Top Trending CVEs of April 2024

April is here, spring has arrived and everyone in the lower 48 of the United States got to witness a near-total solar eclipse. All good stuff. Despite all these distractions, security researchers still found time to remind the public that software can introduce risk. This month we dive into a trio of critical vulnerabilities across a broad spectrum of products, including SSL VPNs, email clients and web server load balancers. Successful exploitation results in unauthenticated remote command execution, the best kind of remote command execution, and exploit code is available in the public domain. What a fun month! Let’s drop to a command line, clone some Git repos and demystify the trending CVEs of April 2024.

1. Palo Alto PAN-OS RCE CVE-2024-3400

It feels like the first quarter of 2024 has been defined by a string of SSL VPN command execution vulnerabilities, and Palo Alto has now jumped on the bandwagon. Researchers at Volexity observed that clients were reporting breach incidents at their firewall endpoints. The vulnerability, assigned CVE-2024-3400, is a critical command injection vulnerability in Palo Alto Networks PAN-OS software that enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

A second research team at watchTowr dove into the reported vulnerability. Their analysis revealed that the SSL VPN appliance ships without disk encryption enabled, which made filesystem access trivial. Filesystem access in turn exposed the API routes configured on the web server, but those avenues didn’t offer an obvious path to command injection. Short on viable vectors, the team disassembled and analyzed the GlobalProtect service binary. Working against that binary, they found that path traversal characters injected into the session cookie resulted in the creation of a zero-length file at the traversed path. A zero-length file isn’t terribly useful on its own, but if the firewall is configured with telemetry enabled, it opens new avenues for escalating the attack.

An analysis of log files revealed that with telemetry enabled the device makes periodic curl requests to a Palo Alto server, and that user-controlled input is echoed into that curl command. Unsanitized user-controlled input landing in a curl command was sufficient to achieve remote command execution through a properly crafted session cookie. Neat!

The one trick required to achieve meaningful results was the use of the IFS shell variable. IFS, the internal field separator, expands to whitespace (a space by default) wherever it is referenced in a shell command, so ${IFS} stands in for a literal space. This often-abused variable was needed to bypass validation filters that strip spaces from session identifiers. Proof of concept code was not technically published, but the research is detailed enough that bridging the gap to malicious code execution would be trivial. This is a high-profile, critical vulnerability with a relatively low level of complexity. Patch now!
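
As an added illustration (not code from the watchTowr write-up or from Palo Alto), the following Python contrasts the two ways of handling a session identifier that this research makes relevant: a denylist filter that merely strips spaces, which ${IFS} walks straight through because it contains no space, and an allowlist check that rejects anything that is not an opaque token. It also scans a few constructed access-log lines for cookie values carrying traversal or shell sequences. The cookie name (SESSID), the request paths and the log line format are assumptions made for the demo, not PAN-OS’s real formats.

```python
"""Added example, not code from the watchTowr write-up or from Palo Alto.
Contrasts a denylist filter that only strips spaces with an allowlist check
for session identifiers, and scans constructed access-log lines for cookie
values carrying path traversal or shell sequences.  The cookie name
(SESSID), the paths and the log line format are assumptions for the demo."""
import re
from typing import Dict, List, Optional, Tuple

# Allowlist: an opaque session token should contain only these characters.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,64}$")

# Sequences a session value has no business carrying: path traversal, the
# IFS expansion the post mentions, and common shell metacharacters.
SUSPICIOUS_RE = re.compile(r"\.\./|\$\{?IFS\}?|[`;|&$<>\\'\"]")


def naive_filter(value: str) -> str:
    """Denylist-style control that only removes spaces.  A value that spells
    its space as ${IFS} contains no space and passes through untouched."""
    return value.replace(" ", "")


def strict_filter(value: str) -> Optional[str]:
    """Allowlist validation: return the value if it looks like an opaque
    token, otherwise None.  Rejecting beats 'cleaning' for opaque tokens."""
    return value if SESSION_ID_RE.fullmatch(value) else None


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into name -> raw value (no decoding)."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, cookie_name, value) for every cookie value that
    contains a suspicious sequence.  Constructed log format:
    '<client ip> <path> cookie="<Cookie header>"'."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        m = re.search(r'cookie="([^"]*)"', line)
        if not m:
            continue
        for name, val in parse_cookies(m.group(1)).items():
            if SUSPICIOUS_RE.search(val):
                hits.append((n, name, val))
    return hits


# Constructed sample lines: one benign session, one with traversal, one
# with an IFS expansion in place of a space.
SAMPLE_LOG = [
    '203.0.113.7 /login cookie="SESSID=abc123DEF456ghi789; lang=en"',
    '203.0.113.9 /login cookie="SESSID=../../placeholder; lang=en"',
    '198.51.100.4 /portal cookie="SESSID=a${IFS}b"',
]

if __name__ == "__main__":
    for value in ("abc123DEF456ghi789", "../../placeholder", "a${IFS}b"):
        print(f"{value!r}: naive={naive_filter(value)!r} strict={strict_filter(value)!r}")
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious cookie on line %d: %s=%s" % hit)
```

The lesson is the usual one: a filter that removes characters it dislikes leaves every alternate spelling of those characters in place, while an allowlist for an opaque token has nothing to bypass. The scanner is the detection-side counterpart for hunting through logs that predate the patch.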

Severity    Complexity    CVSS Score
Critical    Low           10


Systems Impacted (versions affected):

  • PAN-OS 11.1: < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
  • PAN-OS 11.0: < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
  • PAN-OS 10.2: < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1

2. Microsoft Outlook Spoofing Vulnerability CVE-2024-21413

Microsoft Outlook has a well-documented, unfortunate history of talking to strange servers. Compelling a victim to interact with untrusted servers is a bedrock characteristic of request forgery vulnerabilities and can result in credential compromise or remote command execution. The research team at Check Point released a detailed report documenting a vulnerability in Microsoft Outlook attributed to the handling of specific kinds of hyperlinks. Nearly a year ago, we documented a similar vulnerability relating to the way paths were handled in calendar invites (CVE-2023-23397).

It was found that when current Outlook builds handle ordinary links, such as “http://” or “https://”, a web browser is opened. Things get more interesting when Outlook handles a “file://” link. The risk of reaching the filesystem via crafted emails motivated Microsoft to implement validation controls that specifically prohibit these kinds of links.

Though well-intentioned, the security control was not without flaws. The researchers discovered that it could be bypassed by appending an exclamation point (!) followed by a string of arbitrary characters to a hyperlink in an email. The bypass enables an attacker to access resources on the host or compel the victim host to interact with an untrusted node. Exploitation can be conducted via a single malicious email and does not require user interaction.

The impact of this vulnerability casts a wide net. The ability to inject arbitrary paths into a hyperlink can lead to credential compromise in the form of leaked Net-NTLMv2 hashes over SMB when a UNC path is injected. It’s also possible for an attacker to interact with files on a remote filesystem, which includes launching binary executables. This is a critical vulnerability, particularly if your organization uses the Outlook desktop client. Proof of concept code is mature and ready to be weaponized. It is highly recommended that you patch now.
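
As an added illustration (not code from the Check Point report, Microsoft or this post), here is a small Python scanner a mail gateway could run over an HTML body: it collects every href, strips the ‘!’ suffix before looking at the scheme so that suffix cannot hide a file:// link, and blocks file:// links and bare UNC paths while letting http(s) and mailto through and sending everything else to review. The sample message and host names are constructed for the demo.

```python
"""Added example, not code from the Check Point report, Microsoft or the
NopSec post.  Scans an HTML email body for hyperlinks whose scheme would
make a mail client touch the local filesystem or a remote share.  The
sample message and host names are constructed for the demo."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Schemes a mail hyperlink should never carry; 'file' is the one the post discusses.
BLOCKED_SCHEMES = {"file"}
# Schemes that are expected in mail and handed to a browser or mail client.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value.strip())


def classify_link(href: str) -> str:
    """Return 'block', 'review' or 'allow' for one hyperlink.

    The '!' suffix the post describes is stripped before the scheme is
    inspected, so it cannot disguise a file:// link.  A bare UNC path
    (\\\\host\\share) is blocked too, since it reaches an SMB server in the
    same way.  Anything neither blocked nor allowed goes to review.
    """
    candidate = href.split("!", 1)[0]
    if candidate.startswith("\\\\"):
        return "block"
    scheme = urlsplit(candidate).scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return "block"
    if scheme in ALLOWED_SCHEMES:
        return "allow"
    return "review"


def scan_html_mail(body: str) -> Dict[str, str]:
    """Map every href in the body to its verdict."""
    collector = LinkCollector()
    collector.feed(body)
    return {href: classify_link(href) for href in collector.hrefs}


# Constructed sample: a normal link, a file:// link carrying the '!' suffix,
# a bare UNC path, and a mailto link.
SAMPLE_MAIL = (
    "<html><body>"
    '<a href="https://example.com/report">Quarterly report</a>'
    '<a href="file://fileserver.example/share/doc.docx!placeholder">Open</a>'
    '<a href="\\\\fileserver.example\\share\\notes.txt">Notes</a>'
    '<a href="mailto:someone@example.com">Reply</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for href, verdict in scan_html_mail(SAMPLE_MAIL).items():
        print(f"{verdict:6} {href}")
```

Note the design choice: the gateway decides on the scheme that remains after the suffix is removed, rather than trying to enumerate every decoration a client might tolerate, which is exactly the trap the Outlook control fell into.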

Severity    Complexity    CVSS Score
Critical    Low           9.8


Systems Impacted: 

  • Microsoft Office 2016 build 16.0.5435.1001

3. LoadMaster Unauthenticated Command Injection CVE-2024-1212

LoadMaster is an application delivery controller that also handles load balancing duties, with the aim of ensuring high availability. Researchers at Rhino Security discovered that the software was prone to an unauthenticated remote command execution vulnerability. LoadMaster can be deployed in several forms, but the research team focused on the Virtual Machine (VM).

The research began by gaining access to the file system of the VM. Filesystem access enabled a proper analysis of the device configuration and supporting source code. It was discovered that API requests were handled by a Bash script that proxied arguments to the binary “/bin/access” resident on the VM. Using Ghidra, the team decompiled the binary and analyzed the resulting code.

With the decompiled binary as a reference, the researchers learned how RESTful API requests translated into commands and their corresponding arguments. Submitting a request to the ‘/access’ API endpoint alone returned a 404, because the second REST path parameter, which names a destination, was missing. When a more complete request was submitted, the server responded with a 401, meaning a verification check was encountered and access was denied.

This led the research team to probe the session verification functions. It was discovered that credentials (or maybe a payload?) submitted via Basic HTTP Authentication were persisted on the server side in the environment variables REMOTE_USER and REMOTE_PASS, regardless of whether they were valid. Tracing the verification execution flow, it was found that these environment variables were eventually used to construct a command string executed via the system() function. Compounding the injection vulnerability, at no point was the data validated or sanitized. You can guess where this is going.

Command injection was achieved by terminating the intended command with a single quote (') inside the base64-encoded Basic HTTP Authentication header, allowing an attacker to append any arbitrary command they want. This technically didn’t grant ‘root’ privileges; however, once arbitrary command injection was achieved, escalating to ‘root’ was trivial via the abuse of sudo entries. Due to the nature of the vulnerability there are no mitigating controls, even if the REST API endpoint is disabled. This is a low complexity, critical vulnerability and anyone with unauthenticated access to the LoadMaster admin instance can easily launch a successful exploit. Exploit code is mature and already present in the public domain. Patch now!
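
The pattern described above, as an added example in Python rather than LoadMaster’s own code: decode a Basic Authentication header, show how splicing the decoded values into a quoted shell string lets a single quote in the data break the quoting (shlex.split fails on the unbalanced quote, which is the same boundary an attacker closes deliberately), and then the hardened alternative of validating the username against an allowlist and passing both values as separate argv elements with no shell involved. The ‘/bin/access verify’ invocation, the allowlist pattern and the sample header are assumptions for the demo.

```python
"""Added example, not LoadMaster's code.  Shows what goes wrong when values
taken from an HTTP Basic Authentication header are spliced into a shell
command string, and how to hand them to a helper without a shell instead.
The 'verify' sub-command, the allowlist and the sample header are
constructed for the demo."""
import base64
import re
import shlex
from typing import List, Optional, Tuple

# Usernames the front-end will forward at all: a tight allowlist, rejected
# (not "cleaned") when it does not match.  Passwords are left free-form.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'; None if the header is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def vulnerable_command(user: str, password: str) -> str:
    """The anti-pattern the post describes: unvalidated header values placed
    inside a quoted shell string that would be handed to system()."""
    return f"/bin/access verify '{user}' '{password}'"


def shell_tokens(command: str) -> Optional[List[str]]:
    """How a POSIX shell would tokenise the string; None when the quoting
    is broken, i.e. the data has escaped the quotes the author intended."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


def safe_argv(user: str, password: str) -> Optional[List[str]]:
    """Hardened form: validate, then build an argv list to be passed to
    subprocess.run(argv) with no shell, so quotes in the data are inert."""
    if not USERNAME_RE.fullmatch(user) or "\x00" in password:
        return None
    return ["/bin/access", "verify", user, password]


# Constructed sample header: a perfectly ordinary password that happens to
# contain an apostrophe.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:it's").decode("ascii")

if __name__ == "__main__":
    creds = parse_basic_auth(SAMPLE_HEADER)
    assert creds is not None
    user, password = creds
    print("shell string :", vulnerable_command(user, password))
    print("shell tokens :", shell_tokens(vulnerable_command(user, password)))
    print("safe argv    :", safe_argv(user, password))
```

Even an honest password breaks the quoted string, which is why the fix is not "escape the quote" but "never let the data reach a shell parser": with an argv list the helper receives the apostrophe as ordinary bytes in one argument.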

Severity    Complexity    CVSS Score
Critical    Low           10.0


Systems/Applications Impacted:

  • affected from 7.2.48.1 before 7.2.48.10
  • affected from 7.2.54.0 before 7.2.54.8
  • affected from 7.2.55.0 before 7.2.59.2


To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let the NopSec platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what the NopSec platform can do in action, register for our monthly platform walkthrough webinar. Bring any questions you have and we’ll be happy to answer them!
