Black Arrow Cyber Advisory 30 July 2024 – Critical Updates for ServiceNow, VMware ESXi and Apple Devices

Executive summary

ServiceNow, VMware, and Apple have addressed multiple vulnerabilities across their product ranges. ServiceNow patched two actively exploited critical vulnerabilities that allow unauthenticated remote code execution, with threat actors claiming to have harvested data from over 105 databases. VMware ESXi’s recent patch addresses a flaw exploited by ransomware groups to gain administrative access via Active Directory group manipulation. Apple released iOS/iPadOS 17.6 and MacOS 14.6, fixing 35 significant security issues in the Kernel and WebKit, urging users to update immediately to ensure maximum security. Despite the availability of patches, many systems remain vulnerable.


ServiceNow

ServiceNow, a cloud-based platform that helps manage digital workflows for enterprise operations, has recently patched two critical vulnerabilities that are being actively exploited in the wild and have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. The two critical vulnerabilities, CVE-2024-4879 and CVE-2024-5217, allow unauthenticated attackers to execute arbitrary code remotely without requiring any user interaction or special conditions. Threat actors on breach forums are claiming to have harvested data from more than 105 ServiceNow databases and are selling it online. ServiceNow released the patches on 10 July; further details on the patches can be found below.

VMware ESXi

A recently patched security flaw (CVE-2024-37085) in VMware ESXi hypervisors has been actively exploited by several ransomware groups. This vulnerability allows attackers, who have sufficient Active Directory permissions, to bypass Active Directory integration authentication to gain administrative access to vulnerable ESXi hosts. The flaw can be exploited by creating or renaming an Active Directory group named “ESX Admins” and adding users to it, even if the group did not originally exist within Active Directory. Once attackers have gained admin rights through this vulnerability, they are able to carry out data exfiltration and encryption to demand ransom.
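The Active Directory changes described above (a group created with, or renamed to, the name "ESX Admins", and accounts added to it) are visible in standard Windows Security audit events, which gives defenders a hunt that does not depend on the ESXi hosts themselves. The following is an added example, not code from the advisory, VMware or Microsoft: it runs over a few constructed event records (flattened into dicts with field names that are an assumption of this example, as a SIEM export might produce) and flags the group lifecycle events that would precede abuse of CVE-2024-37085.

```python
import re
from dataclasses import dataclass

# Added example (not part of the advisory). Hunts Windows Security audit
# events, normalised into flat dicts, for the AD group manipulation that
# abuse of CVE-2024-37085 depends on: creating or renaming a group to
# "ESX Admins", or adding members to such a group. The field names
# (time, event_id, actor, group_name, old_group_name, member) are an
# assumption of this example; map them from your own SIEM schema.

# Case-insensitive and whitespace-tolerant so "esx admins" / "ESX  Admins" are caught too.
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# Standard Windows Security event IDs for security-enabled group lifecycle.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal group created
GROUP_CHANGED = {4737, 4735, 4755}   # group changed (a rename appears here)
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group


@dataclass
class Finding:
    time: str
    event_id: int
    actor: str
    group: str
    reason: str


def is_esx_admins(name: str) -> bool:
    """True when a group name would satisfy the ESXi 'ESX Admins' lookup."""
    return bool(name) and ESX_ADMINS.match(name) is not None


def hunt_esx_admins(events):
    """Return one Finding per event that creates, renames into, or adds a member to 'ESX Admins'."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        group = ev.get("group_name", "")
        old_group = ev.get("old_group_name", "")
        actor = ev.get("actor", "?")
        time = ev.get("time", "?")
        if eid in GROUP_CREATED and is_esx_admins(group):
            findings.append(Finding(time, eid, actor, group, "group created"))
        elif eid in GROUP_CHANGED and is_esx_admins(group):
            # A rename from an unrelated group is the more suspicious variant.
            if old_group and not is_esx_admins(old_group):
                reason = f"group renamed from '{old_group}'"
            else:
                reason = "group attributes changed"
            findings.append(Finding(time, eid, actor, group, reason))
        elif eid in MEMBER_ADDED and is_esx_admins(group):
            findings.append(Finding(time, eid, actor, group, f"member added: {ev.get('member', '?')}"))
    return findings


# Constructed sample events: a suspicious sequence by 'jdoe' plus benign noise.
SAMPLE_EVENTS = [
    {"time": "2024-07-29T10:02:11Z", "event_id": 4727, "actor": "CORP\\jdoe",
     "group_name": "ESX Admins"},
    {"time": "2024-07-29T10:02:40Z", "event_id": 4728, "actor": "CORP\\jdoe",
     "group_name": "ESX Admins", "member": "CORP\\svc-backup"},
    {"time": "2024-07-29T11:15:03Z", "event_id": 4737, "actor": "CORP\\jdoe",
     "group_name": "esx admins", "old_group_name": "Helpdesk Tier2"},
    {"time": "2024-07-29T12:00:00Z", "event_id": 4727, "actor": "CORP\\hr-admin",
     "group_name": "Finance Analysts"},
    {"time": "2024-07-29T12:30:00Z", "event_id": 4728, "actor": "CORP\\hr-admin",
     "group_name": "Finance Analysts", "member": "CORP\\asmith"},
]


if __name__ == "__main__":
    for f in hunt_esx_admins(SAMPLE_EVENTS):
        print(f"{f.time} event {f.event_id} by {f.actor}: '{f.group}' {f.reason}")
```

Where an organisation legitimately uses an "ESX Admins" group, baseline its membership first so that only unexpected creations, renames and additions surface. On the host side, VMware's advisory for this CVE (not linked on this page) describes an advanced setting, Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd, that when set to false stops ESXi from automatically granting that group admin rights; patching remains the primary fix.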

Apple

Apple has released iOS 17.6, urging users to update immediately due to 35 significant security fixes. These fixes address serious vulnerabilities in the Kernel and WebKit, the engine behind Safari. Notably, CVE-2024-27863 and CVE-2024-40788 in the Kernel could allow attackers with physical access to the device to determine memory layout or cause system shutdowns. Additionally, eight WebKit issues, including CVE-2024-40785, could lead to cross-site scripting attacks. Although no in-the-wild exploitation has been reported, the severity of these flaws makes updating crucial.

Apple also released iOS 16.7.9 for older devices. The iOS 17.6 update is available for iPhone XS and later, various iPad models, and iPad mini 5th generation and later. MacOS Sonoma was also updated to 14.6 and included bug fixes and security improvements. Users are advised to update to ensure maximum security.


Further information on ServiceNow vulnerabilities can be found here:

https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit

KEV Catalog - https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Further information on the VMware ESXi vulnerability can be found here:

https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption

Further information on the Apple updates can be found here:

https://support.apple.com/en-ca/HT214117

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
