Aggregator

由清华大学网络科学与网络空间研究院、奇安信集团、蚂蚁集团、广东联通、百度安全、赛尔网络主办，复旦大学计算机科学技术学院、西安交通大学、腾讯安全应急响应中心、北京蓝莲网安科技有限公司协办的DataCon

我们仍在 Day 1

A vulnerability classified as problematic was found in EventPrime Plugin up to 4.0.4.7 on WordPress. Affected by this vulnerability is an unknown functionality of the component Transaction Log Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-9865. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in PDF Flipbook, 3D Flipbook, PDF Embed, PDF Viewer Plugin up to 2.3.32 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-8717. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in MultiVendorX Plugin up to 4.2.4 on WordPress. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The identification of this vulnerability is CVE-2024-9943. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in MultiVendorX Plugin up to 4.2.4 on WordPress. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to missing authorization. This vulnerability was named CVE-2024-9531. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Elementor Header & Footer Builder Plugin up to 1.6.43 on WordPress. It has been classified as problematic. This affects an unknown part of the component Shortcode Handler. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2024-10050. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in HurryTimer Plugin up to 2.10.0 on WordPress and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to missing authorization. This vulnerability is handled as CVE-2024-8667. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in Realtek SD Card Reader Driver and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to denial of service. This vulnerability is known as CVE-2024-40432. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Snyk Gradle Plugin. Affected is an unknown function of the component Gradle Project Scanning. The manipulation leads to os command injection. This vulnerability is traded as CVE-2024-48964. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Realtek SD Card Reader Driver. This issue affects some unknown processing of the component Kernel Memory Handler. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2024-40431. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Xinhu RockOA 2.6.5. This vulnerability affects unknown code of the file webmain/system/beifen/beifenAction.php. The manipulation leads to path traversal. This vulnerability was named CVE-2024-48213. The attack needs to be initiated within the local network. There is no exploit available.

A vulnerability classified as critical has been found in Snyk Cli 1.996.0. This affects an unknown part of the component PHP Project Scanning. The manipulation leads to os command injection. This vulnerability is uniquely identified as CVE-2024-48963. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

2024-10-2312 min readBastionZero joined Cloudflare in May 2024. We are thrilled to announce Access f

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

At long last, there’s a spotlight — Application Detection and Response (ADR) — that shines the light into what’s been a blindspot: namely, the application layer. 

The post Application Layer Security: ADR Brings the Application Layer into Cybersecurity Monitoring and Response | Contrast Security appeared first on Security Boulevard.

Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day vulnerability in Fortinet’s FortiManager.

Update October 23: The blog has been updated with new information about in-the-wild exploitation and threat actor activity associated with this vulnerability.

View Change Log

FAQ

What is FortiJump?

FortiJump is a name given to a zero-day vulnerability in the FortiGate-FortiManager (FGFM) protocol in Fortinet’s FortiManager and FortiManager Cloud. It was named by security researcher Kevin Beaumont in a blog post on October 22. Beaumont also created a logo for FortiJump.

What are the vulnerabilities associated with FortiJump?

On October 23, Fortinet published an advisory (FG-IR-24-423) for FortiJump, assigning a CVE identifier for the flaw.

CVEDescriptionCVSSv3CVE-2024-47575FortiManager Missing authentication in fgfmsd Vulnerability9.8

What is CVE-2024-47575?

CVE-2024-47575 is a missing authentication vulnerability in the FortiGate to FortiManager (FGFM) daemon (fgfmsd) in FortiManager and FortiManager Cloud.

How severe is CVE-2024-47575?

Exploitation of FortiJump could allow an unauthenticated, remote attacker using a valid FortiGate certificate to register unauthorized devices in FortiManager. Successful exploitation would grant the attacker the ability to view and modify files, such as configuration files, to obtain sensitive information, as well as the ability to manage other devices.

Obtaining a certificate from a FortiGate device is relatively easy:

Comment
by from discussion
infortinet

 

According to results from Shodan, there are nearly 60,000 FortiManager devices that are internet-facing, including over 13,000 in the United States, over 5,800 in China, nearly 3,000 in Brazil and 2,300 in India:

When was FortiJump first disclosed?

There were reports on Reddit that Fortinet proactively notified customers using FortiManager about the flaw ahead of the release of patches, though some customers say they never received any notifications. Beaumont posted a warning to Mastodon on October 13:

Post by @[email protected]View on Mastodon

 

Was this exploited as a zero-day?

Yes, according to both Beaumont and Fortinet, FortiJump has been exploited in the wild as a zero-day. Additionally, Google Mandiant published a blog post on October 23 highlighting its collaborative investigation with Fortinet into the “mass exploitation” of this zero-day vulnerability. According to Google Mandiant, they’ve discovered over 50 plus “potentially compromised FortiManager devices in various industries.”

Which threat actors are exploiting FortiJump?

Google Mandiant attributed exploitation activity to a new threat cluster called UNC5820, adding that the cluster has been observed exploiting the flaw since “as early as June 27, 2024.”

Is there a proof-of-concept (PoC) available for this vulnerability/these vulnerabilities?

As of October 23, there are no public proof-of-concept exploits available for FortiJump.

Are patches or mitigations available for FortiJump?

The following table contains a list of affected products, versions and fixed versions.

Affected ProductAffected VersionsFixed VersionFortiManager 6.26.2.0 through 6.2.12Upgrade to 6.2.13 or aboveFortiManager 6.46.4.0 through 6.4.14Upgrade to 6.4.15 or aboveFortiManager 7.07.0.0 through 7.0.12Upgrade to 7.0.13 or aboveFortiManager 7.27.2.0 through 7.2.7Upgrade to 7.2.8 or aboveFortiManager 7.47.4.0 through 7.4.4Upgrade to 7.4.5 or aboveFortiManager 7.67.6.0Upgrade to 7.6.1 or aboveFortiManager Cloud 6.46.4 all versionsMigrate to a fixed releaseFortiManager Cloud 7.07.0.1 through 7.0.12Upgrade to 7.0.13 or aboveFortiManager Cloud 7.27.2.1 through 7.2.7Upgrade to 7.2.8 or aboveFortiManager Cloud 7.47.4.1 through 7.4.4Upgrade to 7.4.5 or aboveFortiManager Cloud 7.6Not affectedNot Applicable

Fortinet’s advisory provides workarounds for specific impacted versions if patching is not feasible. These include blocking unknown devices from attempting to register to FortiManager, creating IP allow lists of approved FortiGate devices that can connect to FortiManager and the creation of custom certificates. Generally speaking, it is advised to ensure FGFM is not internet-facing.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-47575 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
• FortiGuard Labs PSIRT FG-IR-24-423 Advisory

Change Log

Update October 23: The blog has been updated with new information about in-the-wild exploitation and threat actor activity associated with this vulnerability.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.