CyberScotland Bulletin

Technical Bulletin January 2024


The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

The first batch of Microsoft updates for 2024 has been released, addressing a total of 49 vulnerabilities, including 12 that could allow remote code execution. This count does not include the 4 other issues Microsoft patched earlier, on the 5th of January.

Among these, only two vulnerabilities are rated critical: a security feature bypass in Windows Kerberos and a remote code execution (RCE) vulnerability in Hyper-V. Notably, this month's updates include no vulnerabilities that are either actively exploited or publicly disclosed.

One notable fix in this batch is for an Office RCE vulnerability, CVE-2024-20677. The flaw allowed attackers to execute code remotely using Office documents that contained maliciously crafted embedded FBX 3D model files. As a countermeasure, Microsoft has disabled the insertion of FBX files in several Office applications, including Word, Excel, PowerPoint and Outlook, on both Windows and Mac. Consequently, Office versions that previously supported this feature, such as Office 2019, Office 2021, Office LTSC for Mac 2021 and Microsoft 365, have had it removed. Existing 3D models inserted from FBX files will continue to work normally unless they were linked to the original file at insertion time.

For optimal security, it is advised that all users ensure their systems are updated to the most recent version of Windows.

Critical GitLab Zero-Click Vulnerability

GitLab administrators are urged to apply the latest security updates promptly, as they address a critical vulnerability that allows account security to be bypassed.

This vulnerability, CVE-2023-7028, carries the maximum severity rating. It stems from a change introduced in GitLab version 16.1.0 in May 2023, which added the ability for users to reset their password via a secondary email address. The flaw allows attackers, particularly those targeting self-hosted GitLab instances, to have a password reset email sent to an address under their control by means of a specially crafted HTTP request. It is especially concerning because it allows an attacker to take over an account without any action from the user, leaving accounts without two-factor authentication (2FA) particularly exposed.

However, users who have enabled 2FA are not at risk of account takeover unless the attacker also has access to their 2FA device. A password reset is still possible in that case, but GitLab's decision to omit SMS-based 2FA (a common target for hijacking) in favour of app-based 2FA or WebAuthn devices strengthens that protection.

At the time the vulnerability was disclosed there was no evidence of successful exploitation. However, the simplicity of the exploit and its public disclosure make attempted exploitation more likely, turning it into a race for administrators to secure their systems against potential attacks.
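The root cause described above is a password-reset flow that lets the request, rather than the account record, decide where the reset token is delivered. The following Ruby is an added example, not GitLab's code, of the defensive shape such a handler should take: the caller-supplied value is accepted only as a single plain string, it is used solely to look the account up, and a token is sent only to an address the account itself has already verified. The in-memory USERS store, the SENT log and the helper names are constructed for the example.

```ruby
# Added example (not GitLab's code): a password-reset request handler that
# never lets the request choose an unverified recipient.
require 'securerandom'

# Constructed in-memory user store: each account has a list of addresses
# that were verified when they were attached to the account.
USERS = {
  1 => { primary: 'alice@example.com',
         verified: ['alice@example.com', 'alice.alt@example.com'] },
  2 => { primary: 'bob@example.com',
         verified: ['bob@example.com'] }
}.freeze

# Record of reset mails "sent", so the behaviour can be inspected in tests.
SENT = []

class ResetError < StandardError; end

# Accept exactly one plain string. Web frameworks commonly parse repeated or
# bracketed parameters into arrays or hashes; rejecting anything that is not
# a String ensures a request cannot widen the set of recipients.
def single_email(param)
  raise ResetError, 'email must be a single string' unless param.is_a?(String)
  email = param.strip.downcase
  raise ResetError, 'malformed email' unless email.match?(/\A[^@\s]+@[^@\s]+\z/)
  email
end

# Look the account up by a verified address; returns [id, record] or nil.
def find_user_by_verified_email(email)
  USERS.each do |id, user|
    return [id, user] if user[:verified].include?(email)
  end
  nil
end

# The secure shape: the supplied address selects the account, and the token
# is delivered only because that address is on the account's verified list.
# An HTTP layer wrapping this should answer identically for known and unknown
# addresses; the returned hash exists so the outcome can be asserted on.
def request_password_reset(params)
  email = single_email(params['email'])
  id, user = find_user_by_verified_email(email)
  return { status: :accepted, sent_to: [] } if user.nil?

  token = SecureRandom.hex(16)
  SENT << { user_id: id, to: email, token: token }
  { status: :accepted, sent_to: [email] }
end
```

The key property is that no address reaches the mailer unless it was already stored on the account as verified; an address that merely appears in the request, whether alone or alongside a legitimate one, is never a delivery target.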

Cisco Fixes High-Risk Vulnerability

Cisco has issued software updates to fix a critical security vulnerability in Unity Connection that could allow an attacker to run arbitrary commands on an affected system.

The flaw, CVE-2024-20272, has a CVSS score of 7.3 and is an arbitrary file upload issue in the web-based management interface. It arises from a lack of authentication in a specific API combined with inadequate validation of user-supplied data. According to Cisco's advisory, published on Wednesday, an attacker could exploit it by uploading arbitrary files to the affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system and escalate privileges to root.
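The advisory names two weaknesses that together make an upload endpoint dangerous: the API did not require authentication, and it did not adequately validate what the user supplied. The Ruby below is an added example, unrelated to Cisco's code, of an upload handler that closes both gaps. The allow-list of extensions, the session shape and the size limit are hypothetical values chosen for the example.

```ruby
# Added example (not Cisco's code): an upload handler that enforces
# authentication and validates the client-supplied file name and size.
require 'securerandom'
require 'fileutils'

class UploadError < StandardError; end

# Hypothetical allow-list and size limit for a voice-messaging style product.
ALLOWED_EXTENSIONS = %w[.wav .mp3].freeze
MAX_BYTES = 5 * 1024 * 1024

# Constructed session shape: a hash carrying the caller's id and role.
# Every management call must pass this check before anything else runs.
def authenticated?(session)
  session.is_a?(Hash) && !session[:user_id].nil? && session[:role] == :admin
end

# Derive a safe extension from the client name. Only the base name is
# considered, so directory components such as "../" are discarded, and the
# extension must be on the allow-list.
def safe_extension(filename)
  base = File.basename(filename.to_s)
  raise UploadError, 'invalid file name' if base.empty? || base.start_with?('.') || base.include?("\0")
  ext = File.extname(base).downcase
  raise UploadError, 'file type not permitted' unless ALLOWED_EXTENSIONS.include?(ext)
  ext
end

# Returns the server-side path of the stored file. The client never chooses
# that path: the name is random and the directory is fixed by the server.
def handle_upload(session, filename, bytes, upload_dir)
  raise UploadError, 'authentication required' unless authenticated?(session)
  raise UploadError, 'file too large' if bytes.bytesize > MAX_BYTES
  ext = safe_extension(filename)

  dest = File.join(upload_dir, "#{SecureRandom.uuid}#{ext}")
  FileUtils.mkdir_p(upload_dir)
  File.binwrite(dest, bytes)
  File.chmod(0o640, dest) # stored data is never executable
  dest
end
```

Ordering matters: the authentication check runs first so that unauthenticated callers cannot even reach the validation logic, and the stored path is built entirely from server-controlled values, which removes the path-traversal and file-type problems that arbitrary upload flaws typically combine.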

In addition to the patch for CVE-2024-20272, Cisco has also released updates addressing 11 vulnerabilities of medium severity. These vulnerabilities affect various Cisco software products, including the Identity Services Engine, WAP371 Wireless Access Point, ThousandEyes Enterprise Agent, and the TelePresence Management Suite (TMS).

Users and administrators of these Cisco products should update to the latest software versions promptly. Staying current with software updates is a crucial step in protecting systems from potential security threats and maintaining robust cyber security defences.
