9 Aug 2024

Week in review

Greetings,

We continuously strive to help our members minimise their exposure to cyber threats and understand that effective prioritisation in vulnerability management is a growing concern. To assist with these efforts, AUSCERT is pleased to introduce the Exploitation Prediction Scoring System (EPSS) within our bulletins and Critical MSINs, starting August 12, 2024. Read our blog article for more information!

This week, CrowdStrike published a root cause analysis of the recent widespread outage caused by a faulty update pushed out to its Falcon customers. The report details the chain of events and multiple independent testing failures that occurred during the creation and validation of the problematic configuration file distributed to customers.

After such a widespread outage causing billions of dollars in damage across multiple countries, many are questioning who is legally responsible. Microsoft, whose ecosystem was impacted, estimated the outage affected 8.5 million Windows devices. Some organisations that were significantly affected by the incident have begun seeking legal recourse against CrowdStrike for compensation for the disruption to business.

Delta Air Lines, which suffered widespread flight disruptions and service failures, is seeking financial damages against CrowdStrike. The outages cost Delta an estimated US$350 million to $500 million, as they are dealing with over 176,000 refund or reimbursement requests after almost 7,000 flights were cancelled.
However, CrowdStrike has rejected allegations of gross negligence or misconduct, arguing that the terms and conditions of its contracts may limit its liability to customers, thereby severely restricting options for seeking redress under contract law. This has led some law firms to explore the possibility of pursuing a class action under other claims, such as negligence.

This case reveals the vulnerability of global supply chains and the significant impact IT disruptions can have on organisations worldwide. Major insurance companies are closely monitoring the situation, and many businesses are now scrutinizing their cyber insurance policies. This incident has prompted many to consider whether additional legal ramifications should be established to better protect consumers and hold responsible parties more accountable for their actions.


Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code
Date: 2024-08-07
Author: Cyber Security News

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Kibana, a popular open-source data visualization and exploration tool, has identified a critical security flaw that could allow attackers to execute arbitrary code.
This vulnerability, tracked as CVE-2024-37287, has a CVSSv3 severity rating of 9.9, indicating its critical nature.
The flaw arises from a prototype pollution vulnerability that can be exploited by attackers with access to Machine Learning (ML) and Alerting connector features and write access to internal ML indices.
Exploiting this vulnerability allows attackers to execute arbitrary code, posing significant security risks, as reported by Elastic Cloud.

Chrome, Firefox Updates Patch Serious Vulnerabilities
Date: 2024-08-07
Author: Security Week

[Please also see AUSCERT's bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.5054/ & https://portal.auscert.org.au/bulletins/ESB-2024.5049/]
Mozilla and Google both updated their web browsers on Tuesday, and the latest versions patch several potentially serious vulnerabilities. Google updated Chrome to version 127.0.6533.99, which fixes six vulnerabilities, including a critical out-of-bounds memory access issue in the ANGLE component. A reward has yet to be determined for this flaw, which is tracked as CVE-2024-7532.

Critical 1Password Security Flaw Could Let Hackers Steal Unlock Key
Date: 2024-08-07
Author: Forbes

AgileBits, the developer of the hugely popular 1Password password manager, has confirmed that a critical security vulnerability could have allowed an attacker to exfiltrate password vault items and potentially obtain account unlock keys from macOS users.
What Is CVE-2024-42219?
In a 1Password support posting it was stated that CVE-2024-42219 could enable a "malicious process running locally on a machine to bypass inter-process communication protections" and allow the malicious software in question to "exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and SRP-x."

Security Bypass Vulnerability Found in Rockwell Automation Logix Controllers
Date: 2024-08-02
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4972/]
Organizations using certain Logix programmable logic controllers (PLCs) made by Rockwell Automation have been informed about a high-severity security bypass vulnerability discovered by researchers at industrial cybersecurity firm Claroty.
On August 1, Claroty published a blog post describing its findings, and Rockwell and the cybersecurity agency CISA published advisories for the flaw, which is tracked as CVE-2024-6242.

Google fixes Android kernel zero-day exploited in targeted attacks
Date: 2024-08-07
Author: Bleeping Computer

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5013]
Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) vulnerability exploited in targeted attacks.
The zero-day, tracked as CVE-2024-36971, is a use after free (UAF) weakness in the Linux kernel's network route management. It requires System execution privileges for successful exploitation and allows altering the behavior of certain network connections.

Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords
Date: 2024-08-07
Author: The Hacker News

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances.
"When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.

CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash
Date: 2024-08-06
Author: Security Week

Embattled cybersecurity vendor CrowdStrike on Tuesday released a root cause analysis detailing the technical mishap behind a software update crash that crippled Windows systems globally and blamed the incident on a confluence of security vulnerabilities and process gaps.
The new CrowdStrike root cause analysis documents the combination of factors behind the Falcon EDR sensor crash — a mismatch between the inputs validated by a Content Validator and those provided to a Content Interpreter, an out-of-bounds read in the Content Interpreter, and the absence of a specific test — and a vow to work with Microsoft on secure and reliable access to the Windows kernel.


ESB-2024.4645.2 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0

The Cisco PSIRT has updated its initial advisory from July 2024 to confirm that proof-of-concept exploit code is now available for the vulnerability discussed in the advisory. However, Cisco has not reported any instances of malicious exploitation of this vulnerability. AUSCERT advises its members to apply the patches immediately if they have not already done so, to prevent potential exploitation.

ESB-2024.5095 – Jenkins (core): CVSS (Max): 9.0

The Jenkins Security Advisory 2024-08-07 addresses critical vulnerabilities in Jenkins core that could lead to arbitrary file read and potential remote code execution (CVE-2024-43044). It also highlights a medium-severity issue allowing unauthorized access to other users' "My Views" (CVE-2024-43045). Updates in Jenkins versions 2.471 and LTS 2.452.4 resolve these vulnerabilities.

ASB-2024.0160 – EPSS Score

Starting August 12, 2024, AUSCERT will include Exploitation Prediction Scoring System (EPSS) scores in Bulletins and Critical MSINs to indicate the likelihood of vulnerability exploitation. The EPSS score will be displayed alongside the CVSS score for Bulletins and in the Overview of Critical MSINs. Members should use up-to-date EPSS values for informed vulnerability management.
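As an added illustration of how EPSS and CVSS can be used together (this is example code written for this review, not AUSCERT's tooling), the script below joins a constructed asset inventory with a constructed excerpt in the shape of the EPSS CSV feed, checks that the feed is recent, and orders findings by exploitation probability times severity. The CVE identifiers, scores, thresholds (ACT_NOW_EPSS, SCHEDULE_CVSS, MAX_FEED_AGE_DAYS) and the exposure weighting are all assumptions made for the example, not values from the bulletin.

```python
"""Added example (not AUSCERT's code): combine EPSS probabilities with CVSS
base scores to order remediation work. All CVE identifiers, scores and the
EPSS feed excerpt below are constructed for illustration."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the shape of an EPSS CSV feed: a leading comment line
# carrying the scoring date, then cve,epss,percentile rows. Values are made up.
EPSS_FEED = """#model_version:vEXAMPLE,score_date:2024-08-09T00:00:00+0000
cve,epss,percentile
CVE-EXAMPLE-A,0.02000,0.88000
CVE-EXAMPLE-B,0.45000,0.97000
CVE-EXAMPLE-C,0.00100,0.30000
CVE-EXAMPLE-D,0.12000,0.95000
"""

# Constructed asset inventory: CVE -> (CVSS v3 base score, internet-facing?)
INVENTORY = {
    "CVE-EXAMPLE-A": (9.8, False),
    "CVE-EXAMPLE-B": (7.5, True),
    "CVE-EXAMPLE-C": (5.3, False),
    "CVE-EXAMPLE-D": (8.8, False),
}

# Assumed policy thresholds (not from the newsletter): an EPSS probability at
# or above ACT_NOW_EPSS is treated as "likely exploited soon" regardless of
# CVSS; otherwise CVSS alone decides between scheduled patching and monitoring.
ACT_NOW_EPSS = 0.10
SCHEDULE_CVSS = 7.0
MAX_FEED_AGE_DAYS = 7   # treat an EPSS feed older than this as stale


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS v3 base score, 0.0 to 10.0
    epss: float            # EPSS probability, 0.0 to 1.0
    internet_facing: bool

    def __post_init__(self):
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS {self.cvss} out of range")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve}: EPSS {self.epss} out of range")


def parse_epss_feed(text):
    """Return (score_date, {cve: epss}) from a feed in the constructed layout."""
    lines = text.splitlines()
    score_date = None
    if lines and lines[0].startswith("#"):
        for field in lines[0][1:].split(","):
            key, _, value = field.partition(":")
            if key == "score_date":
                score_date = date.fromisoformat(value[:10])
        lines = lines[1:]
    rows = csv.DictReader(io.StringIO("\n".join(lines)))
    return score_date, {row["cve"]: float(row["epss"]) for row in rows}


def feed_is_stale(score_date, today):
    """EPSS is re-scored frequently; old values undermine prioritisation."""
    return score_date is None or (today - score_date) > timedelta(days=MAX_FEED_AGE_DAYS)


def build_findings(inventory, epss_scores):
    """Join the inventory with EPSS; CVEs missing from the feed get EPSS 0.0."""
    return [Finding(cve, cvss, epss_scores.get(cve, 0.0), exposed)
            for cve, (cvss, exposed) in inventory.items()]


def risk_score(finding):
    """Probability of exploitation times severity, weighted up for
    internet-facing assets (the 1.5 weighting is an assumed policy)."""
    exposure = 1.5 if finding.internet_facing else 1.0
    return finding.epss * finding.cvss * exposure


def triage_bucket(finding):
    """Coarse action bucket derived from the assumed thresholds above."""
    if finding.epss >= ACT_NOW_EPSS:
        return "act now"
    if finding.cvss >= SCHEDULE_CVSS:
        return "schedule"
    return "monitor"


def rank_findings(findings):
    """Highest risk first; ties are broken by CVSS so severity still counts."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


if __name__ == "__main__":
    scored_on, epss = parse_epss_feed(EPSS_FEED)
    print(f"EPSS scored {scored_on}, stale: {feed_is_stale(scored_on, date(2024, 8, 9))}")
    for f in rank_findings(build_findings(INVENTORY, epss)):
        print(f"{f.cve:14} CVSS {f.cvss:4} EPSS {f.epss:.3f} "
              f"risk {risk_score(f):6.3f} -> {triage_bucket(f)}")
```

The point the ranking makes is that the CVSS 9.8 finding is not at the top: a 7.5 with a high exploitation probability on an internet-facing host outranks it, while the CVSS 9.8 with a low EPSS is still scheduled rather than ignored. Real deployments should replace the constructed feed with the current EPSS data each time the ranking is run, which is why the staleness check is there.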

ESB-2024.5054 – Google Chrome: CVSS (Max): 8.8*

On August 6, 2024, Chrome’s Stable channel updated to version 127.0.6533.99 for Windows, Mac, and Linux, introducing five security fixes. Notable fixes include critical and high-severity vulnerabilities reported by external researchers, such as out-of-bounds memory access and use-after-free issues.

ESB-2024.5049 – Firefox: CVSS (Max): 9.8*

Mozilla's Security Advisory 2024-33, released August 6, 2024, addresses high-impact vulnerabilities in Firefox 129. Key issues include CVE-2024-7518, which allows fullscreen dialogs to be obscured, and CVE-2024-7519, involving out-of-bounds memory access in graphics handling. Other critical fixes cover type confusion in WebAssembly and various use-after-free vulnerabilities.

ESB-2024.5013 – Android: CVSS (Max): 9.8*

The August 2024 Android Security Bulletin addresses high-severity vulnerabilities affecting Android devices, including critical privilege escalation issues in the Framework component. Security patch levels of 2024-08-05 or later resolve these issues. Updates are available in the AOSP repository, with Android partners notified in advance.


Stay safe, stay patched and have a good weekend!

The AUSCERT team