Focus Friday: TPRM Insights on Qlik Sense, Cleo File Transfer, And SAP NetWeaver JAVA Vulnerabilities
Written by: Ferdi Gül
Welcome to this week’s Focus Friday blog! As the cybersecurity landscape evolves, organizations are tasked with managing an ever-growing array of threats, especially within their vendor ecosystems. Third-Party Risk Management (TPRM) professionals play a crucial role in safeguarding operations against vulnerabilities that could ripple through the supply chain. This week, we delve into three critical vulnerabilities affecting Qlik Sense Enterprise, Cleo File Transfer software, and SAP NetWeaver JAVA. Each of these incidents highlights the importance of proactive risk management and showcases how Black Kite’s FocusTags™ empower organizations to stay ahead of emerging threats.
CVE-2024-55579 and CVE-2024-55580: Critical Vulnerabilities in Qlik Sense Enterprise
What are the vulnerabilities in Qlik Sense Enterprise?
Qlik Sense Enterprise for Windows has been identified with two critical vulnerabilities:
- CVE-2024-55579: This vulnerability allows unprivileged users with network access to create connection objects that can trigger the execution of arbitrary executable files on the Qlik Sense server. It has a CVSS score of 8.8, indicating high severity.
- CVE-2024-55580: This flaw enables unprivileged users with network access to execute remote commands, potentially causing significant impacts on system availability, integrity, and confidentiality. It carries a CVSS score of 7.5.
Both vulnerabilities were publicly disclosed on December 8, 2024. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities catalog. Qlik has released security patches to address these issues and strongly advises immediate application to mitigate associated risks.
Why should TPRM professionals be concerned about these vulnerabilities?
Third-Party Risk Management (TPRM) professionals should be vigilant regarding these vulnerabilities due to the following reasons:
- Data Compromise: Exploitation could lead to unauthorized access and manipulation of sensitive data, undermining data integrity and confidentiality.
- Operational Disruption: Successful attacks may disrupt business intelligence operations, affecting decision-making processes and overall business performance.
- Supply Chain Risk: If vendors or partners utilize Qlik Sense Enterprise, their vulnerabilities could cascade, impacting your organization’s security posture.
What questions should TPRM professionals ask vendors regarding these vulnerabilities?
To assess and mitigate risks associated with these vulnerabilities, consider posing the following questions to your vendors:
- Have you updated all instances of Qlik Sense Enterprise for Windows to the latest patched version to mitigate the risk of CVE-2024-55579 and CVE-2024-55580?
- Can you confirm if you have implemented the workaround provided in Qlik’s advisory to ensure proper functionality of all extensions and visualizations post-update?
- Have you restricted network access to trusted users to minimize unauthorized exploitation of the vulnerabilities CVE-2024-55579 and CVE-2024-55580?
- Are you continuously monitoring your network traffic to detect unusual activity and mitigate potential exploitation attempts related to the vulnerabilities CVE-2024-55579 and CVE-2024-55580?
Remediation recommendations for vendors affected by these vulnerabilities
Vendors utilizing Qlik Sense Enterprise should implement the following remediation steps:
- Immediate Patching: Apply the latest security patches released by Qlik for Qlik Sense Enterprise for Windows.
- Access Control Review: Ensure that only authorized users have network access to Qlik Sense servers, adhering to the principle of least privilege.
- Monitoring and Detection: Implement monitoring solutions to detect any anomalous activities indicative of exploitation attempts.
- Incident Response Preparedness: Develop and test incident response plans specifically addressing potential exploitation of these vulnerabilities.
How can TPRM professionals leverage Black Kite’s FocusTags™ regarding these vulnerabilities?
Black Kite has issued a FocusTag™ for Qlik Sense Enterprise, enabling TPRM professionals to:
- Identify At-Risk Vendors: Determine which vendors may be affected by these vulnerabilities.
- Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
- Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.
CVE-2024-50623: Remote Code Execution Vulnerability in Cleo File Transfer Software
What is the Remote Code Execution Vulnerability in Cleo File Transfer Software?
CVE-2024-50623 is a high-severity unrestricted file upload and download vulnerability affecting Cleo’s file transfer products: Harmony®, VLTrader®, and LexiCom®, in versions prior to 5.8.0.21. This flaw allows attackers to upload malicious files to the software’s autorun directory, which are then automatically executed, enabling remote code execution. The vulnerability has a CVSS score of 8.8. It was publicly disclosed on December 10, 2024. PoC exploit code is available, and active exploitation has been observed in the wild, notably by the Termite ransomware group targeting sectors such as logistics, shipping, and consumer products. As of now, this vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog.
We published an article on December 11, 2024, stating that the Cleo vulnerability (CVE-2024-50623) was actively exploited by ransomware groups. You can find more details in the related blog post.
Why should TPRM professionals be concerned about this vulnerability?
Third-Party Risk Management (TPRM) professionals should be attentive to this vulnerability due to its potential impact on data integrity and operational continuity. Exploitation can lead to unauthorized access and control over systems, resulting in data breaches, service disruptions, and propagation of malware across networks. Given the widespread use of Cleo’s file transfer solutions among vendors and partners, this vulnerability poses a significant supply chain risk, potentially affecting interconnected systems and data exchanges.
What questions should TPRM professionals ask vendors regarding this vulnerability?
To assess and mitigate risks associated with CVE-2024-50623, TPRM professionals should inquire:
- Have you identified any instances of CVE-2024-50623 within your systems?
- Have you applied the security patches provided by Cleo to address this vulnerability?
- What measures are in place to detect and prevent exploitation attempts related to this vulnerability?
- How do you ensure that your use of Cleo’s file transfer software does not introduce security risks to our organization?
Remediation recommendations for vendors affected by this vulnerability
Vendors utilizing Cleo’s file transfer products should implement the following remediation steps:
- Immediate Software Update: Upgrade all instances of Cleo Harmony®, VLTrader®, and LexiCom® to version 5.8.0.21 or later to mitigate the vulnerability.
- Disable Autorun Functionality: Access the “Configure” menu in the software, select “Options,” navigate to the “Other” pane, and clear the contents of the “Autorun Directory” field to prevent automatic execution of files.
- Place Systems Behind a Firewall: Ensure internet-facing Cleo systems are placed behind a firewall to limit exposure to potential attacks.
- Monitor for Indicators of Compromise (IOCs): Check for suspicious IPs and suspicious files, such as main.xml or 60282967-dc91-40ef-a34c-38e992509c2c.xml, which may contain encoded malicious commands.
- Block Malicious IPs: Consider blocking attacker IPs, including 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103, 209[.]127[.]12[.]38, 181[.]214[.]147[.]164, and 192[.]119[.]99[.]42.
- Implement Strong Security Practices: Enforce strong, unique passwords and enable multi-factor authentication (MFA) to enhance security.
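As an added example (not Cleo’s or Black Kite’s tooling), the following Python script implements the two detection steps above: it sweeps a Cleo autorun directory for the file names named in the post and checks log lines for the listed attacker IPs, refanging them from the defanged form used above. The autorun path and the log line format are assumptions, and the sample files and log lines are constructed for the demo.

```python
import os
import re
import tempfile

# File names the post associates with CVE-2024-50623 exploitation
SUSPICIOUS_FILES = {"main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"}

# Attacker IPs exactly as listed (defanged) in the post
DEFANGED_IPS = [
    "176[.]123[.]5[.]126", "5[.]149[.]249[.]226", "185[.]181[.]230[.]103",
    "209[.]127[.]12[.]38", "181[.]214[.]147[.]164", "192[.]119[.]99[.]42",
]

def refang(ip: str) -> str:
    """Turn a defanged indicator back into a matchable dotted-quad."""
    return ip.replace("[.]", ".")

BLOCKLIST = {refang(ip) for ip in DEFANGED_IPS}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_autorun_dir(path: str) -> list:
    """Return suspicious file names found in the configured autorun directory."""
    return sorted(f for f in os.listdir(path) if f.lower() in SUSPICIOUS_FILES)

def scan_log_lines(lines) -> list:
    """Return (line_no, ip) for each blocklisted IP seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in BLOCKLIST:
                hits.append((n, ip))
    return hits

def demo() -> dict:
    """Run both checks on constructed sample data (hypothetical paths and log format)."""
    with tempfile.TemporaryDirectory() as autorun_dir:  # stands in for the real Autorun Directory
        for name in ("healthy.xml", "main.xml", "60282967-dc91-40ef-a34c-38e992509c2c.xml"):
            open(os.path.join(autorun_dir, name), "w").close()
        files = scan_autorun_dir(autorun_dir)
    sample_log = [  # constructed lines; the real Cleo log format differs
        "2024-12-10 03:14:07 inbound connection from 10.0.0.5",
        "2024-12-10 03:14:09 inbound connection from 176.123.5.126",
        "2024-12-10 03:15:01 inbound connection from 192.119.99.42",
    ]
    return {"files": files, "ip_hits": scan_log_lines(sample_log)}

if __name__ == "__main__":
    print(demo())
```

In a real sweep, point `scan_autorun_dir` at the directory shown in the “Autorun Directory” field and feed `scan_log_lines` the product’s own logs.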
How can TPRM professionals leverage Black Kite’s FocusTags™ regarding this vulnerability?
Black Kite has issued a FocusTag™ for Cleo File Transfer, enabling TPRM professionals to:
- Identify At-Risk Vendors: Determine which vendors may be affected by CVE-2024-50623.
- Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
- Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.
CVE-2024-47578: Server-Side Request Forgery Vulnerability in SAP NetWeaver AS for JAVA
What is the SAP NetWeaver AS for JAVA SSRF Vulnerability?
CVE-2024-47578 is a critical Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA, specifically within the Adobe Document Services component. An attacker with administrator privileges can exploit this flaw by sending crafted requests from a vulnerable web application, targeting internal systems behind firewalls that are typically inaccessible from external networks. Successful exploitation enables the attacker to read or modify any file and potentially render the entire system unavailable. It has a CVSS score of 9.1, indicating critical severity. SAP has released a security patch addressing this vulnerability and strongly recommends immediate application to mitigate associated risks.
Why should TPRM professionals be concerned about this vulnerability?
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2024-47578 due to its potential to compromise data confidentiality, integrity, and availability. Exploitation of this vulnerability can lead to unauthorized access to sensitive information and disruption of critical business operations. Given the widespread use of SAP NetWeaver AS for JAVA among vendors, this vulnerability poses a significant risk to the supply chain, potentially affecting interconnected systems and data exchanges.
What questions should TPRM professionals ask vendors regarding this vulnerability?
To assess and mitigate risks associated with CVE-2024-47578, TPRM professionals should inquire:
- Have you updated all instances of SAP NetWeaver AS for JAVA (Adobe Document Services) to the latest version as per SAP Security Note 3536965 to mitigate the risk of CVE-2024-47578, CVE-2024-47579, and CVE-2024-47580?
- Can you confirm if you have restricted administrative access to essential personnel only and enforced the principle of least privilege to prevent potential exploitation of the Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver AS for JAVA?
- What specific measures have you implemented to monitor network traffic and detect suspicious activities that could indicate an exploitation of the vulnerabilities CVE-2024-47579 and CVE-2024-47580, which allow access to sensitive server files through exposed web services?
- Can you confirm if you have reviewed and updated your firewall configurations to ensure that internal systems are appropriately segmented and protected from unauthorized access, specifically in relation to the SSRF vulnerability CVE-2024-47578 in SAP NetWeaver AS for JAVA?
Remediation recommendations for vendors affected by this vulnerability
Vendors utilizing SAP NetWeaver AS for JAVA should implement the following remediation steps:
- Immediate Software Update: Apply the security patch provided by SAP as per SAP Security Note 3536965 to address the vulnerability.
- Restrict Administrative Access: Limit administrative privileges to essential personnel and enforce the principle of least privilege.
- Monitor Network Traffic: Implement monitoring to detect and respond to suspicious activities promptly.
- Review Firewall Configurations: Ensure that internal systems are appropriately segmented and protected from unauthorized access.
How can TPRM professionals leverage Black Kite’s FocusTags™ regarding this vulnerability?
Black Kite has issued a FocusTag™ for SAP NetWeaver, enabling TPRM professionals to:
- Identify At-Risk Vendors: Determine which vendors may be affected by CVE-2024-47578.
- Access Vulnerable Asset Information: Obtain details about specific assets, such as IP addresses and subdomains, that could be compromised.
- Prioritize Risk Mitigation: Focus efforts on vendors with the highest risk exposure, streamlining the remediation process.
Enhancing TPRM Strategies with Black Kite’s FocusTags™
In today’s dynamic cybersecurity environment, managing third-party risks requires precision and timely intelligence. Black Kite’s FocusTags™ are an indispensable tool for organizations navigating critical vulnerabilities like those in Qlik Sense Enterprise, Cleo File Transfer, and SAP NetWeaver JAVA. These tags are designed to provide:
- Real-Time Risk Insights: Quickly identify vendors impacted by specific vulnerabilities, enabling immediate action.
- Targeted Prioritization: Focus efforts on high-severity vulnerabilities and vendors most critical to your operations.
- Tailored Vendor Communication: Facilitate targeted discussions with vendors, addressing their specific security measures and vulnerabilities.
- Comprehensive Threat Visibility: Gain a holistic view of the threat landscape, empowering more strategic decision-making.
Black Kite’s FocusTags™ transform complex cybersecurity challenges into actionable intelligence, allowing TPRM professionals to mitigate risks efficiently and strengthen overall security. By leveraging these insights, organizations can proactively address vulnerabilities, ensuring resilience in an ever-evolving threat landscape.
About Focus Friday
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
FocusTags™ in the Last 30 Days:
- Qlik Sense Enterprise: CVE-2024-55579, CVE-2024-55580, Arbitrary EXE Execution Vulnerability and Remote Code Execution Vulnerability in Qlik Sense Enterprise.
- Cleo File Transfer: Remote Code Execution Vulnerability, Unrestricted File Upload and Download Vulnerability in Cleo Harmony, VLTrader, LexiCom.
- SAP NetWeaver JAVA: CVE-2024-47578, Server-Side Request Forgery (SSRF) Vulnerability in SAP NetWeaver AS for JAVA (Adobe Document Services).
- PAN-OS: CVE-2024-0012, CVE-2024-9474, Authentication Bypass Vulnerability and Privilege Escalation Vulnerability in Palo Alto’s PAN-OS.
- PostgreSQL: CVE-2024-10979, Arbitrary Code Execution Vulnerability in PostgreSQL.
- Apache Airflow: CVE-2024-45784, Debug Messages Revealing Unnecessary Information in Apache Airflow.
- Atlassian Jira: CVE-2021-26086, Path Traversal Vulnerability in Atlassian Jira Server and Data Center.
- Ivanti Connect Secure: CVE-2024-9420, CVE-2024-47906, CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-11007, CVE-2024-11006, CVE-2024-11005, and CVE-2024-11004, Use-After-Free, Stack-Based Buffer Overflow, Argument Injection, and Reflected XSS Vulnerabilities in Ivanti Connect Secure.
- Nostromo nhttpd: CVE-2019-16278, Path Traversal Vulnerability, RCE Vulnerability in Nostromo nhttpd.
- LiteSpeed Cache: CVE-2024-50550, Privilege Escalation Vulnerability in LiteSpeed Cache plugin.
- RICOH Web Image Monitor: CVE-2024-47939, Buffer Overflow Vulnerability in RICOH Web Image Monitor.
- Squid Proxy: CVE-2024-45802, DoS Vulnerability in Squid Proxy Servers.
- XLight FTP: CVE-2024-46483, Integer Overflow and RCE Vulnerabilities in XLight FTP Servers.
- Exchange Server RCE: CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, Remote Code Execution Vulnerability in Exchange Server.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-55579
https://nvd.nist.gov/vuln/detail/CVE-2024-55580
https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory
https://nvd.nist.gov/vuln/detail/CVE-2024-50623
https://github.com/watchtowrlabs/CVE-2024-50623
https://nvd.nist.gov/vuln/detail/CVE-2024-47578
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.