Written by: Ferdi Gül

Welcome to this week’s edition of FOCUS FRIDAY, where we delve into high-profile cybersecurity incidents from a Third-Party Risk Management (TPRM) perspective. In this installment, we examine critical vulnerabilities affecting widely-used products such as LiteSpeed Cache, RICOH Web Image Monitor, Squid Proxy, and Xlight FTP. By leveraging Black Kite’s proprietary FocusTags™, we provide actionable insights and strategic recommendations to help organizations effectively manage and mitigate the risks associated with these vulnerabilities. Join us as we explore the details of each incident and outline best practices for enhancing your TPRM strategies.

Filtered view of companies with LiteSpeed Cache FocusTag™ on the Black Kite platform.

CVE-2024-50550: LiteSpeed Cache Privilege Escalation Vulnerability

What is the LiteSpeed Cache Privilege Escalation Vulnerability (CVE-2024-50550)?

CVE-2024-50550 is a high-severity privilege escalation vulnerability in the LiteSpeed Cache plugin for WordPress. With a CVSS score of 8.1, it allows unauthenticated attackers to gain administrator-level access to affected sites. Published on November 1, 2024, the flaw lies in the is_role_simulation() function of the plugin’s Crawler feature: the security hash that function relies on is generated from a weak random source with a small key space, so an attacker can brute-force it and pass the role-simulation check as an administrator. From there they can upload and activate a malicious plugin, which amounts to a full site takeover. No PoC exploit code is publicly available, and the vulnerability has not yet been added to CISA’s Known Exploited Vulnerabilities catalog. Once the hash check is bypassed, an attacker controls the site and can install malware, steal data, and disrupt website operations.

Why Should TPRM Professionals Care About CVE-2024-50550?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-50550 poses significant risks to organizations relying on WordPress sites that utilize the LiteSpeed Cache plugin. A successful exploitation can compromise site integrity, leading to unauthorized data access, malware distribution, and operational disruptions. Given the plugin’s widespread use—over six million active installations—TPRM professionals must assess the potential impact on their vendor ecosystems to prevent cascading security breaches.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-50550?

To effectively evaluate the risk associated with CVE-2024-50550, TPRM professionals should engage vendors with the following targeted questions:

  1. Have you updated all instances of LiteSpeed Cache to version 6.5.2 or later to mitigate the risk of CVE-2024-50550?
  2. Can you confirm if you have deactivated the Crawler feature in LiteSpeed Cache to limit potential exploit vectors related to the privilege escalation vulnerability?
  3. Are you regularly monitoring server logs and website activity, specifically for unusual behavior around plugin installation and activation, to detect potential exploitation of the CVE-2024-50550 vulnerability?
  4. Have you enabled virtual patching through security platforms like Patchstack until the LiteSpeed Cache plugin is updated to address the CVE-2024-50550 vulnerability?

Remediation Recommendations for Vendors Subject to CVE-2024-50550

Vendors should adopt the following remediation strategies to address CVE-2024-50550 effectively:

  • Upgrade the LiteSpeed Cache Plugin: Immediately update to LiteSpeed Cache version 6.5.2 or newer to patch the identified vulnerability.
  • Implement Virtual Patching: Utilize security platforms like Patchstack to apply virtual patches until the plugin update is completed.
  • Restrict Access: Limit access to site settings and other sensitive areas to minimize potential exploitation vectors.
  • Monitor Activity: Regularly review server logs and website activities for any signs of unusual behavior, particularly related to plugin installations and activations.
  • Optimize Plugin Usage: Ensure that only essential plugins are active and disable the Crawler feature if it is not required for your operations.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-50550

Black Kite’s FocusTag™ for CVE-2024-50550 was published on November 1, 2024, providing TPRM professionals with precise intelligence to identify vendors at risk. By utilizing Black Kite’s platform, organizations can efficiently filter and focus on vendors that specifically use the vulnerable LiteSpeed Cache plugin, thereby streamlining their risk assessment processes. Additionally, Black Kite offers detailed asset information, including affected IP addresses and subdomains, enabling targeted remediation efforts and reducing the overhead associated with broad-based vendor questionnaires.

Black Kite’s LiteSpeed Cache FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-47939: RICOH Web Image Monitor Buffer Overflow Vulnerability

What is the RICOH Web Image Monitor Buffer Overflow Vulnerability (CVE-2024-47939)?

CVE-2024-47939 is a critical stack-based buffer overflow vulnerability in Ricoh’s Web Image Monitor, the embedded web management interface used by numerous Ricoh laser printers and Multi-Function Printers (MFPs). With a CVSS score of 9.8 and an EPSS score of 0.05%, it allows an attacker to execute arbitrary code remotely or cause a denial of service (DoS) by sending specially crafted HTTP requests to an affected device. Published on November 4, 2024, the flaw arises from improper handling of HTTP requests within the Web Image Monitor, which could let an attacker manipulate device settings, install malware, or disrupt printing services. Currently there is no PoC exploit available, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. However, the interface is reachable over the network and the flaw requires no authentication (the 9.8 score reflects network access with no privileges or user interaction), so any affected device exposed to untrusted networks is at real risk.

Affected Products: Ricoh’s security advisory lists specific MFP and printer models. MP 501SPF, MP 601SPF, IM 550F, IM 600F, IM 600SRF, SP 5300DN, SP 5310DN, P 800, P 801, IM 2702, MP C8003, MP C6503, IM C6500, IM C8000, IM 350F, IM 350, IM 430F, IM 430Fb, P 501, P 502, IM 2500, IM 3000, IM 3500, IM 4000, IM 5000, IM 6000, MP 2555, MP 3055, MP 3555, MP 4055, MP 5055, MP 6055, SP 8400DN, SP 6430DN, IM C530F, IM C530FB, MP 402SPF, IM C400F, IM C400SRF, IM C300F, IM C300, P C600, Aficio MP 2001, Aficio MP 2501, MP 6503, MP 7503, MP 9003, IM 7000, IM 8000, IM 9000, MP C3003, MP C3503, MP C4503, MP C5503, MP C6003, MP C2003, MP C2503, MP C3004ex, MP C3504ex, MP C2004ex, MP C2504ex, MP C4504ex, MP C5504ex, MP C6004ex, MP C3004, MP C3504, MP C2004, MP C2504, MP C4504, MP C5504, MP C6004, IM C3000, IM C3500, IM C2000, IM C2500, IM C4500, IM C5500, IM C6000, SP C842DN, SP C340DN, SP C342DN, MP C501SP, IM CW2200, IP CW2200, Aficio MP 301, SP C360SNw, SP C360SFNw, SP C361SFNw, SP C352DN, SP C360DNw, SP C435DN, SP C440DN, MP C3003, MP C3503, MP C4503, MP C5503, MP C6003, MP C2003, MP C2503, MP C6502, MP 2554, MP 3054, MP 3554, MP 4054, MP 5054, MP 6054, MP C306, MP C406, Pro 8300S, Pro 8310S, Pro 8320S, Pro 8310, Pro 8320, Pro C5200S, Pro C5210S, Pro C5300S, Pro C5310S, Pro C5300SL, Pro C7200S, Pro C7210S, Pro C7200SX, Pro C7210SX, Pro C7200SL, Pro C7200, Pro C7210, Pro C7200X, Pro C7210X, Pro C7200e, Pro C9100, Pro 9110, Pro C7100S, Pro C7110S, Pro C7100SX, Pro C7110SX, Pro C7100, Pro C7110, Pro C7100X, Pro C7110X, Pro C9200, Pro C9210.

Why Should TPRM Professionals Care About CVE-2024-47939?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-47939 poses significant threats to organizations that rely on Ricoh printers and MFPs within their operational infrastructure. Exploitation of this vulnerability can lead to unauthorized access to sensitive documents, disruption of essential printing services, and potential pivot points for broader network compromises. Given the extensive range of affected Ricoh devices, organizations must assess the impact on their vendor ecosystems to mitigate risks associated with data breaches, operational downtime, and compromised network integrity.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-47939?

To effectively evaluate the risk associated with CVE-2024-47939, TPRM professionals should engage vendors with the following targeted questions:

  1. Have you updated the firmware for all affected Ricoh printers and MFPs as advised by Ricoh to mitigate the vulnerability of CVE-2024-47939?
  2. Have you implemented strong network segmentation and isolated printing devices from other critical network segments to reduce the impact of a potential compromise due to CVE-2024-47939?
  3. Are you monitoring network traffic to identify any unusual behavior from Ricoh devices that could indicate an exploitation of the buffer overflow vulnerability CVE-2024-47939?
  4. Have you configured firewall rules to block unauthorized IPs from accessing the device and limited access to the Web Image Monitor to trusted networks only to prevent potential exploitation of CVE-2024-47939?

Remediation Recommendations for Vendors Subject to CVE-2024-47939

Vendors should adopt the following remediation strategies to effectively address CVE-2024-47939:

  • Update the firmware for all affected Ricoh printers and MFPs as advised by Ricoh to mitigate the vulnerability.
  • Limit access to the Web Image Monitor to trusted networks only. Configure firewall rules to block unauthorized IPs from accessing the device.
  • Monitor network traffic to identify any unusual behavior from Ricoh devices. Enable logging features where possible to track access and detect potential intrusions.
  • Implement strong network segmentation: isolate printing devices from other critical network segments to reduce the impact of a potential compromise.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-47939

Black Kite’s FocusTag™ for CVE-2024-47939 was published on November 4, 2024, equipping TPRM professionals with actionable intelligence to identify and assess vendors utilizing vulnerable Ricoh printers and MFPs. By leveraging Black Kite’s platform, organizations can precisely filter and target vendors that operate affected Ricoh devices, thereby streamlining their risk assessment and mitigation processes. Additionally, Black Kite provides detailed asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and minimizing the resources spent on broad-based vendor evaluations.

Black Kite’s RICOH Web Image Monitor FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-45802: Squid Proxy DoS Vulnerability

What is the Squid Proxy Denial-of-Service Vulnerability (CVE-2024-45802)?

CVE-2024-45802 is a high-severity Denial-of-Service (DoS) vulnerability in the Squid caching proxy that applies when the Edge Side Includes (ESI) feature is compiled in and enabled. With a CVSS score of 7.5 and an EPSS score of 0.12%, it allows a trusted upstream server to deny service to every client using the proxy, through a combination of input-validation, premature-release-of-resource, and missing-release-of-resource bugs in the ESI code. Disclosed on October 30, 2024, it affects Squid versions 3.0 through 6.9 built with ESI, as well as Squid 6.10 and newer if ESI is manually re-enabled. There is currently no proof-of-concept (PoC) exploit available, the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there are no indications of active exploitation campaigns or of specific threat actors targeting it.

Why Should TPRM Professionals Care About CVE-2024-45802?

From a Third-Party Risk Management (TPRM) standpoint, CVE-2024-45802 matters to organizations that run Squid in their infrastructure because the trigger comes from a server the proxy trusts: a compromised or malicious origin can take down the proxy for every client behind it without any action on the client side. Where Squid fronts web services as a reverse proxy, that means an outage of those services and of the business processes that depend on them. Given how widely Squid is deployed across network architectures, TPRM professionals must evaluate the potential impact on their vendor networks to ensure continuity and maintain a robust security posture.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-45802?

To thoroughly assess the risk associated with CVE-2024-45802, TPRM professionals should pose the following specific inquiries to their vendors:

  1. Can you confirm if you have updated all instances of Squid Proxy Server to version 6.10 or later, ensuring that the Edge Side Includes (ESI) feature is disabled by default, to mitigate the risk of CVE-2024-45802?
  2. Have you run ‘squid -v’ to check the build parameters and confirm that ESI is not compiled into your Squid Proxy Server? If ‘--enable-esi’ appears in the configure options, have you rebuilt Squid with ‘--disable-esi’?
  3. Have you restricted proxy server access to trusted networks only to reduce exposure to potential exploitation sources, as recommended in the advisory for CVE-2024-45802?
  4. Are you monitoring network traffic for unusual or sustained requests, which may indicate attempted exploitation of the DoS vulnerability in Squid Proxy Server?

Remediation Recommendations for Vendors Subject to CVE-2024-45802

Vendors should implement the following remediation measures to effectively mitigate the risks posed by CVE-2024-45802:

  • Upgrade Squid Proxy: Immediately update all Squid Proxy servers to version 6.10 or newer, ensuring that the ESI feature is disabled by default to eliminate the vulnerability.
  • Verify Configuration: Execute squid -v and inspect the configure options line. If --enable-esi appears, rebuild Squid with --disable-esi; on 6.10 and newer, the absence of --enable-esi means ESI is off.
  • Implement Network Monitoring: Continuously monitor network traffic for any unusual or sustained request patterns that may suggest attempts to exploit the DoS vulnerability.
  • Restrict Access: Limit access to Squid Proxy servers by configuring firewall rules to allow connections only from trusted networks and authorized IP addresses.
  • Workaround: Where an immediate upgrade is not feasible, rebuild Squid with the --disable-esi flag to remove the vulnerable code until the upgrade can be completed.
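The build check asked for in questionnaire item 2 and in the Verify Configuration step above, as an added example that is not Squid’s own tooling: it classifies a host from the text `squid -v` prints (the “Squid Cache: Version” line and the “configure options:” line). The banners below are constructed samples in that format; run_local() shows how to feed in the real output on a host where squid is on PATH.

```python
"""Classify a Squid build for CVE-2024-45802 from the output of `squid -v`.

Added example, not part of the Squid project. The banners below are
constructed samples of the two lines the check needs; on a real host call
run_local() instead.
"""
import re
import shlex
import subprocess

# Constructed sample banners (only the lines the check needs are shown).
SAMPLE_OLD_WITH_ESI = """\
Squid Cache: Version 6.9
Service Name: squid
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--enable-esi' '--with-openssl'
"""
SAMPLE_OLD_NO_ESI = """\
Squid Cache: Version 6.9
Service Name: squid
configure options:  '--prefix=/usr' '--disable-esi' '--with-openssl'
"""
SAMPLE_NEW_DEFAULT = """\
Squid Cache: Version 6.10
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl'
"""
SAMPLE_NEW_REENABLED = """\
Squid Cache: Version 6.10
Service Name: squid
configure options:  '--prefix=/usr' '--enable-esi'
"""
SAMPLE_OLD_UNSTATED = """\
Squid Cache: Version 5.9
Service Name: squid
configure options:  '--prefix=/usr'
"""


def parse_version(banner: str):
    """Return (major, minor) from the 'Squid Cache: Version X.Y' line, or None."""
    m = re.search(r"^Squid Cache: Version (\d+)\.(\d+)", banner, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def configure_flags(banner: str) -> set:
    """Return the ./configure arguments recorded on the 'configure options:' line."""
    m = re.search(r"^configure options:\s*(.*)$", banner, re.M)
    return set(shlex.split(m.group(1))) if m else set()


def assess(banner: str) -> str:
    """'vulnerable', 'not_affected', 'verify_build' or 'unknown' for one banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    flags = configure_flags(banner)
    if version < (3, 0):
        return "not_affected"        # advisory range starts at 3.0
    if "--disable-esi" in flags:
        return "not_affected"        # ESI compiled out: the vulnerable code is absent
    if "--enable-esi" in flags:
        return "vulnerable"          # 3.0-6.9 with ESI, or 6.10+ with ESI re-enabled
    if version >= (6, 10):
        return "not_affected"        # 6.10+ leaves ESI off unless explicitly re-enabled
    # Older build with no explicit flag: whether ESI was built in depends on the
    # build environment, so the banner alone cannot clear it.
    return "verify_build"


def run_local() -> str:
    """Assess the Squid binary on this host (requires squid on PATH)."""
    banner = subprocess.run(["squid", "-v"], capture_output=True, text=True, check=True).stdout
    return assess(banner)


if __name__ == "__main__":
    for name, banner in [("old, --enable-esi", SAMPLE_OLD_WITH_ESI),
                         ("old, --disable-esi", SAMPLE_OLD_NO_ESI),
                         ("6.10 default", SAMPLE_NEW_DEFAULT),
                         ("6.10, re-enabled", SAMPLE_NEW_REENABLED),
                         ("old, no flag", SAMPLE_OLD_UNSTATED)]:
        print(f"{name}: {assess(banner)}")
```

A “verify_build” result is the case questionnaires tend to miss: an older build whose configure line names neither flag is not cleared by the banner, and the vendor should either confirm from their build records that ESI was not compiled in or simply rebuild with --disable-esi.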

How TPRM Professionals Can Leverage Black Kite for CVE-2024-45802

Black Kite’s FocusTag™ for CVE-2024-45802 was published on October 30, 2024, providing TPRM professionals with precise intelligence to identify vendors utilizing vulnerable Squid Proxy servers. By leveraging Black Kite’s platform, organizations can efficiently filter and concentrate on vendors that operate affected Squid Proxy versions, streamlining their risk assessment and mitigation processes. Additionally, Black Kite offers detailed asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and reducing the resources required for broad-based vendor evaluations.

Black Kite’s Squid Proxy FocusTag™ details critical insights on the event for TPRM professionals.

CVE-2024-46483: Xlight FTP Critical Vulnerability

What is the Xlight FTP Remote Code Execution Vulnerability (CVE-2024-46483)?

CVE-2024-46483 is a critical heap overflow vulnerability in Xlight SFTP Server, a widely used FTP and SFTP server for Windows. With a CVSS score of 9.8, it allows unauthenticated attackers to execute code remotely or crash the service (denial of service). Disclosed on October 31, 2024, the flaw originates from inadequate validation in the server’s SFTP packet parsing, specifically in how it handles client-sent strings: every SFTP string is a four-byte length prefix followed by that many bytes, and by supplying a length that does not match the data actually sent, an attacker can make the server perform out-of-bounds memory operations, potentially leading to complete system compromise. PoC exploit code is publicly available on GitHub, but the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and there are no current reports of active exploitation by threat actors.
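The length-prefix handling described above, as an added example that is neither Xlight’s code nor the public PoC: a bounds-checked parser for SFTP length-prefixed strings that rejects a packet whose declared length does not fit the bytes actually received, instead of acting on the declared length. The SSH_FXP_OPEN layout (type 3; uint32 id, string filename, uint32 pflags, ATTRS) follows the SFTP draft; the packets are constructed here, and naive_alloc_size() only illustrates what a 32-bit `length + 1` size computation does to a 0xFFFFFFFF length, not what Xlight’s code does.

```python
"""Bounds-checked parsing of SFTP length-prefixed strings (added example).

Not Xlight's code and not the public PoC. An SFTP 'string' is a 4-byte
big-endian length followed by that many bytes; a parser that trusts the
length without checking it against the bytes it holds is the bug class
described for CVE-2024-46483. All packets below are constructed.
"""
import struct

SSH_FXP_OPEN = 3          # request type from the SFTP draft
MAX_STRING_LEN = 1 << 16  # policy cap (assumption): no filename needs more than 64 KiB


class MalformedPacket(ValueError):
    pass


def read_uint32(buf: bytes, off: int):
    if len(buf) - off < 4:
        raise MalformedPacket("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def read_string(buf: bytes, off: int, max_len: int = MAX_STRING_LEN):
    """Read one length-prefixed string, validating the length before using it."""
    length, off = read_uint32(buf, off)
    if length > max_len:
        raise MalformedPacket(f"declared length {length} exceeds cap {max_len}")
    if length > len(buf) - off:
        raise MalformedPacket(f"declared length {length} exceeds {len(buf) - off} remaining bytes")
    return buf[off:off + length], off + length


def parse_fxp_open(packet: bytes) -> dict:
    """Parse a framed SSH_FXP_OPEN: uint32 length, byte type, uint32 id,
    string filename, uint32 pflags, ATTRS (only the leading flags word here)."""
    total, off = read_uint32(packet, 0)
    if total != len(packet) - 4:
        raise MalformedPacket("outer length does not match packet size")
    if packet[off] != SSH_FXP_OPEN:
        raise MalformedPacket("not SSH_FXP_OPEN")
    off += 1
    req_id, off = read_uint32(packet, off)
    filename, off = read_string(packet, off)
    pflags, off = read_uint32(packet, off)
    attr_flags, off = read_uint32(packet, off)
    if off != len(packet):
        raise MalformedPacket("trailing bytes after ATTRS")
    return {"id": req_id, "filename": filename.decode("utf-8", "replace"),
            "pflags": pflags, "attr_flags": attr_flags}


def build_fxp_open(req_id: int, filename: bytes, pflags: int = 1,
                   attr_flags: int = 0, fake_len: int = None) -> bytes:
    """Build a request; fake_len overrides the filename length field to mimic malformed input."""
    body = struct.pack(">BI", SSH_FXP_OPEN, req_id)
    body += struct.pack(">I", len(filename) if fake_len is None else fake_len) + filename
    body += struct.pack(">II", pflags, attr_flags)
    return struct.pack(">I", len(body)) + body


def naive_alloc_size(length: int) -> int:
    """What a C parser computing `length + 1` in a 32-bit unsigned gets: 0xFFFFFFFF wraps to 0,
    so a zero-byte buffer would be allocated and the copy sized by the original length."""
    return (length + 1) & 0xFFFFFFFF


def classify(packet: bytes) -> str:
    try:
        parse_fxp_open(packet)
        return "ok"
    except MalformedPacket as exc:
        return f"rejected: {exc}"


# Constructed packets: one valid request and two with a lying length field.
GOOD = build_fxp_open(7, b"/inbox/report.csv")
BAD_HUGE = build_fxp_open(7, b"/inbox/report.csv", fake_len=0xFFFFFFFF)
BAD_OVERRUN = build_fxp_open(7, b"/inbox/report.csv", fake_len=100)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("len=0xFFFFFFFF", BAD_HUGE), ("len=100", BAD_OVERRUN)]:
        print(f"{name}: {classify(pkt)}")
    print("naive 32-bit alloc size for 0xFFFFFFFF + 1:", naive_alloc_size(0xFFFFFFFF))
```

The two checks in read_string are the whole point: the cap stops an absurd length from ever sizing an allocation, and the remaining-bytes comparison stops a plausible-looking length from reading or copying past the data that was actually received. A detection rule for this bug class is the mirror image: SFTP requests whose declared string length exceeds the remaining packet length are never legitimate.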

Why Should TPRM Professionals Care About CVE-2024-46483?

From a Third-Party Risk Management (TPRM) perspective, CVE-2024-46483 poses a significant threat to organizations that use Xlight SFTP Server for file transfers. Exploitation can result in unauthorized system access, allowing attackers to execute arbitrary commands, install malware, or take the service down through DoS attacks. Because SFTP servers are typically internet-facing and carry sensitive file exchanges with partners and customers, a compromised instance in a vendor’s environment exposes the data passing through it and offers a foothold into that vendor’s network. TPRM professionals must assess the presence of vulnerable Xlight instances within their supply chains to prevent cascading security breaches and ensure the integrity of sensitive data exchanges.

What Questions Should TPRM Professionals Ask Vendors About CVE-2024-46483?

To effectively evaluate the risk associated with CVE-2024-46483, TPRM professionals should engage vendors with the following targeted questions:

  1. Have you updated all instances of Xlight SFTP Server to a release that patches CVE-2024-46483? (Versions 3.9.4.2 and earlier are affected.)
  2. Can you confirm if you have implemented firewall rules to restrict access to the SFTP server and are actively monitoring for unexpected traffic as recommended?
  3. Are you limiting network access to the SFTP server to trusted IPs only as a measure to mitigate the risk of CVE-2024-46483?
  4. Given the public availability of PoC exploit code for CVE-2024-46483 on GitHub, what specific measures have you taken to monitor and detect potential exploitation attempts on your Xlight SFTP Server?

Remediation Recommendations for Vendors Subject to CVE-2024-46483

Vendors should implement the following remediation measures to effectively mitigate the risks posed by CVE-2024-46483:

  • Update Xlight SFTP Server: Immediately upgrade to the latest release, which patches CVE-2024-46483; versions 3.9.4.2 and earlier are affected.
  • Restrict Network Access: Limit access to the SFTP server by configuring firewall rules to allow connections only from trusted IP addresses, thereby reducing exposure to potential attackers.
  • Monitor Network Traffic: Continuously monitor network traffic for any abnormal patterns or sustained requests that may indicate attempted exploitation of the vulnerability.
  • Implement Strong Authentication: Enforce robust authentication mechanisms, such as multi-factor authentication (MFA), for SFTP accounts. Note that this does not mitigate CVE-2024-46483 itself, which is triggered before authentication, but it limits what a stolen or brute-forced credential can do on the same server.
  • Regular Security Audits: Conduct regular security assessments and vulnerability scans to ensure that all systems are up-to-date and free from exploitable vulnerabilities.

How TPRM Professionals Can Leverage Black Kite for CVE-2024-46483

Black Kite’s FocusTag™ for CVE-2024-46483 was published on October 31, 2024, providing TPRM professionals with actionable intelligence to identify vendors utilizing vulnerable Xlight SFTP Server instances. By leveraging Black Kite’s platform, organizations can efficiently filter and target vendors that operate affected Xlight versions, streamlining their risk assessment and mitigation processes. Additionally, Black Kite offers comprehensive asset information, including specific IP addresses and subdomains associated with the vulnerable systems, enabling targeted remediation efforts and minimizing the resources required for broad-based vendor evaluations.

Black Kite’s Xlight FTP FocusTag™ details critical insights on the event for TPRM professionals.

Elevating TPRM Strategies with Black Kite’s FocusTags™

Black Kite’s FocusTags™ are instrumental in enhancing Third-Party Risk Management (TPRM) approaches, particularly when addressing vulnerabilities in widely-deployed systems like LiteSpeed Cache, RICOH Web Image Monitor, Squid Proxy, and Xlight FTP. These tags provide:

  • Real-Time Vulnerability Tracking: Instantly identifying vendors affected by the latest vulnerabilities enables rapid and strategic responses.
  • Risk Prioritization: By evaluating both the criticality of vendors and the severity of vulnerabilities, FocusTags™ assists in allocating resources more effectively.
  • Informed Vendor Engagement: Facilitate targeted discussions with vendors, focusing on their specific security postures in relation to the identified vulnerabilities.
  • Comprehensive Security Overview: With a broad view of the threat landscape, these tags aid in enhancing overall cybersecurity strategies.

Black Kite’s FocusTags™, tailored to the complexities of vulnerabilities in diverse systems, offer a streamlined, intelligent approach to TPRM. By converting intricate cyber threat data into actionable intelligence, these tags are critical for managing risks efficiently and proactively in an environment where cyber threats are constantly evolving.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability in LiteSpeed Cache plugin.
  • RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
  • Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
  • Xlight FTP: CVE-2024-46483, Heap Overflow and RCE Vulnerability in Xlight SFTP Server.
  • Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
  • FortiManager: CVE-2024-47575, Missing Authentication Vulnerability in FortiManager.
  • Grafana: CVE-2024-9264, Remote Code Execution Vulnerability in Grafana.
  • Roundcube Webmail: CVE-2024-37383, Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail.
  • Cisco FMC: CVE-2024-20424, Command Injection Vulnerability in Cisco Secure Firewall Management Center.
  • Oracle WebLogic Server: CVE-2024-21216, Remote Code Execution Vulnerability in Oracle WebLogic Server.
  • GitHub Enterprise: CVE-2024-9487, SAML SSO Authentication Bypass Vulnerability in GitHub Enterprise Server.
  • Fortinet Core Products: CVE-2024-23113, Format String Vulnerability in FortiOS, FortiPAM, FortiProxy, and FortiWeb. 
  • Cisco RV Routers: CVE-2024-20393, CVE-2024-20470, Privilege Escalation and RCE Vulnerability in RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers. 
  • Ivanti Connect Secure: CVE-2024-37404, Remote Code Execution Vulnerability in Ivanti Connect Secure & Policy Secure.
  • Zimbra: CVE-2024-45519, Remote Command Execution Vulnerability in Zimbra.
  • DrayTek Routers: CVE-2020-15415, Remote Code Execution Vulnerability in DrayTek Vigor Routers.
  • Authentik: CVE-2024-47070, Authentication Bypass Vulnerability in Authentik.
  • Octopus Deploy: CVE-2024-9194, SQL Injection Vulnerability in Octopus Server.
  • pgAdmin: CVE-2024-9014, OAuth2 Authentication Vulnerability in pgAdmin.
  • Keycloak: CVE-2024-8698, CVE-2024-8883, SAML Signature Validation Bypass and Session Hijacking Vulnerability in Keycloak.
  • Navidrome: CVE-2024-47062, SQL Injection Vulnerability in Navidrome.

References

  • NVD, CVE-2024-50550: https://nvd.nist.gov/vuln/detail/CVE-2024-50550
  • Patchstack advisory, LiteSpeed Cache privilege escalation: https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-1-privilege-escalation-vulnerability?_s_id=cve
  • SecurityOnline, LiteSpeed Cache CVE-2024-50550: https://securityonline.info/over-6-million-sites-at-risk-severe-privilege-escalation-flaw-cve-2024-50550-in-litespeed-cache-plugin
  • NVD, CVE-2024-47939: https://nvd.nist.gov/vuln/detail/CVE-2024-47939
  • Ricoh security advisory ricoh-2024-000011: https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000011
  • NVD, CVE-2024-45802: https://nvd.nist.gov/vuln/detail/CVE-2024-45802
  • Squid security advisory GHSA-f975-v7qw-q7hj: https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
  • NVD, CVE-2024-46483: https://nvd.nist.gov/vuln/detail/CVE-2024-46483
  • Public PoC for CVE-2024-46483 (kn32): https://github.com/kn32/cve-2024-46483
  • Xlight FTP Server release notes: https://www.xlightftpd.com/whatsnew.htm