Top Trending CVEs of January 2024
- Jan 31, 2024
- Shawn Evans
Happy New Year! We open 2024 with an interesting mix of vulnerabilities, some of which have been patched for nearly a year. We're going back in time; 2023 was too juicy. We begin with a privilege escalation vulnerability impacting Windows that was discovered through a happy accident. We also cover an Adobe ColdFusion vulnerability that results in unauthenticated RCE. It turns out this vulnerability seemed to hit government agencies the hardest. Someone should maybe inform our government to ditch ColdFusion? We save the best for last and take a look at a serious duo of vulnerabilities that impact Ivanti (formerly Pulse Secure) SSL VPNs. The research leaves off on a cliffhanger, just like this intro. Roll up your sleeves and drop into a command line as we cover the trending CVEs of January 2024.
Researchers have stumbled across a privilege escalation vulnerability that impacts Microsoft Windows. The vulnerability is rooted in the XAML subsystem. XAML is a markup language developed by Microsoft that facilitates the creation of user interface elements for Windows desktop applications (much like HTML can be used to render a web page).
The vulnerability is present due to a lack of token handle validation, which enables an attacker to inject a DLL from a non-elevated process into an elevated process. Specifically, the researcher found that the issue was rooted in the InitializeXamlDiagnosticsEx API. This function is the entry point for debugging any XAML-based application, which includes elevated processes such as Task Manager and Windows Terminal. The debugging mechanism, first introduced in later builds of Windows 10, is intended for diagnosing XAML apps. Due to a lack of security checks it's possible to abuse the diagnostic feature to inject DLLs into arbitrary processes, including elevated ones. The mechanism also sidesteps UAC, so no consent prompt is shown that might tip off the user. This exploit will certainly be chained with other vulnerabilities and post-exploitation methods that require elevated privileges.
Successful exploitation requires that an attacker already have a foothold on the system, i.e. the ability to execute commands. One of the more interesting aspects of this vulnerability is that the vulnerable XAML component leverages undocumented API methods within CoreMessaging.dll for interprocess communication. These mechanisms facilitate messaging between processes of differing privilege levels, which could harbor similar, still unknown, privilege escalation bugs. The researcher noted that the Emoji input method could provide a means for a non-elevated process to send arbitrary messages to an elevated terminal window, which could lead to command execution. This is speculative; only time and further research will tell whether it merits attention. Microsoft released a patch in December to address the issue. The proof of concept released by the researcher is mature and primed for use by malicious actors. Patch now!
Researchers have identified an unauthenticated remote command execution (RCE) vulnerability that impacts Adobe ColdFusion. ColdFusion has been a reliable target for remote command execution vulnerabilities for literally decades at this point. It's like the golden goose of vulnerability research. Adobe, to their credit, is receptive to research and patches vulnerabilities promptly, enabling the cycle to begin once more (said in the voice of David Attenborough).
This iteration of ColdFusion RCE technically covers two discrete vulnerabilities. The first exploit relies on a crafted JSON payload that contains path-traversal characters. Conventionally, the JSON payload contains metadata about the script, such as variables and associated classes. Due to a lack of validation on the "classname" element, it's possible to compel the server to read arbitrary files on the victim via a POST request to any *.cfc script present in a standard ColdFusion deployment.
Researchers discovered that the same mechanism that facilitated path traversal via classname manipulation could also be exploited to define ColdFusion specific elements, i.e. server side scripts, which includes the <cfexecute> tag used to start a process on the server. Using a crafted POST request it’s possible to cause trivial remote command execution with a single cURL command.
While exploitation of this RCE vulnerability is straightforward, the nature of the vulnerability isn't as direct. By decompiling the ColdFusion core, researchers were able to compare differences between patched and unpatched versions. Using this test harness it was discovered that the path-traversal vulnerability not only resulted in arbitrary file read, but also arbitrary file compilation, due to some unexpected behavior within ColdFusion's template mapping logic. This means that any valid ColdFusion code present in a file on the system could technically be compiled and executed. Arbitrary system files will not normally contain ColdFusion tags. However, what if an attacker could inject server-side tags into a file on the victim host, such as a log file, and then tell the server to read and compile that log file? Well, that would result in unauthenticated remote command execution. It's Log4Fusion!
What a clever attack chain! We won't get into the nitty-gritty details of the unexpected behavior, but suffice it to say the simplicity of the exploit doesn't provide a complete picture. We encourage everyone to read the full blog at SecureLayer7. This vulnerability has technically been patched for a year now; however, recent campaigns from Chinese hacking groups inspired additional coverage of the risk. If you're running ColdFusion you should already be patched, but if this is news, patch now and scrutinize the system for any abnormalities or indicators of compromise.
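The two request patterns described above (a path-traversal string in the JSON "classname" element, and ColdFusion tags smuggled into something the server will write to a log) are easy to spot in traffic or access logs. The following detection logic is an added example written for this post; it is not code from SecureLayer7, Adobe or the original article. The `_metadata`/`_variables` wrapper shape, the form-encoded field carrying the JSON, the extra cf tags beyond `<cfexecute>`, and the sample requests themselves are all constructed assumptions, not captured traffic.

```python
import json
import re
from urllib.parse import parse_qs

# Path-traversal sequences that should never appear in a classname value.
TRAVERSAL = re.compile(r"\.\.[/\\]")
# <cfexecute> is the tag the post names; the other tags are common companions
# an attacker would try (assumption, not from the post).
CF_TAG = re.compile(r"<\s*cf(?:execute|script|http|file|query)\b", re.IGNORECASE)


def _json_documents(body):
    """Yield each JSON document in a body: the body itself if it is JSON,
    otherwise every form field whose value parses as JSON (the wrapper
    shape is an assumption)."""
    try:
        yield json.loads(body)
        return
    except ValueError:
        pass
    for values in parse_qs(body, keep_blank_values=True).values():
        for value in values:
            try:
                yield json.loads(value)
            except ValueError:
                continue


def _walk(node, key=None):
    """Yield (nearest key, scalar) pairs from an arbitrarily nested JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v, key)
    else:
        yield key, node


def scan_request(request):
    """Return a list of findings for one request (empty list means clean)."""
    findings = []
    body = request.get("body", "")

    # 1. Arbitrary file read / compile: path traversal in a classname element.
    for doc in _json_documents(body):
        for key, value in _walk(doc):
            if key == "classname" and isinstance(value, str) and TRAVERSAL.search(value):
                findings.append(f"traversal in classname: {value}")

    # 2. Log poisoning: ColdFusion tags in anything the server may write to a
    #    log (URL, headers, body), which the traversal bug could later compile.
    surfaces = [("path", request.get("path", "")), ("body", body)]
    surfaces += [(f"header:{name}", val) for name, val in request.get("headers", {}).items()]
    for where, text in surfaces:
        match = CF_TAG.search(text)
        if match:
            findings.append(f"ColdFusion tag in {where}: {match.group(0)}")
    return findings


# Constructed sample traffic (not real captures): benign, traversal, log poisoning.
SAMPLE_REQUESTS = [
    {
        "path": "/app/handler.cfc?method=list",
        "headers": {"User-Agent": "Mozilla/5.0"},
        "body": '{"_metadata": {"classname": "list"}, "_variables": []}',
    },
    {
        "path": "/app/handler.cfc?method=list",
        "headers": {"User-Agent": "Mozilla/5.0"},
        "body": '_variables={"_metadata":{"classname":"../../../../../etc/passwd"},"_variables":[]}',
    },
    {
        "path": "/app/handler.cfc?method=list",
        "headers": {"User-Agent": '<cfexecute name="/usr/bin/id" variable="out" timeout="5"></cfexecute>'},
        "body": "",
    },
]


def scan_all(requests=SAMPLE_REQUESTS):
    """Scan a batch of requests and return one findings list per request."""
    return [scan_request(r) for r in requests]


if __name__ == "__main__":
    for req, findings in zip(SAMPLE_REQUESTS, scan_all()):
        print(req["path"], findings or "clean")
```

Feed it decoded request records from a WAF or reverse-proxy log; the second check is deliberately broad, because the whole point of the log-poisoning chain is that the tags can arrive in any field that ends up on disk, not just in the JSON body.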
I feel like we've covered quite a few SSL VPN vulnerabilities lately. Researchers have discovered that Ivanti (formerly Pulse Secure) Connect Secure and Policy Secure products are prone to two critical vulnerabilities that, when chained, result in unauthenticated remote command execution. The best kind of command execution. The exploit chain consists of an authentication bypass vulnerability, which opens the door to a command injection reachable only by authorized users. The rub here is that Ivanti has only released a mitigation XML file and not a proper, formal patch to squash the bugs. As a result, researchers have elected to withhold the complete picture until Ivanti releases said patch. However, they quite precisely determined the root cause and developed a functional exploit. The gist of the exploit focuses on API endpoints accessible to unauthenticated users. Although no formal patch has been released, the XML mitigation file released by Ivanti does at least provide an additional layer of defense by blocking unauthenticated users from reaching those API functions. However, the underlying code remains vulnerable and unchanged.
Because the mitigation works by blocking the API path, checking whether a deployment has it applied is trivial and can be accomplished with cURL.
$ curl -v https://host/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark
On unmitigated deployments of Connect Secure and Policy Secure the above request will result in an empty 403 response. On deployments with the mitigation XML applied the response includes a complete HTML page. Note that this only tells you whether the mitigation is in place, not whether the device was compromised before it was applied. It is strongly recommended that all admins apply the provided XML mitigation. Ivanti also recommends that integrity checks be performed to identify any changes to the disk image. This exploit chain is being actively exploited in the wild by APT groups. We encourage you to read the Volexity blog for a detailed breakdown of the indicators of compromise to triage hosts.
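Running that one cURL command by hand works for a single appliance; across a fleet it is easier to script. The following is an added example (not code from Ivanti, Volexity or the original post) that sends the same probe and classifies the answer using exactly the two signals described above: an empty 403 means the API is still reachable and the mitigation is absent, a full HTML page means the mitigation XML is present. Disabling TLS verification, the User-Agent string and the verdict labels are assumptions of this example.

```python
import ssl
import sys
import urllib.error
import urllib.request

# The unauthenticated API path the post uses as its probe.
PROBE_PATH = ("/api/v1/configuration/users/user-roles/user-role/"
              "rest-userrole1/web/web-bookmarks/bookmark")


def classify(status, body):
    """Map a probe response to a verdict using the two signals the post
    describes. Anything else is reported as unknown rather than guessed."""
    if status == 403 and body.strip() == "":
        return "mitigation-absent"
    if "<html" in body.lower():
        return "mitigation-present"
    return "unknown"


def probe(host, timeout=10):
    """Send the probe to one host and return (status, body).
    TLS verification is disabled because these appliances commonly carry
    self-signed certificates (assumption); only point this at hosts you are
    authorised to test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{PROBE_PATH}",
                                 headers={"User-Agent": "ics-mitigation-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403 and other error statuses land here
        return err.code, err.read().decode("utf-8", "replace")


def check_hosts(hosts):
    """Return {host: verdict} for a fleet; connection failures become 'unreachable'."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(*probe(host))
        except (urllib.error.URLError, OSError):
            results[host] = "unreachable"
    return results


if __name__ == "__main__":
    # Usage: python check_ivanti_mitigation.py vpn1.example.com vpn2.example.com
    for host, verdict in check_hosts(sys.argv[1:]).items():
        print(f"{host}\t{verdict}")
```

A "mitigation-present" verdict is not a clean bill of health: it says nothing about what happened before the XML was applied, so pair this with the integrity checks and the Volexity indicators mentioned above.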
To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let the NopSec platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what the NopSec platform can do in action watch this on-demand product tour.