Source: https://www.coresecurity.com/blog/core-impact-monthly-chronicle-exploits-and-updates-august-september-2024

CORE IMPACT MONTHLY CHRONICLE: EXPLOITS AND UPDATES | AUGUST & SEPTEMBER 2024





CORE IMPACT EXPLOIT LIBRARY ADDITIONS

One of Core Impact's most valuable features is its certified exploit library.
Fortra's Core Security has a team of expert exploit writers who research,
evaluate, and prioritize the most relevant vulnerabilities in order to update
the library with critical and useful exploits. The QA team also validates each
exploit in its own clean environment before release, to confirm that it meets
our standards and is safe and ready to use.

While you can keep track of new releases through our exploit mailing list, here
is a more detailed summary of some of the most recent additions to the library.


CVE-2024-30051 - MICROSOFT WINDOWS DWMCORE ELEVATION OF PRIVILEGE VULNERABILITY
EXPLOIT

Authors: Ricardo Narvaja and Daniel De Luca (QA)

CVSS:  7.8 HIGH 

Reference: CVE-2024-30051


KEY VULNERABILITY DETAILS

 * Boundary error within the Windows DWMCORE library can enable arbitrary memory
   write
 * Affects multiple versions of Windows 10, Windows 11, and Windows Server
 * Classified as Heap-based Buffer Overflow vulnerability (CWE-122)


EXPLOITATION IMPACT AND MITIGATION

 * Attackers can escalate privileges from a basic user to full SYSTEM level
 * May lead to full system compromise and access to sensitive data
 * Microsoft released a patch for this vulnerability in a May 2024 Security
   Update 


ATTACKS IN THE WILD 

 * Actively being exploited since April 2024
 * Often paired with QakBot Trojan


EXPLOITATION MECHANISM

 * Verifies that target system has not been patched
 * Leverages Heap Spray within Desktop Window Manager to overwrite adjacent
   memory
 * Elevates privileges from a standard user to SYSTEM level
 * Facilitates execution of arbitrary code with maximum system access rights


ADDITIONAL INFORMATION

 * Functional PoC and technical analysis available from Core Labs


CVE-2024-30088 - MICROSOFT WINDOWS KERNEL ELEVATION OF PRIVILEGE VULNERABILITY
EXPLOIT 

Authors: Cristian Rubio, Luis García Sierra (QA), and Daniel De Luca (QA)

CVSS:  7.0 HIGH 

Reference: CVE-2024-30088


KEY VULNERABILITY DETAILS

 * Weakness in system kernel executable, ntoskrnl.exe, can enable arbitrary
   memory write
 * Affects multiple versions of Windows 10, Windows 11, and Windows Server
 * Classified as a Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)


EXPLOITATION IMPACT AND MITIGATION

 * Attackers can escalate privileges from a basic user to full SYSTEM access
 * May lead to corruption or exfiltration of sensitive data
 * Microsoft released a patch for this vulnerability in a June 2024 Security
   Update


ATTACKS IN THE WILD 

 * No major attacks have been reported at this time


EXPLOITATION MECHANISM

 * Leverages a race condition in the Windows kernel's token handling process to
   manipulate the current process token
 * Elevates privileges from a standard user to SYSTEM level
 * Facilitates execution of arbitrary code with maximum system access rights


CVE-2024-34102, CVE-2024-2961 - MAGENTO ECOMMERCE WEBSITES COSMICSTING AND CNEXT
REMOTE CODE EXECUTION CHAIN EXPLOIT 

Authors: Marcos Accossatto and Nahuel Gonzalez (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2024-34102, CVE-2024-2961


KEY VULNERABILITY DETAILS

 * CVE-2024-34102 – Weakness in the processing of XML input while Magento
   deserializes REST API requests (XML External Entity injection)
 * CVE-2024-2961 – Memory corruption weakness in the iconv() function of the GNU
   C Library (glibc) used by Linux programs
 * When chained together, the two can result in full remote code execution
 * Affects Adobe Commerce 2.4.7 and earlier, Magento Open Source 2.4.7 and
   earlier, and glibc 2.39 and earlier
 * Classified as an Improper Restriction of XML External Entity Reference
   (CWE-611) and an Out-of-Bounds Write (CWE-787)


EXPLOITATION IMPACT AND MITIGATION

 * Chaining the two vulnerabilities can give an attacker full control of the
   targeted system
 * A hotfix, security update, and an isolated patch have been issued by Adobe to
   remediate CVE-2024-34102
 * The 2.40 release of GNU C Library includes a patch for CVE-2024-2961


ATTACKS IN THE WILD 

 * This vulnerability chain has been actively exploited in the wild since June
   2024, impacting numerous e-commerce sites 
 * Has been added to CISA's Known Exploited Vulnerabilities Catalog


EXPLOITATION MECHANISM

 * Leverages the XXE vulnerability to read the instance's authentication keys
 * Uses the stolen keys to escalate privileges and reach the code path that
   triggers the heap buffer overflow in iconv()
 * Executes arbitrary commands on the target system
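The first link of the chain is an ordinary file-read XXE. The following is an added example, not Magento's or Core Security's code: a request-body check that flags the DOCTYPE/ENTITY shape such payloads carry, beside a parser configured so that external entities are never loaded. The XML document is constructed for the demo and `file:///etc/passwd` is the textbook target, not something taken from the real exploit.

```python
"""Added example (not Magento or Core Security code): detect the XXE pattern
CosmicSting starts with, and parse XML without resolving external entities.
The sample documents are constructed."""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# A DOCTYPE whose internal subset declares a SYSTEM or PUBLIC entity is the
# shape every file-read XXE takes, whichever element the entity lands in later.
XXE_RE = re.compile(
    rb"<!DOCTYPE[^>\[]*\[.*?<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I | re.S
)


def looks_like_xxe(body: bytes) -> bool:
    """Cheap gateway/WAF-style check on a raw request body."""
    return XXE_RE.search(body) is not None


class _TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_without_external_entities(body: bytes) -> str:
    """Parse `body` and return its text content with external entity loading
    disabled. Python's xml.sax has defaulted to this since 3.7.1; setting the
    features explicitly keeps the behaviour on older interpreters and makes
    the intent visible in code review. An external entity reference is then
    simply not expanded, so the XXE document yields empty text instead of the
    contents of the referenced file."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # general entities
    parser.setFeature(feature_external_pes, False)  # parameter entities
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts).strip()


# Constructed sample documents.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<data>&xxe;</data>"
)
BENIGN_DOC = b"<data>sku-1234</data>"

if __name__ == "__main__":
    for doc in (XXE_DOC, BENIGN_DOC):
        print(looks_like_xxe(doc), repr(parse_without_external_entities(doc)))
```

The regex check is a useful first filter for logs and gateways, but the hardened parser is the real fix: a parser that never loads external entities makes the first step of the chain a no-op regardless of how the payload is encoded.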



CVE-2024-21887, CVE-2023-46805, CVE-2024-21893 - IVANTI CONNECT SECURE
UNAUTHENTICATED REMOTE CODE EXECUTION EXPLOIT CHAIN 

Authors: Fernando Páez Barceló and Nahuel Gonzalez (QA)

CVSS: 9.1 CRITICAL, 8.2 HIGH, 8.2 HIGH

Reference: CVE-2024-21887, CVE-2023-46805, CVE-2024-21893


KEY TECHNICAL DETAILS

 * CVE-2024-21887 – Command injection vulnerability in web components of Ivanti
   Connect Secure
 * CVE-2023-46805 – Authentication bypass vulnerability in the web component of
   Ivanti Connect Secure (ICS) and Ivanti Policy Secure
 * CVE-2024-21893 – Server-side request forgery vulnerability in the SAML
   component of Ivanti Connect Secure and Ivanti Policy Secure
 * When chained together, can result in full remote code execution 
 * Affects multiple versions of Ivanti Connect Secure, Ivanti Policy Secure, and
   ZTA Gateways
 * Classified as Improper Neutralization of Special Elements used in an OS
   Command (CWE-78), Improper Authentication (CWE-287), and Server-Side Request
   Forgery (CWE-918)


EXPLOITATION IMPACT AND MITIGATION 

 * Powerful exploit chain that bypasses authentication, injects and executes
   arbitrary commands, and reaches restricted resources without credentials
 * Can lead to complete control over targeted systems 
 * Ivanti has published documentation on how to apply mitigations  


ATTACKS IN THE WILD 

 * Reports of active exploitation attempts targeting these vulnerabilities as
   early as December 2023
 * CISA issued an Emergency Directive to assist remediation efforts


EXPLOITATION MECHANISM

 * Obtains the version of Ivanti Connect Secure installed on the system 
 * Leverages a flaw in the SAML component to access certain restricted resources
   without authentication 
 * Enables remote code execution with elevated privileges in the management
   component


CVE-2023-7028 - GITLAB PASSWORD RESET ACCOUNT TAKEOVER EXPLOIT

Authors: Lucas Dominikow and Arthur Lallemant (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2023-7028


KEY VULNERABILITY DETAILS

 * Lack of verification checks when sending password reset emails could lead to
   account takeovers
 * Affects versions 16.1 prior to 16.1.5, 16.2 prior to 16.2.8, 16.3 prior to
   16.3.6, 16.4 prior to 16.4.4, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4,
   and 16.7 prior to 16.7.2
 * Classified as a Weak Password Recovery Mechanism for Forgotten Password
   (CWE-640)


EXPLOITATION IMPACT AND MITIGATION 

 * Unauthenticated attackers could potentially compromise user accounts by
   redirecting password resets to attacker-controlled email addresses
 * Provides foothold and may allow attackers to access sensitive data, move
   laterally, or maintain long-term unauthorized access
 * GitLab addressed this vulnerability in versions 16.5.6, 16.6.4, and 16.7.2,
   with the patches also backported to versions 16.1.6, 16.2.9, 16.3.7, and
   16.4.5


ATTACKS IN THE WILD 

 * CISA reported that the vulnerability has been exploited in the wild
 * Has also been added to CISA's Known Exploited Vulnerabilities Catalog


EXPLOITATION MECHANISM

 * Adds the pen tester's email address as a second entry in the email array
   sent to the /users/password endpoint, so the reset mail goes to both
   addresses
 * Connects via IMAP to the pen tester's mailbox
 * Parses the reset email for the reset link and changes the victim's password
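The three steps above can be expressed as a request shape and a matching log check. The following is an added example, not GitLab's or Core Security's code: it builds the reset body a vulnerable instance accepts, flags any reset request carrying more than one address (which is how a defender spots the attack in request logs), and pulls the token out of the reset mail the way the exploit does after fetching it over IMAP. The log format is a constructed JSON-lines shape, and the hostnames and addresses are made up.

```python
"""Added example (not GitLab code): CVE-2023-7028 request shape, a log check
for it, and reset-token extraction. Log format and addresses are constructed."""
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs


def reset_request_body(victim: str, attacker: str) -> dict:
    """JSON body for POST /users/password on a vulnerable instance.

    The bug: the reset form accepted an *array* of addresses and mailed the
    reset token to every entry, so the attacker receives the victim's token.
    A fixed instance accepts a single string only."""
    return {"user": {"email": [victim, attacker]}}


def reset_emails(body_json: Optional[str] = None, form_qs: Optional[str] = None) -> List[str]:
    """Collect every address carried by a password-reset request body,
    whether it was sent as JSON or as a form-encoded query string."""
    emails: List[str] = []
    if body_json:
        value = json.loads(body_json).get("user", {}).get("email")
        emails += value if isinstance(value, list) else [value]
    if form_qs:
        # Rails-style form encoding: repeated user[email][] keys, or a scalar
        parsed = parse_qs(form_qs)
        emails += parsed.get("user[email][]", [])
        emails += parsed.get("user[email]", [])
    return [e for e in emails if e]


def is_suspicious_reset(body_json: Optional[str] = None, form_qs: Optional[str] = None) -> bool:
    """A legitimate reset carries exactly one address; more than one is the attack."""
    return len(reset_emails(body_json, form_qs)) > 1


# Constructed JSON-lines log, loosely modelled on a reverse proxy that records
# request bodies (hypothetical format, not GitLab's own log layout).
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/users/password",
                "body": json.dumps({"user": {"email": "alice@example.com"}})}),
    json.dumps({"method": "POST", "path": "/users/password",
                "body": json.dumps(reset_request_body("alice@example.com", "attacker@evil.test"))}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "body": ""}),
]


def scan_log(lines: List[str]) -> List[List[str]]:
    """Return the address lists of every multi-recipient reset request."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if event["method"] == "POST" and event["path"] == "/users/password" \
                and is_suspicious_reset(body_json=event["body"]):
            hits.append(reset_emails(body_json=event["body"]))
    return hits


# GitLab reset links have the form /users/password/edit?reset_password_token=...
RESET_LINK_RE = re.compile(r"/users/password/edit\?reset_password_token=([A-Za-z0-9_-]+)")


def reset_token_from_mail(mail_text: str) -> Optional[str]:
    """Extract the reset token from the mail body (what the exploit does after IMAP)."""
    match = RESET_LINK_RE.search(mail_text)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Alerting on any `/users/password` POST with more than one address is a low-noise detection for this bug on instances that could not be patched immediately; the fix itself is to reject array input for the email parameter.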


CVE-2024-4885 - PROGRESS WHATSUP GOLD GETFILEWITHOUTZIP DIRECTORY TRAVERSAL
VULNERABILITY REMOTE CODE EXECUTION EXPLOIT

Authors: Marcos Accossatto and Luis García Sierra (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2024-4885


KEY VULNERABILITY DETAILS

 * Improper validation of a user-supplied path in the GetFileWithoutZip method,
   reachable through the NmAPI/RecurringReport endpoint, allows directory
   traversal and an arbitrary file write that leads to remote code execution
 * Affects WhatsUp Gold versions 24.0.0 and earlier (all releases before 24.0.1)
 * Classified as a Path Traversal, an Improper Limitation of a Pathname to a
   Restricted Directory (CWE-22)


EXPLOITATION IMPACT AND MITIGATION 

 * Unauthenticated remote attackers could execute arbitrary commands
 * Could result in full system compromise  
 * Vulnerability has been addressed beginning in version 24.0.1


ATTACKS IN THE WILD 

 * Actively exploited in the wild beginning in August 2024


EXPLOITATION MECHANISM

 * Crafts a malicious request targeting the NmAPI/RecurringReport endpoint in
   WhatsUp Gold
 * Uses directory traversal in the supplied path to place and execute the
   malicious payload
 * Establishes a foothold on the compromised system
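The bug class behind this exploit is worth seeing in code. The following is an added example, not WhatsUp Gold's or Core Security's code: a file-path handler written the vulnerable way beside a hardened version, run against traversal input in the plain and percent-encoded forms a request would carry. The base directory and file names are hypothetical; the check treats backslashes as separators so it behaves the same on any OS.

```python
"""Added example (not WhatsUp Gold code): CWE-22 path traversal, vulnerable
join beside a hardened one. Base directory and inputs are hypothetical."""
import os
import re
from pathlib import Path
from urllib.parse import unquote

# Windows drive letter ("C:") or UNC prefix ("\\" / "//") at the start of input
_DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|[\\/]{2})")


def _normalise_input(user_path: str) -> str:
    """Decode percent-encoding first (..%5c..%5c is the same traversal as ..\\..\\)
    and treat backslashes as separators so the check is portable."""
    return unquote(user_path).replace("\\", "/")


def unsafe_join(base: str, user_path: str) -> str:
    """Vulnerable pattern: join, normalise, and never check where you ended up.
    '..' segments walk out of `base`, and an absolute input replaces it entirely."""
    return os.path.normpath(os.path.join(base, _normalise_input(user_path)))


def safe_join(base: str, user_path: str) -> str:
    """Hardened: reject absolute/UNC input and require the fully resolved path
    to remain under `base`. Raises ValueError on any escape attempt."""
    cleaned = _normalise_input(user_path)
    if _DRIVE_OR_UNC.match(cleaned) or cleaned.startswith("/"):
        raise ValueError(f"absolute path not allowed: {user_path!r}")
    base_real = Path(base).resolve()
    candidate = (base_real / cleaned).resolve()  # collapses every ../ segment
    if candidate != base_real and base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return str(candidate)


def escapes_base(base: str, user_path: str) -> bool:
    """True when the hardened join would refuse `user_path`."""
    try:
        safe_join(base, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "/srv/reports"  # hypothetical report directory
    for p in ("2024/august.pdf",
              "..\\..\\inetpub\\wwwroot\\shell.aspx",
              "..%5c..%5cinetpub%5cwwwroot%5cshell.aspx",
              "C:\\Windows\\win.ini"):
        print(f"{p!r}: unsafe -> {unsafe_join(base, p)}, escapes={escapes_base(base, p)}")
```

The hardened version resolves the path before comparing, which is what makes it robust: checking for the literal string `..` before joining misses encoded and mixed-separator variants, while checking the resolved result catches them all.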


CVE-2024-21413, CVE-2024-38021 - MICROSOFT OUTLOOK MONIKER IMAGE TAG INFORMATION
DISCLOSURE EXPLOIT

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  9.8 CRITICAL,  8.8 HIGH

Reference: CVE-2024-21413, CVE-2024-38021


KEY VULNERABILITY DETAILS

 * CVE-2024-21413 -- Improper handling of certain URL types in Outlook’s link
   processing could lead to remote code execution
 * CVE-2024-38021 – Bypasses the initial patch for CVE-2024-21413
 * Affects multiple versions of Microsoft Outlook, including Microsoft 365 Apps,
   Office 2016, 2019, and LTSC 2021
 * Classified as an Improper Authentication (CWE-287) and Improper Input
   Validation (CWE-20)


EXPLOITATION IMPACT AND MITIGATION 

 * Unauthenticated remote attackers could bypass security mechanisms and steal
   NTLM hashes
 * Could potentially execute arbitrary code through Outlook emails
 * Microsoft patched CVE-2024-21413 in the February 2024 Security Update; the
   bypass, CVE-2024-38021, was patched in the July 2024 Security Update


ATTACKS IN THE WILD 

 * No major attacks have been reported at this time
 * Microsoft confirmed vulnerability is “trivial to exploit”


EXPLOITATION MECHANISM

 * If the target is unpatched, appends an exclamation mark to a file:// link so
   that Outlook bypasses Protected View (CVE-2024-21413)
 * If the target is patched against CVE-2024-21413, uses an image tag instead
   to bypass the security restrictions (CVE-2024-38021)
 * Sends an email carrying the malicious URL to the target Outlook user
 * If successful, the victim's machine authenticates to the pen tester's share
   and the NTLM hash is captured


CVE-2024-40711 - VEEAM BACKUP AND REPLICATION DESERIALIZATION VULNERABILITY
REMOTE CODE EXECUTION EXPLOIT

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2024-40711


KEY VULNERABILITY DETAILS

 * Improper handling of .NET deserialization could result in remote code
   execution 
 * Affects Veeam Backup & Replication 12.1.2.172 and earlier version 12 builds
 * Classified as Deserialization of Untrusted Data (CWE-502)


EXPLOITATION IMPACT AND MITIGATION 

 * Unauthenticated remote attackers could bypass existing protective measures
   and deploy arbitrary code remotely with SYSTEM level privileges 
 * May lead to full compromise, with ability to access, modify, or delete backup
   data 
 * Veeam remediated this vulnerability in version 12.2 of Veeam Backup &
   Replication


ATTACKS IN THE WILD 

 * No major attacks have been reported at this time
 * Veeam has issued warning of vulnerability’s severity


EXPLOITATION MECHANISM

 * Crafts and delivers malicious .NET class type object
 * Sends object to Veeam endpoint to trigger malicious payload 
 * Enables execution of arbitrary code with SYSTEM privileges 


CVE-2024-6769 - WINDOWS SYSTEM DRIVE REMAPPING LOCAL PRIVILEGE ESCALATION
EXPLOIT UPDATE

Authors: Ricardo Narvaja and Daniel De Luca (QA)

CVSS:  6.7 MEDIUM

Reference: CVE-2024-6769


KEY VULNERABILITY DETAILS

 * Improper handling of drive remapping and activation contexts could enable
   escalation to full SYSTEM privileges 
 * Affects multiple versions of Windows 10, Windows 11, and Windows Server 2016,
   2019, and 2022
 * Classified as an Untrusted Search Path (CWE-426)


EXPLOITATION IMPACT AND MITIGATION 

 * Authenticated user with medium privileges could escalate to SYSTEM level
   privileges
 * Could lead to full compromise, with ability to access, manipulate,
   exfiltrate, or delete sensitive data 
 * No patch is currently available


ATTACKS IN THE WILD 

 * No major attacks have been reported at this time


EXPLOITATION MECHANISM

 * Full details available in functional PoC from Core Labs


CVE-2024-38217 - MICROSOFT SMART APP CONTROL AND MARK OF THE WEB BYPASS TOOL
USING LNK STOMPING

Authors: Ricardo Narvaja and Nahuel Gonzalez (QA)

CVSS:  5.4 MEDIUM

Reference: CVE-2024-38217


KEY VULNERABILITY DETAILS

 * Improper validation or mishandling of file attributes enables a Mark of the
   Web (MoTW) bypass and could lead to malware deployment
 * Zero-Day
 * Affects multiple versions of Windows 10 and 11
 * Classified as Protection Mechanism Failure (CWE-693)


EXPLOITATION IMPACT AND MITIGATION 

 * Attackers can bypass MoTW security mechanism and avoid having malicious files
   flagged 
 * Attackers could use this mechanism to deploy malware, potentially gaining
   access to sensitive data or other systems
 * Microsoft released a patch for this vulnerability in a September 2024
   Security Update


ATTACKS IN THE WILD 

 * Has been abused in the wild since February 2018
 * Has been added to CISA’s Known Exploited Vulnerabilites Catalog 


EXPLOITATION MECHANISM

 * Crafts LNK files whose target paths use a non-standard form (for example a
   trailing dot or space)
 * When the link is opened, explorer.exe rewrites it in canonical form, and the
   rewritten file no longer carries the MoTW label
 * The target then executes without the Smart App Control and SmartScreen
   checks that MoTW would have triggered
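A small check for the target forms this technique relies on, as an added example that is neither Core Labs' nor Elastic's code: it approximates the path clean-up explorer.exe performs (trailing dots and spaces dropped, a leading `.\` resolved away) and flags any LNK target that changes under it, because a target that changes is one the shell will rewrite, and the rewrite is what drops the MoTW stream. The canonicalisation rules and the sample targets are assumptions constructed for the demo.

```python
"""Added example (not Core Labs or Elastic code): flag LNK targets in the
"stomping" forms. Canonicalisation rules and sample targets are constructed."""
from typing import Dict, List


def canonical_target(raw: str) -> str:
    """Approximate how explorer.exe normalises an LNK target before rewriting
    the file: trailing dots and spaces are stripped from the last component and
    a leading ".\\" is resolved away. Assumption for the demo, not shell code."""
    path = raw.rstrip(". ")
    while path.startswith(".\\"):
        path = path[2:]
    return path


def is_stomped(raw: str) -> bool:
    """A target that changes under canonicalisation will be rewritten on open,
    and the rewritten LNK no longer carries the Zone.Identifier (MoTW) stream."""
    return canonical_target(raw) != raw


# Constructed examples of the three variants plus a normal target.
SAMPLE_TARGETS: Dict[str, str] = {
    "dot": "C:\\Users\\Public\\payload.exe.",
    "space": "C:\\Users\\Public\\payload.exe ",
    "relative": ".\\payload.exe",
    "normal": "C:\\Users\\Public\\payload.exe",
}


def stomped_variants(targets: Dict[str, str] = SAMPLE_TARGETS) -> List[str]:
    """Names of the sample targets the check flags, sorted for stable output."""
    return sorted(name for name, target in targets.items() if is_stomped(target))


if __name__ == "__main__":
    for name, target in SAMPLE_TARGETS.items():
        print(f"{name:8s} {target!r:40s} stomped={is_stomped(target)}")
```

On a real endpoint the raw target string comes from parsing the LNK's LinkTargetIDList or StringData; the point of the check is that a detection should run on the file as received, before the shell has had a chance to rewrite it.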

Meet the Authors

Pablo Zurro, Cybersecurity Product Manager, Core Security, by Fortra
Daniel De Luca, Software Development Manager