Prepare your NX-OS and bite the pillow because Cisco has some zero-days!

In case you wanted even more Cisco, they dropped a total of 36 security advisories today, 23 October 2024.

Fortinet exploited zero-day: FG-IR-24-423 Missing authentication in fgfmsd
CVE-2024-47575 (9.8 critical, disclosed 23 October by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon) Fortinet FortiManager Missing Authentication Vulnerability.

  • Reports have shown this vulnerability to be exploited in the wild.
  • The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.

CISA added CVE-2024-47575 to the KEV Catalog about 3 hours afterward.

Just in case you didn't read closely, there are indicators of compromise (IoC) in the advisory. At least one of the IP addresses was reportedly used as a Cobalt Strike server 2 years ago.

cc: @cR0w @nopatience I require at least 25 favorites to unlock my next toot!

#fortinet #fortimanager #cve #zeroday #CVE_2024_47575 #vulnerability #eitw #activeexploitation #kev #cisakev #KnownExploitedVulnerabilitiesCatalog

Ivanti Security Advisory: Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
Very sneaky of Ivanti to quietly update the security advisory without a changelog: They removed CVE-2024-9381 (CVSSv3: 7.2 high) Path traversal in Ivanti CSA before version 5.0.2 from the exploitation announcement:

We have observed limited exploitation of CSA 4.6 when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963, present in CSA 4.6 patch 518 and below, it could lead to unauthenticated remote code execution. We have not observed these vulnerabilities being exploited in CSA 5.0.

See parent toot above for the original wording. cc: @cR0w @reverseics

Happy EXPLOITED ZERO-DAY #PatchTuesday from Ivanti: October Security Update

We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963.

Palo Alto Networks security advisory: PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover
See parent toot above for Horizon3 vulnerability details.

  • CVE-2024-9463 (9.9 critical) Palo Alto Networks Expedition OS command injection vulnerability
  • CVE-2024-9464 (9.3 critical) Palo Alto Networks Expedition OS command injection vulnerability
  • CVE-2024-9465 (9.2 critical) Palo Alto Networks Expedition SQL injection vulnerability
  • CVE-2024-9466 (8.2 high) Palo Alto Networks Expedition cleartext storage of sensitive information vulnerability
  • CVE-2024-9467 (7.0 high) Palo Alto Networks Expedition reflected XSS vulnerability

Palo Alto Networks is not aware of any malicious exploitation of these issues.

Horizon3: Palo Alto Expedition: From N-Day to Full Compromise
References:

Daaaaaaaamn @hacks_zach, Zach Hanley at it again with the Palo Alto Networks vulnerabilities. In trying to find CVE2-2024-5910 in Expedition (a configuration migration tool from a supported vendor to Palo Alto Networks PAN-OS), he found CVE-2024-9464, CVE-2024-9465 and CVE-2024-9466. It appears that CVE-2024-9465 (unauth SQL injection) leads to leaking credentials via "users" and "devices" tables which contain password hashes and device API keys. This is the CVE-2024-9466.