Aggregator
Patch Tuesday Update – January 2024
The post Patch Tuesday Update - January 2024 appeared first on Digital Defense.
The post Patch Tuesday Update – January 2024 appeared first on Security Boulevard.
CVE-2024-50349 | Git up to 2.48.0 ANSI Escape Sequence escape output (GHSA-hmg8-h7qf-7cxr / Nessus ID 214142)
CVE-2024-49375 | RasaHQ rasa/rasa-pro deserialization (GHSA-cpv4-ggrr-7j9v)
CVE-2024-55892 | TYPO3 up to 9.5.48/10.4.47/11.5.41/12.4.24/13.4.2 redirect (GHSA-2fx5-pggv-6jjr)
CVE-2024-55921 | TYPO3 up to 10.4.47/11.5.41/12.4.24/13.4.2 Extension Manager Module cross-site request forgery (GHSA-4g52-pq8j-6qv5)
CVE-2024-55891 | TYPO3 up to 13.4.2 Password Hash log file (GHSA-38x7-cc6w-j27q)
CVE-2025-23042 | Gradio up to 5.5.x Access Control List improper authorization (GHSA-j2jg-fq62-7c3h)
Allstate car insurer sued for tracking drivers without permission
FBI Wraps Up Eradication Effort of Chinese 'PlugX' Malware
Microsoft security advisory – January 2025 monthly rollup (AV25–021)
[Darknetlive Archive] Opiates Vendor "DopeKingUSA" Imprisoned for Distributing Fentanyl
Microsoft fixes actively exploited Windows Hyper-V zero-day flaws
Microsoft has marked January 2025 Patch Tuesday with a hefty load of patches: 157 CVE-numbered security issues have been fixed in various products, three of which (in Hyper-V) are being actively exploited.
The exploited Hyper-V vulnerabilities
The exploited zero-days are CVE-2025-21333 (a buffer overflow bug), CVE-2025-21334 and CVE-2025-21335 (use-after-free flaws), and they all allow attackers to elevate their privileges to SYSTEM on compromised Windows and Windows Server machines. They affect a component of … More →
The post Microsoft fixes actively exploited Windows Hyper-V zero-day flaws appeared first on Help Net Security.
WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites
Unsafe Deserialization Attacks Surge | December Attack Data | Contrast Security
Attacks on individual applications were down month to month in December 2024, but one of the most dangerous types of attacks was up significantly. That’s according to data Contrast Security publishes monthly about the detection and response of real-world application and application programming interface (API) attacks with Application Detection and Response (ADR). What you’re about to see is data that we gather from the attacks on our apps and those of our customers, anonymized and averaged.
The post Unsafe Deserialization Attacks Surge | December Attack Data | Contrast Security appeared first on Security Boulevard.
How to Prevent Risk From Unknown Build Assets
Find out why unknown build assets are a growing problem and how Legit can help.
The post How to Prevent Risk From Unknown Build Assets appeared first on Security Boulevard.
US govt says North Korea stole over $659 million in crypto last year
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Fortinet patched an authentication bypass vulnerability in FortiOS and FortiProxy that has been exploited in the wild as a zero-day since November 2024.
Background
On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability | 9.6 |

Analysis
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.
Zero Day Campaign May Have Been Active Since November
Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign, first observed in mid-November 2024, of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices: scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.
At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.
Historical exploitation of Fortinet FortiOS and FortiProxy
Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:
| CVE | Description | Patched | Tenable Blog |
|---|---|---|---|
| CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability |
| CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate) |
| CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 |
| CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy |
| CVE-2020-12812 | FortiOS Improper Authentication Vulnerability | July 2020 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
| CVE-2019-5591 | FortiOS Default Configuration Vulnerability | July 2019 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
| CVE-2018-13379 | FortiOS Path Traversal/Arbitrary File Read Vulnerability | August 2019 | CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild |

Proof of concept
At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.
Solution
Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

| Affected Product | Affected Version | Fixed Version |
|---|---|---|
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |

Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:
| Affected Product(s) | Vulnerability Description | Security Advisory | CVSSv3/Severity |
|---|---|---|---|
| FortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTester | An externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requests | FG-IR-23-494 | 4.1 / Medium |
| FortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASE | An unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication. | FG-IR-24-221 | 8.0 / High |
| FortiOS | An authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests and causing a denial of service (DoS) condition. | FG-IR-24-250 | 4.8 / Medium |
| FortiOS | An authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal. | FG-IR-23-473 | 6.2 / Medium |
| FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWeb | A path traversal vulnerability may be exploited by a remote attacker with access to the security fabric interface, allowing the attacker to access and modify arbitrary files. | FG-IR-24-259 | 7.1 / High |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition. | FG-IR-24-373 | 3.5 / Low |
| FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition. | FG-IR-24-266 | 7.5 / High |
| FortiOS | An authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities. | FG-IR-23-293 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads. | FG-IR-24-219 | 7.1 / High |
| FortiOS | An authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition. | FG-IR-24-267 | 3.2 / Low |
| FortiOS | An authenticated attacker may be able to exploit an improper access control vulnerability. | FG-IR-23-407 | 4.7 / Medium |
| FortiOS, FortiProxy and FortiSASE | An unauthenticated attacker may be able to exploit an HTTP response splitting vulnerability in FortiOS, FortiProxy and FortiSASE | FG-IR-24-282 | 6.4 / Medium |
| FortiOS | An unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information. | FG-IR-24-326 | 3.5 / Low |

Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
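As an added example for the "Identifying affected systems" step (this is not Tenable's or Fortinet's code), the following Python checks FortiOS and FortiProxy version strings against the affected and fixed ranges Fortinet lists for CVE-2024-55591 in the patch table above, then runs the check over a constructed device inventory. The hostnames and versions in the inventory are made up for the example; a version that falls outside the three listed ranges is reported as "not listed" rather than as safe, because the table above covers only those branches.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected/fixed ranges for CVE-2024-55591 as given in the FG-IR-24-535 patch
# table above: (product, first affected, last affected, first fixed).
AFFECTED_RANGES = [
    ("FortiOS",    (7, 0, 0), (7, 0, 16), (7, 0, 17)),
    ("FortiProxy", (7, 0, 0), (7, 0, 19), (7, 0, 20)),
    ("FortiProxy", (7, 2, 0), (7, 2, 12), (7, 2, 13)),
]

# Accepts "7.0.16", "v7.0.16" and "7.0.16 build0523"; any build suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Parse a Fortinet-style version string into (major, minor, patch); None if unparseable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def check_version(product: str, version: str) -> Dict[str, object]:
    """Classify one device: affected (True/False, or None if unparseable), the fix version, and why."""
    parsed = parse_version(version)
    if parsed is None:
        return {"affected": None, "fix": None,
                "reason": f"could not parse version {version!r}"}
    for name, first, last, fixed in AFFECTED_RANGES:
        # Tuples compare lexicographically on (major, minor, patch), so
        # 7.0.16 <= 7.0.16 counts as affected and 7.0.17 falls outside the range.
        if name.lower() == product.lower() and first <= parsed <= last:
            return {"affected": True, "fix": fmt(fixed),
                    "reason": f"{name} {fmt(parsed)} is within {fmt(first)}-{fmt(last)}"}
    # Not in a listed range: either already patched or a branch the table does not cover.
    return {"affected": False, "fix": None,
            "reason": f"{product} {fmt(parsed)} is not in a listed affected range"}


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS",    "7.0.15"),
    ("fw-edge-02", "FortiOS",    "v7.0.17 build0682"),
    ("proxy-01",   "FortiProxy", "7.2.12"),
    ("proxy-02",   "FortiProxy", "7.4.3"),
    ("fw-lab-01",  "FortiOS",    "unknown"),
]


def triage(inventory) -> Dict[str, List[Tuple[str, str, str, str]]]:
    """Bucket an inventory into hosts to patch now, hosts outside listed ranges, and unparseable entries."""
    report: Dict[str, List[Tuple[str, str, str, str]]] = {
        "patch_now": [], "not_listed": [], "unparseable": []}
    for host, product, version in inventory:
        result = check_version(product, version)
        if result["affected"] is True:
            report["patch_now"].append(
                (host, product, version, f"upgrade to {result['fix']} or above"))
        elif result["affected"] is False:
            report["not_listed"].append((host, product, version, str(result["reason"])))
        else:
            report["unparseable"].append((host, product, version, str(result["reason"])))
    return report


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_INVENTORY).items():
        print(bucket)
        for row in rows:
            print("  ", *row)
```

The "unparseable" bucket is kept separate on purpose: a device whose version cannot be read should be investigated, not silently counted as unaffected.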
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet assets:
Get more information
- Fortinet FG-IR-24-535 Security Advisory
- Arctic Wolf Blog - Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild appeared first on Security Boulevard.
Under Discussion: UK Mandatory Ransomware Incident Reporting
Banning ransom payments by public sector and critical infrastructure entities, notifying the government of any intent to pay a ransom, and reporting incidents to authorities comprise three counter-ransomware initiatives proposed by the British government. Which ones will pass muster?