Pierluigi Paganini July 21, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
• CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability
• CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability

Below are the descriptions of the flaws added to the KEV catalog:

CVE-2024-34102 (CVSS score of 9.8) – the flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this issue by sending a crafted XML document that references external entities. The experts pointed out that the exploitation of this issue does not require user interaction. The flaw impacts Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Adobe warned that it is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.

CVE-2024-28995 (CVSS score of 7.5) – the flaw is a high-severity directory transversal issue in SolarWinds Serv-U Path that allows attackers to read sensitive files on the host machine. The vulnerability was discovered and reported by Hussein Daher. Experts at threat intelligence firm GreyNoise reported that threat actors are actively exploiting a public available proof-of-concept (PoC) exploit code.

“SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.” reads the advisory.

The flaw was disclosed on June 6, it impacts Serv-U 15.4.2 HF 1 and previous versions.

GreyNoise researchers started investigating the issue after Rapid7 published technical details about the flaw and PoC exploit code. GitHub users bigb0x also shared a proof-of-concept (PoC) and a bulk scanner for the SolarWinds Serv-U CVE-2024-28995 directory traversal vulnerability.

“The vulnerability is very simple, and accessed via a GET request to the root (/) with the arguments InternalDir and InternalFile set to the desired file. The idea is that InternalDir is the folder, and they attempt to validate there are no path-traversal segments (../). InternalFile is the filename.” reported GreyNoise.

GreyNoise researchers started observing exploitation attempts for this issue over the weekend.

Some failed attempts relied on copies of publicly available PoC exploits, others attempts were associated to attackers with a better knowledge of the attack.

“We see people actively experimenting with this vulnerability – perhaps even a human with a keyboard. The route between this vulnerability and RCE is tricky, so we’ll be curious to see what people attempt!” states GreyNoise.

CVE-2022-22948 (CVSS score of 6.5) – an information disclosure vulnerability in vCenter Server that is caused by improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by August 7, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)