The Bug Report - April 2024 Edition

By Jonathan Omakun and Tobi Olawale· April 29, 2024

Why am I here?

Just when you thought it was safe to go back into the digital waters, out pops another series of rogue waves in the form of CVEs! It's like that beach vacation you planned to get away from it all, only to find the hotel is double-booked with hackers and digital con artists, all eager to spoil your serene scene. From commandeering your compression tools to turning your checkout process into a hacker’s playground and even making your firewall as penetrable as a medieval castle during a siege, the digital world is echoing with the sounds of vulnerabilities being exploited.

Why drag yourself away from pondering the existential dread of an infinite news feed or the latest celebrity gossip to dive into the nitty-gritty of CVEs? Because, dear reader, knowledge is power, and in our digital age, staying informed is the armor you wear against the ceaseless onslaught of cyber threats. This month, we’ve lined up a rogue’s gallery of digital misfits: CVE-2024-3094, CVE-2024-20720, and CVE-2021-44529—each a master of disguise in its own right, turning trusted tools and processes into weapons against their unwitting hosts.

You are here because you prefer your data uncompressed by third parties, your checkout processes free of skimmers, and your firewalls impregnable. Our roundup promises to arm you with the what, the who, and how to protect your digital domain. So, grab your digital sword and shield; it’s time to delve into the hows and whys of keeping your network operational and secure. After all, who wants their name in dazzling neon lights on the 'breached entities' list? Not us, and we bet not you either!

• CVE-2024-3094: Red Hat Fedora 41 and Raw Hide XZ Utils, Supply Chain
• CVE-2024-20720: Adobe Commerce, Remote Code Execution
• CVE-2021-44529: Ivanti Endpoint Manager Cloud Services Appliance
• CVE-2024-3400: Palo Alto PAN-OS, OS Command Injection Vulnerability

CVE-2024-3094: When Your Compressor Goes Rogue!

What is it?

Imagine this: You're casually zipping up some files on your Linux machine, trusting your faithful XZ utility to compress your data like squeezing into a pair of jeans from your high school days. But little did you know, your beloved XZ has turned against you! Introducing CVE-2024-3094, the supply chain villain in the world of compression tools.

CVE-2024-3094 isn’t just any bug—it’s a Hollywood-worthy spy thriller hidden within the liblzma build process. Some clever bad guys embedded a sneaky piece of malicious code in the XZ versions starting from 5.6.0, causing the liblzma library to act more like a double agent than a compression tool. This crafty manipulation allows the tainted library to intercept and tweak data without anyone noticing. It's like finding out your quiet, dependable neighbor has been leading a secret life as a master spy!

Red Hat, wearing the cybersecurity cape, swooped in with a severity score of 10/10 (because when you go rogue, you go big) and rolled Fedora back to XZ version 5.4.x. Meanwhile, Debian took a similar route, sticking with its stable, uncompromised versions.

Who cares?

Who should be wringing their hands in worry? Well, if you’re sporting Fedora 41 or dabbling with Fedora Rawhide, you might want to sit up and pay attention. And if you’re a Debian enthusiast poking around their testing or unstable waters, it’s time to double-check your gear. Thankfully, Red Hat Enterprise Linux users and Debian stable sailors can keep their feet up—this storm hasn’t reached their shores.

What can I do?

1. Detective work: Whip out your terminal and channel your inner detective with xz --version. Spot a 5.6.0 or 5.6.1? You’ve got the rogue on your machine.
2. Digital sleuthing: Feeling adventurous? Dive deeper with these handy commands:
   • strings /usr/local/bin/xz | grep "(XZ Utils)"
   • strings $(which xz) | grep "(XZ Utils"
   • for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "No match found for $xz_p"; done
3. These snippets will let you peek behind the curtain to see if your XZ utility has gone to the dark side.
4. Patch it up: Fedora fans, jump to version 5.4.6 Stable faster than you can say "compressed." Debian users, ensure you’re rocking 5.4.5 in the unstable repos—because sometimes, going backward is the only way to move forward.
5. Stay updated: As always, keep your systems updated. Whether you’re navigating the rolling hills of openSUSE Tumbleweed or the cutting-edge streets of Fedora Rawhide, staying patched is staying protected.

