Overview

Microsoft have released their monthly security update addressing multiple vulnerabilities in multiple products, which could allow a malicious threat actor to take control of an affected system. The update contains three critical vulnerabilities:

  • CVE-2024-21364: Affecting Azure Site Recovery, this critical vulnerability allows code execution that escalates privileges for unauthorised users, who could then discover MySQL root passwords.
  • CVE-2024-21401: Affecting Jira Servers, this critical vulnerability can be exploited by running a script to access targeted servers over the internet.
  • CVE-2024-214132: Affecting Microsoft Office 2016, this critical vulnerability can be exploited by attackers to gain high privilege access, including read, write and delete functions.

Microsoft have also reported a critical privilege-escalation flaw (CVE-2024-21410) in Exchange Server. There has been evidence of exploitation by cyber-attackers. An attacker could target an NTLM client, such as Outlook, with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed against the Exchange Server to gain privileges as the victim client and to perform operations on the Exchange Server on the victim's behalf.

Adobe have released security updates addressing multiple vulnerabilities for Commerce and Magento, Substance 3D Painter, Acrobat Reader, FrameMaker Publishing Server, Audition and Substance 3D Designer. We recommend you review the link below and navigate to the service you use to review specific actions.

SolarWinds has released security updates addressing five vulnerabilities in Access Rights Manager (ARM):

  • CVE-2024-23476: A path-traversal vulnerability with a CVSS score of 9.6.
  • CVE-2024-23479: A path-traversal vulnerability with a CVSS score of 9.6.
  • CVE-2024-40057: A de-serialisation of untrusted data vulnerability with a CVSS score of 8.0.
  • CVE-2024-23478: A de-serialisation of untrusted data vulnerability with a CVSS score of 8.0.
  • CVE-2024-23477: A remote code execution vulnerability with a CVSS score of 7.9.

ConnectWise have released a critical security update addressing 2 vulnerabilities in ScreenConnect deployments. CWE-288 is classified as critical, with a base score of 10, and is an authentication bypass that makes use of an alternate path or channel. CWE-22 is classified as high, with a base score of 8.4, and is a path traversal vulnerability, making use of improper limitation of a pathname to a restricted directory.

Mozilla have released security updates addressing multiple vulnerabilities found in their products. Each update mentions a collection of vulnerabilities, ranging from low risk to critical. Both Firefox 123 and ESR 115.8 are affected, along with Thunderbird 115.8. If you or your company are using these products, we recommend reviewing the security updates below for steps on how to proceed.

Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Microsoft February 2024 Security Update

Microsoft – Advisory: Microsoft Exchange Server vulnerability

Adobe CISA Recommendations

SolarWinds Security Advisories

ConnectWise Security Bulletin

Mozilla – Firefox 123 and ESR 115.8, and Thunderbird 115.8

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
