FOCUS FRIDAY: TPRM INSIGHTS ON POLYFILL SUPPLY CHAIN ATTACK AND MOVEit, CISCO NX-OS, OPENSSH, APACHE TOMCAT, PROGRESS’ WHATSUP GOLD, AND MICROSOFT MSHTML VULNERABILITIES

Written By: Ferdi Gul
Contributor: Ferhat Dikbiyik

Welcome to this week’s Focus Friday blog, where we delve into critical vulnerabilities impacting today’s digital landscape from a Third-Party Risk Management (TPRM) perspective. In this edition, we explore significant threats associated with Progress’ MOVEit, Cisco NX-OS, OpenSSH, Apache Tomcat, Polyfill, Progress’ WhatsUp Gold, Microsoft MSHTML. Understanding these vulnerabilities and their implications is crucial for maintaining robust cybersecurity defenses and managing third-party risks effectively.

*Filtered view of companies with a Microsoft MOVEit FocusTag on the Black Kite platform.*

CVE-2024-5805 and CVE-2024-5806: MOVEit Transfer and MOVEit Gateway Vulnerabilities

What is the Improper Authentication Vulnerability in MOVEit?

CVE-2024-5805 and CVE-2024-5806 are critical improper authentication vulnerabilities found in the Progress MOVEit Transfer and MOVEit Gateway software, respectively. Both vulnerabilities allow unauthorized attackers to bypass authentication mechanisms, potentially leading to unauthorized access, file theft, data leakage, and server takeovers. The vulnerabilities were first disclosed on June 25, 2024, with public proof-of-concept (PoC) exploit code available, increasing the likelihood of exploitation.

CVE-2024-5805 affects the SFTP module in MOVEit Transfer, while CVE-2024-5806 impacts the MOVEit Gateway’s SFTP module. These flaws arise from improper handling of authentication tokens, enabling attackers to forge credentials and access the system without proper authentication. While the vulnerabilities have not yet been listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploitation attempts have already begun.

Affected versions include MOVEit Transfer versions from 2023.0.0 to before 2023.0.11, from 2023.1.0 to before 2023.1.6, and from 2024.0.0 to before 2024.0.2. MOVEit Gateway version 2024.0.0 is also affected. Progress Software has released patches to address these issues.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals need to be aware of these vulnerabilities because they pose significant risks to any organization using MOVEit Transfer or MOVEit Gateway. Given the critical nature of these products, which are often used for secure file transfers and gateway services, successful exploitation can result in severe data breaches and operational disruptions.

Organizations relying on these products for sensitive data transfers must recognize the potential impact of an unauthorized attacker gaining access. The previous exploitation of MOVEit Transfer by the Cl0p ransomware group underscores the severe consequences of such vulnerabilities.

What Questions Should TPRM Professionals Ask Vendors?

Have you applied the latest patches released by Progress for MOVEit Transfer and MOVEit Gateway?
Can you confirm whether two-factor authentication (2FA) is enabled for all MOVEit-related access points?
Have you implemented network segmentation to limit access to MOVEit servers?
How are you monitoring for unusual activity on MOVEit systems, and what indicators of compromise (IoCs) are being tracked?

Remediation Recommendations for Vendors

To mitigate the risks associated with these vulnerabilities, vendors should:

Upgrade to the latest versions of MOVEit Transfer (2023.0.11, 2023.1.6, 2024.0.2) and MOVEit Gateway (2024.0.1).
Enable two-factor authentication (2FA) to enhance login security.
Enforce strong password policies to prevent easy exploitation.
Segment the network to restrict access to critical systems.
Block public inbound RDP access to MOVEit Transfer servers and limit outbound access to known, trusted endpoints.
Regularly monitor network traffic for unusual activities.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite helps TPRM professionals identify vendors affected by these vulnerabilities through its FocusTags^TM, which provide detailed information about the exposed assets, such as IP addresses and subdomains. This intelligence allows organizations to prioritize their response and remediation efforts. Black Kite’s tags, published on June 28, 2024, also offer updated information as new vulnerabilities or fixes are disclosed, ensuring that TPRM professionals stay informed and can take timely action.

