Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number of exploits for it will drop. As for Linux, this operating system has the Linux Kernel Runtime Guard (LKRG), implemented as a separate kernel module. Although the first version of LKRG was released back in 2018, it is undergoing constant refinement. And it is becoming more actively used in various Linux builds.
Statistics on registered vulnerabilities
As is customary, this section presents statistics on registered vulnerabilities. The data is taken from cve.org.
Total number of registered vulnerabilities and number of critical ones, Q3 2023 and Q3 2024 (download)
Q3 2024 preserved the upward trend in the number of vulnerabilities detected and registered. As before, the graph shows an increase relative to the same period in 2023 in both the total number of vulnerabilities and the number of critical ones. Notably, the number of discovered vulnerabilities over the three quarters is almost four-fifths of the whole of last year’s figure, further evidence of a marked increase.
Number of vulnerabilities and the shares of those that are critical and of those for which exploits exist, 2019 — 2024 (download)
The total number of first-time publications of PoCs for fresh CVEs rose by 2%, which indicates an acceleration in exploit creation. The rise in the number of PoCs may also be due to the fact that security researchers increasingly are not just commenting on vulnerability detection, but releasing detailed data that includes an exploit. Most PoCs appear within a week of the developers of vulnerable software releasing a patch.
Exploitation statistics
This section presents statistics on exploit usage in Q3 2024. The data is obtained from open sources and our own telemetry.
Windows and Linux vulnerability exploitation
Among the exploits detected by Kaspersky solutions for Windows are ones for relatively new vulnerabilities that are gaining popularity. These include vulnerabilities in WinRAR, Microsoft Office, Windows Error Reporting Service and Microsoft Streaming Service Proxy:
- CVE-2023-38831 – a vulnerability in WinRAR to do with incorrect handling of objects in an archive;
- CVE-2023-23397 – a vulnerability that allows an attacker to steal authentication data from Outlook;
- CVE-2023-36874 – an impersonation vulnerability that allows the CreateProcess function to run under SYSTEM user;
- CVE-2023-36802 – a UAF vulnerability in the mskssrv.sys driver.
Meanwhile, the most common vulnerabilities in Microsoft Office products are quite old ones:
- CVE-2018-0802 – a remote code execution vulnerability in the Equation Editor component;
- CVE-2017-11882 – another remote code execution vulnerability in Equation Editor;
- CVE-2017-0199 – Microsoft Office and WordPad vulnerability that can be used to gain control over the victim system;
- CVE-2021-40444 – a remote code execution vulnerability in the MSHTML component.
Because these old vulnerabilities are leveraged as tools for initial access to user systems, we recommend updating the relevant software.
Dynamics of the number of Windows users who encountered exploits, Q1 2023 — Q3 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)
For Linux, Kaspersky products detected exploits for the following vulnerabilities:
- CVE-2023-2640 – a vulnerability in the OverlayFS kernel module. Allows privileged labels to be applied to files that can be used after mounting the file system;
- CVE-2023-22809 – a vulnerability in the Sudo utility that allows an attacker to run commands under another user in the system. An attacker can bypass initial settings restricting access to the utility’s functionality and act as any user;
- CVE-2023-4911 – a vulnerability in the dynamic loader ld.so to do with a buffer overflow when processing the environment variable GLIBC_TUNABLES;
- CVE-2023-32233 – a UAF vulnerability in the Netfilter subsystem that allows writing and reading data at arbitrary addresses in kernel memory;
- CVE-2023-3269 – a UAF vulnerability in the kernel memory management system that allows an attacker to run arbitrary code;
- CVE-2023-31248 – a UAF vulnerability in nftables that allows an attacker to run arbitrary code when firewall rules are being processed.
Changes in the number of Linux users who encountered exploits in Q1 2023 — Q3 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)
As the detection statistics and the list of common exploits for Linux show, it is critical to update both kernel components and applications that you use regularly.
Most prevalent exploits
Distribution of exploits for critical vulnerabilities by platform, Q1 2024 (download)
Distribution of exploits for critical vulnerabilities by platform, Q2 2024 (download)
Distribution of exploits for critical vulnerabilities by platform, Q3 2024 (download)
In Q3, vulnerabilities that have workable exploits and are considered the most critical (according to our methodology) were more likely than before to be related to operating system subsystems. This is because researchers, like attackers, give preference to code that is present in the operating system regardless of what software the user prefers. This allows them to target more devices and find new ways to run commands on vulnerable systems.
Vulnerability exploitation in APT attacks
We analyzed which vulnerabilities were most often used in advanced persistent threats (APTs) in Q3. The ranking below is based on our telemetry, research and open sources.
The list of vulnerabilities exploited in APT attacks has changed since last quarter. It now includes vulnerabilities that grant access to systems running web applications and mail servers. Some of the vulnerabilities are quite fresh, with one being registered last year and three this year. That said, most of the listed vulnerabilities are at least three years old. This suggests that developing exploits for new vulnerabilities is a harder task than writing new code for known ones. The longer an issue remains unfixed, the more information about it available to attackers since researchers and vendors publish data on vulnerabilities. In addition, if potential targets fail to patch old vulnerabilities for whatever reason, there is no need for attackers to look for new ones. This only goes to show yet again how important it is to update systems in a timely manner.
Interesting vulnerabilities
This section presents information about vulnerabilities of interest that were registered in Q3 2024.
