Automate the patch management process by mapping SBOM data to CVE feeds using scripts or APIs, scanning for vulnerabilities in the CI/CD pipeline before deployment, and using Puppet/Ansible for large-scale patch rollout.
  • Proactively anticipate attack tactics targeting weak points such as unpatched vulnerabilities, misconfigured systems, and spear-phishing emails (source: CISA, A Day in the Life of a Threat Hunter).
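The mapping and prioritization steps described in the two answers above (asset or SBOM inventory against a vulnerability feed, ranked by CVSS, EPSS, KEV status and asset exposure) can be put together in a few dozen lines. This is an added example, not vFeed's own code or API: the CVEs and version bounds are taken from the table earlier in this newsletter, while the EPSS values, KEV flags, inventory records and risk weights are constructed for illustration.

```python
# Added example, not vFeed's own code: match an asset/SBOM inventory against a
# vulnerability feed by product and version range and rank the findings. CVEs and
# version bounds come from the newsletter's table; EPSS, KEV, inventory and weights are constructed.

def parse_version(v):
    """'5.8.0.20' -> (5, 8, 0, 20) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, start, end):
    """True if start <= version < end; start=None means 'up to (excluding) end'."""
    ver = parse_version(version)
    if start is not None and ver < parse_version(start):
        return False
    return ver < parse_version(end)

FEED = [  # constructed feed records (EPSS/KEV illustrative, not real scores)
    {"cve": "CVE-2024-50623", "product": "cleo:harmony", "start": None,
     "end": "5.8.0.21", "cvss": 8.8, "epss": 0.90, "kev": True},
    {"cve": "CVE-2024-10095", "product": "progress:telerik_ui_for_wpf", "start": None,
     "end": "24.4.1213", "cvss": 9.8, "epss": 0.05, "kev": False},
    {"cve": "CVE-2024-11274", "product": "gitlab:gitlab", "start": "17.5.0",
     "end": "17.5.4", "cvss": 8.7, "epss": 0.10, "kev": False},
]

INVENTORY = [  # constructed asset records, as an ITAM/SBOM export might provide them
    {"asset": "mft-gw-01", "product": "cleo:harmony", "version": "5.8.0.20", "exposure": "internet"},
    {"asset": "build-wpf-07", "product": "progress:telerik_ui_for_wpf", "version": "24.4.1213", "exposure": "internal"},
    {"asset": "git-01", "product": "gitlab:gitlab", "version": "17.5.2", "exposure": "internal"},
    {"asset": "git-02", "product": "gitlab:gitlab", "version": "17.4.9", "exposure": "internet"},
]
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}  # constructed context weights

def risk_score(rec, asset):
    """CVSS scaled by EPSS and exposure, plus a flat bump for CISA KEV entries."""
    score = rec["cvss"] * (1 + rec["epss"]) * EXPOSURE_WEIGHT[asset["exposure"]]
    return round(score + (3.0 if rec["kev"] else 0.0), 2)

def prioritize(inventory, feed):
    """Return (asset, cve, score) for affected assets only, highest risk first."""
    findings = []
    for asset in inventory:
        for rec in feed:
            if rec["product"] == asset["product"] and is_affected(
                    asset["version"], rec["start"], rec["end"]):
                findings.append((asset["asset"], rec["cve"], risk_score(rec, asset)))
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for asset, cve, score in prioritize(INVENTORY, FEED):
        print(f"{score:6.2f}  {asset:14}  {cve}")
```

Note that the Telerik host on exactly 24.4.1213 and the GitLab host on 17.4.9 drop out, because the version comparison is numeric rather than a string prefix match; the remaining findings are what would be handed to a Jira or ServiceNow ticketing integration.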

Give me concrete examples of “context” going from environment to risk analysis.

Exploitability Based on Configuration: A VM or database instance with a specific open, unpatched vulnerability could allow privilege escalation. This could lead to full server compromise, access by untrusted users, leaked data, and compromised access keys.

Inventory/Asset Criticality: A public IP/port or public-facing web service hosting custom plugins could have an XSS vulnerability that, when exploited, could lead to remote code execution (RCE) and data breaches. Immediate patching may be necessary, but this would not be uncovered without proper risk analysis or asset inventory discovery.

Attack Path Context: An internal application or a public-facing web plugin could potentially allow privilege escalation attacks. Graph-based attack path analysis, when used correctly, shows how attackers systematically target systems from initial access to exfiltration, by tracing exploitation paths and studying lateral movement.

A short list of pen-testing tools to use with vFeed threat intel feeds.

Here are some penetration testing tools that can be used with a vulnerability and threat intel feed database such as vFeed Intel.

  • Metasploit Framework: map CVEs to Metasploit modules, enabling targeted testing based on CVE and exploit data.
  • Nikto: map known vulnerabilities to Nikto web server scan results to enhance web server analysis.
  • Exploit-DB: use vFeed to directly map CVEs to Exploit-DB entries, providing exploit references for vulnerabilities detected in your environment.
  • OWASP ZAP: align ZAP web application testing results with the feed data to enhance insights into detected vulnerabilities and identify related threat vectors.

Windows Vulnerabilities

CVE-2024-49138 Windows Common Log File System Driver Elevation of Privilege Vulnerability, identified by the CrowdStrike Advanced Research Team.

Android Vulnerability

CVE-2024-36971 Google Android memory corruption: a use-after-free in the Linux kernel. This flaw allowed remote code execution and was under limited, targeted exploitation. Google's August patch addressed a total of 47 flaws.

Browser Vulnerabilities

  • CVE-2024-0519 Google Chrome memory corruption in Chrome's V8 JavaScript engine, actively exploited in the wild.
  • CVE-2024-38178 Microsoft Scripting Engine memory corruption vulnerability in Microsoft Edge's Internet Explorer Mode, causing a remote code execution flaw.
  • CVE-2024-4947 Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-7971 Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  • CVE-2024-9680 An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

Talking of 0-days, Netflix is premiering “Zero Day”, an American political thriller television series on a deadly cyberattack with a vast web of lies and conspiracies. Premieres February 20, 2025. Source: https://www.netflix.com/title/81598435

CVE-2024-7207

A flaw was found in Envoy. It is possible to modify or manipulate headers from external clients when pass-through routes are used for the ingress gateway. This issue could allow a malicious user to forge what is logged by Envoy as a requested path and cause the Envoy proxy to make requests to internal-only services or arbitrary external systems. This is a regression of the fix for CVE-2023-27487. CVSS3 base 9.8, Impact 5.9, Network Attack Vector.

https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf

CVE-2024-53270

Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result, the envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold. CVSS3 base 7.5, Impact 3.6, Network Attack Vector.

https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3

CVE-2024-53271

Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions Envoy does not properly handle http 1.1 non-101 1xx responses. This can lead to downstream failures in networked devices. This issue has been addressed in versions 1.31.5 and 1.32.3. Users are advised to upgrade. There are no known workarounds for this issue. CVSS3 base 7.1, Impact 4.2, Network Attack Vector.

https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f

MITRE™ D3FEND 1.0 General Availability was announced by the security architects at MITRE this month. More details can be found at: https://d3fend.mitre.org/blog/d3fend-1.0/

MITRE™ D3FEND is a knowledge graph and knowledge base of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality. The most immediate D3FEND audience is security systems architecture experts and technical executives making acquisition or investment decisions in order to understand how cyber defenses work in granular detail (source: D3FEND FAQ).

MITRE™ D3FEND 1.0 GA specifically provides useful ontology and user interface updates in version 1.0.0. MITRE's intention was to create a stable, extensible, and integration-friendly version of D3FEND.

Black Hat London 2024

One of the presentations at Black Hat London 2024 on CVSS vulnerability severity caught our attention: "The CVSS Deception: How We've Been Misled on Vulnerability Severity", by the cybersecurity team at JP Morgan Chase & Co, which discussed the vulnerability lifecycle and the CVSS scoring system used for severity assessment.

Summary of their main concerns:

  1. Aggregation Pitfalls: Inability to express Vulnerability Severity using aggregation of CIA Metrics
  2. CVSS Score Alignment Issues: Scoring Discrepancy (rounding errors), Input Vector Impact, Framework Inconsistency
  3. Missing Dependency Considerations: Network and Access Controls, Configuration and Dependencies, User Privileges
  4. Exploit Code Maturity Overhead: Fragmented Information Sources, Lack of Comprehensive Data, Rapid and Dynamic Evolution, Extensive Data Parsing Requirements
  5. Disconnect in APT & Exploitability: APTs often evade traditional security measures and exploit known vulnerabilities
  6. Overlooked Privacy Aspect: Privacy not explicitly included in CVSS scoring

More details of the presentation can be viewed at:

https://www.blackhat.com/eu-24/briefings/schedule/#the-cvss-deception-how-weve-been-misled-on-vulnerability-severity-42509

Click here to schedule your demo with vFeed Threat Intel today!