By operationalizing Black Kite’s insights, organizations can efficiently address the highest risks within their vendor ecosystem, reducing the overall impact and improving their security posture.

*Black Kite’s MOVEit FocusTag^TM details critical insights on the event for TPRM professionals.*

CVE-2024-20399: Cisco NX-OS Arbitrary Command Execution Vulnerability

What is the Command Injection Vulnerability in Cisco NX-OS?

CVE-2024-20399 is an authenticated arbitrary command execution vulnerability in the Command Line Interface (CLI) of Cisco NX-OS Software. This medium-severity vulnerability (CVSS score: 6.0, EPSS score: 0.04%) enables an authenticated local attacker to execute arbitrary commands with root privileges on the affected device’s operating system. It was first published on July 2, 2024.

The vulnerability arises due to insufficient validation of input parameters passed to specific configuration CLI commands. By crafting malicious input, an attacker can inject arguments into vulnerable commands, gaining unauthorized access to execute root-level commands. This can lead to data theft, service disruption, and potentially complete system compromise. The vulnerability has been exploited in the wild, with the Chinese state-backed hacking group Velvet Ant targeting Cisco network switches as part of a cyberespionage campaign.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals must be concerned about CVE-2024-20399 due to its potential impact on critical network infrastructure. Cisco NX-OS is widely used in various enterprise environments for managing network switches. If exploited, this vulnerability could allow attackers to disrupt services, steal sensitive data, and compromise network integrity. Given the involvement of state-backed threat actors, the risk extends to potential espionage activities, further emphasizing the need for immediate attention and remediation.

What Questions Should TPRM Professionals Ask Vendors?

Have you applied the latest security patches for Cisco NX-OS to address CVE-2024-20399?
What measures are in place to validate and sanitize input parameters in CLI commands?
How do you monitor and detect unauthorized access attempts or unusual activities on NX-OS devices?
Can you provide documentation on your network segmentation and access control policies?

Remediation Recommendations for Vendors

To mitigate the risks associated with CVE-2024-20399, vendors should:

Apply the latest security patches released by Cisco for NX-OS.
Implement strong password policies requiring complex passwords and regular changes.
Avoid using default credentials on devices.
Regularly monitor network traffic for unusual activities.
Segment the network to restrict access to critical systems.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite assists TPRM professionals by identifying vendors affected by this vulnerability through its FocusTags, providing detailed information about exposed assets. This intelligence allows organizations to prioritize remediation efforts effectively. Black Kite’s FocusTags, published on July 2, 2024, offer updated insights as new information becomes available, ensuring that TPRM professionals can take timely and informed actions.

By operationalizing Black Kite’s insights, organizations can efficiently address high-risk areas within their vendor ecosystem, enhancing overall security posture.

*Black Kite’s Cisco NX-OS FocusTag^TM details critical insights on the event for TPRM professionals.*

CVE-2024-6387: OpenSSH RegreSSHion Vulnerability

What is the Signal Handler Race Condition Vulnerability in OpenSSH?

CVE-2024-6387, also known as “RegreSSHion,” is a critical vulnerability in the OpenSSH server (sshd). This vulnerability arises from a signal handler race condition that can be exploited to execute arbitrary code or cause a denial of service (DoS). The vulnerability has a CVSS score of 8.1 and an EPSS score of 0.05%. It was publicly disclosed on July 1, 2024.

The issue occurs when the SSH server calls the SIGALRM handler asynchronously if a client fails to authenticate within the configured LoginGraceTime. This vulnerability can be exploited by repeatedly sending connection attempts to the server, triggering the SIGALRM handler, and potentially leading to arbitrary code execution or server crashes (Kaspersky).

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals need to be aware of CVE-2024-6387 due to its potential impact on a wide range of systems. OpenSSH is widely used across various platforms, including Linux distributions, macOS, and even some Windows installations. Successful exploitation of this vulnerability could lead to severe consequences such as unauthorized access, data breaches, and persistent system control by attackers.

