Attacked vulnerabilities: FortiClient, Kemp Loadmaster, PAN-OS, VMware vCenter

Criminals are currently attacking partially unpatched vulnerabilities in FortiClient, Kemp Loadmaster, PAN-OS and VMware vCenter.


There is currently an increasing number of attacks on security vulnerabilities in widespread software and hardware. Manufacturers or authorities have issued new warnings about attacks observed in the wild on vulnerabilities in FortiClient, Kemp Loadmaster, PAN-OS and VMware vCenter.

The US IT security authority CISA, for example, warns that two vulnerabilities in Palo Alto Networks PAN-OS are being actively abused (CVE-2024-0012, CVE-2024-9474). These vulnerabilities had already caused some excitement in recent days. Updates to close the gaps are apparently available now; on Monday this was not yet the case. In addition, malicious actors are attacking a code-injection vulnerability in the Kemp Loadmaster load balancer for which they do not even require authentication (CVE-2024-1212, CVSS 10.0, risk "critical"). The manufacturer Progress already published software updates to close the gap in February.

Broadcom closed two security gaps in VMware vCenter Server with an update in September. One of them is considered critical and allows attackers to inject malicious code from the network. The second vulnerability allows attackers to escalate their privileges in the system. This is exactly what cyber criminals are currently doing. In the security announcement, Broadcom writes in an update dated Monday of this week: "VMware by Broadcom confirms that active exploitation has occurred in the wild for CVE-2024-38812". The manufacturer repeats the same for the CVE-2024-38813 vulnerability. There was also a further problem: the September updates did not sufficiently patch the vulnerabilities. The developers therefore released updated patches on October 21. IT managers who installed the update before this date and think they are safe should still take action and apply the correct fix.


A warning about a security vulnerability in Fortinet's Windows VPN client FortiClient was issued at the weekend. While analyzing malware in July of this year, IT security researchers from Volexity discovered a vulnerability in FortiClient 7.4.0. The VPN client retains access data in the process memory even after authentication in the VPN. The suspected Chinese attackers abused this zero-day vulnerability in the Southeast Asian region. "Volexity reported the vulnerability to Fortinet on July 18, 2024, and Fortinet confirmed the issue on July 24, 2024. At the time of notification, the issue remains unresolved and Volexity has no knowledge of an assigned CVE vulnerability number," the researchers wrote on November 15. To protect themselves, admins should block the indicators of compromise (IoCs) that Volexity has collected. The IT researchers also provide YARA rules that IT managers can use.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.