In the ever-evolving digital connectivity and technology landscape, organizations face a constant challenge to fortify their cyber defenses against an ever-expanding array of threats. The rapid advancement of information technology has brought about unparalleled convenience and efficiency. Still, it has also ushered in an era where the vulnerability of digital ecosystems is a constant concern. Recent times have witnessed the emergence of critical vulnerabilities that have the potential to compromise the security and integrity of systems on a global scale.
This is a case study of CVEs that were trending from January to April 2024, which are critical in nature, have been exploited by attackers, and have affected the organization’s overall security. This list consists of popular products with critical and high CVSS score CVEs. This case study aims to illuminate the intricacies surrounding a series of recent critical vulnerabilities that have shocked the cybersecurity community. As we delve into the depths of these vulnerabilities, we will unravel the technical nuances, assess the potential impact on affected systems, and explore the subsequent response mechanisms employed by organizations and security experts.
CVE-2024-29201 & CVE-2024-29202 Flaws Expose JumpServer Users to RCE Attacks
Product Description:
JumpServer is a widely used open-source bastion host system designed to manage and control access to sensitive systems within an organization’s network. It is a centralized hub for securely managing SSH, RDP, and web protocols, facilitating secure remote access for authorized users. JumpServer offers comprehensive features, including user authentication, session recording, and access control policies, making it a vital component of an organization’s security infrastructure.
Vulnerability Description:
CVE-2024-29201 and CVE-2024-29202 are critical vulnerabilities discovered in JumpServer, exposing it to remote code execution (RCE) attacks.
- CVE-2024-29201: This vulnerability arises from a flaw in JumpServer’s Ansible playbook validation process. Attackers can exploit this vulnerability to inject malicious code into Ansible playbooks, allowing them to execute arbitrary commands within JumpServer’s Celery container with root privileges.
- Exploitation Scenario:
Attackers exploit CVE-2024-29201 by crafting a malicious Ansible playbook yaml template within JumpServer’s “Job > Template” section. Below is the malicious playbook snippet:
– name: RCE Playbook
hosts: all
tasks:
– name: Execute command in Celery container
shell: id > /tmp/pwnd
delegate_to: localhost
vars:
ansible_connection: local
Upon running the malicious playbook as a job, the specified command (id > /tmp/pwnd) executes within the Celery container, allowing attackers to compromise the system and gain unauthorized access.
- Exploitation Scenario:
- CVE-2024-29202: The second vulnerability originates from a Jinja2 template injection flaw in JumpServer’s Ansible module. By crafting malicious playbook templates, attackers can execute arbitrary code within the Celery container.
- Exploitation Scenario:
Attackers exploit CVE-2024-29202 by constructing a malicious Jinja2 template within the “Job > Template” section of JumpServer. Below is the malicious template snippet:
– name: |
{% for x in ().__class__.__base__.__subclasses__() %}
{% if “warning” in x.__name__ %}
{{
x()._module.__builtins__[“__import__”](“os”).system(“id > /tmp/pwnd”)
}}
{%endif%}
{%endfor%}
Upon execution as a job, the crafted template triggers the execution of the specified command (id > /tmp/pwnd) within the Celery container. This provides attackers with unauthorized access and the ability to execute arbitrary commands, compromising the system.
- Exploitation Scenario:
Impact on Organizations:
The exploitation of CVE-2024-29201 and CVE-2024-29202 can have severe consequences for organizations relying on JumpServer for their security infrastructure:
Data Theft: Attackers can steal sensitive data from connected hosts, compromising confidentiality and integrity.
Database Manipulation: Manipulating databases accessible to JumpServer can lead to data corruption or unauthorized modifications, affecting the organization’s operations.
Network Compromise: Successful exploitation may grant attackers further access to the organization’s network, extending the scope of the breach and posing a significant risk to network security.
Ransomware Deployment: In real-world scenarios, attackers may deploy ransomware through remote code execution, encrypting critical data and demanding ransoms for decryption. This can lead to financial losses and business disruptions.
Data Exfiltration: Attackers may extract sensitive information such as customer details, financial records, or intellectual property, leading to reputational damage and regulatory penalties.
The attack surface on Shodan can be found by querying [http.html:”JumpServer” “JumpServer”].
To mitigate the vulnerabilities impacting JumpServer versions v3.0.0 through v3.10.6, users are strongly advised to upgrade to v3.10.7, as patched versions are available and should be applied immediately. A temporary workaround for those unable to upgrade immediately is to disable JumpServer’s Job Center feature, providing interim mitigation until upgrades can be implemented.
- Ref.
https://nvd.nist.gov/vuln/detail/CVE-2024-29201
https://nvd.nist.gov/vuln/detail/CVE-2024-29202
https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj
Microsoft Outlook RCE Flaw – CVE-2024-21413
Product Description:
Microsoft Outlook is a widely used email client utilized by organizations and individuals for communication and productivity. It offers a comprehensive suite of features, including email management, calendar scheduling, task tracking, and contact organization. Microsoft Outlook is integral to many businesses’ communication infrastructure, facilitating efficient and secure email communication.
Vulnerability Description:
CVE-2024-21413 is a critical vulnerability discovered in Microsoft Outlook, exposing it to remote code execution (RCE) attacks. This vulnerability allows attackers to execute arbitrary code when opening emails containing malicious links, exploiting a flaw in Microsoft Outlook’s handling of certain types of content.
Exploitation Scenario:
Attackers exploit CVE-2024-21413 by crafting malicious emails containing links that exploit the vulnerability when opened in vulnerable versions of Microsoft Outlook. Upon clicking the malicious link, the attacker can execute arbitrary code within the context of the Outlook application, potentially compromising the victim’s system and gaining unauthorized access to sensitive information.