What Questions Should TPRM Professionals Ask Vendors?

Have you applied the latest patches for OpenSSH to address CVE-2024-6387?
What measures have been implemented to prevent the exploitation of signal handler race conditions?
How do you monitor and detect unusual login attempts or patterns that might indicate an exploit attempt?
Can you provide details on your incident response plan in case of a successful exploitation of this vulnerability?

Remediation Recommendations for Vendors

To mitigate the risks associated with CVE-2024-6387, vendors should:

Update OpenSSH to version 9.8 or later, which includes the patch for CVE-2024-6387.
Temporarily set LoginGraceTime to ‘0’ in /etc/ssh/sshd_config to prevent exploitation, while noting this increases susceptibility to DoS attacks.
Implement strong authentication mechanisms such as multi-factor authentication (MFA).
Configure firewalls and network monitoring to detect and block unusual activities.
Limit the number of concurrent unauthenticated connections to reduce the risk of DoS attacks.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite helps TPRM professionals by identifying vendors affected by this vulnerability through its FocusTags, providing detailed information about exposed assets. This intelligence allows organizations to prioritize remediation efforts effectively. The FocusTag for this vulnerability was published on July 3, 2024, and includes updated information, ensuring that TPRM professionals can take timely and informed actions.

By operationalizing Black Kite’s insights, organizations can efficiently address high-risk areas within their vendor ecosystem, enhancing overall security posture.

*Black Kite’s OpenSSH RegreSSHion FocusTag^TM details critical insights on the event for TPRM professionals.*

CVE-2024-34750: Apache Tomcat DoS Vulnerability

What is the Improper Handling of Exceptional Conditions and Uncontrolled Resource Consumption Vulnerability in Apache Tomcat?

CVE-2024-34750 is a high-severity vulnerability in Apache Tomcat caused by improper handling of exceptional conditions and uncontrolled resource consumption. This issue occurs during the processing of an HTTP/2 stream where Apache Tomcat fails to handle cases of excessive HTTP headers correctly. This mismanagement leads to a miscount of active HTTP/2 streams, resulting in an incorrect infinite timeout being applied. Consequently, connections that should have been closed remain open, causing resource exhaustion. The vulnerability has a CVSS score of 7.5 and an EPSS score of 0.04%. It was publicly disclosed on July 5, 2024.

Attackers can exploit this vulnerability by sending specially crafted HTTP/2 requests with excessive headers, leading to uncontrolled resource consumption and eventual denial of service (DoS). Currently, there is no known exploitation in the wild, and no proof-of-concept (PoC) exploit code has been published. The vulnerability is not listed in CISA’s KEV catalog.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals should be concerned about CVE-2024-34750 because it can significantly impact the availability and performance of services relying on Apache Tomcat. Exploiting this vulnerability could lead to severe service disruptions, financial loss, and reputational damage. Since Apache Tomcat is widely used in web applications and enterprise environments, a successful attack can affect critical business operations and customer services.

What Questions Should TPRM Professionals Ask Vendors?

Have you upgraded Apache Tomcat to the latest fixed versions (11.0.0-M21, 10.1.25, or 9.0.90)?
What measures are in place to monitor and limit resource consumption on Apache Tomcat servers?
How do you ensure that HTTP requests are properly validated and managed to prevent resource exhaustion?
Can you provide logs or reports on any unusual HTTP/2 traffic or attempted exploitations?

