Overview

Veeam has published a security bulletin addressing one critical vulnerability (CVE-2024-40711) and five high-severity vulnerabilities in its Backup & Replication product, including:

  • CVE-2024-40711 is a critical deserialisation of untrusted data vulnerability with a CVSSv3 score of 9.8. If exploited, an unauthenticated attacker could achieve remote code execution (RCE). It is now under active exploitation by ransomware groups.

Mozilla has released security updates to address one critical vulnerability in Firefox and Firefox ESR.

  • CVE-2024-9680 is a use-after-free vulnerability in Animation timelines and has a CVSSv3 score of 9.8. It could allow a remote, unauthenticated attacker to achieve code execution.

Mitel has released security advisories addressing multiple vulnerabilities in MiCollab. MiCollab is a cloud-based platform that integrates chat, voice, video, and SMS messaging for teams.

  • CVE-2024-41713 is a vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab and has a CVSSv3 score of 9.8. It could allow an unauthenticated attacker to conduct path traversal due to insufficient input validation.
  • CVE-2024-47223 is a vulnerability in the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab and has a CVSSv3 score of 9.4. It could allow an unauthenticated attacker to conduct SQL injection due to insufficient sanitisation of user input.

Two further vulnerabilities rated high severity, and one rated medium severity, could lead to authentication bypass, SQL injection or CRLF injection.

Fortinet has released a security advisory to address a critical vulnerability in the FortiOS fgfmd daemon.

  • CVE-2024-23113 is a ‘use of externally controlled format string’ vulnerability with a CVSSv3 score of 9.8. A remote unauthenticated attacker could send specially crafted requests to achieve arbitrary code execution (ACE) or run arbitrary commands.

Ivanti has released security advisories addressing vulnerabilities in multiple products.

Three vulnerabilities affecting Cloud Services Appliance (CSA) have been exploited by being chained with the previously patched vulnerability CVE-2024-8963:

  • CVE-2024-9381 has a CVSSv3 score of 7.2 and is a path traversal vulnerability in Ivanti CSA. If exploited, a remote authenticated attacker with admin privileges could bypass restrictions.
  • CVE-2024-9380 has a CVSSv3 score of 7.2 and is an OS command injection vulnerability in the admin web console of Ivanti CSA. If exploited, a remote authenticated attacker with admin privileges could achieve remote code execution (RCE).
  • CVE-2024-9379 has a CVSSv3 score of 6.5 and is an SQL injection vulnerability in the admin web console of Ivanti CSA. If exploited, a remote authenticated attacker with admin privileges could run arbitrary SQL statements.

Microsoft has released security updates to address 117 vulnerabilities in Microsoft products. The security updates include five zero-day vulnerabilities. Two vulnerabilities are under active exploitation:

  • CVE-2024-43572 is an improper neutralisation vulnerability in the Management Console feature of Windows and Windows Server and has a CVSSv3 score of 7.8. Successful exploitation could allow a local attacker to perform remote code execution (RCE) on vulnerable devices. This zero-day vulnerability is under active exploitation.
  • CVE-2024-43573 is a cross-site scripting vulnerability in Windows and Windows Server MSHTML Platform with a CVSSv3 score of 6.5. MSHTML is a software component used to render web pages on Windows. This zero-day vulnerability is under active exploitation.
  • CVE-2024-20659 is an improper input validation vulnerability in Windows Hyper-V with a CVSSv3 score of 7.1. Successful exploitation of this vulnerability requires multiple conditions to be met, such as specific application behaviour, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token. With these conditions being met, it could lead to an attacker compromising the hypervisor and the secure kernel. This vulnerability has been publicly disclosed but no exploitation has been observed.
  • CVE-2024-43583 is an execution with unnecessary privileges vulnerability in Windows and Windows Server and has a CVSSv3 score of 7.8. Successful exploitation could allow a local attacker to gain SYSTEM privileges. This privilege escalation vulnerability has been publicly disclosed and exploitation is considered more likely.
  • CVE-2024-6197 is a free of memory not on the heap vulnerability in Open Source Curl with a CVSSv3 score of 8.8. Successful exploitation could allow a remote attacker to achieve RCE if a user interacts by selecting and communicating with a malicious server.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Veeam – Security Bulletin

Mozilla – Security Advisory

Mitel – Security Advisories

Fortinet – Fortiguard Labs

Ivanti – Security Advisory (Ivanti Connect Secure and Policy Secure) and Security Advisory (Cloud Services Application)

Microsoft – Security Updates

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates