Vulnerabilities have been reported in ArubaOS, CrushFTP, GitLab, Judge0, and the R programming language. Microsoft has also issued a warning about the so-called Dirty Stream attack. CERT-IS recommends updating as soon as possible to a version where the vulnerabilities have been fixed.
Serious vulnerabilities (critical)
ArubaOS
The vulnerabilities CVE-2024-26305, CVE-2024-26304, CVE-2024-33511 and CVE-2024-33512 all have a CVSSv3 score of 9.8 and allow an unauthenticated attacker to execute code remotely by sending a specially crafted packet to Aruba's access point management protocol. Exploitation of the vulnerabilities can also lead to the execution of code on the underlying operating system with the rights of a privileged user [x,y]. The vulnerabilities have been patched in ArubaOS versions 10.6.xx, 10.5.1.1 and higher, 10.4.1.1 and higher, 8.11.2.2 and higher, and 8.10.0.11 and higher [1,2].
CrushFTP
The vulnerability CVE-2024-4040, with a CVSSv3 score of 10.0, allows a remote attacker to escape the CrushFTP virtual file system and reach the underlying operating system. The vulnerability has been fixed in versions >= 11.1 [3,4,5].
GitLab
The vulnerability CVE-2024-2279, with a CVSSv3 score of 8.7, allows a threat actor to execute commands on behalf of the victim. The vulnerability has been patched in versions 16.10.2, 16.9.4 and 16.8.6 [6,7].
Judge0 sandbox
The vulnerabilities CVE-2024-28185 and CVE-2024-28189, with a CVSSv3 score of 10.0, together with the vulnerability CVE-2024-29021, with a CVSSv3 score of 9.1, may allow an attacker to break out of Judge0's sandbox environment and gain root privileges on the underlying operating system. The vulnerabilities have been fixed in version 1.13.1 [8].
The R programming language
The vulnerability CVE-2024-27322, with a CVSSv3 score of 8.8, allows a threat actor to perform supply chain attacks via specially crafted R packages, which can lead to arbitrary code execution when untrusted data is deserialized. The vulnerability has been fixed in version 4.4.0 [9].
Dirty Stream
Microsoft has warned about the so-called "Dirty Stream" attack, which allows malicious Android apps to overwrite files in the home directory of other apps that are not properly implemented. Overwriting files can lead to arbitrary code execution and theft of secrets. An example of a bad implementation is an app that trusts untrusted file names, which allows a threat actor to abuse the FileProvider to overwrite files [10].
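One way a receiving app can avoid trusting the file name it is handed, shown as an added example that is not code from CERT-IS, Microsoft or any affected app. The class and method names are hypothetical, and the code is plain Java so it runs without the Android SDK; in an app, baseDir would be the app's own cache directory and providerName the name reported by the sending app.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;

public class SafeIncomingFile {

    // Resolve a destination for received content that stays inside baseDir.
    // providerName is the file name reported by the sending app and is
    // treated as untrusted input. The naive pattern, new File(baseDir,
    // providerName), lets that name choose a location outside baseDir.
    static File resolve(File baseDir, String providerName) throws IOException {
        // Keep only the last path component, for either separator style.
        String leaf = providerName == null ? "" : providerName;
        leaf = leaf.substring(
                Math.max(leaf.lastIndexOf('/'), leaf.lastIndexOf('\\')) + 1);
        // Fall back to a locally generated name when nothing usable remains.
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            leaf = "incoming-" + UUID.randomUUID();
        }
        File base = baseDir.getCanonicalFile();
        // Canonicalising also resolves symbolic links already present in baseDir.
        File target = new File(base, leaf).getCanonicalFile();
        // Defence in depth: the canonical target must sit directly in baseDir.
        if (!base.equals(target.getParentFile())) {
            throw new SecurityException("destination escapes " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for an app's private cache directory.
        File cache = new File(System.getProperty("java.io.tmpdir"), "demo-cache");
        cache.mkdirs();
        // Constructed sample names, as a sending app might report them.
        String[] names = { "report.pdf", "../shared_prefs/settings.xml", "..", null };
        for (String name : names) {
            System.out.println(name + " -> " + resolve(cache, name));
        }
    }
}
```

Every sample name resolves to a path directly inside the demo cache directory. An app that never needs the sender's name can skip the first step and always use the generated name.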
References
[1] https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-four-critical-rce-flaws-in-arubaos
[2] https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
[3] https://blog.sonicwall.com/en-us/2024/05/crushftp-server-side-template-injection-ssti/
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-4040
[5] https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
[6] https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/
[7] https://blog.sonicwall.com/en-us/2024/04/gitlab-xss-via-autocomplete-results/
[8] https://thehackernews.com/2024/04/sandbox-escape-vulnerabilities-in.html
[9] https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html
[10] https://www.bleepingcomputer.com/news/security/microsoft-warns-of-dirty-stream-attack-impacting-android-apps/