Remediation Recommendations for Vendors

To mitigate the risks associated with CVE-2024-34750, vendors should:

Upgrade Apache Tomcat to the latest fixed versions (11.0.0-M21, 10.1.25, or 9.0.90) as listed in the Apache Tomcat security advisory.
Restrict network access to Apache Tomcat servers, using firewalls and network segmentation to limit exposure to trusted IP addresses only.
Deploy Web Application Firewalls (WAFs) to filter and monitor HTTP requests for malicious content.
Ensure strong, unique passwords for all accounts with access to Apache Tomcat, and enable multi-factor authentication (MFA) where possible.
Regularly review server logs for signs of unusual or suspicious activity that may indicate an attempted or successful exploitation.
Perform frequent security assessments and vulnerability scans on systems running Apache Tomcat to identify and remediate potential security issues.
Monitor network traffic for any unusual activities.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite helps TPRM professionals by identifying vendors affected by this vulnerability through its FocusTags. The tags provide detailed information about the exposed assets, such as IP addresses and subdomains, allowing organizations to prioritize their response and remediation efforts. Black Kite’s FocusTags for this vulnerability were published on July 5, 2024, and offer updated insights, ensuring that TPRM professionals can take timely and informed actions.

By operationalizing Black Kite’s insights, organizations can efficiently address high-risk areas within their vendor ecosystem, enhancing overall security posture.

*Black Kite’s Apache Tomcat DoS FocusTag^TM details critical insights on the event for TPRM professionals.*

Polyfill.io Supply Chain Attack

What happened in the Polyfill.io Supply Chain Attack?

A recent security incident involving Polyfill.io, a widely used JavaScript library provider, resulted in a significant supply chain attack. On July 3, 2024, it was discovered that attackers exploited vulnerabilities in Polyfill.io’s infrastructure to inject malicious code into the library’s distributed files. This malicious code allowed attackers to gain unauthorized access to systems using these libraries. The incident compromised customer data and affected numerous organizations relying on Polyfill.io for JavaScript functionality. The attack’s sophistication and widespread impact highlight the risks associated with third-party dependencies in software development.

Why Should TPRM Professionals Care About the Polyfill.io Incident?

TPRM professionals should be concerned about the Polyfill.io supply chain attack because it highlights the vulnerabilities and risks associated with third-party software dependencies. Many organizations rely on JavaScript libraries like Polyfill.io for their web applications, making them susceptible to such attacks. The potential for data breaches, unauthorized access, and subsequent financial and reputational damage underscores the importance of robust third-party risk management practices. Ensuring that vendors maintain secure software supply chains is critical to mitigating such risks.

What Questions Should TPRM Professionals Ask Vendors About the Polyfill.io Incident?

Have you identified any assets within your organization using Polyfill.io JavaScript libraries?
What steps have been taken to update Polyfill.io libraries to the latest secure versions?
How do you monitor and manage third-party software dependencies for security vulnerabilities?
Can you provide evidence of a thorough review and audit of all JavaScript dependencies in use?
What measures are in place to detect and mitigate supply chain attacks on third-party software?
How are you ensuring that all JavaScript libraries are sourced from secure and trusted repositories?

Remediation Recommendations for Vendors Subject to This Risk

To mitigate the risks associated with the Polyfill.io supply chain attack, vendors should:

Immediately update all Polyfill.io JavaScript libraries to the latest secure versions.
Conduct a comprehensive review of all JavaScript dependencies and ensure they are sourced from secure and trusted sources.
Deploy a Web Application Firewall (WAF) to monitor and block malicious traffic potentially exploiting compromised libraries.
Continuously monitor network traffic for any unusual activities that could indicate an exploitation attempt.
Implement stringent security controls for third-party software management, including regular vulnerability assessments and security audits.

How TPRM Professionals Can Leverage Black Kite for This Incident

Black Kite assists TPRM professionals by identifying vendors affected by incidents like the Polyfill.io supply chain attack through its Focus Tags. By analyzing subdomain names and using internet-wide scanners, Black Kite detects if any external assets of an organization have Polyfill in their source HTML code. This intelligence allows organizations to prioritize remediation efforts effectively. The Focus Tag for this incident was published on July 3, 2024, offering updated insights to ensure timely and informed actions.

Operationalizing Black Kite’s insights helps organizations efficiently address high-risk areas within their vendor ecosystem, enhancing overall security posture.

