FOCUS FRIDAY: TPRM INSIGHTS ON GOGS, INTERNET EXPLORER, DOCKER AUTHZ, AND JumpServer VULNERABILITIES

Written By: Ferdi Gül
Contributor: Ferhat Dikbiyik

Welcome to this week’s Focus Friday blog, where we delve into high-profile cybersecurity incidents with a critical eye on Third-Party Risk Management (TPRM). In this edition, we explore significant vulnerabilities impacting Gogs, Internet Explorer, Docker AuthZ, and JumpServer. Utilizing Black Kite’s FocusTags™, we provide you with actionable insights to manage these risks effectively and maintain robust cybersecurity defenses.

CVE-2024-39930, CVE-2024-39931, CVE-2024-39932, CVE-2024-39933 : Argument Injection Vulnerability in Gogs.

What is the Argument Injection in SSH Server Vulnerability?

CVE-2024-39930, CVE-2024-39932,CVE-2024-39933 is a critical argument injection vulnerability in the built-in SSH server of Gogs. This flaw allows attackers to inject malicious arguments, leading to unauthorized command execution and potentially full system compromise. The vulnerability has a CVSS score of 9.9. First disclosed on July 8, 2024, it has been exploited in the wild, although it is not yet listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog​. POC exploit code was publicly disclosed on July 8, 2024, increasing the risk of exploitation by malicious actors. Exploiting CVE-2024-39930 requires the built-in SSH server to be enabled, the specific version of the env binary, and a valid SSH private key.

CVE-2024-39931 involves the deletion of internal files in Gogs. An attacker exploiting this vulnerability can delete critical internal files, disrupting the application’s functionality and potentially leading to data loss and system instability. This vulnerability poses a high risk due to its potential impact on system integrity.

Why Should TPRM Professionals Care About This Vulnerability?

Given its potential to allow unauthorized access and control over Gogs servers, this vulnerability is critical for TPRM. Compromised servers could lead to altered code repositories, injected malicious code, or exfiltrated sensitive data, severely impacting organizational security​.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you upgraded all instances of Gogs to version 0.14.0 or later to mitigate the risk of CVE-2024-39930, CVE-2024-39932, and CVE-2024-39933?
2. How have you verified that the built-in SSH server in Gogs is either securely configured or disabled to prevent argument injection vulnerabilities?
3. What measures have you implemented to monitor and prevent the unauthorized deletion of internal files as outlined in CVE-2024-39931?
4. How have you ensured that access to Gogs servers is restricted to trusted networks only?

Remediation Recommendations for Vendors

1. Upgrade to Gogs version 0.14.0 or later.
2. Restrict access to the Gogs server to trusted networks.
3. Implement comprehensive logging and monitoring.
4. Enforce strong, unique passwords and enable two-factor authentication (2FA)​.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s FocusTags offer a powerful tool for identifying and managing vendor risks associated with critical vulnerabilities like CVE-2024-39930. Black Kite provides detailed information about vendors potentially affected by this vulnerability, including specific assets and subdomains at risk. This intelligence allows TPRM professionals to prioritize their efforts, focusing on the most relevant vendors and streamlining the risk assessment process.

Black Kite published the tag for this vulnerability on July 10, 2024, providing actionable insights for proactive risk management. By integrating these FocusTags into your TPRM processes, you can enhance your ability to mitigate risks, reduce assessment time, and improve overall cybersecurity posture​.

CVE-2012-4792: Use-After-Free Vulnerability in Internet Explorer

What is the Use-After-Free Vulnerability in Internet Explorer?

CVE-2012-4792 is a critical use-after-free vulnerability in Microsoft Internet Explorer versions 6 through 8. It allows remote attackers to execute arbitrary code by enticing users to visit a malicious webpage. When the webpage is loaded, Internet Explorer improperly handles the CDwnBindInfo object, causing memory corruption. This allows attackers to execute arbitrary code with the user’s privileges. If the user has administrative rights, the attacker could take full control of the system, enabling actions such as installing programs, altering or deleting data, and creating new accounts with full rights.

