Quest Security and Service Advisories
As an ongoing service to Quest's valued clients, our team of experts monitors security and service advisories we are seeing in the market from multiple vendors and these important notices are sent to our clients. You can view an overview of our recent advisories below. If you need more information on any of these advisories, or would like to set up a meeting to discuss them further, please reach out to our team.
November 2024
Security Advisory: Critical Palo Alto / PAN OS Vulnerability (11/19)
October 2024
Security Advisory: Critical Cisco ASA, FMC, FTD Vulnerabilities (10/24)
Security Advisory: Critical FortiManager API Vulnerability Zero-Day (10/23)
Security Advisory: *Updated Patch* Critical Broadcom/VMware vCenter PLE Vulnerabilities (10/22)
Security Advisory: Sharp Increase in DDoS Attacks Impacting VPN Services (10/11)
September 2024
Security Advisory: Apple iOS 18 Concerns – Please Test (9/19)
Security Advisory: Critical Broadcom/VMware vCenter PLE Vulnerabilities (9/18)
Security Advisory: Critical Patching - A Must to Review (9/17)
Security Advisory: Critical Veeam Backup & Replication RCE Vulnerabilities (9/5)
Security Advisory: FBI/CISA/DoD Warning on Iranian Ransomware Campaign (9/3)
August 2024
Security Advisory: Critical Windows IPv6 TCP/IP RCE: Apply Microsoft Patches Now (8/15)
Security Advisory: You need more than MFA (8/9)
July 2024
Security Advisory: Urgent Notice: Increased Threat Actor Activity Post-Crowdstrike Outage (7/22)
Security Advisory: Crowdstrike - Official Workaround to Ongoing Issue (7/18)
Security Advisory: Critical Vulnerabilities in OpenSSH (7/2)
June 2024
Security Advisory: Critical Vulnerabilities in VMware vCenter Server (6/19)
Security Advisory: Pure Storage Cyber Incident (6/14)
May 2024
Security Advisory: Cyber Threats Targeting Snowflake Accounts (5/31)
Security Advisory: Holiday Weekend Preparation and Response for Ransomware Attacks (5/22)
Security Advisory: Critical Roll Up Patches for May (5/16)
April 2024
Security Advisory: Cisco DDoS/Code Execution Threat (4/29/2024)
Security Advisory: PAN Re-statement Recommendations
Security Advisory: Citrix: Citrix Hypervisor Security Update
Security Advisory: Palo Alto Network: CVE-2024-3400
Security Advisory: Fortinet: FG-IR-23-493 (4/9/2024)
March 2024
Security Advisory: Critical VMware Vulnerabilities Identified
February 2024
Security Advisory: ConnectWise ScreenConnect Security Threat
Security Advisory: Critical Vulnerabilities (CVSS 9.8) in Wide Range of Fortinet Software
January 2024
November 2024
Security Advisory: Critical Palo Alto / PAN OS Vulnerability (11/19):
Quest has been notified of a security advisory addressing a vulnerability in the Palo Alto (PAN-OS) Management Interface. Companies whose PAN-OS Management Interface is externally accessible are at the highest risk of compromise and are advised to immediately remove external access, update to a fixed version, and threat hunt for IOCs (links below).
Vendor: Palo Alto
CVE(s): CVE-2024-0012
CVSS: 9.3 Critical
Exploited in the wild: Yes
Description: PAN-OS: Unauthenticated Bypass in the Management Web Interface
Impact: A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities.
Workarounds: Yes; See vendor solutions
Link to source(s): https://security.paloaltonetworks.com/CVE-2024-0012
IOC Available: Yes, https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
Recommendation: Review Vendor Advisory; Remove Firewall Management from Internet Immediately (threat hunt for IOCs if externally accessible), apply updates as necessary.
October 2024
Security Advisory: Critical Cisco ASA, FMC, FTD Vulnerabilities (10/24):
Cisco has released their semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication containing over 30 vulnerabilities. Quest has identified multiple Critical vulnerabilities in Cisco ASA, FMC, FTD devices listed in the security advisory and recommends you review the entire published list of risks.
Vendor: Cisco (ASA, FMC, FTD)
CVE(s): CVE-2024-47575
CVSS: 9.3 - 9.9 Critical
Exploited in the wild: No
Description: Cisco released its semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication. Below are the critical vulnerabilities impacting multiple products.
1. CVE-2024-20329 - Cisco Adaptive Security Appliance (ASA) - A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute operating system commands as root.
2. CVE-2024-20424 - Cisco Secure Firewall Management Center Software (FMC) - A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root.
3. CVE-2024-20412 - Cisco Firepower Threat Defense Software for Firepower (FTD) - A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials.
Impact: Exploitation of these vulnerabilities can allow for unauthenticated privileged access to gain control over the system.
Workarounds: Yes, Please review vendor advisory for additional details
Link to source(s): https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300
Recommendation: Review the Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication for applicability and apply the updates or workarounds, released by Cisco, as soon as possible.
If you need assistance with your review and patching of your Cisco devices or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.
Security Advisory: Critical FortiManager API Vulnerability Zero-Day (10/23):
Quest has been notified of a security advisory addressing critical vulnerabilities in Fortinet FortiManager. Fortinet has patched a critical security vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
Vendor: Fortinet / FortiManager
CVE(s): CVE-2024-47575
CVSS: 9.8 Critical
Exploited in the wild: Yes
Description: Critical FortiManager API vulnerability
Impact: A missing authentication for a critical function vulnerability in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
Workarounds: Yes, please review the vendor advisory for additional details
Link to source(s): https://www.fortiguard.com/psirt/FG-IR-24-423
Recommendation: Review applicability and apply the updates or workarounds, released by Fortinet, as soon as possible.
If you need assistance with your review and patching of your FortiManager or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.
Security Advisory: *Updated Patch* Critical Broadcom/VMware vCenter PLE Vulnerabilities (10/22):
Quest has been notified of a security advisory addressing critical vulnerabilities in Broadcom VMware vCenter. Broadcom has urgently patched a critical security vulnerability that can allow unauthenticated users to perform privilege escalation on impacted products listed in their security advisory.
IMPORTANT: VMware by Broadcom has determined that the vCenter patches released on September 17, 2024, did not fully address CVE-2024-38812. All customers are strongly encouraged to apply the patches currently listed in the Response Matrix (linked in the source). Additionally, patches for the 8.0 U2 line are also available.
Vendor: Broadcom/VMware
CVE(s): CVE-2024-38812, CVE-2024-38813
CVSS: 9.8 Critical
Description: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities.
Impact: The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to the vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
Workarounds: No
Link to source(s): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
Recommendation: Review applicability and apply the update released by Broadcom as soon as possible.
If you need assistance with your review and patching of your vCenter or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.
Security Advisory: Sharp Increase in DDoS Attacks Impacting VPN Services (10/11):
Quest monitors trends in cyber activity and has seen a dramatic increase in Distributed Denial of Service (DDoS) attacks impacting organizations. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. Quest has been responding to a number of customers impacted by DDoS attacks, resulting in entire internet outages and VPN service outages.
If your organization is configured to use SSL/VPN, you are especially at risk of being targeted or impacted. In the last few weeks, a number of firewall/router vendors have released updates to address denial of service vulnerabilities impacting SSL/VPN services.
Recommendation: Review and apply firewall/router vendor patches relating to denial of service vulnerabilities, especially those relating to SSL/VPN services.
September 2024
Security Advisory: Apple iOS 18 Concerns – Please Test (9/19):
With the release of Apple iOS 18 on September 17, 2024, clients may experience enterprise connectivity issues when integrating with tools for remote management and access. Quest understands that iOS 18 will address multiple security concerns and provide many new features; however, we suggest that clients review their Apple iOS 18 upgrade and testing process. For the majority of users, this upgrade could automatically download. Please review your deployment process, and you may want to postpone the upgrade until this iOS has been in the production field for more than 1-2 days.
If you need assistance with your mobile devices and/or applications, please let us know as soon as possible.
Security Advisory: Critical Broadcom/VMware vCenter PLE Vulnerabilities (9/18):
Quest has been alerted to critical vulnerabilities in Broadcom VMware vCenter. Broadcom has released urgent patches to fix a flaw that allows unauthenticated users to escalate privileges on affected products.
Vendor: Broadcom/VMware
CVE(s): CVE-2024-38812, CVE-2024-38813
Max CVSS: 9.8 Critical
Description: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities.
Impact: The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to the vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
Workarounds: No
Link to source(s): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
If you need assistance with your review and patching of your vCenter or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.
Security Advisory: Critical Patching - A Must to Review (9/17):
Quest is working with its service and account managers and technical consultants to review what we are and are not providing clients with respect to patching workstations, mobile devices, servers, networking devices, and applications within their infrastructure. As we are all aware, patching is a critical process to minimize cyber risk, and the process and execution are often not clearly understood. It is important that Quest and our clients review these tasks and clarify the details regarding how systems are patched and who is responsible. For some clients, Quest is responsible, while with many clients, we are waiting for them to request our services, or we are only patching a specific device, such as a firewall.
Throughout September, we are asking our teams to review clients' expectations and understanding of Quest's role in their patching processes. Our team may reach out to request a conversation, or please reach out to us if you wish to discuss further.
Security Advisory: Critical Veeam Backup & Replication RCE Vulnerabilities (9/5):
Quest has been notified of a security advisory addressing multiple critical vulnerabilities in Veeam products. Veeam has urgently patched a critical security vulnerability that can allow unauthenticated remote execution on the impacted products listed below.
Vendor: Veeam
CVE(s): CVE-2024-40711, CVE-2024-40713, CVE-2024-42024, CVE-2024-42019, CVE-2024-38650, CVE-2024-39714
Max CVSS: 9.9 Critical
Impacted Products:
- Veeam Backup & Replication
- Veeam ONE
- Veeam Service Provider Console
- Veeam Agent for Linux
- Veeam Backup for Nutanix AHV
- Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization
Description: A vulnerability allowing unauthenticated remote code execution (RCE).
Impact: An unauthenticated attacker could initiate remote code execution, leading to unauthorized access to the backup server.
Link to source(s): https://www.veeam.com/kb4649
Security Advisory: FBI/CISA/DoD Warning on Iranian Ransomware Campaign (9/3):
An Iranian-backed ransomware operation is targeting local government, defense, finance, education, and healthcare sectors. The campaign is exploiting a group of previously known, highly impactful vulnerabilities on the following platforms:
1. Citrix NetScaler (CVE-2019-19781 and CVE-2023-3519)
2. F5 BIG-IP (CVE-2022-1388)
3. Pulse Secure/Ivanti VPNs (CVE-2024-21887)
4. PAN-OS firewalls (CVE-2024-3400)
5. Check Point Security Gateways (CVE-2024-24919)
If your organization uses the platforms above, Quest recommends reviewing the code/OS on those devices and patching/upgrading to the latest stable release. If you have partners that use these platforms, it’s advised to make them aware of this advisory, as supply chain attacks from this type of threat are not common.
The full advisory, along with technical details, can be found here:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
August 2024
Security Advisory: Critical Windows IPv6 TCP/IP RCE: Apply Microsoft Patches Now (8/15):
Quest has been notified of a security advisory addressing vulnerabilities in Microsoft Windows. Microsoft urgently addressed a critical security vulnerability within the Windows TCP/IP stack (IPv6), identified as CVE-2024-38063. What makes CVE-2024-38063 particularly concerning is its classification as a “wormable” flaw. This means that once an attacker successfully exploits a single device within an internal network, the vulnerability can facilitate the rapid propagation of malicious code across other connected devices without any user interaction.
Vendor: Microsoft
CVE(s): CVE-2024-38063
CVSS: 9.8 Critical
Description: Windows IPv6 TCP/IP Remote Code Execution Vulnerability
Impact: An unauthenticated attacker could repeatedly send specially crafted IPv6 packets to a Windows machine, which could enable remote code execution.
Workaround: For Windows machines that cannot be patched urgently, a temporary workaround is to disable IPv6 on the host. Disabling IPv6 should be considered a temporary safeguard, as it could lead to a malfunction of critical Windows components.
Link to source(s): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 (Patched in AUG ’24 Patch Tuesday release)
*important* Microsoft has also remediated an additional six Critical Vulnerabilities, which are actively being exploited by Threat Actors, resolved in the AUG ’24 Patch release (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107, CVE-2024-38189).
Recommendation: Review and apply the AUG’24 Microsoft Patch updates as soon as possible.
If you need assistance with remediation or would like to discuss these vulnerabilities in more detail, please reply to this email, and we will set up a meeting.
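The temporary workaround above (disable IPv6 on hosts that cannot be patched yet) is easy to apply but just as easy to forget to undo. The following PowerShell is an added example, not code from Microsoft or from the Quest advisory: it records which adapters currently have the IPv6 binding enabled, disables only those, and provides a matching restore function for use after the August patch is installed. It assumes the NetAdapter module (Windows 8 / Server 2012 and later) and an elevated session; the function names and the state-file path are choices made for this example.

```powershell
# Added example (not from Microsoft or Quest): apply the advisory's temporary IPv6 workaround
# with a recorded state so the change can be rolled back after patching.
# Assumptions: NetAdapter module available, running elevated; $StateFile path is arbitrary.
function Disable-Ipv6Temporarily {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$StateFile = (Join-Path $env:ProgramData 'ipv6-binding-state.json')
    )
    # Snapshot the current ms_tcpip6 (IPv6) binding on every adapter. The rollback function
    # only re-enables adapters that were enabled at this point, not ones an admin had already
    # turned off deliberately.
    $current = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, Enabled
    $current | ConvertTo-Json | Set-Content -LiteralPath $StateFile -Encoding UTF8

    foreach ($b in ($current | Where-Object Enabled)) {
        # -WhatIf / -Confirm are honoured through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($b.Name, 'Disable IPv6 binding (CVE-2024-38063 workaround)')) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
        }
    }
    return $StateFile
}

function Restore-Ipv6Binding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$StateFile = (Join-Path $env:ProgramData 'ipv6-binding-state.json')
    )
    if (-not (Test-Path -LiteralPath $StateFile)) {
        throw "No saved IPv6 binding state found at $StateFile"
    }
    $saved = Get-Content -LiteralPath $StateFile -Raw | ConvertFrom-Json
    # ConvertFrom-Json yields a single object (not an array) when only one adapter was
    # recorded, so wrap it in @() before iterating.
    foreach ($b in (@($saved) | Where-Object Enabled)) {
        if ($PSCmdlet.ShouldProcess($b.Name, 'Re-enable IPv6 binding')) {
            Enable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
        }
    }
}
```

Run `Disable-Ipv6Temporarily -WhatIf` first to see which adapters would change, and `Restore-Ipv6Binding` once the August Patch Tuesday update is confirmed installed.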
Security Advisory: You need more than MFA (8/9):
Quest Incident Response is continually responding to organizations that are becoming victims of email phishing campaigns designed to bypass Multi-Factor Authentication (MFA) protections in Microsoft 365. Successful compromises have led to data theft containing sensitive information (including OneDrive and SharePoint), lateral movement to third-party services (including financial institutions), financial routing changes, and the threat actor using the compromised email account as a source to phish customers, partners, and employees.
Ways Quest has observed threat actors bypassing MFA:
- Use of Phishing Toolkits: Attackers use phishing toolkits that employ reverse-proxy tactics to bypass MFA. These toolkits are automated and provide a simple platform to run and manage their advanced phishing campaigns.
- Theft of Session Token (Adversary in the Middle): Threat actors steal MFA session cookies by using a reverse proxy server hosting the phishing web page, which intercepts the victim’s input and relays it to the legitimate service. Once the user completes the MFA challenge and the authentication is successful, the server in the middle captures MFA session cookies. This way, the attacker can replay a user’s session and bypass MFA mechanisms to access the resource.
- Targeting Specific Roles: Attackers are improving their techniques and even filtering compromised targets by their organizational roles in an automated manner. Successful BEC compromises are directly targeted towards C-level and accounting departments.
- Social Engineering: Attackers deceive employees and customers into bypassing MFA by masquerading as helpdesk or other trusted entities and gaining access through phone calls. In some cases, Quest has observed employees granting threat actors direct remote access to their workstations using default Microsoft tools.
MFA is still strongly recommended as a critical layer of defense for securing accounts. As threat actors increase their phishing sophistication, additional measures need to be taken to combat this serious threat.
Quest is offering a 30-minute conversation to further inform you about this threat and discuss how Quest can assist you in strengthening your defenses against these MFA bypass tactics.
July 2024
Security Advisory: Critical Vulnerabilities in Microsoft and VMware Exploited in Active Ransomware (7/30):
Quest has been notified of a security advisory addressing vulnerabilities in Microsoft Windows and VMware ESX, which have been observed being exploited and chained together, leading to possible ransomware encryption of ESX hosts. Details on the vulnerabilities are below:
Vendor: Microsoft
CVE(s): CVE-2023-28252
CVSS: 7.8 High
Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability.
Impact: An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Link to source(s): https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252 (Patched in April ’24 Patch Tuesday release)
Recommendation: Review applicability and apply the updates (released in the Microsoft April Patch Tuesday release) as soon as possible.
Vendor: VMware ESX
CVE(s): CVE-2024-37085, CVE-2024-37086, CVE-2024-37087
CVSS: 6.8 Medium
Description: VMware ESXi contains an authentication bypass vulnerability
Impact: A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host.
Workarounds: https://knowledge.broadcom.com/external/article/369707/
Link to source(s): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
Recommendation: Review applicability and apply the update released by Broadcom as soon as possible.
If you need assistance with remediation or would like to discuss these vulnerabilities in more detail, please reply to this email, and we will set up a meeting.
Did you miss an advisory? Check out our advisory page here: https://questsys.com/Quest-Security-and-Service-Advisories/
Security Advisory: Urgent Notice: Increased Threat Actor Activity Post-Crowdstrike Outage (7/22):
In the wake of the recent global Crowdstrike outage on July 19th, 2024, threat actors and scammers are known to exploit the situation to their advantage. We are reminding you to be vigilant to detect fake emails, voice calls, texts, and websites that pretend to be official. We are seeing an increase in malicious threat actor activity posing as technical support teams or Crowdstrike in an attempt to trick you into giving up personal information, such as passwords, credit card numbers, or other sensitive data, using Phishing (Email), Smishing (SMS Text Messages) and Vishing (Phone calls). There are also attempts to leverage a malicious ZIP archive claiming to be a hot fix.
You will never be contacted (by any means) by Crowdstrike Support directly.
This is a reminder to all of our users to remain vigilant and only follow instructions from legitimate sources. Please avoid the following communication types regarding Crowdstrike:
- Clicking on phishing emails or suspicious links
- Engaging in Phone call conversations or responding to voicemails
- Engaging in Text Message communications
- Using a Zip file that claims to be a hotfix
Common Vishing and Smishing Techniques:
Caller ID Spoofing: Attackers may manipulate caller ID to make it appear as though the call is coming from a trusted source.
Urgency and Fear: Scammers often create a sense of urgency or fear to pressure individuals into providing information quickly.
Pre-recorded Messages: Some vishing attacks use automated messages to instruct recipients to call a number and provide personal information.
How to protect yourself:
Verify the Caller: The number one thing you can do if you receive a suspicious call is to hang up and call the organization directly using a known and trusted phone number.
Do Not Share Personal Information: Never provide sensitive information over the phone, especially if they called you.
Report Suspicious Calls: If you receive a vishing call, immediately report it to the IT department.
Security Advisory: Crowdstrike - Official Workaround to Ongoing Issue (7/18):
Tech Alert | Windows crashes related to Falcon Sensor | 2024-07-19
Published Date: Jul 18, 2024
Summary
CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.
Details
- Symptoms include hosts experiencing a bugcheck\blue screen error related to the Falcon Sensor.
- Windows hosts which have not been impacted do not require any action as the problematic channel file has been reverted.
- Windows hosts which are brought online after 0527 UTC will also not be impacted
- The issue is not impacting Mac- or Linux-based hosts
- Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version.
- Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.
Current Action
- CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
- If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps can be used to work around this issue:
Workaround Steps for individual hosts:
- Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
- Note: Bitlocker-encrypted hosts may require a recovery key.
Workaround Steps for virtual servers:
Option 1:
- Detach the operating system disk volume from the impacted virtual server
- Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
- Attach/mount the volume to a new virtual server
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Detach the volume from the new virtual server
- Reattach the fixed volume to the impacted virtual server
Option 2:
- Roll back to a snapshot before 0409 UTC.
Workaround Steps for Azure via serial:
- Login to Azure console --> Go to Virtual Machines --> Select the VM
- Upper left on console --> Click : "Connect" --> Click --> Connect --> Click "More ways to Connect" --> Click : "Serial Console".
- Once SAC has loaded, type in 'cmd' and press enter.
- type in 'cmd' command
- type in : ch -si 1
- Press any key (space bar). Enter Administrator credentials
- Type the following:
- bcdedit /set {current} safeboot minimal
- bcdedit /set {current} safeboot network
- Restart VM
- Optional: How to confirm the boot state? Run command: wmic COMPUTERSYSTEM GET BootupState
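Every variant of the workaround above comes down to finding the C-00000291*.sys channel file and deciding, from its timestamp, whether it is the 0409 UTC (problematic) or 0527 UTC-or-later (reverted) version. The PowerShell below is an added example, not code from CrowdStrike or from the Quest advisory: it classifies each matching file against the two timestamps quoted in the Tech Alert and, only when explicitly asked, deletes the ones in the problematic window. It assumes the file's LastWriteTimeUtc reflects the channel file timestamp the alert refers to, and the `-WindowsRoot` parameter is a choice made here so the same function works against a volume detached and mounted on another server (Option 1).

```powershell
# Added example (not from CrowdStrike or Quest): classify Falcon channel file C-00000291*.sys
# against the timestamps in the 2024-07-19 Tech Alert.
# Assumption: the file's last-write time (UTC) is the "timestamp" the alert refers to.
function Get-FalconChannelFileStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Windows directory of the system being checked. Defaults to this host's %WINDIR%;
        # pass e.g. 'E:\Windows' for a detached volume mounted on a recovery VM.
        [string]$WindowsRoot = $env:WINDIR,
        # Delete files classified as the problematic 0409 UTC build. Off by default so the
        # function is read-only unless the operator opts in.
        [switch]$RemoveProblematic
    )

    # Timestamps quoted in the alert, as UTC DateTime values.
    $problematicTs = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
    $revertedTs    = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

    $dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) {
        throw "CrowdStrike driver directory not found: $dir"
    }

    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($files.Count -eq 0) {
        Write-Warning "No C-00000291*.sys channel file found in $dir"
        return
    }

    foreach ($f in $files) {
        $ts = $f.LastWriteTimeUtc
        # 0527 UTC or later: reverted (good) version per the alert.
        # 0409 UTC up to 0527 UTC: the problematic build.
        # Earlier than 0409 UTC: an older channel file, not the build that caused the crashes.
        $status = if ($ts -ge $revertedTs) { 'reverted-good' }
                  elseif ($ts -ge $problematicTs) { 'problematic' }
                  else { 'pre-incident' }

        if ($status -eq 'problematic' -and $RemoveProblematic -and
            $PSCmdlet.ShouldProcess($f.FullName, 'Delete problematic channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
            $status = 'problematic-removed'
        }

        [pscustomobject]@{
            File         = $f.FullName
            LastWriteUtc = $ts.ToString('u')
            Status       = $status
        }
    }
}
```

From Safe Mode on an affected host, `Get-FalconChannelFileStatus` reports the state without changing anything; `Get-FalconChannelFileStatus -WindowsRoot 'E:\Windows' -RemoveProblematic -WhatIf` previews the deletion step of Option 1 against a mounted volume before committing to it.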
In the event that you need further assistance please contact us at or 1800-443-5605.
Security Advisory: Critical Vulnerabilities in OpenSSH (7/2):
Quest has been notified of a security advisory addressing critical vulnerabilities in OpenSSH, including an unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion," which grants root privileges on glibc-based Linux systems.
Vendor: OpenSSH / Linux Based systems
CVE(s): CVE-2024-6387
CVSS: 8.1 High
Description: A signal handler race condition was found in OpenSSH's server (sshd). If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in older OpenSSH versions), sshd's SIGALRM handler is called asynchronously.
Impact: A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code with root privileges, potentially leading to full system compromise.
Workarounds: None; however, Quest highly recommends the security practice of keeping SSH management interfaces on a "controlled" network, isolated/blocked from user/non-management segments.
Link to source(s):
- https://ubuntu.com/security/CVE-2024-6387
- https://explore.alas.aws.amazon.com/CVE-2024-6387.html
- https://security-tracker.debian.org/tracker/CVE-2024-6387
- https://access.redhat.com/security/cve/cve-2024-6387
The list is growing; please scan for vulnerabilities and check with your local and cloud deployments for additional susceptible platforms/instances.
Recommendation: Perform a complete vulnerability scan, review applicability, and apply the updates as soon as possible.
If you need assistance with remediation, would like to request a vulnerability scan, or would like to discuss this in more detail, please let us know.
June 2024
Security Advisory: Critical Vulnerabilities in VMware vCenter Server (6/19):
Quest has been notified of a security advisory addressing critical vulnerabilities in VMware vCenter Server, including unauthenticated remote code execution (RCE). See the details below:
Vendor: VMware
CVE(s): CVE-2024-37079, CVE-2024-37080, CVE-2024-37081
CVSS: 9.8 Critical
Description: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities
Impact: An unauthenticated malicious actor, with network access to vCenter Server, may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution and root privileges.
Workarounds: None; however, Quest highly recommends the security practice of keeping vCenter management interfaces on a "controlled" network, isolated/blocked from user/non-management segments.
Link to source(s): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
Recommendation: Review applicability and apply the updates as soon as possible.
Security Advisory: Pure Storage Cyber Incident (6/14):
Quest has been made aware of a cyber incident involving Pure Storage. An unauthorized third party gained access to a Snowflake data analytics workspace. For more details, please refer to the Pure Storage Documentation portal.
May 2024
Security Advisory: Cyber Threats Targeting Snowflake Accounts (5/31):
Quest Security Threat Intelligence has received reports from Snowflake, which is observing and investigating an increase in cyber threat activity targeting Snowflake customers’ accounts. There are unconfirmed reports of customer data exposure of some select Snowflake customers. Snowflake believes this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data using poorly secured accounts. Snowflake provided Indicators of compromise to aid in threat hunting, remediation and prevention. This threat is emerging/preliminary and subject to change.
Link to additional information: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
If you need assistance or would like to discuss this in more detail, please let us know, and we can schedule a meeting to review.
Security Advisory: Holiday Weekend Preparation and Response for Ransomware Attacks (5/22):
As the Memorial Day holiday approaches this weekend, it's crucial to remain vigilant with your defenses and operational monitoring of your security tools and solutions. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on and around holidays when offices are closed and staff is reduced.
If you encounter anything abnormal or suspicious during the holiday weekend, please contact Quest Technology at . We operate a 24x7 fully staffed NOC/SOC and security practice, including an incident response team, ready to assist you.
Should you need assistance this week with any current patching, remote user access, or other immediate security tasks, please let us know before Friday. Our experts are on hand to help close any gaps before the weekend.
Again, you can reach us at , or call 800-443-5605 for any critical or suspicious activities.
Security Advisory: Critical Roll Up Patches for May (5/16):
CVE-2024-30040: CVSS 8.8 / Windows MSHTML Platform Security Feature Bypass Vulnerability *Active Exploit*
CVE-2024-30051: CVSS 8.8 / Windows MSHTML Platform Security Feature Bypass Vulnerability *Active Exploit*. Qakbot is using this as an initial infection vector (via phishing email with file) for affiliates including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently, Black Basta.
CVE-2024-30046: CVSS 5.9 / Visual Studio Denial of Service Vulnerability
Recommendation: Patch urgently
Other Notables
Cisco: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities CVE-2024-20357, CVE-2024-20376, CVE-2024-20378 – CVSS 7.5
Apple: Apple issued a security advisory that backports fixes for a zero-day exploited in attacks to older iPhones *Active Exploit*
- Link: https://support.apple.com/en-us/HT201222
- Please check and update your iPhone software
Chrome: Google Chrome emergency update fixes 6th zero-day exploit in 2024 *Active Exploit*
- Link: https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
- Recommend: Patch urgently
April 2024
Security Advisory: Cisco DoS/Code Execution Threat (4/29/2024):
Cisco is warning that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide: CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). A third, related issue, CVE-2024-20358 (command injection), is fixed in the same releases.
Vendor: Cisco
CVE(s): CVE-2024-20353, CVE-2024-20359, CVE-2024-20358
CVSS: 8.6 High (CVE-2024-20353); 6.0 Medium (CVE-2024-20359, CVE-2024-20358)
Description: Denial of service / persistent local code execution / command injection
Impact: Observed in attacks: configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement
Link to source(s):
1. CVE-2024-20358 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-cmd-inj-ZJV8Wysm
2. CVE-2024-20359 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
3. CVE-2024-20353 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2
Additional information: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
Recommendation: Review applicability; update to fixed release
Cisco is strongly urging its customers to patch these vulnerabilities. Please contact Quest ASAP at (800) 326-4220 if you need our assistance. If the Quest SOC has already been in touch with you about your managed firewalls, please disregard this message.
Security Advisory: PAN Re-statement Recommendations (4/19/2024):
Earlier this week Quest published a security advisory for a PAN vulnerability (CVE-2024-3400). Palo Alto updated guidance on this issue.
Updated:
https://security.paloaltonetworks.com/CVE-2024-3400
https://unit42.paloaltonetworks.com/cve-2024-3400/
In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
Palo Alto's recommendation, if compromise is confirmed, is to wipe the device and rebuild it on a patched version; if the logs show when the exploit took place, restore a baseline configuration from before that date.
The affected version range also changed (see below); note the lower starting version in the most recent advisory (10.2.0):
- First advisory, affected devices:
- Running GlobalProtect with device telemetry enabled, on version 10.2.9 or higher
- Second advisory, affected devices:
- Running GlobalProtect, on version 10.2.0 or higher, regardless of telemetry.
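The "if the logs tell you when the exploit took place" step above can be automated. The following is an added example, not code from Palo Alto or Quest: it applies the log check Palo Alto published for CVE-2024-3400 (on the firewall CLI, `grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*`) to exported gpsvc.log files. A "failed to unmarshal session(...)" entry whose session value is a filesystem path instead of an opaque token is an indicator of an exploitation attempt, and the earliest such timestamp is the cut-off for restoring a pre-exploit configuration. The function name, the timestamp layout and the sample log lines are assumptions constructed for this example.

```powershell
# Added example; not Palo Alto's or Quest's code. Scans exported GlobalProtect gpsvc.log
# lines for the CVE-2024-3400 indicator: a session value that is a path, not a token.
function Find-Cve20243400Indicator {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    # Leading timestamp (date and time) plus the value inside session( ... )
    $pattern = [regex]'^(?<ts>\S+\s+\S+).*?failed to unmarshal session\((?<sess>[^)]*)\)'
    foreach ($line in $LogLines) {
        $m = $pattern.Match($line)
        if (-not $m.Success) { continue }
        $sess = $m.Groups['sess'].Value
        # A genuine session value is an opaque token; a slash or ".." means
        # attacker-controlled input reached the file-handling code.
        if ($sess -match '[/\\]' -or $sess -match '\.\.') {
            [pscustomobject]@{
                Timestamp = $m.Groups['ts'].Value
                Session   = $sess
                Line      = $line
            }
        }
    }
}

# Constructed sample lines for illustration; the real gpsvc.log layout may differ in detail
# (assumption: an ISO-style date and time lead each line).
$sample = @(
    '2024-04-12 03:14:07 gpsvc: failed to unmarshal session(5e8d6f0a4b3c2d1e0f9a8b7c6d5e4f3a)',
    '2024-04-12 03:15:22 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/hello)',
    '2024-04-12 03:16:01 gpsvc: failed to unmarshal session(/../../../var/appweb/sslvpndocs/global-protect/portal/images/x.txt)'
)

# Usage: feed the exported log(s) in, list the hits, and take the earliest timestamp as the
# cut-off for the "restore a configuration from before the exploit" step.
$hits = Find-Cve20243400Indicator -LogLines $sample        # or: -LogLines (Get-Content .\gpsvc.log*)
$hits | Format-Table Timestamp, Session -AutoSize
$firstHit = ($hits | Sort-Object Timestamp | Select-Object -First 1).Timestamp
"Earliest indicator: $firstHit"
```

Against the constructed sample the first line is ignored (opaque token) and the second and third are reported, so the earliest indicator is 2024-04-12 03:15:22. Treat a hit as a reason to follow Palo Alto's compromise-assessment guidance, not as proof of a successful compromise on its own.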
Security Advisory: Citrix: Citrix Hypervisor Security Update (4/11/2024):
Two issues have been identified that affect XenServer and Citrix Hypervisor. Each issue may allow malicious, unprivileged code in a guest VM to infer the contents of memory belonging to its own or other VMs on the same host.
For more detail, the official notification can be found here:
https://support.citrix.com/article/CTX633151/xenserver-and-citrix-hypervisor-security-update-for-cve202346842-cve20242201-and-cve202431142
Security Advisory: Palo Alto Network: CVE-2024-3400 (4/17/2024):
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS software, for specific PAN-OS versions and distinct feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. For more detail, the official notification can be found here: https://security.paloaltonetworks.com/CVE-2024-3400
Security Advisory: Fortinet: FG-IR-23-493 (4/9/2024):
An insufficiently protected credentials vulnerability (CWE-522) in FortiOS and FortiProxy may allow an attacker to obtain the administrator cookie under rare and specific conditions, by tricking the administrator into visiting a malicious, attacker-controlled website through SSL-VPN. For more detail, the official notification can be found here: https://www.fortiguard.com/psirt/FG-IR-23-493
March 2024
Security Advisory: Critical VMware Vulnerabilities Identified (3/8/2024):
VMware has released updates to address multiple security vulnerabilities in VMware ESXi, Workstation, and Fusion. These vulnerabilities are critical and require immediate attention.
Please let us know if you would like to discuss the new CVEs or need assistance with patching these vulnerabilities.
Impact:
A malicious actor with local administrative privileges on a virtual machine can exploit these vulnerabilities to execute code as the virtual machine's VMX process running on the host. On Workstation or Fusion this means code execution on the machine hosting the VM; on ESXi the execution is contained within the VMX sandbox.
Impacted Products:
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation (Cloud Foundation)
Vulnerabilities Summary:
- CVE-2024-22252: Use-after-free vulnerability in XHCI USB controller. Critical severity with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and 8.4 for ESXi.
- CVE-2024-22253: A use-after-free vulnerability in the UHCI USB controller. It is critical, with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and 8.4 for ESXi.
- CVE-2024-22254: Out-of-bounds write vulnerability in VMware ESXi. High severity with a CVSS score of 7.9.
- CVE-2024-22255: Information disclosure vulnerability in UHCI USB controller affecting VMware ESXi, Workstation, and Fusion.
February 2024
Security Advisory: ConnectWise ScreenConnect Security Threat (2/22/2024):
Quest has been made aware of a significant and active cyber threat affecting ConnectWise ScreenConnect. Known vulnerabilities present a maximum security risk in ScreenConnect version 23.9.7 or prior, allowing threat actors to gain remote unauthenticated access to the ScreenConnect Platform. While ScreenConnect cloud servers hosted on screenconnect.com, hostedrmm.com, or those part of Quest Services are already secured against potential attacks, partners using a dedicated on-premise ScreenConnect Platform are advised to update their ScreenConnect to version 23.9.8 immediately.
Quest recommends that our customers and partners review the applicability of this update and upgrade to the latest version of ScreenConnect as necessary.
For more detail, the official notification can be found here:
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
If you need help applying the necessary recommendations, reviewing for malicious activity, or would like to discuss further, we are here to help.
Security Advisory: Critical Vulnerabilities (CVSS 9.8) in Wide Range of Fortinet Software (2/9/2024)
Quest has been made aware of multiple significant cyber threats affecting Fortinet devices running a wide range of FortiOS software. The vulnerabilities, when exploited, could allow threat actors to execute remote code on the affected devices, perform denial of service attacks, and establish a man-in-the-middle presence between Fortinet devices. The CVSS (Common Vulnerability Scoring System) score for the most significant of these vulnerabilities is a Critical 9.8 (out of 10); consequently, Quest recommends that our customers immediately patch their devices to the appropriate level.
Affected versions:
- FortiOS: 6.0, 6.2, 6.4, 7.0, 7.2, 7.4, and 7.6
- FortiProxy: 7.0, 7.2, and 7.4
A summary of the vulnerabilities, along with technical detail, can be found here: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-fortios-could-allow-for-remote-code-execution_2024-019
If you would like to discuss this further or have any other questions, we are here to help.
January 2024
Security Advisory: Malware Bypassing Office 365 Filters (1/12/2024):
Quest has been actively investigating a surge in phishing and malware attacks that evade third-party gateway filters. These attacks bypass the gateway and deliver malware directly to Office 365 mailboxes. The threat actors exploit the default MX records associated with onmicrosoft.com domains, typically of the form "CompanyName.onmicrosoft.com", to deliver spam and malicious content straight to Exchange Online, so it is never scanned by the gateway even though the organization's public MX record points at the gateway.
Advanced configuration is required, which may impact mail flow from SMTP devices (printers, scanners, applications) that send mail directly into Office 365 from on-premise locations. Careful deployment and tuning are necessary to ensure minimal interruption to mail flow.
Quest is offering a 30-minute conversation to discuss this threat in greater detail and review options/strategy to close this possible bypass on your office365 tenant. Please reply to this email if you would like to schedule time to discuss details and options for review and remediation.
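The "advanced configuration" referred to above is, in practice, telling Exchange Online to accept Internet mail only from the gateway. The following is an added example, not Quest's or Microsoft's code, of the usual way to do that with the Exchange Online PowerShell module: an inbound connector that identifies the gateway (with Enhanced Filtering so EOP still sees the true sender IP), and a mail flow rule that rejects mail from outside the organization unless the connecting IP is the gateway or the on-premise relay that printers, scanners and applications use. The tenant name, IP addresses, rule and connector names are placeholder assumptions; the exception list in step 2 is where the SMTP-device tuning the advisory warns about happens.

```powershell
# Added example, not Quest's or Microsoft's own code: close the "direct to onmicrosoft.com MX"
# bypass by rejecting inbound Internet mail that did not arrive via the third-party gateway.
# Every IP, domain, connector and rule name below is a placeholder assumption.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder admin

$GatewayIPs    = @('203.0.113.10', '203.0.113.11')   # assumption: gateway egress IPs
$OnPremRelayIP = '198.51.100.25'                      # assumption: on-prem relay for printers/scanners/apps

# The exposure: the tenant's EOP endpoint accepts mail for its accepted domains no matter where
# the public MX record points, so an attacker skips the gateway by delivering there directly.
Resolve-DnsName -Name 'contoso.onmicrosoft.com' -Type MX | Select-Object NameExchange

# 1. Inbound connector that identifies the gateway, with Enhanced Filtering so EOP evaluates
#    the original sender IP (SPF, spoof checks) instead of treating every hop as the gateway.
New-InboundConnector -Name 'Inbound from gateway' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses $GatewayIPs -RequireTls $true -Enabled $true
Set-InboundConnector -Identity 'Inbound from gateway' -EFSkipLastIP $true

# 2. Mail flow rule: reject Internet mail whose connecting IP is neither the gateway nor the
#    on-prem relay. Start in Audit mode so legitimate direct senders show up before anything
#    is rejected; add their IPs to the exception list.
New-TransportRule -Name 'Reject mail bypassing gateway' -Priority 0 -Mode Audit `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges ($GatewayIPs + $OnPremRelayIP) `
    -RejectMessageReasonText 'Inbound mail must be delivered through the mail security gateway' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Closes direct delivery to <tenant>.mail.protection.outlook.com'

# 3. After reviewing what Audit mode would have rejected (message trace / rule report),
#    switch the rule to enforcement.
Set-TransportRule -Identity 'Reject mail bypassing gateway' -Mode Enforce
```

Leave the rule in Audit mode for at least one business cycle: anything that delivers straight to Exchange Online from an address not in the exception list (on-premise relays, cloud applications sending on your behalf, scan-to-email devices) will be rejected the moment it is enforced, which is the mail-flow interruption the advisory cautions about.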