Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.
Cisco’s share of the fixes covers three flaws: CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2), which impact the Cisco Expressway Series and could enable an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.
All three issues, discovered during internal security testing, stem from insufficient CSRF protections in the web-based management interface, which could allow an attacker to perform arbitrary actions with the privilege level of the affected user.
“If the affected user has administrative privileges, these actions may include changing the system configuration and creating new privileged accounts,” Cisco said of CVE-2024-20252 and CVE-2024-20254.
On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could allow the threat actor to overwrite system configuration settings, resulting in a denial of service (DoS) condition.
Another crucial difference between the two sets of flaws is that while the first two impact Cisco Expressway series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API functionality has been enabled. It is disabled by default.
Patches for the vulnerabilities are available in Cisco Expressway Series Release 14.3.4 and 15.0.0.
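The Cisco flaws above come down to a state-changing management endpoint that trusts the browser's session cookie alone. The following Python is an added illustration of that weakness and its standard defence; it is not Cisco's code, and the appliance origin, session store, endpoint path and sample requests are all constructed for the example. It shows a handler that only checks the session cookie next to one that additionally requires a POST method, a matching Origin (or Referer) header and a per-session synchroniser token, then runs both against a forged cross-origin request and a legitimate one.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical origin of the appliance's web management interface (constructed).
SITE_ORIGIN = "https://mgmt.example.internal"


@dataclass
class Session:
    user: str
    role: str                                   # "admin" or "read-only"
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


SESSIONS: dict[str, Session] = {}               # session cookie value -> Session


def login(user: str, role: str) -> str:
    """Create a server-side session and return the cookie value the browser stores."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, role)
    return sid


def handle_insecure(req: Request) -> tuple[int, str]:
    """Weak policy: a valid session cookie alone authorises the action.
    The browser attaches that cookie to any request for this site, so a request
    triggered by a page on another origin is accepted as if the user made it."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    if sess.role != "admin":
        return 403, "admin role required"
    return 200, f"created privileged account {req.form.get('username')}"


def _same_origin(req: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is this site."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = req.headers.get("Referer")
    return referer is not None and referer.startswith(SITE_ORIGIN + "/")


def handle_hardened(req: Request) -> tuple[int, str]:
    """Same endpoint with CSRF defences: POST only, Origin/Referer must match this
    site, and the form must carry the per-session synchroniser token, which a page
    on another origin cannot read."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    if not _same_origin(req):
        return 403, "cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    if not secrets.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    if sess.role != "admin":
        return 403, "admin role required"
    return 200, f"created privileged account {req.form.get('username')}"


def forged_request(sid: str) -> Request:
    """Constructed sample: a form auto-submitted by a page on another origin.
    The browser still sends the victim's session cookie, but that page can neither
    set the Origin header to this site nor learn the session's CSRF token."""
    return Request("POST", "/admin/users", {"session": sid},
                   {"Origin": "https://another-site.example"},
                   {"username": "unwanted-admin", "role": "admin"})


def legit_request(sid: str, token: str) -> Request:
    """Constructed sample: the same form submitted from the real management UI."""
    return Request("POST", "/admin/users", {"session": sid},
                   {"Origin": SITE_ORIGIN},
                   {"username": "newadmin", "role": "admin", "csrf_token": token})


if __name__ == "__main__":
    sid = login("alice", "admin")
    token = SESSIONS[sid].csrf_token
    for name, req in (("forged", forged_request(sid)), ("legitimate", legit_request(sid, token))):
        print(f"{name:10s} insecure={handle_insecure(req)[0]}  hardened={handle_hardened(req)[0]}")
```

Running it shows the forged request accepted (200) by the cookie-only handler and rejected (403) by the hardened one, while the legitimate request passes both. In a real deployment the session cookie would additionally be marked SameSite=Lax or Strict so the browser itself withholds it from cross-site POSTs; the Origin check and token remain the server-side defence when that attribute is absent or bypassed by older clients.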
Fortinet, for its part, has released a second set of updates to address two bypasses of a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in the FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.
Classified as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws “could allow an unauthenticated, remote attacker to execute unauthorized commands via crafted API requests.”
It is worth noting that Fortinet addressed another variant of CVE-2023-34992 by fixing CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are fixed, or will be fixed, in the following releases:
- FortiSIEM version 7.1.2 or later
- FortiSIEM version 7.2.0 or later (upcoming)
- FortiSIEM version 7.0.3 or later (upcoming)
- FortiSIEM version 6.7.9 or later (upcoming)
- FortiSIEM version 6.6.5 or later (upcoming)
- FortiSIEM version 6.5.3 or later (upcoming)
- FortiSIEM version 6.4.4 or later (upcoming)
Rounding out the trio is VMware, which reported five moderate- to high-severity flaws in Aria Operations for Networks (formerly vRealize Network Insight):
- CVE-2024-22237 (CVSS Score: 7.8) – Local privilege escalation vulnerability allows a console user to gain regular root access
- CVE-2024-22238 (CVSS Score: 6.4) – Cross-site scripting (XSS) vulnerability allows an attacker with administrator privileges to inject malicious code into user profile configurations
- CVE-2024-22239 (CVSS Score: 5.3) – Local privilege escalation vulnerability allows a console user to gain regular shell access
- CVE-2024-22240 (CVSS Score: 4.9) – Local file read vulnerability allows an attacker with administrator privileges to access sensitive information
- CVE-2024-22241 (CVSS Score: 4.3) – Cross-site scripting (XSS) vulnerability allows an attacker with administrator privileges to inject malicious code and take control of the user account
To mitigate the risk, users of VMware Aria Operations for Networks version 6.x are advised to upgrade to version 6.12.0.
Given the history of threat actors exploiting flaws in Cisco, Fortinet, and VMware products, patching is a necessary and crucial first step that organizations must take to address these deficiencies.