The vulnerability has a CVSS score of 9.3 and an EPSS score of 91.57%. This vulnerability was disclosed in December 2012 and has been exploited by threat actors including APT17 (DeputyDog) and APT28​ (Fancy Bear), and the Winnti Group, among others. Its inclusion in CISA’s KEV catalog may draw renewed attention to it.

Why Should TPRM Professionals Care About This Vulnerability?

This vulnerability can compromise data security and system integrity. Affected Internet Explorer instances could lead to unauthorized installations, data theft, or system hijacking, posing significant risks to organizations using legacy systems​.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you discontinued the use of Internet Explorer versions 6, 7, and 8 across all systems to mitigate the risk of CVE-2012-4792?
2. Have you applied the security update provided in Microsoft Security Advisory 2794220 to address the use-after-free vulnerability in Internet Explorer?
3. How have you deployed the Enhanced Mitigation Experience Toolkit (EMET) to protect against this and similar vulnerabilities?
4. What measures have you taken to limit administrative privileges and implement strong monitoring to prevent exploitation of this vulnerability?

Remediation Recommendations for Vendors

1. Discontinue the use of Internet Explorer 6, 7, and 8.
2. Apply the security update provided in Microsoft Security Advisory 2794220.
3. Deploy the Enhanced Mitigation Experience Toolkit (EMET).
4. Limit administrative privileges and implement strong monitoring​.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s FocusTags provide valuable intelligence for managing vendor risks associated with CVE-2012-4792. By using these tags, TPRM professionals can identify vendors potentially affected by this vulnerability, including details about specific assets and subdomains at risk. This targeted approach allows for more efficient risk assessments and remediation efforts.

Black Kite published the FocusTag for this vulnerability on January 23, 2024, providing actionable insights for proactive risk management. TPRM professionals can leverage this information to prioritize their efforts, reduce assessment time, and enhance their overall cybersecurity posture​.

CVE-2024-41110: AuthZ Bypass and Privilege Escalation Vulnerability in Docker

What is the Authorization Bypass and Privilege Escalation Vulnerability?

CVE-2024-41110 is a critical vulnerability in Docker Engine related to authorization plugins (AuthZ). This vulnerability allows attackers to bypass authorization controls, leading to unauthorized actions and potential full system compromise. It has a CVSS score of 10.0, disclosed on July 24, 2024​.

The vulnerability, not listed in CISA’s Known Exploited Vulnerabilities catalog and without published POC exploit code, allows attackers to bypass Docker Engine authorization plugins (AuthZ) under certain conditions through crafted API requests. Despite the lack of published exploits, it poses a serious threat due to its potential impact on access controls.

Users of Docker Engine v19.03.x and later who use authorization plugins (AuthZ) for access control decisions are potentially vulnerable.

Why Should TPRM Professionals Care About This Vulnerability?

This vulnerability can severely impact Docker-managed environments, leading to data leaks and unauthorized access. Given its high CVSS score, it is essential for organizations to ensure vendors have mitigated this vulnerability​.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you upgraded all instances of Docker Engine to versions higher than v23.0.14, v26.1.4, or v27.1.0 to mitigate the risk of CVE-2024-41110?
2. How have you ensured that the AuthZ plugins in Docker Engine are either securely configured or disabled to prevent authorization bypass?
3. What measures have you taken to limit access to the Docker API to trusted networks only?
4. How have you implemented the use of TLS certificates for securing communications with Docker Engine?