POC Walkthrough:
Crafting the Email: The script constructs an email message with both plain text and HTML parts. The HTML part contains an image and a link to the malicious URL. This URL is designed to exploit the vulnerability when clicked.
Sending the Email: The script connects to the specified SMTP server using the provided credentials (username and password).
It authenticates to the SMTP server using the provided credentials.
The script then sends the crafted email to the recipient specified in the command-line arguments.
Exploiting the Vulnerability: When the recipient opens the email and clicks on the link, CVE-2024-21413 is exploited.
The vulnerability allows remote code execution (RCE) when opening emails with malicious links using vulnerable versions of Microsoft Outlook.
By exploiting this vulnerability, attackers can execute arbitrary code on the victim’s system, potentially compromising the system or network completely.
Impact on Organizations:
The exploitation of CVE-2024-21413 can have severe consequences for organizations relying on Microsoft Outlook for their email communication:
Data Breach: Attackers can gain unauthorized access to sensitive information stored within the Outlook application, compromising confidentiality and integrity.
System Compromise: Successful exploitation of the vulnerability may compromise the victim’s system, allowing attackers to execute arbitrary code, potentially install malware, or steal sensitive data.
Business Disruption: A compromised Outlook client can disrupt business operations, leading to downtime, loss of productivity, and potential financial losses.
Reputation Damage: A security breach involving Microsoft Outlook can damage an organization’s reputation and erode trust among clients, partners, and stakeholders.
We can find the attack surface on shodan by [”X-AspNet-Version http.title:”Outlook” –”x-owa-version”] query.
The discovery of CVE-2024-21413 highlights the importance of promptly addressing security vulnerabilities in Microsoft Outlook to safeguard organizational communication and data. Organizations are advised to apply patches provided by Microsoft and implement additional security measures, such as email filtering and user awareness training, to mitigate the risks associated with this vulnerability and protect against potential exploitation.
- Ref.
https://nvd.nist.gov/vuln/detail/CVE-2024-21413
https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
https://github.com/duy-31/CVE-2024-21413/tree/main
Fortinet FortiOS Out-of-Bounds Write Vulnerability – CVE-2024-21762
Product Description:
Fortinet FortiOS is a widely deployed operating system used in Fortinet’s network security appliances. It provides essential functionalities such as firewalling, VPN, intrusion prevention, and web filtering. It is critical in ensuring network security and protecting against various cyber threats.
Vulnerability Description:
CVE-2024-21762 is an out-of-bounds write vulnerability discovered in Fortinet FortiOS, posing a significant risk to network infrastructure security. This vulnerability allows attackers to execute arbitrary code by exploiting a flaw in how FortiOS handles specific requests or inputs.
Exploitation Scenario:
Exploiting CVE-2024-21762 involves leveraging crafted network requests to trigger the out-of-bounds write vulnerability in Fortinet FortiOS. By carefully constructing and sending malicious requests to vulnerable devices, attackers can overwrite critical memory locations and execute arbitrary code within the operating system’s context.
POC Walkthrough:
Understanding Chunked Transfer Encoding:
Chunked transfer encoding, introduced in HTTP/1.1, enables the transmission of HTTP payloads with unknown sizes by dividing them into chunks with known lengths. Each chunk is prefixed by its size in hexadecimal followed by a carriage return and line feed (CRLF). The final chunk is denoted by a zero-length chunk. For example, the string “Hello, World!” is transmitted as:
5
Hello
5
, Wor
3
ld!
0
Patch Diffing:
Analysis of the patch revealed the introduction of validation checks to ensure that certain values are less than 0x10. When this condition is violated, the string “invalid chunk length string” is logged. A BinDiff control flow block diagram illustrates two new basic blocks added by the patch, confirming that the code validates the length of the chunk size field to be no more than 16 characters.
Triggering the Check:
Identifying how to trigger the validation function proved challenging due to the complex request routing and callbacks within the embedded Apache2 server in FortiOS. Setting a breakpoint at the beginning of the target function and sending chunked POST requests to known paths under “/remote/” resulted in hits. It was determined that accessing the target function is easiest through error-related functions like “ap_die.”
Introducing an Observable Effect:
Although directly observing errors caused by sending long size fields was not feasible, it was still possible to observe different behaviors when the validation function failed early. By causing the server to block indefinitely through insufficient data transmission, observable differences in behavior between vulnerable and patched devices could be identified. Sending an excessively long size field revealed that vulnerable devices would hang until a timeout occurred, while patched devices would abort request parsing and return an HTTP response promptly.
Impact on Organizations:
Data Breach Risk: Exploitation may lead to unauthorized access to sensitive data stored within Fortinet FortiOS, compromising confidentiality.
Network Compromise: Attackers could execute arbitrary code, manipulate configurations, and bypass security controls, endangering network integrity.
Business Disruption: System crashes or denial-of-service conditions could cause downtime, productivity loss, and financial harm.
Reputation Damage: Public disclosure of the vulnerability could tarnish the organization’s reputation and erode trust.
Regulatory Compliance Risk: Non-compliance with data protection regulations may result in fines or legal consequences.
Remediation Costs: Addressing the vulnerability requires resources, including patch deployment and security assessments.
Competitive Disadvantage: Exploitation may undermine the organization’s competitive position in the market.
We can find the attack surface on Shodan by [“FortiOS”] query.
Organizations are advised to promptly apply patches or updates released by Fortinet to address the vulnerability (CVE-2024-21762) in FortiOS. Additionally, implementing network segmentation, access controls, and intrusion detection systems can help mitigate the risks associated with potential exploitation. Regular security audits and proactive monitoring of network traffic can also aid in detecting and mitigating potential threats targeting Fortinet FortiOS devices.
