Recent bundles
HPE Aruba Networking Product Security Advisory - HPESBNW04722 - 05-Nov-2024
2024-11-06T16:21:22 by Alexandre Dulaunoy
HPE Aruba Networking has released software patches for Access Points running Instant AOS-8 and AOS-10 that address multiple security vulnerabilities.
Reference - https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04722.txt
Related vulnerabilities: CVE-2024-47462, CVE-2024-47460, CVE-2024-42509, CVE-2024-47464, CVE-2024-47461, CVE-2024-47463
Mozilla Foundation Security Advisory 2024-55 Security Vulnerabilities fixed in Firefox 132
Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-55/
- CVE-2024-10458: Permission leak via embed or object elements
- CVE-2024-10459: Use-after-free in layout with accessibility
- CVE-2024-10460: Confusing display of origin for external protocol handler prompt
- CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
- CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
- CVE-2024-10463: Cross origin video frame leak
- CVE-2024-10468: Race conditions in IndexedDB
- CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
- CVE-2024-10465: Clipboard "paste" button persisted across tabs
- CVE-2024-10466: DOM push subscription message could hang Firefox
- CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4
Related vulnerabilities: CVE-2024-10467, CVE-2024-10465, CVE-2024-10461, CVE-2024-10464, CVE-2024-10459, CVE-2024-10462, CVE-2024-10460, CVE-2024-10458, CVE-2024-10466, CVE-2024-10463, CVE-2024-10468
NVIDIA has released a software security update for NVIDIA GPU Display Driver to address various issues.
CVE-2024-0126 - "NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."
Related vulnerabilities: CVE-2024-0119, CVE-2024-0126, CVE-2024-0118, CVE-2024-0127, CVE-2024-0121, CVE-2024-0117, CVE-2024-0128, CVE-2024-0120
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA
2024-10-21T08:27:33 by Alexandre Dulaunoy
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim's network.
Background
In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged by a customer to investigate malicious communication originating from their network. During the investigation, FGIR came across an adversary who had gained access to the customer’s network by exploiting the CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance.
Related vulnerabilities: CVE-2024-29824, CVE-2024-9380, CVE-2024-8190, CVE-2024-8963
Update on SVR Cyber Operations and Vulnerability Exploitation
2024-10-14T15:50:35 by Alexandre Dulaunoy
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom's National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation's Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats. Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia's ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
The authoring agencies are releasing this CSA to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [T1190] and escalation of privileges [T1068]. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs such as spearphishing [T1566], password spraying [T1078], abuse of supply chain [T1195] and trusted relationships [T1199], custom and bespoke malware, cloud exploitation, and living-off-the-land techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.
Ref: PDF - Update on SVR Cyber Operations and Vulnerability Exploitation
Related vulnerabilities: CVE-2023-40289, CVE-2023-42793, CVE-2023-24023, CVE-2023-45866, CVE-2022-40507, CVE-2021-27850, CVE-2023-37580, CVE-2023-20198, CVE-2023-38546, CVE-2023-40076, CVE-2023-35078, CVE-2021-41773, CVE-2023-29357, CVE-2023-5044, CVE-2023-4911, CVE-2023-6345, CVE-2023-40088, CVE-2018-13379, CVE-2023-4966, CVE-2023-36745, CVE-2023-38545, CVE-2023-24955, CVE-2021-42013, CVE-2023-40077
GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 by Nikhil George
Today we are releasing versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Security fixes
Table of security fixes:
Title | Severity
Run pipelines on arbitrary branches | Critical
An attacker can impersonate arbitrary user | High
SSRF in Analytics Dashboard | High
Viewing diffs of MR with conflicts can be slow | High
HTMLi in OAuth page | High
Deploy Keys can push changes to an archived repository | Medium
Guests can disclose project templates | Medium
GitLab instance version disclosed to unauthorized users | Low
Run pipelines on arbitrary branches
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164.
Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.
An attacker can impersonate arbitrary user
An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8970.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
SSRF in Analytics Dashboard
An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8977.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Viewing diffs of MR with conflicts can be slow
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of an MR with conflicts can be slow. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-9631.
Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.
HTMLi in OAuth page
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, it can be made to render as HTML under specific circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, 7.3). It is now mitigated in the latest release and is assigned CVE-2024-6530.
Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.
Deploy Keys can push changes to an archived repository
An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, 4.9). It is now mitigated in the latest release and is assigned CVE-2024-9623.
Thanks stevenorman for reporting this vulnerability.
Guests can disclose project templates
An issue has been discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, and all versions starting from 17.4 before 17.4.2. It was possible for guest users to disclose project templates using the API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-5005.
Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program.
GitLab instance version disclosed to unauthorized users
An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2024-9596.
This issue was discovered internally by GitLab team member Paul Gascou-Vaillancourt.
Bug fixes
17.4.2
Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-4-stable
Backport grpc-go v1.67.1 upgrade to 17.4
Update expected vulnerability in enable_advanced_sast_spec.rb
Skip multi-version upgrade job for stable branch MRs
Backport 17.4 Fix label filter by name for search
Restrict duo pro assignment email to duo pro for sm
Drop project_id not null constraint ci_deleted_objects
[Backport] Go-get: fix 401 error for unauthenticated requests
17.3.5
Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-3-stable
Backport: fix: Allow non-root user to run the bundle-certificates script 17.3
Skip multi-version upgrade job for stable branch MRs
Ensure restricted visibility levels is an array - 17.3 backport
17.2.9
Skip multi-version upgrade job for stable branch MRs
Ensure restricted visibility levels is an array - 17.2 backport
Updating
To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We're combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
Related vulnerabilities: CVE-2024-5005, CVE-2024-9596, CVE-2024-8977, CVE-2024-9631, CVE-2024-6530, CVE-2024-9623, CVE-2024-8970, CVE-2024-9164
The vulnerability, tracked as CVE-2024-9680, and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.
"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."
A patch has been made available on Tue, 08 Oct 2024 16:25:12 +0000.
Related vulnerabilities: CVE-2024-9680
Ivanti original security advisory
At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers. Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers.
In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues.
Ivanti is making a large investment in Secure by Design across our organization and signed the CISA Secure by Design pledge in May. You can follow along with our progress here.
Today, fixes have been released for the following Ivanti solutions: Ivanti Endpoint Manager Mobile (EPMM), Ivanti Cloud Service Application (CSA), Ivanti Velocity License Server, Ivanti Connect Secure and Policy Secure, and Ivanti Avalanche.
It is important for customers to know:
We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963. We have not observed these vulnerabilities being exploited in any version of CSA 5.0.
We have no evidence of any other vulnerabilities being exploited in the wild.
These vulnerabilities do not impact any other Ivanti products or solutions.
More information on these vulnerabilities and detailed instructions on how to remediate the issues can be found in these Security Advisories:
- Ivanti EPMM
- Ivanti CSA
- Ivanti Velocity License Server
- Ivanti Avalanche
- Ivanti Connect Secure/Policy Secure
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).
Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader / functionality in your email program.
Original source: https://www.ivanti.com/blog/october-2024-security-update
Counter analysis from @screaminggoat@infosec.exchange
"Ivanti Security Advisory: Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381). Very sneaky of Ivanti to quietly update the security advisory without a changelog: they removed CVE-2024-9381 (CVSSv3: 7.2 high) Path traversal in Ivanti CSA before version 5.0.2 from the exploitation announcement:"
Original source: https://social.circl.lu/@screaminggoat@infosec.exchange/113278926244627512
Related vulnerabilities: CVE-2024-9379, CVE-2024-9380, CVE-2024-8963, CVE-2024-9381
Following the initial research published by evilsocket.net in "Attacking UNIX Systems via CUPS, Part I".
OpenPrinting Vendor Fixes
- CVE-2024-47176: cups-browsed binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a get-printer-attributes IPP request to an attacker-controlled URL (GHSA)
- CVE-2024-47076: cfGetPrinterAttributes5() (libcupsfilters 2.x) and get_printer_attributes5() (cups-filters 1.x) do not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system (GHSA)
- CVE-2024-47175: In libppd, ppdCreatePPDFromIPP2() does not validate or sanitize the IPP attributes when writing them to the PPD file, allowing the injection of attacker-controlled data into the resulting PPD (GHSA)
- CVE-2024-47177: cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter (GHSA)
The already available fixes are sufficient to prevent the exploit.
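A host-side exposure check for the chain above, added here as an example; it is not code from the original page, from evilsocket's research or from the OpenPrinting project. Every step of the chain starts from CVE-2024-47176, so the first thing a practitioner wants to know is whether cups-browsed has a UDP 631 listener at all and whether the legacy CUPS browsing protocol that accepts unsolicited packets is enabled. The script parses the text of "ss -lunp" and of /etc/cups/cups-browsed.conf. Assumptions, labelled as such: the BrowseRemoteProtocols directive (or BrowseProtocols, which sets local and remote together) controls that listener, its upstream default is "dnssd cups", and the value "none" turns it off. The ss rows and config lines embedded at the bottom are constructed for an offline run, not captured from a real host.

```python
"""Exposure check for the cups-browsed UDP/631 attack surface.

Added example, not code from the original page or from OpenPrinting. It parses
the text of `ss -lunp` and of /etc/cups/cups-browsed.conf and reports whether a
UDP 631 listener exists, whether it belongs to cups-browsed, and whether the
legacy CUPS browsing protocol is enabled. Assumptions (not verified against
the page): BrowseRemoteProtocols/BrowseProtocols govern that listener, the
upstream default is "dnssd cups", and "none" disables it.
"""
import re
import subprocess

# One `ss -lunp` row, e.g.
# UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
_SS_ROW = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+(?P<local>\S+?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?'
)
_WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def udp_listeners(ss_output: str, port: int = 631) -> list[dict]:
    """UDP sockets bound to `port`; process is None when ss was not run as root."""
    rows = []
    for line in ss_output.splitlines():
        m = _SS_ROW.match(line.strip())
        if m and int(m.group("port")) == port:
            rows.append({
                "local": m.group("local"),
                "process": m.group("proc"),
                "pid": int(m.group("pid")) if m.group("pid") else None,
                # a wildcard bind is reachable from every interface, as in CVE-2024-47176
                "wildcard": m.group("local") in _WILDCARDS,
            })
    return rows


def browse_remote_protocols(conf_text: str) -> set[str]:
    """Effective remote browse protocols; the last matching directive wins.

    Simplification: BrowseProtocols (local + remote) is treated the same as
    BrowseRemoteProtocols, and "none" yields the empty set.
    """
    value = "dnssd cups"  # assumed upstream default when the directive is absent
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) >= 2 and parts[0].lower() in ("browseremoteprotocols", "browseprotocols"):
            value = " ".join(parts[1:])
    return {p.lower() for p in value.split()} - {"none"}


def assess(ss_output: str, conf_text: str) -> dict:
    """Combine socket state and configuration into a single verdict."""
    listeners = udp_listeners(ss_output)
    protocols = browse_remote_protocols(conf_text)
    owned_by_cups_browsed = any(row["process"] == "cups-browsed" for row in listeners)
    # Without root, ss hides socket owners: fall back to the config to attribute the socket.
    unattributed = bool(listeners) and all(row["process"] is None for row in listeners)
    exposed = owned_by_cups_browsed or (unattributed and "cups" in protocols)
    return {
        "udp_631_listeners": listeners,
        "browse_remote_protocols": protocols,
        "legacy_cups_browsing": "cups" in protocols,
        "exposed": exposed,
    }


# Constructed sample data for an offline run (not captured from a real host).
SAMPLE_SS_EXPOSED = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*     users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0          127.0.0.53:53        0.0.0.0:*     users:(("systemd-resolve",pid=611,fd=13))
"""
SAMPLE_SS_CLEAN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0          127.0.0.53:53        0.0.0.0:*     users:(("systemd-resolve",pid=611,fd=13))
"""
SAMPLE_CONF_DEFAULT = "# stock file, directive commented out\n# BrowseRemoteProtocols dnssd cups\n"
SAMPLE_CONF_HARDENED = "BrowseRemoteProtocols dnssd   # legacy CUPS browsing off\n"


def main() -> None:
    try:
        ss_out = subprocess.run(["ss", "-lunp"], capture_output=True, text=True, check=True).stdout
        with open("/etc/cups/cups-browsed.conf") as fh:
            conf = fh.read()
    except (OSError, subprocess.CalledProcessError):
        ss_out, conf = SAMPLE_SS_EXPOSED, SAMPLE_CONF_DEFAULT  # fall back to the constructed sample
    for key, val in assess(ss_out, conf).items():
        print(f"{key}: {val}")


if __name__ == "__main__":
    main()
```

Run it as root so that ss attributes the socket to its owning process; without root the script falls back to the configuration to decide whether an unattributed UDP 631 socket is cups-browsed's. A clean verdict only describes the current state of the host: a cups-browsed that is stopped now but still enabled at boot will be exposed again after a restart, so pair the check with the service-level mitigation (stopping and disabling cups-browsed) described in the vendor references below.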
Additional vulnerabilities
- CVE-2024-47850 - CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an arbitrary destination and port in response to a single IPP UDP packet requesting a printer to be added, a different vulnerability than CVE-2024-47176. (The request is meant to probe the new printer but can be used to create DDoS amplification attacks.)
Additional reference
- You're probably not vulnerable to the CUPS CVE
- OpenPrinting OpenPrinting News Flash - cups-browsed Remote Code Execution vulnerability
- Debian CVE-2024-47176
- Ubuntu USN-7042-1: cups-browsed vulnerability
- RedHat Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177
Related vulnerabilities: CVE-2024-47076, CVE-2024-47850, GHSA-RJ88-6MR5-RCW8, GHSA-7XFX-47QG-GRP6, CVE-2024-47175, GHSA-P9RH-JXMQ-GQ47, CVE-2024-47177, GHSA-W63J-6G73-WMG5, CVE-2024-47176
TL;DR: All versions of Red Hat Enterprise Linux (RHEL) are affected by CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, but are not vulnerable in their default configurations.
Red Hat has been made aware of a group of vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177) within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions, including RHEL. Specifically, CUPS provides tools to manage, discover and share printers for Linux distributions. By chaining this group of vulnerabilities together, an attacker could potentially achieve remote code execution which could then lead to theft of sensitive data and/or damage to critical production systems.
Red Hat rates these issues with a severity impact of Important. While all versions of RHEL are affected, it is important to note that affected packages are not vulnerable in their default configuration. At this time, there are four CVEs assigned to these vulnerabilities, but the exact number is still being coordinated with the upstream community and the researcher who discovered the problem.
Related vulnerabilities: CVE-2024-47076, CVE-2024-47176, CVE-2024-47177, CVE-2024-47175