CISA warns of four actively attacked security vulnerabilities

The US IT security authority CISA warns that attackers are abusing four security vulnerabilities. Admins should take action.


The US IT security authority CISA has added four new vulnerabilities to the Known Exploited Vulnerabilities catalog. This is where the authority collects vulnerabilities that have been observed in attacks in the wild. IT managers should therefore check whether the vulnerabilities listed there have been closed in their organizations.

In its announcement, CISA writes that vulnerabilities in Android, Cyberpanel, Nostromo nhttpd and Palo Alto Expedition have now been attacked. Two of the vulnerabilities mentioned were already known beforehand. The November Android Patchday already included an update that closes the vulnerability in the Google Docs user interface, which Google reported had been attacked (CVE-2024-43093).

In the previous week, attacks on servers on which Cyberpanel is installed also became known. The cyber gang Psaux is behind the attacks on the critical vulnerability CVE-2024-51567 and has targeted around 22,000 instances. The manufacturer had already warned of a vulnerability in Palo Alto's migration tool Expedition in July of this year. The vulnerability with the CVE entry CVE-2024-5910 is also considered critical and allows networks to be compromised. The flaw lies in a lack of authentication that allows the Expedition admin account to be taken over.


The fourth vulnerability observed in attacks concerns the Nostromo nhttpd server. It was reported back in 2019, and updates that close the hole have been available since then. Malicious actors have now abused the directory traversal vulnerability in the wild; it is located in the software's http_verify function and can lead to the execution of injected malicious code through carefully crafted HTTP requests (CVE-2019-16278, CVSS 9.8, risk "critical").

CISA does not explain what the observed attacks look like, to what extent they take place or how admins can recognize an attack. IT managers should check whether they are using the vulnerable software and, if so, apply the available security updates as quickly as possible.
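One way to carry out that check, as an added example that is not from the article or from CISA: it cross-references a scanner export against an excerpt in the shape of the KEV JSON feed and lists unpatched hosts by remediation due date. The hosts, patch states and due dates are constructed; only the CVE IDs and product names come from the article.

```python
import json
import re
from datetime import date

# Constructed excerpt using the KEV JSON feed's field names (cveID, product, dueDate).
# CVE IDs and product names are from the article; the due dates are placeholders.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2024-43093", "product": "Android", "dueDate": "2099-01-10"},
  {"cveID": "CVE-2024-51567", "product": "Cyberpanel", "dueDate": "2099-01-10"},
  {"cveID": "CVE-2024-5910", "product": "Palo Alto Expedition", "dueDate": "2099-01-05"},
  {"cveID": "CVE-2019-16278", "product": "Nostromo nhttpd", "dueDate": "2099-01-10"}
]}"""

# Constructed scanner export: (host, CVE string as reported, already patched?)
FINDINGS = [
    ("web-01", "cve-2019-16278 ", False),  # sloppy casing and whitespace
    ("web-02", "CVE-2019-16278", True),    # already updated, must not be listed
    ("mig-01", "CVE-2024-5910", False),
    ("app-07", "CVE-0000-00000", False),   # placeholder ID, not in the catalog
    ("app-08", "not-a-cve", False),        # malformed scanner output
]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def normalize(cve):
    """Return the canonical upper-case CVE ID, or None if it is malformed."""
    cve = cve.strip().upper()
    return cve if CVE_RE.match(cve) else None

def kev_exposure(kev_json, findings, today):
    """Unpatched findings that appear in the KEV catalog, earliest due date first."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    hits = []
    for host, raw, patched in findings:
        cve = normalize(raw)
        if cve is None or patched or cve not in kev:
            continue
        due = date.fromisoformat(kev[cve]["dueDate"])
        hits.append({"host": host, "cve": cve, "product": kev[cve]["product"],
                     "due": due, "overdue": today > due})
    return sorted(hits, key=lambda h: (h["due"], h["host"]))

if __name__ == "__main__":
    for h in kev_exposure(KEV_JSON, FINDINGS, date(2099, 1, 7)):
        print(h["host"], h["cve"], h["product"], "due", h["due"],
              "OVERDUE" if h["overdue"] else "")
```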

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.