Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.
The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.
All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user.
"If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco said about CVE-2024-20252 and CVE-2024-20254.
On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.
Another crucial difference between the two sets of flaws is that while the former two affect Cisco Expressway Series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API feature has been enabled. It's disabled by default.
Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.
Fortinet, for its part, has released a second round of updates to address bypasses for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.
Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.7), the flaws "may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests."
It's worth noting that Fortinet resolved another variant of CVE-2023-34992 by closing out CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are fixed, or will be fixed, in the following versions:
- FortiSIEM version 7.1.2 or above
- FortiSIEM version 7.2.0 or above (upcoming)
- FortiSIEM version 7.0.3 or above (upcoming)
- FortiSIEM version 6.7.9 or above (upcoming)
- FortiSIEM version 6.6.5 or above (upcoming)
- FortiSIEM version 6.5.3 or above (upcoming)
- FortiSIEM version 6.4.4 or above (upcoming)
Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight):
- CVE-2024-22237 (CVSS score: 7.8) - Local privilege escalation vulnerability that allows a console user to gain regular root access
- CVE-2024-22238 (CVSS score: 6.4) - Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations
- CVE-2024-22239 (CVSS score: 5.3) - Local privilege escalation vulnerability that allows a console user to gain regular shell access
- CVE-2024-22240 (CVSS score: 4.9) - Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information
- CVE-2024-22241 (CVSS score: 4.3) - Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account
To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are advised to upgrade to version 6.12.0.
Considering the history of exploitation when it comes to Cisco, Fortinet, and VMware flaws, patching is a necessary and crucial first step for organizations to address these flaws.
Update:
Horizon3.ai has made available a proof-of-concept (PoC) exploit for CVE-2024-23108, a bypass for CVE-2023-34992 that could lead to remote code execution. "There is very little difference in the exploitation of the previous command injection, CVE-2023-34992, to this one, CVE-2024-23108, reported 6 months later," Hanley said.
(The story was updated after publication on May 29, 2024, to revise the CVSS scores for CVE-2024-23108 and CVE-2024-23109 from 9.8 to 9.7, reflecting the advisory from Fortinet, and to include information about the availability of a PoC for CVE-2024-23108.)