Big vendor vulnerabilities from F5, Citrix, and Chrome will lead the headlines with highly dangerous vulnerabilities in popular products. However, the most dangerous vulnerabilities might be the lesser known Tinyproxy and Cinterion Cellular Modem flaws.
Small business owners tend to adopt Tinyproxy and also tend to use part-time IT resources which potentially threatens related supply chains with third-party risk. From the other end of the supply chain, many vendors build Cinterion Cellular Modems into their internet-of-things (IoT) or operations technology (OT) equipment such as sensors, meters, or even medical devices. How long will it take to address these supply chain issues?
The average company probably won’t know about a problem until they’re under attack. Fortunately, the stress and high expense of attacks can be avoided by proactively tracking assets, staying informed, and allocating some resources to eliminating vulnerabilities before they become ballooning disasters.
May 5, 2024
Tinyproxy Vulnerability Potentially Exposes 50,000+ Hosts
Type of vulnerability: Use after free.
The problem: Cisco Talos researchers published a proof of concept for CVE-2023-49606 and Censys detected over 50,000 potentially vulnerable Tinyproxy hosts. Tinyproxy provides a lightweight, open-source HTTP/S proxy adopted by individuals and small businesses for basic proxy functionality. Attackers can send specially crafted HTTP Connection headers to trigger memory corruption, cause denial of service (DoS), and possibly remote code execution (RCE).
The Talos team published that they received no response from the Tinyproxy open-source developers, and therefore they published the proof of concept before a patch was available for this vulnerability with a CVSSv3 rating of 9.8 out of 10. The Tinyproxy team complained that Talos researchers failed to use any of the official channels to contact them when they released the patch. No active exploits are known at this time.
The fix: The next version Tinyproxy (1.11.2) will contain the security fix, but the fix can be pulled from GitHub and manually applied for at-risk deployments exposed to the internet.
To coordinate tracking and remediating vulnerabilities, consider a vulnerability management solution.
May 8, 2024
Citrix Hypervisor 8.2 CU1 LTSR Requires Manual PuTTY Update
Type of vulnerability: Deterministic cryptographic number generation.
The problem: As disclosed in the April 22nd vulnerability recap, PuTTY didn’t generate sufficiently random numbers for encryption keys. Older versions of XenCenter for Citrix Hypervisor included vulnerable versions of PuTTY, which could allow guests on a VM to determine associated XenCenter administrator SSH private keys.
The fix: XenCenter for Citrix Hypervisor versions from 8.2.7 don’t include PuTTY and require no action. Owners of older versions will need to either:
- Remove PuTTY components
- Upgrade PuTTY to at least version 0.81
- Upgrade XenCenter for Citrix Hypervisor
F5 BIG-IP Next Central Manager Device Takeover Vulnerabilities
Type of vulnerability: OData injection, SQL injection (SQLi).
The problem: F5 patched their unified BIG-IP Next controller, Next Central Manager, to fix a pair of official vulnerabilities: CVE-2024-21793 and CVE-2024-26026. Both flaws rate CVSSv3 7.5 out of 10 and successful exploitation of these vulnerabilities can disclose user and administrator password hashes.
Researchers at Eclypsium published a proof of concept that describes five vulnerabilities, of which only two have been assigned CVE numbers and formally patched by F5. The proof of concept demonstrates that unpatched management consoles may be remotely compromised. Obtaining access to the password hashes from the compromise can lead to complete takeover of the F5 management consoles and, by extension, F5 devices managed by the console.
The fix: All device configurations contain the vulnerabilities. F5 recommends installing BIG-IP Next Central Manager version 20.2.0 or higher.
Unsure if your systems remain vulnerable? Consider performing a penetration test on specific systems.
May 9, 2024
Google Patches Actively Exploited Zero-Day Vulnerability in Chrome
Type of vulnerability: Use after free.
The problem: Google sent out Windows and MacOS Chrome updates (Liux to follow shortly) and disclosed their fifth actively-exploited vulnerability of 2024: CVE-2024-4671. Anonymous researchers disclosed the flaw, rated CVSSv3 8.8 out of 10, that could trigger data leakage, code execution, or crashing.
The fix: Chrome should update automatically, but may need to be closed and reopened. Users should be encouraged to restart their browsers and can verify installation of the latest version by selecting “Settings > About Chrome.”
May 10, 2024
Telit IoT Cinterion Cellular Modem Flaws With Unknown Threat Scope
Type of vulnerability: Heap overflow, digital signature check bypass, unauthorized code execution, privilege escalation.
The problem: Vendors integrate Telit’s Cinterion modems into internet of things (IoT) devices such as industrial equipment, medical devices, vehicle tracking sensors, and smart meters. The most significant vulnerability, CVE-2023-47610 rates CVSSv3 9.8 out of 10, and researchers at Kaspersky note that exploitation could lead to remote code execution and unauthorized privilege escalation to take over these devices potentially connected to critical infrastructure.
The other vulnerabilities involve mishandling Java applets running on the IoT. Exploitation of the other vulnerabilities could expose confidential data and allow the device to provide entry to connected networks. Unfortunately, no comprehensive list exists of devices incorporating the modems to provide warnings for all vulnerabile products, so organizations must proactively investigate for possible exposure.
The fix: Owners of IoT with cellular connections should check for the presence of Cinterion modems and patches through the device manufacturers. Kaspersky recommends disabling non-essential SMS messaging capabilities and private access code names (APNs) with strict security settings to counter the most critical vulnerability.
The Java applet-handling flaws can be mitigated through strict and rigorous enforcement of digital signature verification for MIDlets. Kaspersky also recommends regular security audits and controlling physical access to the devices.
Read next:
- Vulnerability Recap 5/6/24 – Aruba, Dropbox, GitLab Bugs
- Penetration Testing vs Vulnerability Scanning: What’s the Difference?
- How to Maximize the Value of Penetration Tests
