24 May 2024

Week in review

What an amazing week it's been at AUSCERT2024! This week was full of groundbreaking sessions, engaging workshops, and internationally renowned speakers. In addition to our great program of informative sessions, we also focused on important initiatives such as mental health, featuring several activities centred around uplifting mindfulness practices. To start their day, delegates enjoyed a morning stroll together in the Broadbeach sun, walking along the sand as the sun rose. We also offered puppy cuddles to lift attendees' spirits and had an onsite psychologist available for discussions on mental well-being and life coaching.

Our "pay it forward" theme provided a platform for speakers to inspire the cyber security industry. Organisations are realising the importance of contributing to the growth and development of the community to propel it forwards. AUSCERT2024 featured keynote sessions by Piotr Kijewski, CEO of the Shadowserver Foundation, a prominent nonprofit dedicated to enhancing cyber security. The foundation is renowned for its comprehensive approach to improving internet security through data collection, analysis, and dissemination.

Another highlight was keynote speaker Darren Kitchen, who presented on innovative implants and deceptive devices, equipping red teams around the world. HAK5, the platform he founded, is a significant contributor to the community, producing content that explores hacking tools and various cyber security topics to enhance collective knowledge.

To top off a great week, we also released the Year in Review report! The year 2023 has been a period of remarkable achievements and developments. This comprehensive report highlights key successes, accomplishments, and projects undertaken by AUSCERT over the past year. From strategic initiatives and performance to market expansion and operational improvements, this review provides an in-depth analysis of our progress and sets the stage for our future endeavours.

Critical GitHub Enterprise Server Flaw Allows Authentication Bypass
Date: 2024-05-21
Author: The Hacker News

[AUSCERT identified impacted members (where possible) and contacted them via email]
GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections.
Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication.
"On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges," the company said in an advisory.

Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager
Date: 2024-05-22
Author: Security Week

[AUSCERT utilized third-party search engines to identify and alert any impacted members]
IT software company Ivanti on Tuesday announced patches for several products, including fixes for critical vulnerabilities in Endpoint Manager (EPM). Six out of the ten security defects resolved in EPM are critical-severity SQL Injection bugs that could allow an unauthenticated attacker on the network to execute arbitrary code, Ivanti says.

Unauthenticated Attackers Can Hijack 400K+ WordPress Sites via Fluent Forms Bug (CVE-2024-2771)
Date: 2024-05-20
Author: Security Online

[AUSCERT utilized third-party search engines to identify and alert any impacted members]
Fluent Forms, a popular WordPress plugin with over 400,000 active installations, has been found to contain multiple critical security vulnerabilities, leaving websites at risk of exploitation. The vulnerabilities, tracked as CVE-2024-4709, CVE-2024-2771, and CVE-2024-2782, range from cross-site scripting (XSS) to unauthorized access and privilege escalation, potentially allowing attackers to compromise websites and steal sensitive data.

Atlassian Patches RCE Flaw in Confluence Data Center and Server
Date: 2024-05-21
Author: Security Online

[AUSCERT identified the impacted members (where possible) and contacted them via email]
Atlassian, a leading provider of collaboration and productivity software, has urgently addressed a remote code execution (RCE) vulnerability in its Confluence Data Center and Server products. Tracked as CVE-2024-21683, this flaw could allow authenticated attackers to seize control of affected systems, potentially leading to data breaches and operational disruptions.

Veeam warns of critical Backup Enterprise Manager auth bypass bug
Date: 2024-05-21
Author: Bleeping Computer

[AUSCERT utilized third-party search engines to identify and alert any impacted members]
Veeam warned customers today to patch a critical security vulnerability that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM).
VBEM is a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. It helps control backup jobs and perform restoration operations across an organization's backup infrastructure and large-scale deployments.

ESB-2024.3251 – VMware Products CVSS (Max): 8.1

VMware has issued a security advisory to address vulnerabilities in multiple VMware products. These vulnerabilities, if exploited, could enable attackers to run malicious code on host systems from within a virtual machine, presenting significant security threats to numerous organizations globally.

ESB-2024.3252 – Atlassian Products CVSS (Max): 9.8

Atlassian has identified numerous vulnerabilities in its range of products, comprising 35 high-severity vulnerabilities and 2 critical-severity vulnerabilities. These issues have been addressed and resolved in the latest versions of the products.

ESB-2024.3232 – Google Chrome CVSS (Max): None

Google has introduced a Chrome 125 update that addresses six vulnerabilities, including four high-severity bugs identified by external researchers. The most recent Chrome release is currently being distributed as version 125.0.6422.76 for Linux, and as versions 125.0.6422.76/.77 for Windows and macOS.

ESB-2024.3354 – Cisco Firepower Management Center (FMC) CVSS (Max): 8.8

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could enable an authenticated, remote attacker to carry out SQL injection attacks on a compromised system. This issue arises due to inadequate validation of user input within the web-based management interface.
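Two items above (the Ivanti EPM and Cisco FMC advisories) describe the same defect class: SQL injection arising from inadequate validation of user input in a web-facing interface. The following is an added example, not code from any of the vendors or from the advisories, and it uses a constructed in-memory SQLite table rather than any real product schema. It places the vulnerable pattern (splicing input into SQL text) beside the hardened one (bound parameters plus an allowlist check) so the difference in behaviour can be observed directly.

```python
import re
import sqlite3

# Constructed sample data for illustration only; not from any product or advisory.
SAMPLE_USERS = [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")]

# Assumed allowlist for the username field: letters, digits, dot, dash, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable pattern: user input becomes part of the SQL text.

    Quoting characters in the input change the structure of the statement,
    which is exactly the 'inadequate validation of user input' defect class
    named in the advisories above.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def is_valid_username(username):
    """Defence in depth: reject anything outside the expected character set."""
    return bool(USERNAME_RE.match(username))


def lookup_user_hardened(conn, username):
    """Hardened pattern: allowlist validation, then a bound parameter.

    The value is passed to the driver separately from the SQL text, so it can
    never be interpreted as SQL. Invalid input is rejected before any query runs.
    """
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allowlist")
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare_behaviour(conn, value):
    """Return (rows from vulnerable lookup, rows from hardened lookup or the error)."""
    vulnerable_rows = lookup_user_vulnerable(conn, value)
    try:
        hardened_result = lookup_user_hardened(conn, value)
    except ValueError as exc:
        hardened_result = str(exc)
    return vulnerable_rows, hardened_result


if __name__ == "__main__":
    db = build_db()
    # A benign lookup behaves the same in both versions.
    print(compare_behaviour(db, "alice"))
    # Input that contains a quote alters the vulnerable query's WHERE clause and
    # returns every row; the hardened version refuses it at the allowlist.
    print(compare_behaviour(db, "' OR '1'='1"))
```

The hardened lookup relies on parameter binding as the primary control; the allowlist is a second layer so that unexpected input is logged and rejected at the edge rather than silently matched against the table.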

Stay safe, stay patched and have a good weekend!

The AusCERT team