*Black Kite’s Polyfill FocusTag^TM details critical insights on the event for TPRM professionals.*

CVE-2024-5009: WhatsUp Gold Privilege Escalation Vulnerability

What is the Privilege Escalation Vulnerability in WhatsUp Gold?

CVE-2024-5009 is a high-severity privilege escalation vulnerability in Progress WhatsUp Gold, a network monitoring software. This vulnerability, with a CVSS score of 8.4 and an EPSS score of 0.04%, allows attackers to gain administrative privileges by exploiting improper input validation in the setAdminPassword function. An attacker can reset the administrator password without prior authentication, granting full control over the system. This vulnerability was publicly disclosed on June 8, 2024, and affects WhatsUp Gold versions 20.0 to 21.1.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals should care about this vulnerability due to its potential to compromise network monitoring systems, leading to unauthorized access to sensitive data and disruption of network services. Since WhatsUp Gold is widely used for IT infrastructure management, exploiting this vulnerability can have severe implications for business operations, including data breaches and lateral movement within compromised networks.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

Have you updated WhatsUp Gold to the latest fixed version (2023.1.3 or later)?
How do you restrict access to the setAdminPassword API endpoint?
What measures are in place to monitor and detect unauthorized access attempts?
Can you provide evidence of implementing network segmentation and access control lists (ACLs)?
How do you enforce strong password policies and multi-factor authentication (MFA) for administrative accounts?
What is your process for staying updated with Progress security bulletins and advisories?

Remediation Recommendations for Vendors

To mitigate the risks associated with CVE-2024-5009, vendors should:

Update WhatsUp Gold to the latest fixed versions (2023.1.3 or later).
Restrict access to the setAdminPassword API endpoint to trusted network segments.
Monitor network traffic and system logs for signs of unauthorized access.
Implement strong password policies and multi-factor authentication (MFA) for administrative accounts.
Conduct regular security audits and vulnerability scans on systems running WhatsUp Gold.
Stay updated with Progress security bulletins and advisories.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite helps TPRM professionals by identifying vendors affected by CVE-2024-5009 through its FocusTags, providing detailed information about exposed assets. This intelligence allows organizations to prioritize remediation efforts effectively. The FocusTag for this vulnerability was published on July 9, 2024, ensuring that TPRM professionals can take timely and informed actions.

By using Black Kite’s insights, organizations can efficiently address high-risk areas within their vendor ecosystem, enhancing overall security posture.

*Black Kite’s WhatsUp Gold FocusTag^TM details critical insights on the event for TPRM professionals.*

CVE-2024-38112: Microsoft MSHTML Vulnerability

What is the Spoofing Vulnerability in MSHTML?

CVE-2024-38112 is a critical spoofing vulnerability affecting Windows. This vulnerability, with a CVSS score of 7.5 and an EPSS score of 0.04%, allows attackers to execute arbitrary commands on the victim’s system remotely, potentially leading to full control over the affected machine. The issue arises from improper handling of Internet Shortcut files (.url) by Internet Explorer. This vulnerability was publicly disclosed on July 10, 2024.

Attackers can exploit this vulnerability by crafting malicious .url files that, when accessed, exploit this flaw to execute arbitrary code. The process involves tricking the user into opening a malicious shortcut file, which then triggers the vulnerability, allowing the attacker to run arbitrary code in the context of the user. This can lead to severe impacts, including data theft, system compromise, and the spread of malware. PoC exploit code has been disclosed publicly, increasing the likelihood of widespread exploitation. The vulnerability has been actively exploited in the wild, with reports indicating that attackers use spear-phishing emails to distribute malicious .url files.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals need to be aware of CVE-2024-38112 due to its potential impact on any organization using Internet Explorer. Successful exploitation can lead to unauthorized access, data breaches, and system compromise. As Internet Explorer is still used in some corporate environments, understanding and mitigating this vulnerability is crucial to maintaining robust cybersecurity defenses and protecting sensitive data.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

Have you applied the latest patches from Microsoft to address CVE-2024-38112?
Are there any instances of Internet Explorer being used within your organization?
How do you ensure that Internet Shortcut files (.url) are handled securely?
What measures are in place to educate users about the risks of opening unexpected or suspicious files?
How do you monitor for suspicious activities that may indicate an attempt to exploit this vulnerability?

