10 May 2024

Week in review


Some of you might have already heard the exciting news at AUSCERT. We are thrilled to officially introduce our new General Manager – Dr. Ivano Bongiovanni! With an impressive international career spanning over two decades in cyber security and risk management, Ivano joins us from his Senior Lecturer role in Information Security, Governance and Leadership with the UQ Business School.

Motivated by AUSCERT's 30-year legacy and commitment to societal good, Ivano eagerly embraced the opportunity to join the team. In today's user-centric cyber security landscape, Ivano's capability for guiding evidence-based decisions is critical. His expertise will fuel innovation in our services, ensuring proactive adaptation to our members' evolving needs. We're enthusiastic about the fresh perspectives and innovative ideas he brings, propelling us towards providing more advanced and tailored support and advice. We are excited for the future with Ivano guiding the way forward!

With Australia observing Privacy Awareness Week, which is an annual event to raise awareness of privacy issues and the importance of protecting personal information, we invite you to attend two presentations at AUSCERT2024: "Privacy Pioneers: A Blueprint for Security Professionals" and "Deciphering Australia's Cyber Security Laws."

These sessions offer comprehensive insights into privacy matters, equipping you with essential knowledge in this domain. This includes understanding the Privacy Act and associated obligations under this legislation, along with how to kickstart a privacy program. Find out more.

Veeam fixes RCE flaw in backup management platform (CVE-2024-29212)
Date: 2024-05-08
Author: Help Net Security

[AUSCERT has identified the impacted members (where possible) and notified them via email]
Veeam has patched a high-severity vulnerability (CVE-2024-29212) in Veeam Service Provider Console (VSPC) and is urging customers to implement the patch.
Veeam Service Provider Console is a cloud platform used by managed services providers (MSPs) and enterprises to manage and monitor data backup operations.
"Service providers can deploy Veeam Service Provider Console to deliver Veeam-powered Backup-as-a-Service and Disaster Recovery-as-a-Service services to their customers.

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution
Date: 2024-05-06
Author: The Hacker News

[AUSCERT has identified the impacted members (where possible) and notified them via email]
More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.
The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version.

Citrix Addresses High-Severity Flaw in NetScaler ADC and Gateway
Date: 2024-05-07
Author: Dark Reading

Citrix appears to have quietly addressed a vulnerability in its NetScaler Application Delivery Control (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems.
The bug was nearly identical to, but not as serious as, "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered and reported the flaw to Citrix in January.

New BIG-IP Next Central Manager bugs allow device takeover
Date: 2024-05-08
Author: Bleeping Computer

[Please see AUSCERT bulletins: ESB-2024.2881 and ESB-2024.2882]

F5 has fixed two high-severity BIG-IP Next Central Manager vulnerabilities, which can be exploited to gain admin control and create hidden rogue accounts on any managed assets.
Next Central Manager allows administrators to control on-premises or cloud BIG-IP Next instances and services via a unified management user interface.
The flaws are an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793) found in the BIG-IP Next Central Manager API that would allow unauthenticated attackers to execute malicious SQL statements on unpatched devices remotely.

CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities
Date: 2024-05-03
Author: Security Week

The US cybersecurity agency CISA and the FBI on Thursday released a Secure by Design Alert warning of path traversal software vulnerabilities being exploited in attacks targeting critical infrastructure entities.
Also known as directory traversal, path traversal flaws rely on manipulated user input to access application files and directories that should not be accessible. Successful exploitation allows threat actors to manipulate arbitrary files, read sensitive data, and potentially fully compromise the system.
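The alert above describes the defect in one sentence: user input decides which file is opened, and nothing confirms the result still lies inside the directory the application meant to serve. The following added example (not code from the CISA/FBI alert or from any product named in this newsletter) contrasts the vulnerable join with a hardened resolver that canonicalises the path and refuses anything outside the base directory. The base directory, the request strings and the `resolve_safe`/`resolve_unsafe` names are constructed for illustration.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Constructed sample inputs: values a web handler might receive in a
# "filename" parameter. None of these come from the advisory.
SAMPLE_REQUESTS: List[str] = [
    "reports/q1.txt",         # legitimate request inside the base directory
    "../../etc/passwd",       # classic dot-dot traversal
    "/etc/shadow",            # absolute path that overrides the base
    "reports/../../secret",   # traversal hidden behind a valid-looking prefix
]


def resolve_unsafe(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join and trust the result.

    os.path.join discards base_dir entirely when user_path is absolute,
    and it never collapses '..' segments, so every SAMPLE_REQUESTS entry
    after the first escapes base_dir.
    """
    return os.path.join(base_dir, user_path)


def resolve_safe(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened resolver: canonicalise, then check containment.

    realpath() resolves '..' segments and symlinks, so the containment
    check runs on the path the OS would actually open. Returns None when
    the request must be refused.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # Both paths are absolute here, so commonpath cannot raise. If the
    # shared prefix is anything shorter than base, the target has escaped.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def classify(base_dir: str, requests: List[str]) -> Dict[str, str]:
    """Label each candidate request as 'allowed' or 'blocked'."""
    return {
        r: ("allowed" if resolve_safe(base_dir, r) is not None else "blocked")
        for r in requests
    }


def symlink_escape_is_blocked() -> bool:
    """Show why realpath() matters: a symlink inside the base directory
    that points at the filesystem root is followed before the check,
    so 'escape/etc/hosts' is refused even though it contains no '..'."""
    base = tempfile.mkdtemp()
    os.symlink("/", os.path.join(base, "escape"))
    try:
        return resolve_safe(base, "escape/etc/hosts") is None
    finally:
        os.unlink(os.path.join(base, "escape"))
        os.rmdir(base)


if __name__ == "__main__":
    base = "/srv/app/files"  # constructed; need not exist for realpath()
    for req, verdict in classify(base, SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {req!r:28} unsafe join -> {resolve_unsafe(base, req)}")
    print("symlink escape blocked:", symlink_escape_is_blocked())
```

The containment test is done on the canonical path, not on the raw string, because string filters ("reject anything containing `..`") miss absolute paths, encoded separators and symlinks. On a real server the same check should sit in one shared helper that every file-serving handler calls, so that a new endpoint cannot reintroduce the unsafe join.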

ESB-2024.0272.2 – UPDATE ALERT GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0

CISA issued a warning about threat actors actively exploiting a critical GitLab vulnerability, identified as CVE-2023-7028. This security flaw enables remote unauthenticated attackers to send password reset emails to email accounts they control, allowing them to change passwords and take over targeted accounts without requiring user interaction.

ESB-2024.2875 – Apple iTunes: CVSS (Max): None

An Apple iTunes (for Windows) vulnerability stemming from a boundary error in file processing enables a remote attacker to run arbitrary code on the target system. Apple has issued patches to resolve this security concern.

ESB-2024.2860 – Google Chrome: CVSS (Max): None

Two high severity vulnerabilities, CVE-2024-4558 and CVE-2024-4559, have been identified in Google Chrome. Google has released fixes to address these issues, and administrators are advised to apply the fixes to stay protected.

ESB-2024.2828 – Android: CVSS (Max): 8.4*

Google recently released security updates for Android, targeting 26 vulnerabilities, one of which is a critical flaw in the System component. This bug, identified as CVE-2024-23706 and affecting Android 14, has the potential to enable attackers to elevate their privileges on vulnerable devices.

ESB-2024.2280.5 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0

Palo Alto issued an advisory in April regarding a critical vulnerability in the GlobalProtect feature of PAN-OS software. With a CVSS score of 10, this flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vendor has since updated the advisory with information on the exploitation status, the availability of proof-of-concept code and an enhanced EFR procedure.

Stay safe, stay patched and have a good weekend!

The AUSCERT team