The Latest Cybersecurity Vulnerabilities Unveiled
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical security vulnerability affecting Fortinet products, particularly FortiOS, FortiPAM, FortiProxy, and FortiWeb. Identified as CVE-2024-23113 with a CVSS score of 9.8, this flaw allows remote code execution via externally-controlled format string vulnerability, paving the way for attackers to execute arbitrary code or commands.
Federal Civilian Executive Branch (FCEB) agencies have been advised to implement vendor-provided mitigations by October 30, 2024, to ensure their systems are shielded from potential exploits.
Palo Alto Networks Exposes Critical Bugs in Expedition
Palo Alto Networks has made public several security vulnerabilities in Expedition that permit unauthorized access to database contents, arbitrary file writing, and reading. These issues put PAN-OS firewalls at risk by revealing sensitive information such as usernames, passwords, and device configurations.
The identified vulnerabilities have been categorized as follows:
- CVE-2024-9463 (CVSS score: 9.9) – An OS command injection flaw enabling unauthenticated remote attackers to execute arbitrary commands as root.
- CVE-2024-9464 (CVSS score: 9.3) – An authenticated OS command injection vulnerability allowing users to run arbitrary OS commands as root.
- CVE-2024-9465 (CVSS score: 9.2) – An SQL injection weakness that reveals Expedition’s database contents to unauthenticated adversaries.
- CVE-2024-9466 (CVSS score: 8.2) – A flaw exposing cleartext storage of sensitive information, letting authenticated users disclose usernames, passwords, and API keys.
- CVE-2024-9467 (CVSS score: 7.0) – A reflected cross-site scripting (XSS) vulnerability facilitating the execution of malicious JavaScript in authenticated users’ browsers.
Palo Alto Networks credited Zach Hanley of Horizon3.ai and Enrique Castillo of Palo Alto Networks for discovering and reporting these vulnerabilities.
Cisco Resolves Nexus Dashboard Fabric Controller Flaw
Cisco has released patches to address a critical command execution vulnerability in Nexus Dashboard Fabric Controller (NDFC), known as CVE-2024-20432 with a CVSS score of 9.9. This flaw allows authenticated remote attackers to execute arbitrary commands with network-admin privileges on an affected device through the REST API or web UI.
Version 12.2.2 of NDFC contains the fix for this vulnerability, ensuring that devices are protected against potential exploitation.