Remediation Recommendations for Vendors

To mitigate the risks associated with CVE-2024-38112, vendors should:

Apply Microsoft’s security updates immediately to address CVE-2024-38112. Updates can be found via the Microsoft Update Catalog or through Windows Update.
Disable Internet Explorer where possible and transition to more secure browsers like Microsoft Edge.
Educate users about the risks of opening unexpected or suspicious files, particularly those received via email.
Implement network traffic monitoring to detect any suspicious activities that may indicate exploitation attempts.
Regularly review security practices and ensure that systems are configured to handle Internet Shortcut files securely.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite assists TPRM professionals by identifying vendors affected by CVE-2024-38112 through its FocusTags. These tags provide detailed information about exposed assets, such as IP addresses and subdomains, allowing organizations to prioritize their response and remediation efforts. The FocusTag for this vulnerability was published on July 10, 2024, ensuring that TPRM professionals can take timely and informed actions.

By using Black Kite’s insights, organizations can efficiently address high-risk areas within their vendor ecosystem, enhancing overall security posture.

*Black Kite’s MSHTML FocusTag^TM details critical insights on the event for TPRM professionals.*

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s dynamic cyber threat landscape, Black Kite’s FocusTags™ provide essential tools for effective Third-Party Risk Management (TPRM). These tags are invaluable for managing vulnerabilities like those in Progress’ MOVEit, Cisco NX-OS, OpenSSH, Apache Tomcat, Polyfill, Progress’ WhatsUp Gold, and Microsoft MSHTML. Here’s how they transform TPRM practices:

Dynamic Vulnerability Insights: Instantly identify vendors impacted by emerging threats, enabling swift and decisive responses.
Strategic Risk Management: Categorize risks based on vulnerability severity and vendor criticality, ensuring focused attention where it’s needed most.
Enhanced Vendor Communication: Facilitate detailed discussions with vendors about their exposure to recent vulnerabilities.
Overall Security Ecosystem Strengthening: Present a comprehensive view of the evolving threat landscape, facilitating more robust and adaptive cybersecurity strategies.

Tailored to recent cybersecurity developments, Black Kite’s FocusTags empower TPRM professionals with actionable insights, fostering more effective and proactive risk management in today’s digital threat environment.

Want to take a closer look at FocusTags™?

Take our platform for a test drive and request a demo today.

Request a Demo

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

PHP-CGI: CVE-2024-4577, OS Command Injection Vulnerability in PHP-CGI Module.
Microsoft MSMQ: CVE-2024-30080, Use After Free, Remote Code Execution Vulnerability in Microsoft Message Queuing (MSMQ)
Rejetto HFS: CVE-2024-23692, Template Injection Vulnerability, Unauthenticated RCE Vulnerability in Rejetto HTTP File Server
Checkpoint SNX: CVE-2024-24919, An Information Disclosure Vulnerability in Check Point’s CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, Quantum Spark Appliances
DNSBomb: CVE-2023-28450, DNSBomb Attack in Dnsmasq, CoreDNS, Knot DNS, Simple DNS Plus, Technitium DNS, MaraDNS, CoreDNS
Veeam VBEM: CVE-2024-29849, Authentication Bypass Vulnerability in Veeam Backup Enterprise Manager
Multi Connect: CVE-2023-43208, Deserialization of Untrusted Data Vulnerability, RCE Vulnerability in NextGen Healthcare Mirth Connect
Cacti: CVE-2024-25641, Remote Code Execution Vulnerability in Cacti
Veeam SPC: CVE-2024-29212, Remote Code Execution Vulnerability in Veeam Service Provider Console
TinyProxy: CVE-2023-49606, Use-After-Free Vulnerability, RCE Vulnerability in Tinyproxy