Remediation Recommendations for Vendors

1. Upgrade to Docker Engine versions higher than v23.0.14, v26.1.4, v27.1.0.
2. Disable AuthZ plugins if unable to update immediately.
3. Limit access to the Docker API to trusted networks.
4. Use TLS certificates for securing communications​.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s FocusTags provide detailed information about vendors potentially affected by CVE-2024-41110. By leveraging these tags, TPRM professionals can quickly identify which vendors might be at risk, understand the specific assets involved, and streamline their risk assessment processes. Black Kite published the tag for this vulnerability on July 24, 2024, enabling proactive risk management through detailed insights and prioritized actions​.

CVE-2024-40628, CVE-2024-40629: Sensitive Information Disclosure & RCE Vulnerability in JumpServer

What is the Sensitive Information Disclosure Vulnerability in JumpServer?

CVE-2024-40628 is a critical vulnerability found in JumpServer, an open-source bastion host. This vulnerability results from improper input validation, allowing attackers to execute arbitrary code on the affected system by sending specially crafted requests. This can lead to a complete system compromise. The CVSS score for this vulnerability is 10. Discovered on July 23, 2024, this vulnerability has the potential to be exploited due to its inherent exploitable nature​.

What is the Remote Code Execution Vulnerability in JumpServer?

CVE-2024-40629 is another critical vulnerability affecting JumpServer due to insufficient access control mechanisms. This flaw allows unauthorized users to gain elevated privileges, potentially accessing sensitive data, modifying system configurations, and disrupting critical services. This vulnerability has a CVSS score of 10. The vulnerability was disclosed on July 23, 2024, and is highly exploitable​.

Why Should TPRM Professionals Care About This Vulnerability?

This vulnerability poses a significant threat to TPRM processes because it can lead to unauthorized access and control over critical systems managed by JumpServer. This could result in data breaches, system disruptions, and loss of sensitive information. Given the high CVSS score, it is crucial for organizations to ensure that their vendors have addressed this vulnerability to prevent potential exploitation​. All the CVEs have POC exploits available, but they are not yet listed in CISA’s Known Exploited Vulnerabilities catalog. These vulnerabilities are inherently exploitable, posing significant risks to system integrity and confidentiality. No known workarounds are available.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you upgraded all instances of JumpServer to the latest versions, v3.10.12 or v4.0.0, to include all recent security patches and fixes for CVE-2024-40628 and CVE-2024-40629?
2. How have you ensured that access to JumpServer is restricted to authorized users only, and what strong authentication measures like multi-factor authentication (MFA) have you implemented?
3. What steps have you taken to isolate critical systems from potentially compromised components to reduce the risk of widespread system impact?
4. How do you continuously monitor network traffic and system logs to detect unusual activities and potential exploitation attempts promptly?

Remediation Recommendations for Vendors

1. Ensure you are using the latest versions, v3.10.12 or v4.0.0, to include all recent security patches and fixes.
2. Limit access to JumpServer to authorized users only, and enforce strong authentication measures like multi-factor authentication (MFA).
3. Periodically review system configurations and access controls to detect and address any security vulnerabilities or gaps.
4. Isolate critical systems from potentially compromised components to reduce the risk of widespread system impact.
5. Monitor network traffic and system logs continuously to detect unusual activities and potential exploitation attempts promptly.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s Focus Tags provide detailed information about vendors potentially affected by CVE-2024-40628 and CVE-2024-40629. By leveraging these tags, TPRM professionals can quickly identify which vendors might be at risk, understand the specific assets involved, and streamline their risk assessment processes. Black Kite published the tag for these vulnerabilities on July 23, 2024, enabling proactive risk management through detailed insights and prioritized actions​.

