Microsoft Discloses Unpatched Office Vulnerability Leading to Data Exposure
Overview
Microsoft has issued a critical warning about an unpatched zero-day vulnerability in its Office suite. Tracked as CVE-2024-38200, it poses a significant risk of unauthorized data exposure. The flaw has a CVSS score of 7.5 and affects multiple versions of Microsoft Office, including Office 2016, Office LTSC 2021, Office 365 Apps for Enterprise and Office 2019, on both 32-bit and 64-bit systems.
Impact
This is a spoofing flaw that can be exploited in a web-based attack. An attacker could host a malicious file on a website they control, or on a compromised one, and deliver it from there. The attack requires user interaction: the attacker must trick the user into clicking a link. If successful, it could expose sensitive information and weaken the organization's overall security posture.
Recommendation
Microsoft has announced a permanent fix for CVE-2024-38200, to be included in the August 13 Patch Tuesday update.
In the meantime, Microsoft has enabled a Feature Flighting mitigation as a temporary workaround. We recommend applying this interim fix now and installing the official patch as soon as it is available.
To further protect systems until the patch is released, Microsoft recommends:
- Restrict NTLM traffic: limit outgoing NTLM traffic to remote servers through network security policies.
- Protect user accounts: add critical accounts to the Protected Users security group.
- Block TCP 445/SMB: use firewalls or VPNs to block outbound TCP 445/SMB traffic.
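The following script is an added example (not part of Microsoft's advisory) that applies the three interim mitigations above on a domain-joined Windows host and reads them back. It assumes an elevated session, the ActiveDirectory module, and placeholder account names; the NTLM registry value is the one behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, and the firewall rule's Internet keyword is assumed so that on-premises shares stay reachable.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory. Account names and rule name are placeholders.
$ProtectedAccounts = @('placeholder-admin1', 'placeholder-admin2')   # hypothetical sAMAccountNames
$RuleName          = 'Block outbound SMB 445 (CVE-2024-38200 workaround)'

# 1. Restrict outgoing NTLM traffic to remote servers.
#    This registry value backs the policy "Network security: Restrict NTLM:
#    Outgoing NTLM traffic to remote servers". 1 = Audit all, 2 = Deny all.
#    Roll out with 1 first where legacy applications might depend on NTLM.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $Lsa -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord

# 2. Add critical accounts to Protected Users. Members of this group cannot
#    authenticate with NTLM, cannot be delegated, and only use strong Kerberos etypes.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Protected Users' -Members $ProtectedAccounts

# 3. Block outbound TCP 445 (SMB) to destinations outside the intranet.
#    The 'Internet' remote-address keyword is assumed here so internal file
#    shares keep working; use explicit address ranges if your policy differs.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verification: report the state of all three controls.
[pscustomobject]@{
    RestrictSendingNTLMTraffic = (Get-ItemProperty -Path $Lsa).RestrictSendingNTLMTraffic
    ProtectedUsers             = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName -join ','
    SmbOutboundRuleEnabled     = (Get-NetFirewallRule -DisplayName $RuleName).Enabled
}
```

Members of Protected Users lose NTLM and cached-credential logon entirely, so test the group change on a pilot account before adding service or break-glass accounts.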
Critical AWS Flaws Leading to RCE and Data Theft Exposed
Overview
Serious flaws discovered in Amazon Web Services (AWS) could lead to remote code execution (RCE), data theft and even complete service takeover. The affected services include CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar, all of which are susceptible to a novel attack vector dubbed Bucket Monopoly.
Impact
Attackers can create S3 buckets with names that AWS services expect to use but have not yet created. Through these buckets they can obtain sensitive data, run their own code and take over accounts. The consequences range from service disruption and data theft to tampering with AI workloads and full account takeover.
Recommendation
WME security experts strongly recommend adopting the following countermeasures. Avoid predictable or fixed identifiers in S3 bucket names; instead, generate a unique hash or random identifier for each account and region. This prevents attackers from claiming a bucket name before your service does. In addition, monitor your AWS configuration for unauthorized access as a proactive measure.
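As an added example (not from the advisory or from AWS), the functions below derive a per-account, per-region bucket name whose suffix is an HMAC of those values under a secret only the owner holds, so the name is reproducible for you but not computable by anyone who knows only your account ID and region, and they flag names built from the guessable pattern. The account ID, secret and the weak naming scheme shown are constructed placeholders.

```powershell
# Added example, not AWS's own naming logic. All inputs are constructed.
function New-UnpredictableBucketName {
    param(
        [Parameter(Mandatory)][string]$Prefix,     # e.g. 'cf-templates'
        [Parameter(Mandatory)][string]$AccountId,
        [Parameter(Mandatory)][string]$Region,
        [Parameter(Mandatory)][byte[]]$Secret      # keep in a secrets manager, never in code
    )
    # Keyed hash over account+region: stable for the owner, unguessable without the key.
    $hmac  = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$AccountId/$Region")
    $hex   = ([System.BitConverter]::ToString($hmac.ComputeHash($bytes)) -replace '-').ToLower()
    $name  = "$Prefix-$($hex.Substring(0, 16))"
    # S3 naming rules: 3-63 chars, lowercase letters, digits and hyphens,
    # starting and ending with a letter or digit.
    if ($name -notmatch '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$') {
        throw "Invalid bucket name: $name"
    }
    return $name
}

# Audit helper: flags the pattern Bucket Monopoly relies on, a name an outsider
# can assemble from the account ID and region alone.
function Test-PredictableBucketName {
    param([string]$Name, [string]$AccountId, [string]$Region)
    return ($Name -like "*$AccountId*") -and ($Name -like "*$Region*")
}

# Constructed demo values (replace the secret with one from a secrets manager).
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed-demo-secret-replace-me')
$acct   = '123456789012'
$region = 'us-east-1'

$weak   = "cf-templates-$acct-$region"   # constructed example of a guessable scheme
$strong = New-UnpredictableBucketName -Prefix 'cf-templates' -AccountId $acct -Region $region -Secret $secret

"Weak   : $weak   predictable=$(Test-PredictableBucketName $weak   $acct $region)"
"Strong : $strong predictable=$(Test-PredictableBucketName $strong $acct $region)"
```

Bucket names are global, so still check that the derived name is free before relying on it, and rotate the secret only with a migration plan, since rotating it changes every derived name.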
Microsoft Identifies Four OpenVPN Vulnerabilities Enabling Potential RCE and LPE
Overview
Microsoft has disclosed four security vulnerabilities in OpenVPN that could be chained together to achieve RCE and local privilege escalation. The flaws affect all OpenVPN versions before 2.6.10 and 2.5.10, were presented at the Black Hat USA 2024 conference, and are rated medium severity.
Impact
The flaws could give attackers complete control over targeted systems, leading to data breaches, system compromise and unauthorized access. The attack chain, however, requires the attacker to already hold the user's OpenVPN credentials and to have a deep understanding of OpenVPN's internals. Once credentials are obtained (for example, purchased on the dark web or captured with network sniffers), the attacker can execute arbitrary code and escalate privileges.
Specific vulnerabilities include:
- A stack overflow in the Windows component (CVE-2024-27459) can crash the system.
- A flaw in the Windows OpenVPN service (CVE-2024-24974) allows remote attackers to interfere with the service.
- A plugin vulnerability (CVE-2024-27903) can result in remote code execution and data tampering.
- A memory error in the Windows TAP driver (CVE-2024-1305) can make the system unresponsive.
Recommendation
We recommend that all OpenVPN users upgrade to version 2.6.10 or 2.5.10 at a minimum. Also follow credential-security best practices: rotate passwords regularly and enforce MFA.
In addition, put network-level protections in place, such as monitoring for unusual outbound traffic and endpoint protection tools. Stay vigilant and apply these updates as soon as possible.
Sonos Speaker Vulnerabilities Expose Users to Remote Eavesdropping
Overview
Critical vulnerabilities have been found in Sonos smart speakers that could let remote attackers eavesdrop on users. The flaws, present in several Sonos models, undermine the integrity of the secure boot process and allow unauthorized over-the-air access to the devices.
Impact
The discovered flaws pose a serious threat: they allow remote attackers to compromise Sonos devices over the air and covertly capture audio. The vulnerabilities affect all Sonos models before S2 release 15.9 and S1 release 11.12, both of which shipped in late 2023.
Notably, CVE-2023-50809 is a Wi-Fi stack issue in the Sonos One Gen 2 that can enable remote code execution due to improper validation during the WPA2 handshake. CVE-2023-50810, in the U-Boot component of the Sonos Era 100 firmware, allows persistent arbitrary code execution with kernel-level privileges, giving an attacker full control over the device.
Recommendation
To mitigate these risks, we strongly recommend that Sonos users update their devices to the latest firmware: Sonos S2 release 15.9 or Sonos S1 release 11.12. They should also review device settings and disable any remote access features they do not need.
DOJ Charges Nashville Man in North Korean IT Worker Fraud Scheme
Overview
The U.S. government has charged Matthew Isaac Knoot of Nashville with multiple crimes. Prosecutors say he helped North Korean nationals obtain remote IT jobs at companies in the United States and the United Kingdom, using false identities to secure the positions.
Impact
The charges against Knoot include conspiracy to cause damage to protected computers, conspiracy to commit wire fraud, and aggravated identity theft. The fraud was part of a broader effort by North Korean operatives to generate revenue. Knoot's actions caused losses of more than $500,000 to several technology, media and financial companies, and the IT workers dispatched from North Korea were paid more than $250,000 over the course of the scheme.
Recommendation
The DOJ urges businesses to strengthen their security measures, especially when hiring remote workers. To prevent schemes like this, verify employee identities thoroughly and monitor the systems they use. Treat unusual activity with suspicion and report it to the authorities.