CVE-2024-20720: The Checkout Chicanery

What is it?

Picture this: You're breezing through your favorite online store, loading your virtual cart like it's Black Friday. Little do you know, lurking beneath the seamless checkout process is a digital trickster—CVE-2024-20720. This isn't just a bump in the digital road; it's an 'OS Command Injection' vulnerability that's made itself cozy in Adobe Commerce, including those running the e-commerce giant Magento.

CVE-2024-20720 is like the digital equivalent of a con artist slipping a card skimmer into a checkout terminal. Only in this case, the skimmer doesn’t need you to swipe your card; it activates the moment you hit the checkout page. The culprit? A crafty mishandling of special elements in OS commands, which basically hands over the keys to your server without needing so much as a user's click to get going.

Who cares?

If you're running an e-commerce empire on Adobe Commerce versions like 2.4.6-p3 down to the older relics, or if Magento still powers your online storefront, this one's aimed at you. The villainy of CVE-2024-20720 has already seen action, with cyber crooks injecting malware to orchestrate everything from data heists to planting nasty backdoors that stick around like unwelcome party guests.

The exploit here is particularly sneaky. By hijacking the Magento layout parser, the attackers found a clever way to weave their commands into the checkout cart's layout. So every time a customer hits the checkout page, bam! The commands execute, paving the way for anything from a backdoor entry to a data-stealing skimmer.

Imagine going to check out your shopping cart and instead of getting a receipt, you get a sneaky stowaway that rifles through your server and sets up shop. That's CVE-2024-20720 for you—less of a bug and more of a cyber burglar.

What can I do?

1. Update with urgency: Adobe has rolled out the cavalry with updates that slam the door on this vulnerability. Your mission, should you choose to accept it, involves updating to patched versions like Adobe Commerce 4.6-p4 or Magento Open Source 4.6-p4. Check your version and patch up faster than you can say "zero-day."
2. Monitor and defend: Keep an eagle eye on your checkout processes. Look out for unusual activity or mysterious snippets of code that seem out of place. Tools that monitor and defend your web applications can be invaluable allies in this ongoing battle.
3. Educate your crew: Make sure your team knows about this threat. Awareness can be as crucial as your cybersecurity tools. Knowing what to look for means you can catch breaches before they escalate.

CVE-2021-44529: Patch Up or Hack In!

What is it?

Roll up, roll up, IT admins and cyber sleuths! Picture yourself locking up your house but leaving a sneaky side window cracked open—that's kind of what's going on with CVE-2021-44529 in Ivanti's Endpoint Manager (CSA). In the vast labyrinth of software vulnerabilities, this one's a hidden trapdoor in the basement. Located deep within the csrf-magic.php file of Ivanti EPM, this flaw lets a remote rascal run code as if they've sneakily nabbed the house keys—from the comfort of their own hideout!

What's the catch? This isn't your usual lock-pick scenario. The bug allows attackers to slip through with the unassuming permissions of the "nobody" user, but don't be fooled by the name—that "nobody" can become a "somebody" really fast in your network, setting up shop and doing as they please.

Who cares?

If you're steering the ship at an organization using Ivanti’s CSA, especially if you're cruising with a version earlier than 4.6, it's time to batten down the hatches. This bug is like leaving your digital door ajar, with a welcome mat that reads "Hackers Welcome."

What can I do?