Enhancing TPRM Strategies With Black Kite’s FocusTags™

In today’s rapidly evolving cyber threat landscape, staying ahead of vulnerabilities is imperative for robust Third-Party Risk Management (TPRM). Black Kite’s FocusTags™ are at the forefront of this challenge, providing essential insights and tools to effectively manage these risks. The value of these tags becomes evident when faced with critical vulnerabilities like those in Gogs, Internet Explorer, Docker AuthZ, and JumpServer. Here’s how Black Kite’s FocusTags™ transform TPRM practices:

• Real-Time Vulnerability Tracking: Instantly identifying vendors affected by the latest vulnerabilities allows for a swift and strategic response.
• Risk Prioritization: By evaluating both vendor importance and vulnerability severity, FocusTags™ help in allocating resources more effectively.
• Informed Vendor Conversations: Facilitate targeted discussions with vendors, focusing on their specific security posture in relation to the identified vulnerabilities.
• Comprehensive Security Overview: With a broad view of the threat landscape, these tags aid in enhancing overall cybersecurity strategies.

Black Kite’s FocusTags™, especially when dealing with the complexities of recent vulnerabilities in diverse systems, offer a streamlined, intelligent approach to TPRM, converting intricate cyber threat data into actionable intelligence. This capability is critical for managing risks efficiently and proactively in an environment where cyber threats are constantly evolving.

By leveraging Black Kite’s FocusTags™, TPRM professionals can enhance their risk management strategies, ensuring a more secure and resilient supply chain in the face of evolving cyber threats.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• Gogs: CVE-2024-39930, CVE-2024-39931, CVE-2024-39932, and CVE-2024-39933, Argument Injection Vulnerability in Gogs.
• Internet Explorer: CVE-2012-4792, Use-After-Free Vulnerability in Internet Explorer.
• Docker AuthZ: CVE-2024-41110, AuthZ Bypass and Privilege Escalation Vulnerability in Docker.
• JumpServer: CVE-2024-40628, CVE-2024-40629, Sensitive Information Disclosure and RCE Vulnerability in JumpServer.
• Serv-U FTP: CVE-2024-28995, Directory Traversal Vulnerability in SolarWinds Serv-U.
• Microsoft SharePoint: CVE-2024-38094, Remote Code Execution Vulnerability in Microsoft SharePoint.
• Citrix NetScaler: CVE-2024-6235, Information Disclosure Vulnerability in Citrix NetScaler.
• ServiceNow: CVE-2024-4879, Input Validation Vulnerability in ServiceNow.
• Exim Mail: CVE-2024-39929, Security Restriction Bypass Vulnerability in Exim Mail Servers.
• GeoServer: CVE-2024-36401, Eval Injection and RCE Vulnerability in GeoServer.
• PHP-CGI: CVE-2024-4577, OS Command Injection Vulnerability in PHP-CGI Module.
• Microsoft MSMQ: CVE-2024-30080, Use After Free, Remote Code Execution Vulnerability in Microsoft Message Queuing (MSMQ).
• Rejetto HFS: CVE-2024-23692, Template Injection Vulnerability, Unauthenticated RCE Vulnerability in Rejetto HTTP File Server
• Checkpoint SNX: CVE-2024-24919, An Information Disclosure Vulnerability in Check Point’s CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-39930

https://nvd.nist.gov/vuln/detail/CVE-2024-39931

https://nvd.nist.gov/vuln/detail/CVE-2024-39932

https://nvd.nist.gov/vuln/detail/CVE-2024-39933

https://thehackernews.com/2024/07/critical-vulnerabilities-disclosed-in.html

https://www.vicarius.io/vsociety/posts/cve-2024-39930-xdetection-gogs-v0130-or-earlier

https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1

https://nvd.nist.gov/vuln/detail/CVE-2012-4792

https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2794220?redirectedfrom=MSDN

https://packetstormsecurity.com/files/119168/Microsoft-Internet-Explorer-CDwnBindInfo-Object-Use-After-Free.html

https://nvd.nist.gov/vuln/detail/CVE-2024-41110

https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin

https://securityonline.info/docker-users-beware-cve-2024-41110-cvss-10-could-lead-to-system-takeover

https://nvd.nist.gov/vuln/detail/CVE-2024-40628

https://securityonline.info/cve-2024-40628-cve-2024-40629-two-maximum-severity-flaws-in-jumpserver

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-rpf7-g4xh-84v9