Pierluigi Paganini September 17, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS, ImageMagick and Linux Kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these vulnerabilities:

• CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
• CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability

CVE-2024-43461 – Microsoft this week warned that attackers actively exploited the Windows vulnerability CVE-2024-43461 as a zero-day before July 2024.

The vulnerability CVE-2024-43461 is a Windows MSHTML platform spoofing issue. MSHTML is a platform used by Internet Explorer. Although the browser has been retired, MSHTML remains in Windows and is still used by certain applications.

The ZDI Threat Hunting team discovered a new exploit similar to a previously patched July vulnerability tracked as CVE-2024-38112.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI. “The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.”

Despite reporting it to Microsoft in June, threat actors quickly devised a method to bypass the patch. Though actively used, Microsoft hasn’t labeled it as under attack. The flaw impacts all supported Windows versions.

“Yes. CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024.” reads the advisory published by Microsoft. “We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. See [CVE-2024-38112 – Security Update Guide – Microsoft – Windows MSHTML Platform Spoofing Vulnerability[(https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112). Customers should both the July 2024 and September 2024 security update to fully protect themselves.”

Patch Tuesday security updates for September 2024 addressed the CVE-2024-43461 vulnerability.

The vulnerability CVE-2024-6670 in WhatsUp Gold is an SQL Injection authentication bypass issue.

An unauthenticated attacker could trigger this vulnerability to retrieve the users encrypted password. The flaw impacts WhatsUp Gold versions released before 2024.0.0.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by October 7, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)