Written by: Ferhat Dikbiyik
Additional Contributions: Ferdi Gül and Yavuz Han
Edited by: Emily Conlin

Welcome to this week’s edition of Focus Friday, where we delve into the latest high-profile cybersecurity vulnerabilities from a Third-Party Risk Management (TPRM) perspective. As cyber threats continue to evolve, understanding and mitigating risks associated with critical vulnerabilities has never been more crucial. This week, we spotlight significant vulnerabilities in FortiOS SSL VPN, Symantec MG, RoundCube Webmail, and QNAP QTS, examining their implications and providing actionable insights for TPRM professionals. Our goal is to empower organizations with the knowledge to protect their digital ecosystems effectively.

CVE-2024-21762: FortiOS SSL VPN Critical Vulnerability

What is CVE-2024-21762?

CVE-2024-21762 is a critical out-of-bounds write vulnerability in the FortiOS SSL VPN daemon (sslvpnd), rated CVSS 9.6 (critical). It allows an unauthenticated remote attacker to execute arbitrary code or commands by sending specially crafted HTTP requests to the SSL VPN interface. Fortinet disclosed it on February 8, 2024 (advisory FG-IR-24-015) and stated that it is potentially being exploited in the wild; because the SSL VPN portal is internet-facing by design, it is an attractive entry point for ransomware operators and espionage actors seeking a network foothold. The flaw affects multiple FortiOS versions (FortiProxy is covered by the same advisory), and CISA added it to the Known Exploited Vulnerabilities Catalog on February 9, 2024, with a February 16, 2024 remediation deadline for federal agencies under BOD 22-01.

Why Should TPRM Professionals Care?

This vulnerability poses a significant risk because Fortinet SSL VPNs are widely used for remote access and are, by design, reachable from the internet, so a pre-authentication code execution flaw in them gives an attacker a direct path into the vendor's internal network. TPRM professionals should be particularly vigilant: exploitation can lead to unauthorized access, credential theft, data breaches, and compromise of any systems reachable from the VPN. Given the central role SSL VPNs play in securing remote connections, a vulnerability in this layer has far-reaching implications for organizational security and compliance.

What questions should TPRM professionals ask vendors?

  1. Have you assessed your systems for the presence of CVE-2024-21762?
  2. What measures have you implemented to mitigate the risk associated with this vulnerability?
  3. Can you confirm the application of the recommended patches for affected FortiOS versions?
  4. How do you monitor for potential exploitation attempts against known vulnerabilities like CVE-2024-21762?

Remediation Recommendations for Vendors

  • Upgrade FortiOS immediately to a fixed release: 7.4.3, 7.2.7, 7.0.14, 6.4.15 or 6.2.16 (or later on the same branch). FortiOS 6.0 receives no fix and must be migrated to a supported branch; FortiProxy is covered by the same advisory and needs its own fixed release.
  • If immediate patching is not feasible, disable SSL VPN entirely. Fortinet's advisory is explicit that disabling only SSL VPN web mode is not a valid workaround.
  • Monitor for unusual network activity indicative of exploitation attempts, and treat any device that was exposed while unpatched as potentially compromised: review it for indicators of compromise before trusting it, since exploitation may have preceded the patch.
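As an added example (not Fortinet's or Black Kite's code), the Python script below encodes the affected ranges from Fortinet's advisory FG-IR-24-015 and assesses a version string such as the `Version:` line printed by `get system status`, together with whether SSL VPN is enabled. The version text and the `sslvpn_enabled` flag are assumed inputs that the caller obtains from the device; the rest is a plain range check.

```python
"""Assess a FortiOS version against the ranges Fortinet lists as affected by
CVE-2024-21762 (advisory FG-IR-24-015).

Added example, not Fortinet's or Black Kite's code. The ranges are transcribed
from the advisory; 'sslvpn_enabled' is an assumed input representing whether
the SSL VPN service is enabled on the device.
"""
import re
from typing import NamedTuple, Optional


class Branch(NamedTuple):
    first: tuple          # first affected release on the branch
    last: tuple           # last affected release on the branch
    fixed: Optional[str]  # fixed release, or None when the branch gets no fix


# Affected FortiOS ranges per FG-IR-24-015. 7.6 is not affected; 6.0 is not
# fixed and must be migrated to a supported branch.
AFFECTED = {
    (7, 4): Branch((7, 4, 0), (7, 4, 2), "7.4.3"),
    (7, 2): Branch((7, 2, 0), (7, 2, 6), "7.2.7"),
    (7, 0): Branch((7, 0, 0), (7, 0, 13), "7.0.14"),
    (6, 4): Branch((6, 4, 0), (6, 4, 14), "6.4.15"),
    (6, 2): Branch((6, 2, 0), (6, 2, 15), "6.2.16"),
    (6, 0): Branch((6, 0, 0), (6, 0, 999), None),
}

VERSION = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from '7.2.6' or a 'get system status'
    line such as 'Version: FortiGate-100F v7.2.6,build1575,231218 (GA.M)'."""
    match = VERSION.search(text)
    if not match:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text: str, sslvpn_enabled: bool = True) -> dict:
    """Return whether the version is in an affected range, whether the device
    is actually exposed (affected and SSL VPN on), and the action to take."""
    version = parse_version(version_text)
    branch = AFFECTED.get(version[:2])
    vulnerable = branch is not None and branch.first <= version <= branch.last
    if not vulnerable:
        action = "not in an affected range for CVE-2024-21762"
    elif branch.fixed is None:
        action = "branch receives no fix: disable SSL VPN and migrate to a supported release"
    elif not sslvpn_enabled:
        action = f"SSL VPN disabled (advisory workaround); still upgrade to {branch.fixed} or later"
    else:
        action = f"upgrade to {branch.fixed} or later, or disable SSL VPN until then"
    return {
        "version": ".".join(str(p) for p in version),
        "vulnerable": vulnerable,
        "exposed": vulnerable and sslvpn_enabled,
        "action": action,
    }


if __name__ == "__main__":
    for text, vpn in [("Version: FortiGate-100F v7.2.6,build1575,231218 (GA.M)", True),
                      ("v7.4.3", True), ("v6.0.17", False)]:
        print(assess(text, vpn))
```

The `exposed` field is the one worth asking vendors about: a device on an affected build with SSL VPN already disabled is a patching backlog item, while an affected build with SSL VPN enabled is an open pre-authentication entry point.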

Operationalizing Black Kite Focus Tags™

Black Kite published the tag for CVE-2024-21762 on February 9, 2024, highlighting its potential exploitation in the wild. TPRM professionals can leverage Black Kite to identify vendors at risk efficiently, focusing on those whose systems may be compromised by this vulnerability. By providing detailed information on affected assets, Black Kite enables targeted risk management and enhances the overall security posture against emerging threats.

CVE-2024-23615 & CVE-2024-23614: Symantec MG Critical Buffer Overflow Vulnerabilities

What Are CVE-2024-23615 & CVE-2024-23614?

CVE-2024-23615 and CVE-2024-23614, disclosed on January 26, 2024, are critical buffer overflow vulnerabilities in Symantec Messaging Gateway (SMG), each assigned a CVSS score of 9.8. They allow a remote, anonymous attacker to execute arbitrary code with root privileges simply by delivering a specially crafted email to the gateway's SMTP service, so no credentials or user interaction are needed. There is no current evidence of exploitation in the wild, but the severity and the pre-authentication delivery path make them likely targets. According to the disclosure, CVE-2024-23615 affects SMG 10.5 and earlier and CVE-2024-23614 affects SMG 9.5 and earlier; the affected product line is end-of-life and no patches are available, which leaves mitigation and migration as the only options.

Evaluating the Impact on Third-Party Risk Management

These vulnerabilities highlight significant risks in email gateway security, posing direct threats to the confidentiality, integrity, and availability of corporate communications. For TPRM professionals, the critical nature of these vulnerabilities in a widely used email security product like Symantec MG underlines the urgency of vendor communication and risk assessment. The potential for root-level remote code execution could lead to unauthorized data access, system control, and the spread of malware within an organization’s network.

Key Queries Regarding CVE-2024-23615 & CVE-2024-23614 Mitigation

  1. Can you confirm whether your systems are running the vulnerable versions of Symantec Messaging Gateway?
  2. What interim security measures have you implemented to mitigate the risks associated with these vulnerabilities?
  3. Are there plans to replace or upgrade the end-of-life products to secure the email gateway infrastructure?
  4. How do you monitor and respond to emerging threats targeting vulnerabilities in your email security systems?

Remediation Recommendations for Vendors

  • Immediately identify and document any use of the affected Symantec MG versions within your network.
  • Restrict inbound SMTP (TCP port 25) to the gateway so that only known upstream relays or a cloud mail-filtering service can reach it, and do not expose SMG directly to the internet. The flaw is triggered by mail delivered over SMTP, so a web application firewall (WAF) does not cover this path.
  • Develop a transition plan to migrate from the end-of-life SMG versions to supported and secure email security solutions.
  • Regularly back up critical data and monitor network traffic for signs of anomalous activities that may indicate exploitation attempts.

Leveraging Black Kite for Symantec MG Vulnerabilities

Black Kite’s focus on CVE-2024-23615 and CVE-2024-23614, published on February 1, 2024, serves as a proactive tool for TPRM professionals to identify and prioritize risks associated with Symantec MG vulnerabilities. By utilizing Black Kite’s comprehensive risk intelligence, organizations can effectively pinpoint which vendors may be impacted by these vulnerabilities, allowing for targeted risk management actions and enhanced security postures against potential exploitation paths.

CVE-2023-43770 & CVE-2023-5631: RoundCube XSS Vulnerabilities

What are CVE-2023-43770 & CVE-2023-5631?

CVE-2023-43770 and CVE-2023-5631 are stored Cross-Site Scripting (XSS) vulnerabilities in Roundcube Webmail. CVE-2023-43770 is triggered by a text/plain email containing crafted links, because the link-rewriting code in program/lib/Roundcube/rcube_string_replacer.php inserted message content into the generated HTML without proper escaping; it affects versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. CVE-2023-5631 lets an attacker inject script through an HTML email carrying a specially crafted SVG document that the HTML sanitizer let through; it affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. Both are rated medium severity by NIST (CVSS 6.1 for CVE-2023-43770 and 5.4 for CVE-2023-5631), but in a webmail client a stored XSS runs with the victim's session as soon as the message is rendered, so the practical impact is session and mailbox compromise.
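To make the text/plain case concrete, here is an added example (not Roundcube's code) of the bug class behind CVE-2023-43770: a link rewriter that copies message text into generated HTML verbatim, shown next to a hardened version. The `[label][n]` reference syntax, the sample message and the reference table are constructed for illustration; Roundcube's real rcube_string_replacer handles more forms.

```python
"""Stored XSS through a plain-text link rewriter, beside the hardened form.

Added example, not Roundcube's code. It models the class of bug behind
CVE-2023-43770 (message text copied into generated HTML without escaping)
with a constructed '[label][n]' link-reference syntax and a constructed
message; Roundcube's real rcube_string_replacer handles more forms.
"""
import html
import re

LINKREF = re.compile(r"\[([^\]]+)\]\[(\d+)\]")       # "[label][1]" references
SAFE_URL = re.compile(r"https?://[^\s<>\"']+")        # only http(s) targets are linked
FOREIGN_TAG = re.compile(r"<(?!a\s|/a>)")             # any tag that is not the <a> we emit
BAD_HREF = re.compile(r'href="(?!https?://)', re.I)   # javascript:, data:, etc.


def linkify_vulnerable(text: str, refs: dict) -> str:
    """Rewrite references to anchors, copying the label into the markup verbatim.
    The label is attacker-controlled message text, so it can smuggle in tags."""
    def replace(match):
        label, idx = match.group(1), match.group(2)
        href = html.escape(refs.get(idx, "#"), quote=True)   # escaped, but scheme unchecked
        return f'<a href="{href}">{label}</a>'                # label not escaped: the bug
    return LINKREF.sub(replace, text)


def linkify_hardened(text: str, refs: dict) -> str:
    """Escape the whole message first, then link only http(s) targets; any other
    reference is left as the escaped plain text it came from."""
    def replace(match):
        label, idx = match.group(1), match.group(2)   # label is already escaped here
        url = refs.get(idx, "")
        if not SAFE_URL.fullmatch(url):
            return match.group(0)
        return f'<a href="{html.escape(url, quote=True)}">{label}</a>'
    return LINKREF.sub(replace, html.escape(text))


def unsafe_markup(rendered: str) -> bool:
    """True if the output contains a tag other than our anchor, or an anchor
    whose href is not http(s): either lets script run in the victim's session."""
    return bool(FOREIGN_TAG.search(rendered) or BAD_HREF.search(rendered))


# Constructed malicious text/plain bodies and link references.
EVIL_LABEL = "Invoice attached: [<img src=x onerror=alert(document.cookie)>][1]"
EVIL_SCHEME = "Please [review][2] today."
EVIL_REFS = {"1": "https://example.com/invoice", "2": "javascript:alert(1)"}

if __name__ == "__main__":
    for body in (EVIL_LABEL, EVIL_SCHEME):
        print("vulnerable:", linkify_vulnerable(body, EVIL_REFS))
        print("hardened:  ", linkify_hardened(body, EVIL_REFS))
```

The hardened version escapes before it rewrites, which is the order that matters: escaping the label inside the replacement callback would fix the first message but still leave any stray `<` elsewhere in the body untouched, and checking the URL scheme closes the second message's `javascript:` anchor that attribute escaping alone does not stop.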

Importance for TPRM Professionals

These vulnerabilities underscore the need for vigilant third-party risk management (TPRM) around email systems. Exploitation could lead to unauthorized access to mailbox contents, session or account takeover, and follow-on attacks launched from a trusted mailbox. Both issues are in CISA's Known Exploited Vulnerabilities Catalog: CVE-2023-5631 was added in October 2023 after in-the-wild exploitation against webmail users, and CVE-2023-43770 was added in February 2024, which makes addressing them urgent.

Questions for Vendors

  1. Have CVE-2023-43770 and CVE-2023-5631 been identified and patched in your RoundCube Webmail setup?
  2. What measures are in place to detect and prevent XSS attacks on your webmail system?
  3. Which Roundcube Webmail version is currently deployed, and what is your process and timeline for applying Roundcube security releases?
  4. How do you monitor for and respond to XSS vulnerabilities and other security threats in your email systems?

Remediation Recommendations for Vendors

  • Update RoundCube Webmail to the latest versions as outlined by security advisories to mitigate vulnerabilities.
  • Consider implementing additional security controls, such as Content Security Policy (CSP), to prevent XSS attacks.
  • Regularly audit webmail systems for vulnerabilities and apply security patches promptly.
  • Do not rely on user awareness for these issues: CVE-2023-5631 fires when a message is merely rendered, with no click required, so patching and output sanitization are the controls that matter.

Leveraging Black Kite for RoundCube Vulnerabilities

Black Kite published focus tags™ for CVE-2023-43770 and CVE-2023-5631, highlighting the active exploitation of these vulnerabilities and their inclusion in CISA’s KEV catalog. TPRM professionals can use Black Kite’s platform to identify which vendors are potentially affected by these vulnerabilities and prioritize risk mitigation efforts. By leveraging detailed asset information, Black Kite enables a targeted approach to managing the risk posed by these and other vulnerabilities in third-party email systems.

CVE-2023-47218 & CVE-2023-50358: QNAP QTS Command Injection Vulnerabilities

What are CVE-2023-47218 & CVE-2023-50358?

These are unauthenticated OS command injection flaws in QNAP's NAS operating systems (QTS, QuTS hero and QuTScloud) that allow remote command execution over the network. CVE-2023-47218 is triggered by a specially crafted HTTP POST request that abuses the handling of the ‘SPECIFIC_SERVER’ parameter, whose value reaches a shell command without sanitization, leading to arbitrary command execution. Researchers at Rapid7 published a technical write-up with a proof-of-concept exploit on February 13, 2024.
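Since the parameter name is public, exploitation attempts are easy to spot in request logs. The following is an added example (not QNAP's or Rapid7's code) that flags requests carrying a `SPECIFIC_SERVER` value with shell metacharacters or a value that is not a plausible hostname. It assumes a reverse proxy in front of the NAS logs each request as `METHOD target [body]`, a constructed format (a stock combined access log does not record POST bodies); the sample records and their endpoint path are illustrative, and detection keys on the parameter rather than the path.

```python
"""Flag HTTP requests that look like attempts at the QNAP command injection
(CVE-2023-47218 / CVE-2023-50358) via the SPECIFIC_SERVER parameter.

Added example, not QNAP's or Rapid7's code. It assumes a reverse proxy or
WAF in front of the NAS logs each request as 'METHOD target [body]' (a
constructed format: a stock combined access log does not record POST bodies).
The endpoint path in the sample records is illustrative; detection keys on
the parameter name, not the path.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that drive a shell but never belong in a time-server name.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")
# What a legitimate SPECIFIC_SERVER value should look like: a hostname or IP.
HOSTNAME = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def parse_record(record: str):
    """Split 'METHOD target [body]' into method, path and merged parameters
    (query string and form body are both URL-encoded key=value pairs)."""
    method, _, rest = record.partition(" ")
    target, _, body = rest.partition(" ")
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return method, parts.path, params


def classify(record: str):
    """Return None when the request does not carry SPECIFIC_SERVER, otherwise a
    verdict: 'injection' if any value contains shell metacharacters or is not a
    plausible hostname, 'benign' otherwise."""
    method, path, params = parse_record(record)
    values = params.get("SPECIFIC_SERVER")
    if not values:
        return None
    for value in values:
        if SHELL_META.search(value) or not HOSTNAME.match(value):
            return {"method": method, "path": path, "value": value, "verdict": "injection"}
    return {"method": method, "path": path, "value": values[0], "verdict": "benign"}


def suspicious_requests(records):
    """Filter a stream of log records down to likely exploitation attempts."""
    hits = (classify(r) for r in records)
    return [h for h in hits if h and h["verdict"] == "injection"]


# Constructed sample records, not real traffic.
SAMPLE_RECORDS = [
    "POST /cgi-bin/quick/quick.cgi?todo=set_timeinfo SPECIFIC_SERVER=pool.ntp.org&TIME_ZONE=UTC",
    "POST /cgi-bin/quick/quick.cgi?todo=set_timeinfo SPECIFIC_SERVER=1.2.3.4%3Bid%3E%2Ftmp%2Fo",
    "GET /cgi-bin/quick/quick.cgi?todo=set_timeinfo&SPECIFIC_SERVER=%24(id)",
    "GET /cgi-bin/authLogin.cgi",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_RECORDS):
        print(f"{hit['method']} {hit['path']} SPECIFIC_SERVER={hit['value']!r}")
```

Decoding the parameters before matching is the point: the second sample hides `;id>/tmp/o` behind percent-encoding, and a pattern applied to the raw line would miss it. The hostname allow-list catches payloads that avoid the listed metacharacters but still are not a server name.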

Why Should TPRM Professionals Care?

The exploitation of these vulnerabilities could lead to unauthorized system access, data breach, or further network compromise. Given the critical role of NAS devices in data storage and management, it’s vital for TPRM professionals to ensure that their vendors have implemented the necessary patches to mitigate these risks.

What to Ask Vendors for Risk Assessment

  1. Have CVE-2023-47218 and CVE-2023-50358 been patched in your QNAP devices?
  2. What measures are in place to prevent similar command injection vulnerabilities?
  3. How do you monitor for potential exploitation of vulnerabilities in your NAS devices?
  4. Can you provide documentation on the latest security updates for your QNAP devices?

Remediation Recommendations for Vendors

Vendors should update to QTS 5.1.5.2645 build 20240116 and later, QuTS hero h5.1.5.2647 build 20240118 and later, or QuTScloud c5.1.5.2651 and later to fix these vulnerabilities. Devices on older QTS or QuTS hero branches received separate fixed builds; check QNAP's security advisories for the fixed build that applies to each branch in use.

  • Regularly check for and apply security patches provided by QNAP, and enable automatic updates where the device supports them.
  • Keep the NAS management interface off the public internet (no direct port forwarding or UPnP exposure) and reach it through a VPN; network segmentation and access control reduce the set of hosts that can send the malicious request at all.
  • Continuously monitor for unusual activity, including unexpected processes or outbound connections from the NAS, to detect exploitation attempts early.

Leveraging Black Kite for QNAP Vulnerabilities

With Black Kite’s inclusion of the focus tag for CVE-2023-47218 and CVE-2023-50358 on February 16, TPRM professionals are equipped with timely and critical information to address these vulnerabilities effectively. The platform’s real-time alerts and comprehensive vulnerability analysis empower organizations to take proactive steps in safeguarding against potential exploits, particularly in light of the PoC exploit availability.

Enhancing TPRM Strategies with Black Kite’s Focus Tags™

In the dynamic and often tumultuous seas of cybersecurity, Black Kite’s Focus Tags™ serve as an indispensable beacon for navigating Third-Party Risk Management (TPRM). The recent uncovering of vulnerabilities in FortiOS SSL VPN, Symantec MG, RoundCube Webmail, and QNAP QTS underscores the critical need for advanced, real-time threat detection and management. Black Kite’s Focus Tags™ shine a light on these vulnerabilities, enabling TPRM professionals to:

  • Pinpoint Vulnerabilities in Real-Time: Quickly identify which vendors are impacted by specific vulnerabilities, facilitating a prompt and effective response.
  • Prioritize Risks Intelligently: Evaluate the severity of vulnerabilities in the context of your organization’s unique vendor ecosystem, allowing for strategic resource allocation.
  • Engage Vendors with Precision: Armed with detailed vulnerability insights, engage in meaningful dialogues with vendors to address and mitigate risks directly.
  • Broaden Security Perspectives: Gain a comprehensive understanding of the threat landscape, enhancing your organization’s overall security posture and resilience against cyber threats.

By integrating Black Kite’s Focus Tags™ into your TPRM strategy, you transform complex, often overwhelming cyber threat information into clear, actionable intelligence. In today’s landscape, where vulnerabilities like those discussed can significantly impact organizational security, Black Kite’s solution is not just beneficial—it’s essential. Through targeted risk identification, prioritization, and vendor engagement, Focus Tags™ empower TPRM teams to stay one step ahead, ensuring that cybersecurity defenses are as robust and proactive as possible.

Want to take a closer look at Focus Tags™?

Take our platform for a test drive and request a demo today.

Focus Tags™ in the last 30 days:

  • Symantec MG [Suspected]: CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
  • FortiOS SSL VPN [Suspected]: CVE-2024-21762, Out-of-Bounds Write Vulnerability
  • RoundCube [Suspected]: CVE-2023-43770, Stored XSS Vulnerability [Updated]
  • Citrix ADC/Gateway: CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
  • Ivanti EPMM: CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
  • GoAnywhere [Suspected]: CVE-2024-0204, Authentication Bypass Vulnerability
  • Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability
  • Ivanti ICS: CVE-2024-21887, Command Injection Vulnerability; CVE-2023-46805, Authentication Bypass Vulnerability
  • Cacti SQLi: CVE-2023-51448, Blind SQL Injection (SQLi) Vulnerability
  • Juniper OS: CVE-2024-21591 [Updated Tag], Remote Code Execution Vulnerability
  • Kyocera Device Manager [Suspected]: CVE-2023-50916, Path Traversal Vulnerability
  • Apache Tomcat: CVE-2023-46589, Improper Input Validation Vulnerability
  • Laravel [Suspected]: CVE-2018-15133, Deserialization of Untrusted Data Vulnerability
  • SonicWall SonicOS: CVE-2023-0656, Stack-Based Buffer Overflow Vulnerability (DoS, RCE)
  • Confluence Data Center and Server: CVE-2023-22527 [Updated Tag], Template Injection Vulnerability