Ahoy, here’s your treasure map to safer shores:

1. Patch Parade: Ivanti isn’t leaving you to walk the plank. They’ve tossed a lifeline with Patch 512 for CSA version 4.6. Grab it, apply it, and keep the cyber scallywags at bay. If you’re navigating with an older CSA version, chart a course straight for an upgrade to 4.6 before slapping that patch on.
2. Manual Maneuvers: Not ready to patch? There's more than one way to swab the deck. Option A lets you dive into the code yourself. Just head over to /opt/landesk/broker/webroot/lib/csrf-magic.php and cut out those ten lines near the end that start with "// Obscure Tokens." Make sure to leave the six lines after that intact—think of it as keeping the good fish and throwing the bad ones back.
3. Scripted Swashbuckling: For those who prefer sailing with technology at the helm, Option B is your autopilot. This script, wielding SSH commands like a digital cutlass, will back up your csrf-magic.php file and then trim off those pesky lines—all without breaking a sweat.
4. Close the Hatch: If you're not using the "client" endpoint, consider shutting it down. It’s like closing one more gate in your fortress wall. Just make sure you don’t need it for daily operations, or your crew might mutiny!
   Trellix Customers: Trellix Network Security (NX) covers this vulnerability. Ensure that your solution is updated to at least SC: 1396.164

CVE-2024-3400: The Firewall Fiasco

What is it?

Gear up, network knights and cybersecurity squires, as we delve into the digital dragon's den with CVE-2024-3400! This isn't just any old bug—it’s a command injection vulnerability that's taken a liking to the GlobalProtect feature in Palo Alto Networks’ PAN-OS software. Picture your firewall as the mighty gates of a castle, except there’s a sneaky siege tunnel underneath that lets attackers saunter in without so much as a challenge.

CVE-2024-3400 is particularly menacing because it allows these unauthenticated digital invaders to run amok with root privileges—yes, you read that right—root privileges on your firewall. Imagine handing over the keys to your kingdom to the jester; chaos ensues! Affected versions are PAN-OS 10.2, 11.0, and 11.1, specifically when the GlobalProtect gateway and device telemetry configurations are active. And yes, this vulnerability has already been used in the wild to crash a few gates.

Who cares?

Everyone in the realm of Palo Alto Networks’ dominion should perk up their ears—especially if your fortress uses the affected PAN-OS versions to guard its digital borders. This bug isn't just a theoretical threat; it's out there, and it's got the battle scars to prove it.

As per Volexity, CVE-2024-3400 was actively exploited in targeted attacks before a patch could even hit the battlefield. Attackers cleverly crafted HTTP requests that manipulated authentication tokens to gain unauthorized access, proving that sometimes, the pen (or in this case, the keyboard) can indeed be mightier than the sword.

What can I do?

1. Fortify your gates: Palo Alto Networks isn't leaving you to fend off the hordes alone. They’ve rolled out updates faster than a catapult launches boulders:
   • PAN-OS 11.1 folks should upgrade to version 11.1.2-h3.
   • PAN-OS 11.0 users need to bump up to 11.0.4-h1.
   • And if you're still rocking PAN-OS 10.2, leap to 10.2.9-h1 to dodge this digital arrow.
2. Drawbridge defenses: Don't just upgrade and call it a day. Engage these additional fortifications:
   • Enable Threat ID 95187 to block those sneaky attacks.
   • Make sure your vulnerability protection is armed and ready on your GlobalProtect interfaces.
   • If all else fails, temporarily disable device telemetry while you suit up for battle. Here’s how: Disable Device Telemetry
3. Scout and scout again:
   • Keep an eye on your network traffic logs. Look for odd outbound connections that could be rogue parties trying to smuggle data out of your realm.
   • Whip up a Tech Support File from your devices. This is like catching all the gossip at the castle ball—useful intel can be gleaned about potential intruders.
4. Call in the cavalry: If you suspect your castle gates might have been compromised, engage with Palo Alto Networks technical support to collect volatile memory from the device. It’s a bit like consulting the oracle—what you learn could save your kingdom!
   
   Trellix Customers: Trellix has provided a User-Defined Signature (UDS) for the Trellix Intrusion Prevention System (IPS) to provide coverage for this vulnerability. Instructions on how to download and apply this UDS are available in KB97099.
   Trellix Network Security (NX) also provides coverage for this vulnerability. Ensure that your solution is updated to at least SC: 1464.128.