Critical vulnerability in PuTTY allows recovery of private SSH keys
A critical vulnerability (CVE-2024-31497) has been identified in PuTTY versions 0.68 through 0.80 that could allow attackers to recover private keys used for SSH authentication. This vulnerability specifically affects NIST P-521 (ecdsa-sha2-nistp521) keys.
If an attacker gains access to a certain number of signed messages created with this key, they could potentially recover the key itself. Recovering a private key allows attackers to impersonate the legitimate user and gain unauthorized access to SSH servers or even forge signatures, like signing GitHub commits as a developer.
Software that uses PuTTY components is also at risk, namely:
● FileZilla v3.24.1 - v3.66.5
● TortoiseGit v2.4.0.2 - v2.15.0
● TortoiseSVN v1.10.0 - v1.14.6
● WinSCP v5.9.5 - v6.3.2
Remediation and Prevention
● Update PuTTY to version 0.81 or later. This version addresses the vulnerability by switching to a more secure method for generating nonces.
● Update FileZilla to v3.67.0, WinSCP to v6.3.3, TortoiseGit to v2.15.0.1. TortoiseSVN needs to be configured to use PuTTY v0.81.
● Revoke NIST P-521 keys by removing them from ~/.ssh/authorized_keys files and their equivalents in other SSH servers.
Learn more: https://seclists.org/oss-sec/2024/q2/122
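As an added example (not code from the advisory or the PuTTY project), the revocation step above in script form: find every ecdsa-sha2-nistp521 entry in an authorized_keys file, checking both the declared key type and the type embedded in the base64 blob so a mislabelled entry is not missed, and produce a copy with those entries removed. The sample file contents are constructed (zero-filled key material), and option fields containing quoted spaces are not handled.

```python
from __future__ import annotations
import base64
import struct

P521 = "ecdsa-sha2-nistp521"

def make_blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 SSH public-key blob (length-prefixed strings)."""
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *fields))).decode()

# Constructed sample authorized_keys content; key material is zero filler, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-ed25519 " + make_blob("ssh-ed25519", b"\x00" * 32) + " alice@laptop",
    'command="/usr/bin/backup",no-pty ' + P521 + " "
    + make_blob(P521, b"nistp521", b"\x04" + b"\x00" * 132) + " backup@host",
    "ecdsa-sha2-nistp256 " + make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x00" * 64) + " bob",
    "",
])

def blob_key_type(b64: str) -> str | None:
    """Read the key-type string that starts every SSH public-key blob."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw[4:4 + struct.unpack(">I", raw[:4])[0]].decode("ascii")
    except (ValueError, struct.error):
        return None

def parse_line(line: str) -> tuple[str, str, str] | None:
    """Return (declared_type, blob, comment); options with quoted spaces are not handled."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        # every blob starts with a 4-byte length prefix, so its base64 begins "AAAA"
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and tokens[i + 1].startswith("AAAA"):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None

def find_p521_keys(text: str) -> list[tuple[int, str]]:
    """List (line_number, comment) for each P-521 entry, checking declared and embedded type."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = None if line.lstrip().startswith("#") else parse_line(line)
        if parsed and (parsed[0] == P521 or blob_key_type(parsed[1]) == P521):
            hits.append((lineno, parsed[2]))
    return hits

def strip_p521_keys(text: str) -> str:
    """Return the file contents with every P-521 entry removed (the revoke step)."""
    bad = {n for n, _ in find_p521_keys(text)}
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1) if n not in bad) + "\n"
```

Run it against a real file with `find_p521_keys(open(path).read())` before writing anything back, and replace the P-521 entries with keys of another type rather than just deleting access.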
Critical Vulnerability in Palo Alto Networks Pan-OS: Urgent Update Required
A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability assigned CVE-2024-3400 has a CVSS score of 10.0.
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both).
Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.
Recommendations:
As of April 17, 2024, this issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later PAN-OS versions. Palo Alto Networks strongly advises customers to immediately upgrade to a fixed version of PAN-OS to protect their devices. Hotfixes for other commonly deployed maintenance releases will also be made available.
Palo Alto Networks recommends using the Vulnerability Protection profile with Applications and Threats version 8835-8689 and higher on the interface with GlobalProtect. This configuration will block attempts to exploit this vulnerability (Threat IDs 95187 and 95189).
As a best practice, Palo Alto Networks recommends that you thoroughly scan your network for any abnormal network activity.
Learn more: https://security.paloaltonetworks.com/CVE-2024-3400 https://unit42.paloaltonetworks.com/cve-2024-3400/
CVE-2024-3094: Backdoor in XZ Utils Explained
On March 29, 2024, CISA reported a critical supply chain compromise identified as CVE-2024-3094, affecting the XZ Utils data compression library. This vulnerability, with a CVSS score of 10.0 (Critical), introduces a backdoor that could allow attackers to bypass SSH authentication and execute remote code on the affected systems. CVE-2024-3094 affects XZ Utils versions 5.6.0 and 5.6.1, and organizations are advised to downgrade to a secure version, such as 5.4.6, to prevent potential exploits.
Numerous Linux distributions, including Fedora, Debian, openSUSE, and Kali Linux, have been impacted by a backdoor discovered in the XZ Utils library.
In its blog, Picus Security explores how the XZ Utils CVE-2024-3094 exploit works and how organizations can protect against such attacks.
Learn more: https://www.picussecurity.com/resource/blog/cve-2024-3094-a-backdoor-in-xz-utils-leads-to-remote-code-execution
It's Time to Update!
Microsoft
This month's Patch Tuesday fixes 151 vulnerabilities, including:
● Critical RCE vulnerabilities in Microsoft Defender for IoT (CVE-2024-29053, CVE-2024-21323). These could allow attackers to remotely take control of affected devices.
● Multiple RCE vulnerabilities in Microsoft OLE DB Driver for SQL Server (CVE-2024-28906 etc.): These could allow attackers to compromise systems running SQL Server.
● RCE vulnerability in Microsoft Excel (CVE-2024-26257): This can be exploited by tricking users into opening malicious files.
● RCE vulnerability in Remote Procedure Call (RPC) Runtime (CVE-2024-20678): This could allow attackers with low privileges to remotely execute code on vulnerable systems.
Although no zero-day vulnerabilities or publicly known exploit methods have been identified at this time, we recommend that you update your operating system as soon as possible.
Learn more: https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr
Apple
Vulnerability CVE-2024-1580 has been detected in CoreMedia and WebRTC on iOS, iPadOS, and macOS Sonoma devices; it results in Remote Code Execution (RCE). The vulnerability, although of moderate severity, is characterized by the fact that it can be exploited on a network with minimal privileges and without user interaction.
How to fix: Update iOS and iPadOS to version 17.4.1, macOS Sonoma to version 14.4.1.
Learn more: https://support.apple.com/en-us/HT214097 https://support.apple.com/en-us/HT214096
Chrome
Vulnerabilities CVE-2024-2887 in WebAssembly and CVE-2024-2886 in the WebCodecs API have been detected. Both are critical and allow malicious code to be executed on the device.
How to fix: Update to Google Chrome version 123.0.6312.86/.87 (Windows/Mac) and 123.0.6312.86 (Linux).
Learn more: https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html
Firefox
Vulnerabilities CVE-2024-29943 (out-of-bounds write) and CVE-2024-29944 (sandbox escape) have been detected. Both are critical and allow malicious code to be executed on the device.
How to fix: Upgrade to Firefox 124.0.1 and Firefox ESR 115.9.1.
Learn more: https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/