
Top Trending CVEs of February 2024


February 2024 is off to a ripping start for security research. This month we’re focusing on a piece of open source CMS software, not because of its supreme popularity, but because the XSS vector it’s vulnerable to is pretty interesting. We also dive into an RCE attack chain against a data loss prevention (DLP) solution that reads like a capture the flag (CTF) exercise. It turns out Ivanti is having a difficult time addressing a recent spate of critical vulnerabilities, as last month’s patch resulted in the discovery of additional risk vectors. Finally, we cover a Microsoft Exchange privilege escalation vulnerability that could enable motivated threat actors to steal your NTLM password hash. Fill up your coffee and drop to a command line as we cover the trending CVEs of February.

 

1. Ghost CMS Persistent XSS CVE-2024-23724

Researchers at Rhino have identified a persistent cross-site scripting (XSS) vulnerability that impacts Ghost CMS. Ghost CMS is an open-source content management platform. The attack chain is pretty interesting, but does require authenticated access. The research team discovered that users of Ghost CMS were able to upload an avatar to their account profile. Supported formats included the usual crop of raster images such as PNG and JPG, as well as SVG. SVG images use an XML markup language to define a vector graphic. The profile editor is accessible to all users, which makes it a convenient means for less privileged accounts to target accounts with elevated privileges. As it turned out, Ghost CMS performed no validation of uploaded SVG files, so it was easy to craft a malicious SVG containing JavaScript.
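The root cause above is an upload path that accepts SVG without inspecting it. The following is an added example of the server-side screening that closes that gap; it is not Ghost CMS code, and the tag and attribute lists, the helper names and the two sample uploads are our own conservative choices. It rejects any SVG that carries a script-capable element, an on* event handler, or an href whose scheme resolves to JavaScript after the whitespace tricks browsers tolerate are stripped.

```python
"""Server-side SVG screening for avatar uploads.

Added example (not Ghost CMS code): rejects SVG files that can carry
active content. The tag/attribute lists are our own conservative choice.
"""
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or embed foreign documents/styles.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "style"}
# URL schemes that turn a link or reference into script execution.
SCRIPT_SCHEMES = ("javascript:", "data:text/html", "vbscript:")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def svg_findings(data):
    """Return a list of reasons the SVG is unsafe; an empty list means it passed."""
    try:
        # Note: use defusedxml.ElementTree in production so the parser itself
        # is also protected against entity-expansion (billion laughs) inputs.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    if _local(root.tag) != "svg":
        return ["root element is <%s>, not <svg>" % _local(root.tag)]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append("<%s> element" % tag)
        for name, value in el.attrib.items():
            lname = _local(name)
            # Any on* attribute (onload, onclick, onbegin, ...) is an event handler.
            if lname.lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (lname, tag))
            # href and xlink:href share the local name "href". Remove whitespace
            # and control characters inside the scheme before comparing, since
            # browsers ignore them ("java\tscript:" still runs).
            if lname == "href":
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    findings.append("scriptable URL in %s on <%s>" % (lname, tag))
    return findings


def is_safe_svg(data):
    """True if the upload should be accepted as a plain vector image."""
    return not svg_findings(data)


# Constructed sample uploads (not taken from the Rhino research).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')
UNSAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              b'<script>/* constructed placeholder */</script>'
              b'<a xlink:href=" JavaScript:void(0)"><text>x</text></a></svg>')

if __name__ == "__main__":
    print("benign:", svg_findings(BENIGN_SVG))
    print("unsafe:", svg_findings(UNSAFE_SVG))
```

A deny-list like this is the minimum; rasterising the avatar on upload (or serving SVGs only from a separate origin with a restrictive Content-Security-Policy) removes the class entirely rather than chasing individual vectors.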

Executing JavaScript is nice, but the team wanted to identify a means for a user in the least privileged role, a contributor, to elevate to that of an owner. The owner role is like the Highlander: there can be only one, and it can manage all settings and users on the instance. Although there can be only one owner account, the owner can reassign the designation to an admin-level account. To begin the attack the Rhino team needed to identify a few key pieces of information. As it turned out, all of the needed information was accessible to any authenticated user via a request to the “/ghost/api/admin/users/?include=roles” endpoint. This seems like an authorization vulnerability, but maybe Ghost CMS is just loose with the definition of sensitive data. Using the user data, it’s possible to craft an XSS payload that, if accessed by a user in the owner role, will elevate the contributor account to an administrator and designate it as the owner. From persistent XSS to Ghost CMS takeover. Nice. The team at Rhino has released a Python tool to automate the creation and deployment of the malicious SVG payload. In a weird twist, the Ghost CMS team did not believe the persistent XSS vulnerability was actually a vulnerability, because the attack required authenticated access, i.e. inherent trust. Lame. Not to be deterred, Rhino released their own patch! So, patch now!

Severity   Complexity   CVSS Score
Critical   Low          ?.?


Systems Impacted: 

  • 5.76.0 or earlier

Read more:

 

2. GTB Central Console DLP SQLi to RCE (CVE-2024-22108 & CVE-2024-22107)

GTB Central Console is an enterprise data loss prevention (DLP) solution. Researchers recently discovered that the software was prone to authenticated remote command execution (CVE-2024-22107). The DLP platform is deployed as a custom, stand-alone build of CentOS. Upon boot a prompt appears for credentials, and this is exactly where the research begins.

Default credentials enabled the execution of a configuration console upon boot, but didn’t facilitate trivial command execution. The researcher tried to edit the GRUB boot loader to force a shell, but the boot loader was password protected. To bypass this restriction, the researcher booted an Ubuntu Live CD and replaced the Grub2 configuration with one using a known password. Once booted, it was possible to edit the boot loader entry, append “init=/bin/bash”, and boot into a root shell. After a few clever tricks, it was possible to create a root user. This set the stage for a detailed analysis of the entire file system.

The researcher noted that when the web administration console is accessed, three requests were immediately made to various PHP scripts. The researcher quickly isolated an unauthenticated SQL injection vulnerability (CVE-2024-22108) that could be exploited to create a new administrator account with a known password. Having attained unauthorized admin access to the platform, the researcher expanded the analysis of PHP scripts on the instance. Using some clever grepping to isolate scripts with hallmarks of command execution, the researcher quickly identified the perfect vector for trivial remote command execution. What a great attack chain.
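The SQL injection step above is a generic bug class, so here is an added example of the vulnerable pattern beside its fix. It is not GTB code and does not reproduce the GTB flaw: the in-memory SQLite table, the function names and the probe string are constructed, and the point is only that a bound parameter cannot change the statement's logic no matter what the request contains.

```python
"""Unauthenticated SQL injection: the vulnerable pattern beside its fix.

Added example, not GTB code; the schema and the probe string are constructed.
"""
import sqlite3


def make_db():
    """In-memory stand-in for an appliance's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', '<hash placeholder>', 'admin')")
    con.execute("INSERT INTO users VALUES ('alice', '<hash placeholder>', 'viewer')")
    return con


def find_user_vulnerable(con, username):
    """Request text is spliced into the statement, so it can rewrite its logic."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return con.execute(sql).fetchall()


def find_user_safe(con, username):
    """Bound parameter: the driver passes the value separately from the SQL
    text, so a quote in the input can never terminate the string literal."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


# Constructed probe: a quote that closes the literal plus an always-true clause.
PROBE = "nobody' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", find_user_vulnerable(con, PROBE))  # every row comes back
    print("safe:      ", find_user_safe(con, PROBE))        # no such user: []
```

The same rule applies to the PHP scripts the research describes: prepared statements (PDO or mysqli with bound parameters) rather than interpolated request fields, plus a web application firewall signature for quote-and-OR patterns as a detection layer while the patch is rolled out.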

I’m not sure how prevalent GTB Central Console is in the wild, but the research was excellent nonetheless. It features a great blend of Grub2 boot hacks, code analysis, SQL injection, and remote command execution. It reads like a capture the flag. These techniques could easily be applied to other similar platforms and black-box Linux devices.

CVE                     Severity   Complexity   CVSS Score
CVE-2024-22108 (SQLi)   Critical   Low          9.8
CVE-2024-22107 (RCE)    High       Low          7.2


Systems Impacted: 

  • 15.17.1-30814.NG and earlier

Read more

3. Ivanti SSL VPN CVE-2024-21888 and CVE-2024-21893

Ivanti has had a rough couple of months. After researchers uncovered an unauthenticated RCE attack chain last month, the assault has continued. In-house researchers at Ivanti identified two new high risk vulnerabilities that impact Connect Secure, Policy Secure, and ZTA gateway products. CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability that was identified by Rapid7 as a means to bypass a patch for an authentication bypass vulnerability identified last month (CVE-2024-46805).

Although Ivanti implemented filters on the front-end to prevent authentication bypass, the application uses a Python TCP service operating on local port 8090 to fulfill back-end requests. The service only accepts requests originating from localhost and, because it relies on other components to regulate access, it does not require any form of authentication to fulfill a request. Neat. By leveraging an exploit for CVE-2024-21893 to submit an HTTP request via SAML XML injection to a key-status service on the back-end, it was possible to achieve RCE via CVE-2024-21887, which was also patched last month.


There are few details available regarding CVE-2024-21888; however, exploitation in the wild has not yet been observed. Based on the available research, CVE-2024-21888 enables any Ivanti user to elevate to the level of an administrator. It’s possible this could be chained with the SSRF vulnerability to take over an Ivanti instance from an unauthenticated perspective; however, this is speculative. Ivanti has released a fresh patch to address the SSRF and privilege escalation vulnerabilities. Patch now!

CVE              Severity   Complexity   CVSS Score
CVE-2024-21888   High       Low          8.8
CVE-2024-21893   High       Low          8.2


Systems/Applications Impacted:

  • Ivanti Connect/Pulse Secure:
    • 9.1R14.4
    • 9.1R17.2
    • 9.1R18.3
    • 22.4R2.2
    • 22.5R1.1
  • ZTA:
    • 22.6R1.3

Read more:

 

4. Microsoft Exchange Escalation of Privileges CVE-2024-21410

Microsoft has released a patch to address a critical vulnerability impacting Microsoft Exchange. The vulnerability could be exploited by an attacker to obtain the NetNTLMv2 hash of a domain user and relay those credentials to the Exchange server to execute unauthorized actions on the victim’s behalf. The attack chain should enable an unauthenticated adversary to elevate privileges, potentially to that of a domain administrator under the right conditions. At this time it is not clear what specific endpoint is being exploited on Exchange (my money is on Exchange Web Services); however, Microsoft’s cumulative update (CU) guidance only recommends enabling Extended Protection on all Exchange deployments. Enabling Extended Protection significantly reduces the risk of relay attacks. This setting is enabled by default with the latest CU, CU14. It’s worth noting that Windows Extended Protection is a feature of IIS, not something unique to Exchange, and has been a configuration recommended by Microsoft since August 2022. We’ll be sure to keep a pulse on this one as details emerge.
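Because the mitigation is an IIS setting rather than an Exchange one, it can be audited straight from the IIS configuration. The following is an added example (not Microsoft's ExchangeExtendedProtectionManagement script) that reads the <location> blocks of an applicationHost.config, collects the extendedProtection tokenChecking value for every virtual directory that uses Windows authentication, and lists those that are not at Require. The sample config fragment is constructed, and the assumption that every directory passed in should be at Require is ours; Microsoft's guidance documents the expected level per virtual directory.

```python
"""Audit IIS Extended Protection settings (the relay mitigation for CVE-2024-21410).

Added example, not Microsoft's script. Reads the <location> blocks of an IIS
applicationHost.config and reports the tokenChecking value of each virtual
directory that uses Windows authentication. Which directories must be "Require"
versus "Allow" is Microsoft's documented table; this checker assumes "Require"
for everything it is given.
"""
import xml.etree.ElementTree as ET


def extended_protection_report(config_xml):
    """Map 'site/vdir' -> tokenChecking value ('None' when the element is absent)."""
    root = ET.fromstring(config_xml)
    report = {}
    for loc in root.iter("location"):
        path = loc.get("path", "")
        # Tag names containing dots (system.webServer) confuse ElementPath
        # expressions, so walk the subtree with iter() instead of find("a/b/c").
        for win in loc.iter("windowsAuthentication"):
            if win.get("enabled", "false").lower() != "true":
                continue
            ep = win.find("extendedProtection")
            report[path] = ep.get("tokenChecking", "None") if ep is not None else "None"
    return report


def vdirs_without_required_ep(config_xml, required="Require"):
    """Virtual directories whose tokenChecking is weaker than the expected level."""
    report = extended_protection_report(config_xml)
    return sorted(path for path, value in report.items() if value != required)


# Constructed applicationHost.config fragment: one compliant vdir, one at Allow
# (a client that omits the channel binding token still authenticates, so a
# relayed session is still accepted), and one with no extendedProtection at all.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Autodiscover">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/mapi">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for path in vdirs_without_required_ep(SAMPLE_CONFIG):
        print("Extended Protection not at Require:", path)
```

On a real server the file lives under %windir%\System32\inetsrv\config\applicationHost.config; run the check after every CU install, since a CU can reset virtual directory settings, and treat any Allow or None on an authenticated Exchange vdir as a finding.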

Severity   Complexity   CVSS Score
Critical   Low          9.8


Systems/Applications Impacted:

  • Exchange 2019
  • Exchange 2016

Read more:


To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let the NopSec platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what the NopSec platform can do in action register for our monthly platform walkthrough webinar. Bring any questions you have and we’ll be happy to answer them!