CVE-2024-47177 (CUPS filters)
The issue was discovered in the Linux version of CUPS, a printing toolkit for Unix-like operating systems, such as iOS, macOS and Linux. Specifically, CUPS helps manage printers on a local network. See below for a flowchart of how it works.
To start any job, the CUPS scheduler creates a job file. The file may contain print setup information and special PostScript commands. One of these commands, FoomaticRIPCommandLine, contains a logical vulnerability that allows arbitrary commands to be run in the operating system shell. To exploit the vulnerability, an attacker just needs to create a malicious printer configuration, but in order to run the code, the user must be persuaded to print any document on that printer. The malicious code automatically executes when printing begins.
The main problem with CUPS is the lack of restrictions on actions that can be performed in the system using this toolkit. To detect an exploitation of the vulnerability, it is essential to monitor commands executed on the part of the foomatic-rip print filter.
CVE-2024-38112 (MSHTML Spoofing)
Discovered in active attacks carried out in May 2024, this vulnerability can be used to run code on a system through an old version of Internet Explorer. It stems from being able to create a malicious .url file that bypasses Microsoft Edge and runs an old version of Internet Explorer. This is achieved by using !x-usc, a special directive that must be handled by the MSHTML protocol. Such sleight of hand recalls to mind the exploitation of another popular vulnerability in Microsoft Office, CVE-2021-40444, which we wrote about here.
While researching the vulnerability, we learned that in early August an exploit with functionality similar to the exploit for CVE-2024-38112 was up for sale on the dark web:
Such attacks can be prevented by denylisting emails with .url file attachments and, of course, by applying Microsoft patch.
CVE-2024-6387 (regreSSHion)
Security issues with the OpenSSH tool always reverberate far and wide, since many systems run on the Linux kernel, where effectively the main way to remotely access the OS functionality is via an SSH server. In 2023, for instance, the CVE-2023-51385 vulnerability was found to exist in all versions of OpenSSH right up to 9.6 – the dark web was selling an exploit that covered this invulnerable version too, but it may have been a dummy:
A new vulnerability, CVE-2024-6387, dubbed regreSSHion, also caused a stir in Q3 2024. The issue arises during SSH authentication. The vulnerable code is located in the SIGALRM handler, which runs asynchronously and uses unsafe functions to interact with memory. This makes it possible to launch an attack on the system at the very stage when the SSH server receives authentication data.
Threat actors have used regreSSHion to attack researchers in a very unconventional way. No sooner had the general principle of the vulnerability been published than there appeared false PoCs and various malware projects that in reality had nothing to do with regreSSHion.
At the time of writing this post, around 105 fake projects had been published online claiming to contain an exploit for CVE-2024-6387. However, a working proof of concept (PoC) for this vulnerability has not yet been published.
CVE-2024-3183 (Free IPA)
A vulnerability found inside the open-source FreeIPA, which provides centralized identity management and authentication for Linux systems. The issue occurs during Kerberos authentication. A user with minimal privileges on the network can sniff ticket encryption data and use it to carry out a Kerberoasting attack, which attackers have previously done to gain access to Windows-based infrastructure.
Most interesting of all, this vulnerability can be exploited by performing a minimal update of the toolkit used for Kerberoasting attacks on Windows Active Directory systems.
An effective countermeasure is this patch, but if for some reason installation isn’t possible, you need to monitor ticket requests for users (principals) that are on the FreeIPA network and are different from the user making the request.
CVE-2024-45519 (Zimbra)
A vulnerability in the postjournal service allowing an attacker to manipulate email messages. What the vulnerability essentially allows is an OS Command Injection attack in its simplest form. An attacker with the ability to send emails to the server can specify in the To field of a message a payload to run in the target service. The command will be executed with the privileges of the mail user.
You can guard against this vulnerability by disabling the postjournal service or updating the mail server to the latest version. At the time of posting, it was no longer possible to install the vulnerable postjournal. Instead, the patched version is automatically loaded when deploying the mail server.
CVE-2024-5290 (Ubuntu wpa_supplicant)
Wpa_supplicant is a set of tools for handling wireless security protocols. It includes utilities with graphical and terminal interfaces.
These interfaces can be used either directly through the command line, or through RPC mechanisms. The Ubuntu operating system uses D-Bus to describe RPC functions. This technology can be used to communicate with an application and leverage its functionality. It was a misconfigured RPC interface that caused the wpa_supplicant vulnerability: the default settings allowed a regular user to access quite critical functionality.
Through this vulnerability, any .so file could be loaded into process memory, with its path specified by the user when interfacing with wpa_supplicant via D-Bus.
Conclusion and advice
The number of discovered vulnerabilities for which there are working PoCs continues to grow. Some exploits are sold on the dark web, others are in the public domain. Moreover, threat actors leverage not only real PoCs, but also interest in the topic of high-profile vulnerabilities. For instance, they create fake exploits to attack security researchers: while the victim is studying the behavior of the pseudo-exploit, an entirely different malicious payload compromises their system.
To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:
- Never research exploits for vulnerabilities outside of a secure virtual environment.
- Know your way around and closely monitor your infrastructure, paying special attention to the perimeter.
- Wherever possible, install patches for vulnerabilities as soon as they become available. Specialized solutions such as Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed can automate and simplify vulnerability and patch management.
- Use comprehensive solutions that feature not only basic malware protection, but incident response scenarios, employee awareness training and an up-to-date database of cyberthreats. Our Kaspersky NEXT line of solutions ticks all these boxes and more.
Source:: Securelist