Written By: Ferdi Gül
Contributor: Ferhat Dikbiyik

Welcome to this week’s edition of Focus Friday, where we delve into the latest high-profile vulnerabilities from a Third-Party Risk Management (TPRM) perspective. In today’s rapidly evolving cyber threat landscape, staying ahead of vulnerabilities is imperative. This week, we explore three critical vulnerabilities that could have far-reaching impacts across multiple industries: the Dahua NVR4 remote code execution and authentication bypass vulnerabilities, Jenkins ClassLoaderProxy’s arbitrary file read issue, and a severe remote code execution vulnerability in Zabbix. These vulnerabilities pose significant risks, and understanding them from a TPRM perspective is crucial for safeguarding your organization’s cyber infrastructure.

Filtered view of companies with a Dahua NVR4 FocusTag™ on the Black Kite platform.

CVE-2024-39944: Remote Code Execution Vulnerability in Dahua NVR4

What is the Dahua NVR4 RCE Vulnerability?

CVE-2024-39944 is a Remote Code Execution (RCE) vulnerability affecting Dahua IP cameras and network video recorders (NVR4XXX and IPC-HX8XXX series). It allows an attacker to execute arbitrary commands on an affected device without authentication. The vulnerability carries a CVSS score of 7.5, which places it in the High severity band.

CVE-2024-39948 is an authentication bypass flaw in the NVR4XXX series. It allows attackers to bypass the device's authentication controls, granting unauthorized access to device functionality and sensitive data. Such access could enable manipulation of device settings and unauthorized interception of video or configuration data, compromising the security of the surrounding network.

CVE-2024-39949 involves a vulnerability stemming from improper access control in the NVR4XXX series. Exploitation of this flaw could enable threat actors to elevate their privileges on the affected device, providing them with unauthorized access to sensitive data and the potential to manipulate system configurations. This poses a serious threat to the integrity and security of the device and its network environment.

Current exploitation-likelihood indicators for these flaws are low, but they still pose a significant risk because successful exploitation could lead to complete compromise of the device. No public proof-of-concept (PoC) is available; however, the nature of the flaws suggests they could be exploited by attackers with sufficient knowledge and resources. As of now, none of these vulnerabilities has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Why should TPRM professionals care about these vulnerabilities?

From a Third-Party Risk Management (TPRM) perspective, the implications of an RCE vulnerability in a video surveillance product like Dahua NVR4 are profound. If exploited, this vulnerability could allow attackers to gain unauthorized access to critical surveillance systems, leading to potential breaches of sensitive data and unauthorized surveillance activities. For organizations relying on Dahua devices, this could result in significant operational disruptions and legal liabilities. TPRM professionals should prioritize assessing the risk of this vulnerability in their vendor environments, especially if Dahua devices are integrated into their critical infrastructure.

What questions should TPRM professionals ask vendors about this vulnerability?

  • Have you verified that all affected Dahua NVR4XXX and IPC-HX8XXX devices have been updated to the latest firmware versions that address CVE-2024-39944?
  • How have you configured network segmentation to ensure that Dahua devices, specifically the NVR4XXX series, are isolated from critical infrastructure and sensitive networks?
  • Have you disabled non-essential services and protocols on Dahua NVR4XXX devices, such as UPnP and P2P, to minimize the attack surface, and what specific services have been deactivated?
  • How are you utilizing Syslog or other centralized logging solutions to collect and analyze security logs from Dahua devices for signs of potential exploitation, and what specific indicators of compromise are you monitoring?

Remediation recommendations for vendors subject to this risk

  • Immediate application of the latest security patches provided by Dahua.
  • Use strong, unique passwords on all Dahua devices and enable multi-factor authentication (MFA) wherever the device or its management platform supports it.
  • Segregation of Dahua devices from critical systems and sensitive networks.
  • Regular review of access logs and monitoring of network traffic for signs of exploitation attempts.
  • Deactivation of non-essential services on Dahua devices to reduce the attack surface.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite’s FocusTag™ for Dahua NVR4 provides critical intelligence that allows TPRM professionals to quickly identify which vendors might be impacted by this vulnerability. The tag includes details on the specific assets at risk, such as IP addresses and subdomains associated with Dahua devices. This information enables organizations to prioritize their remediation efforts effectively. Black Kite published this tag on August 2, 2024, and it remains a vital resource for ongoing risk assessment and mitigation efforts related to Dahua products.

Black Kite’s Dahua NVR4 FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-43044: Arbitrary File Read Vulnerability in Jenkins ClassLoaderProxy

What is the Jenkins ClassLoaderProxy Vulnerability?

CVE-2024-43044 is a critical Arbitrary File Read vulnerability in Jenkins that could lead to Remote Code Execution (RCE) on the controller. It arises from the ClassLoaderProxy#fetchJar method in Jenkins’ Remoting library, which lets agents request files from the Jenkins controller’s file system. In Jenkins 2.470 and earlier (and LTS 2.452.3 and earlier), the method does not restrict which paths an agent may request, so an attacker who controls an agent process, for example one holding the Agent/Connect permission, can read arbitrary files on the controller, including secrets that may in turn enable code execution. The vulnerability is rated with a CVSS score of 9.0. Its EPSS score stands at 0.04%, indicating a relatively low likelihood of exploitation, yet the potential impact on Jenkins environments is considerable. The vulnerability was disclosed on August 7, 2024, and no public PoC is currently available. It has not been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, but given its implications it remains a serious concern for organizations running Jenkins.
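The class of bug described above is a file-serving method that trusts a caller-supplied path. The following is an added illustrative example in Python, not Jenkins’ own code or its actual fix: a vulnerable "fetch jar by name" function beside a confined version that combines an explicit allowlist with a resolved-path check. The directory layout, file contents and function names are assumptions made for the demonstration.

```python
"""Path confinement for a "fetch file by name" service (added example, not Jenkins code).

The vulnerable form mirrors the behaviour described for ClassLoaderProxy#fetchJar:
a controller-side method that hands an agent whatever path the agent names.
Directory layout, file contents and function names are assumptions for the demo.
"""
from pathlib import Path
import tempfile


def fetch_jar_unrestricted(jar_dir: Path, requested: str) -> bytes:
    """Vulnerable form: joins the agent-supplied name onto the jar directory and
    reads whatever that resolves to. '..' segments and absolute paths walk out
    of jar_dir."""
    return (jar_dir / requested).read_bytes()


def is_confined(jar_dir, requested: str) -> bool:
    """True only if `requested`, joined onto jar_dir and fully resolved
    (symlinks included), still lies strictly inside jar_dir."""
    root = Path(jar_dir).resolve()
    target = (root / requested).resolve()
    return root in target.parents


def fetch_jar_confined(jar_dir: Path, requested: str, allowed: frozenset) -> bytes:
    """Hardened form: the name must be on an explicit allowlist of jars the agent
    is entitled to, and the resolved path is re-checked against the directory
    as defence in depth."""
    if requested not in allowed:
        raise PermissionError(f"not an allowlisted jar: {requested!r}")
    if not is_confined(jar_dir, requested):
        raise PermissionError(f"path escapes jar directory: {requested!r}")
    return (Path(jar_dir).resolve() / requested).read_bytes()


def demo() -> dict:
    """Constructed layout: <tmp>/jars/remoting.jar is the legitimate file;
    <tmp>/secrets/master.key stands in for a controller secret that an agent
    must never be able to pull."""
    tmp = Path(tempfile.mkdtemp())
    jar_dir = tmp / "jars"
    jar_dir.mkdir()
    (jar_dir / "remoting.jar").write_bytes(b"PK\x03\x04constructed-jar")
    (tmp / "secrets").mkdir()
    (tmp / "secrets" / "master.key").write_bytes(b"constructed-secret")

    traversal = "../secrets/master.key"
    allowed = frozenset({"remoting.jar"})
    results = {
        "vulnerable_leaks_secret": fetch_jar_unrestricted(jar_dir, traversal) == b"constructed-secret",
        "hardened_serves_jar": fetch_jar_confined(jar_dir, "remoting.jar", allowed).startswith(b"PK"),
    }
    try:
        fetch_jar_confined(jar_dir, traversal, allowed)
        results["hardened_blocks_traversal"] = False
    except PermissionError:
        results["hardened_blocks_traversal"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The allowlist is the real control; the resolved-path check only guards against an allowlist entry that is itself malformed or a symlink planted inside the directory. Note that `resolve()` is applied to both sides before comparing, so a symlinked jar directory does not produce a false rejection.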

Why should TPRM professionals care about this vulnerability?

For Third-Party Risk Management (TPRM) professionals, the implications of CVE-2024-43044 are significant, especially for organizations that rely on Jenkins for continuous integration and deployment. Exploiting this vulnerability could allow unauthorized access to sensitive files on the Jenkins controller, leading to potential data breaches and the execution of malicious code. This not only risks the integrity of the development pipeline but could also lead to broader security compromises across the organization’s infrastructure. TPRM professionals should prioritize assessing whether their vendors are using vulnerable Jenkins versions and ensure that appropriate mitigations are in place.

What questions should TPRM professionals ask vendors about this vulnerability?

  • Have you upgraded Jenkins to version 2.471 or LTS versions 2.452.4 or 2.462.1 to address the CVE-2024-43044 vulnerability, and can you confirm that the ClassLoaderProxy#fetchJar method now enforces path restrictions on agent requests?
  • How have you configured access control mechanisms to ensure that only trusted networks can reach Jenkins servers, and what specific firewall rules or network segmentation techniques are in place to restrict unauthorized access?
  • What monitoring solutions are you using to detect unauthorized file access attempts on Jenkins controllers, specifically related to potential exploitation of the ClassLoaderProxy#fetchJar method?
  • How frequently do you review and update Jenkins security configurations, and what specific measures have been implemented to minimize the attack surface, particularly in relation to agent permissions and file system access controls?

Remediation recommendations for vendors subject to this risk

  • Upgrade Jenkins to version 2.471 or LTS versions 2.452.4 or 2.462.1 to mitigate the vulnerability.
  • Restrict network access to Jenkins servers to trusted networks only and employ firewalls to prevent unauthorized access.
  • Monitor Jenkins environments for unusual activity, especially related to unauthorized file access.
  • Regularly review and update Jenkins security configurations to adhere to best practices and minimize the attack surface.

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite’s FocusTag for Jenkins ClassLoaderProxy provides essential intelligence to TPRM professionals, enabling them to quickly identify which vendors might be affected by this vulnerability. The FocusTag includes critical information about the vulnerable assets, such as specific Jenkins versions and associated risks. Published on August 13, 2024, this tag allows organizations to prioritize their remediation efforts and ensure that their vendors have addressed the vulnerability effectively. By leveraging the detailed asset information provided, TPRM professionals can streamline their risk assessment processes and take proactive measures to mitigate potential security threats.

Black Kite’s Jenkins ClassLoaderProxy FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-22116: Critical RCE Vulnerability in Zabbix Monitoring Solution

What is the Zabbix RCE Vulnerability?

CVE-2024-22116 is a critical Remote Code Execution (RCE) vulnerability affecting the Zabbix monitoring solution, a widely used tool for IT infrastructure monitoring. The flaw lies in how the Zabbix web interface handles input in the Monitoring Hosts section: because of improper input validation, an authenticated attacker with only restricted permissions can send crafted requests that result in arbitrary code execution with the privileges of the Zabbix server. The vulnerability has a CVSS score of 9.9, placing it in the Critical band, and an EPSS score of 0.04%, indicating a relatively low likelihood of exploitation.

Published on August 9, 2024, the vulnerability currently has no public proof-of-concept (PoC) and has not been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Given its potential impact, however, organizations using Zabbix should treat it as a high priority.
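The general failure mode behind a "crafted input in the host view leads to code execution" finding is a host attribute that ends up interpolated into a command line executed through a shell. The following is an added illustrative example in Python, not Zabbix code and not its actual fix: the vulnerable construction beside two mitigations (shell escaping, and validation plus argv without a shell). The `echo` stand-in for the real ping command, the field name and the validation rule are assumptions made for the demonstration.

```python
"""Command construction from user-controlled host fields (added example, not Zabbix code).

Shows the general bug class described for CVE-2024-22116: a host attribute
stored by a restricted user is expanded into a shell command line. `echo`
stands in for the real ping so the demo is harmless; field name and rule are assumptions.
"""
import re
import shlex
import subprocess

# Characters a hostname, IPv4 or bare IPv6 literal can legitimately contain.
# Anything else (spaces, ';', '|', '$', quotes, backticks) is rejected outright.
HOST_RE = re.compile(r"[A-Za-z0-9.:-]{1,253}")


def validate_host(host_conn: str) -> str:
    if not HOST_RE.fullmatch(host_conn):
        raise ValueError(f"host field contains disallowed characters: {host_conn!r}")
    if host_conn.startswith("-"):
        raise ValueError(f"host field must not look like a command option: {host_conn!r}")
    return host_conn


def rejects(host_conn: str) -> bool:
    """True when validate_host refuses the value."""
    try:
        validate_host(host_conn)
    except ValueError:
        return True
    return False


def run_vulnerable(host_conn: str) -> str:
    """Macro-style interpolation followed by shell=True: the stored host field is
    parsed by the shell, so ';', '&&' or '$(...)' inside it become extra commands."""
    command_line = f"echo pinging {host_conn}"
    return subprocess.run(command_line, shell=True, capture_output=True, text=True).stdout


def run_quoted(host_conn: str) -> str:
    """Mitigation 1: keep the shell but escape each parameter, so the whole field
    is delivered to the program as one literal word."""
    command_line = f"echo pinging {shlex.quote(host_conn)}"
    return subprocess.run(command_line, shell=True, capture_output=True, text=True).stdout


def run_hardened(host_conn: str) -> str:
    """Mitigation 2 (preferred): validate the field against what a host identifier
    may contain and pass it as a single argv element, never through a shell."""
    argv = ["echo", "pinging", validate_host(host_conn)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.5; echo INJECTED"   # constructed malicious host field
    print("vulnerable:", repr(run_vulnerable(payload)))
    print("quoted:    ", repr(run_quoted(payload)))
    print("hardened rejects payload:", rejects(payload))
```

With the constructed payload, the vulnerable form prints two lines (the second command ran), the quoted form prints one line containing the payload verbatim, and the hardened form refuses the value before anything executes. Escaping alone protects the shell boundary but still lets an option-looking value such as `-c` reach the program, which is why the validation also rejects a leading dash.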

Why should TPRM professionals care about this vulnerability?

TPRM professionals should be highly concerned about this vulnerability because it directly affects a critical component of IT infrastructure monitoring. If exploited, an attacker could gain full control over the Zabbix server, allowing them to alter configurations, steal sensitive data, disrupt monitoring services, and even pivot to other connected systems. Exploitation requires an authenticated account, but only restricted permissions are needed, and the web interface is often reachable from broad internal networks or the internet, which keeps the risk profile high for any organization relying on Zabbix for infrastructure monitoring.

What questions should TPRM professionals ask vendors about this vulnerability?

  • Have you upgraded Zabbix to the latest patched versions, specifically 7.0.0rc3 or 6.4.16rc1, to mitigate the CVE-2024-22116 vulnerability, and can you confirm that the web-based interface now properly validates inputs in the Monitoring Hosts section?
  • How have you configured network access restrictions to the Zabbix interface, and what specific IP filtering or firewall rules are in place to ensure that only trusted IP addresses can access the interface?
  • What logging mechanisms have you implemented to monitor for suspicious activities within the Zabbix environment, particularly focusing on any unexpected or unauthorized script executions?
  • How are you enforcing the principle of least privilege in your Zabbix environment, and what measures have been taken to limit administrative access to only essential personnel, ensuring that users with restricted permissions cannot exploit this vulnerability?

Remediation recommendations for vendors subject to this risk

  • Immediately update Zabbix to the latest patched versions (7.0.0rc3, 6.4.16rc1) as recommended.
  • Restrict network access to the Zabbix interface to trusted IP addresses and implement strict access control measures.
  • Regularly review and monitor logs for suspicious activity, particularly any unexpected script executions.
  • Ensure that the principle of least privilege is applied, limiting administrative access to essential personnel only.
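Both remediation lists above (Jenkins 2.471, LTS 2.452.4 and LTS 2.462.1 for CVE-2024-43044; Zabbix 7.0.0rc3 and 6.4.16rc1 for CVE-2024-22116) reduce to a version comparison that is easy to get wrong: Jenkins has a weekly line and separate LTS lines, and Zabbix pre-release tags sort before the final release. The following is an added example, not Black Kite, Jenkins or Zabbix tooling, that encodes exactly the fixed versions named in this post and triages a constructed vendor inventory. The product labels and row format are assumptions.

```python
"""Version triage for the fixed releases named in this post (added example).

Encodes: Jenkins 2.471 (weekly), LTS 2.452.4 and LTS 2.462.1 for CVE-2024-43044;
Zabbix 7.0.0rc3 and 6.4.16rc1 for CVE-2024-22116. Inventory rows are constructed
sample data; the 'jenkins'/'zabbix' labels and row format are assumptions.
"""
import re


def jenkins_vulnerable(version: str) -> bool:
    """Two-component versions are the weekly line; three-component versions are an
    LTS line (X.Y.Z, where X.Y names the baseline weekly release)."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) == 2:                 # weekly: 2.470 and earlier affected, 2.471 fixed
        return nums < (2, 471)
    line, patch = nums[:2], nums[2]
    if line < (2, 452):                # LTS lines older than 2.452 never received the fix
        return True
    if line == (2, 452):               # 2.452.3 and earlier affected, 2.452.4 fixed
        return patch < 4
    if line < (2, 462):                # no fixed release named for such a line: treat as affected
        return True
    return False                       # 2.462.1 is the first release of its line and is fixed


# Zabbix: X.Y.Z with an optional alpha/beta/rc tag; pre-releases sort before the
# final release and alpha < beta < rc.
_ZABBIX_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def zabbix_key(version: str) -> tuple:
    m = _ZABBIX_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK[tag] if tag else _FINAL_RANK
    return (int(major), int(minor), int(patch), rank, int(num or 0))


def zabbix_vulnerable(version: str):
    """True/False for the 6.4 and 7.0 lines the post names fixes for;
    None when the version is on a line this check does not cover."""
    key = zabbix_key(version)
    if key[:2] == (6, 4):
        return key < zabbix_key("6.4.16rc1")
    if key[:2] == (7, 0):
        return key < zabbix_key("7.0.0rc3")
    return None


_STATUS = {True: "VULNERABLE", False: "fixed", None: "not covered"}


def triage(inventory):
    """inventory: iterable of (vendor, product, version) tuples as a TPRM team might
    collect from vendor attestations. Returns one dict per row."""
    checks = {"jenkins": jenkins_vulnerable, "zabbix": zabbix_vulnerable}
    rows = []
    for vendor, product, version in inventory:
        check = checks.get(product.lower())
        status = check(version) if check else None
        rows.append({"vendor": vendor, "product": product, "version": version,
                     "status": _STATUS[status]})
    return rows


SAMPLE_INVENTORY = [          # constructed sample data, not real vendors
    ("vendor-a", "jenkins", "2.452.3"),
    ("vendor-b", "jenkins", "2.462.1"),
    ("vendor-c", "zabbix", "7.0.0rc2"),
    ("vendor-d", "zabbix", "6.4.16rc1"),
    ("vendor-e", "zabbix", "6.0.30"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['vendor']:10} {row['product']:8} {row['version']:10} {row['status']}")
```

The check is deliberately conservative: a Jenkins LTS line for which the post names no fixed release is reported as vulnerable, and a Zabbix line the post does not mention is reported as "not covered" rather than silently marked fixed, so a vendor attestation on an unexpected version triggers a follow-up question instead of a green mark.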

How TPRM professionals can leverage Black Kite for this vulnerability

Black Kite’s FocusTag for the Zabbix RCE vulnerability provides TPRM professionals with crucial insights into which vendors may be impacted by this vulnerability. The tag includes specific details about affected Zabbix versions and associated risks. Published on August 14, 2024, this tag enables organizations to efficiently identify vendors at risk and prioritize remediation efforts accordingly. By utilizing the detailed asset information provided by Black Kite, TPRM professionals can streamline their risk assessment processes and enhance their response to this critical security issue.

Black Kite’s Zabbix FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In the ever-evolving realm of cybersecurity, proactive risk management is essential, particularly when addressing critical vulnerabilities like those found in Dahua NVR4, Jenkins ClassLoaderProxy, and Zabbix. Black Kite’s FocusTags™ are designed to provide unparalleled support in Third-Party Risk Management (TPRM) by offering real-time insights into potential threats, enabling swift and informed decision-making.

Dynamic Vulnerability Identification: Black Kite’s FocusTags™ allow organizations to quickly identify which vendors are impacted by emerging vulnerabilities, ensuring that responses are both timely and strategic.

Strategic Risk Prioritization: By evaluating both the severity of the vulnerabilities and the criticality of the affected vendors, FocusTags™ help organizations allocate their resources efficiently, focusing on the most pressing threats.

Informed Vendor Engagement: These tags facilitate more meaningful conversations with vendors, focusing on their specific exposure to the identified vulnerabilities, thereby enhancing the overall security posture.

Comprehensive Threat Landscape Overview: With a broad view of the evolving threat landscape, Black Kite’s FocusTags™ provide TPRM professionals with the actionable intelligence needed to fortify their organization’s cybersecurity defenses.

By integrating Black Kite’s FocusTags™ into your TPRM strategy, you can convert complex cyber threat data into actionable insights, ensuring a proactive and resilient approach to third-party risk management in the face of ever-changing cybersecurity challenges.



About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • Zabbix: CVE-2024-22116, Critical Remote Code Execution Vulnerability in Zabbix Monitoring Solution
  • Jenkins ClassLoaderProxy: CVE-2024-43044, Arbitrary File Read and Remote Code Execution Vulnerability in Jenkins ClassLoaderProxy
  • Dahua NVR4: CVE-2024-39944, CVE-2024-39948, and CVE-2024-39949, Remote Code Execution, Authentication Bypass, and Improper Access Control Vulnerabilities in Dahua NVR4 devices
  • VMware ESXi: CVE-2024-37085, Authentication Bypass Vulnerability in VMware ESXi, VMware Cloud Foundation
  • Gogs: CVE-2024-39930, CVE-2024-39931, CVE-2024-39932, and CVE-2024-39933, Argument Injection Vulnerability in Gogs
  • Internet Explorer: CVE-2012-4792, Use-After-Free Vulnerability in Internet Explorer
  • Docker AuthZ: CVE-2024-41110, AuthZ Bypass and Privilege Escalation Vulnerability in Docker
  • JumpServer: CVE-2024-40628, CVE-2024-40629, Sensitive Information Disclosure and RCE Vulnerability in JumpServer
  • Serv-U FTP: CVE-2024-28995, Directory Traversal Vulnerability in SolarWinds Serv-U
  • Microsoft SharePoint: CVE-2024-38094, Remote Code Execution Vulnerability in Microsoft SharePoint
  • Citrix NetScaler: CVE-2024-6235, Information Disclosure Vulnerability in Citrix NetScaler
  • ServiceNow: CVE-2024-4879, Input Validation Vulnerability in ServiceNow
  • Exim Mail: CVE-2024-39929, Security Restriction Bypass Vulnerability in Exim Mail Servers

References:

https://nvd.nist.gov/vuln/detail/CVE-2024-39944

https://nvd.nist.gov/vuln/detail/CVE-2024-39948

https://nvd.nist.gov/vuln/detail/CVE-2024-39949

https://www.dahuasecurity.com/aboutUs/trustedCenter/details/768

https://feedly.com/cve/CVE-2024-39944

https://nvd.nist.gov/vuln/detail/CVE-2024-43044

https://nvd.nist.gov/vuln/detail/CVE-2024-43045

https://www.jenkins.io/security/advisory/2024-08-07

https://vulert.com/vuln-db/bitnami-jenkins-146849

https://nvd.nist.gov/vuln/detail/CVE-2024-22116

https://securityonline.info/cve-2024-22116-cvss-9-9-critical-rce-vulnerability-found-in-zabbix-monitoring-solution

https://support.zabbix.com/browse/ZBX-25016