Here are the CVE updates for the week of December 16th through the 22nd.
Critical Severity Vulnerabilities
JNDI Injection Vulnerability in Databricks JDBC Driver | CVE-2024-49194
Description: CVE-2024-49194 is a vulnerability in Databricks JDBC Driver versions prior to 2.6.40 that allows potential Remote Code Execution (RCE) via JNDI injection. The flaw lies in the improper handling of the krbJAASFile parameter in JDBC URL properties. An attacker could exploit it by crafting a malicious connection URL and tricking a victim into connecting with it, triggering the execution of arbitrary code within the driver's context.
Potential Impacts:
- Remote Code Execution (RCE): Attackers could execute arbitrary commands or malicious code on the target system.
- Data Compromise: Unauthorized access or tampering with sensitive data managed by the Databricks JDBC Driver.
- Supply Chain Risk: Secondary exploitation of connected systems and services relying on the vulnerable driver.
Mitigation Recommendations:
- Update the Driver: Upgrade to Databricks JDBC Driver version 2.6.40 or later, where this vulnerability is patched.
- Validate URLs: Ensure strict validation and sanitization of JDBC URLs to prevent injection attacks.
- Restrict Network Access: Limit access to services using the Databricks JDBC Driver to trusted systems and users.
- Disable JNDI Lookups (if applicable): Review the configuration to prevent insecure JNDI lookups within the driver.
- User Awareness: Educate users and administrators about the risks of using untrusted or crafted JDBC URLs.
- Monitor Logs: Implement logging and monitoring to detect and respond to suspicious connection attempts.
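What "strict validation and sanitization of JDBC URLs" can look like in practice, as an added example that is not part of this advisory and not Databricks' code: the connection URL is parsed and every property name is checked against an application-controlled allowlist, so a driver-internal setting such as krbJAASFile can only come from trusted application configuration, never from a URL handed in by a caller. It goes one step beyond the single parameter named above by also rejecting any allowlisted property whose value names an external resource (ldap:, rmi:, file: and similar). The `jdbc:databricks://host:port/schema;key=value` layout, the case-insensitive property matching, the allowlist contents and the sample URLs are assumptions constructed for the example, and Python is used for the string check although the driver itself is Java.

```python
"""Allowlist validation of JDBC connection URLs before they reach the driver.

Added example, not Databricks or advisory code.  Assumed URL layout:
    jdbc:<subprotocol>://<host>[:<port>]/<schema>;<key>=<value>;...
Property names are compared case-insensitively (assumption), and the
allowlist below is constructed for the example.
"""
import re
from urllib.parse import unquote

# Properties the application itself needs.  Anything else (including driver
# internals such as krbJAASFile) is rejected, so such settings can only be
# supplied from trusted application configuration, never from a caller's URL.
ALLOWED_PROPERTIES = {"transportmode", "ssl", "httppath", "authmech", "uid", "pwd"}

# Values that name an external resource (JNDI/LDAP/RMI/DNS lookups, files).
# No ordinary connection property needs one, so treat them as hostile.
EXTERNAL_REF = re.compile(r"^\s*(ldap|ldaps|rmi|dns|iiop|jndi|file)\s*:", re.IGNORECASE)

# Plain DNS labels or an IPv4 literal; bracketed IPv6 literals are deliberately
# not accepted by this simple pattern (assumption for the example).
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")


def parse_jdbc_url(url):
    """Split a JDBC URL into (subprotocol, host, port, schema, properties)."""
    if not url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    subprotocol, sep, rest = url[len("jdbc:"):].partition("://")
    if not sep or not subprotocol:
        raise ValueError("missing subprotocol or '://'")
    location, _, prop_str = rest.partition(";")
    authority, _, schema = location.partition("/")
    host, _, port = authority.partition(":")
    props = {}
    for item in filter(None, prop_str.split(";")):
        key, eq, value = item.partition("=")
        if not eq or not key.strip():
            raise ValueError(f"malformed property {item!r}")
        key = key.strip().lower()
        if key in props:
            raise ValueError(f"duplicate property {key!r}")  # no last-one-wins ambiguity
        props[key] = value.strip()
    return subprotocol.lower(), host, port, schema, props


def validate_jdbc_url(url, allowed=ALLOWED_PROPERTIES, subprotocol="databricks"):
    """Return (True, "ok") if the URL is acceptable, else (False, reason)."""
    try:
        proto, host, port, _schema, props = parse_jdbc_url(url)
    except ValueError as exc:
        return False, str(exc)
    if proto != subprotocol:
        return False, f"unexpected subprotocol {proto!r}"
    if not HOSTNAME.fullmatch(host):
        return False, f"host {host!r} is not a plain hostname"
    if port and not port.isdigit():
        return False, f"port {port!r} is not numeric"
    for key, value in props.items():
        if key not in allowed:
            return False, f"property {key!r} is not on the allowlist"
        # Check the value as written and after percent-decoding, in case the
        # driver decodes it (assumption) and an encoded scheme would slip past.
        if EXTERNAL_REF.match(value) or EXTERNAL_REF.match(unquote(value)):
            return False, f"property {key!r} points at an external resource"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; warehouse.example.com is a placeholder host.
    for candidate in (
        "jdbc:databricks://warehouse.example.com:443/default;transportMode=http;ssl=1;httpPath=/sql/1.0/warehouses/abc123;AuthMech=3",
        "jdbc:databricks://warehouse.example.com:443/default;transportMode=http;krbJAASFile=/tmp/jaas.conf",
        "jdbc:databricks://warehouse.example.com/default;httpPath=ldap://lookup.example/cfg",
    ):
        print(validate_jdbc_url(candidate), candidate)
```

The check rejects rather than sanitises: a URL with an unknown property is refused outright instead of being rewritten, which keeps the decision auditable and avoids guessing how the driver would interpret a partially stripped string.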
Cleo Multiple Products Unauthenticated File Upload Vulnerability | CVE-2024-55956
Description: CVE-2024-55956 is a severe command injection vulnerability in Cleo Harmony, VLTrader, and LexiCom versions prior to 5.8.0.24. An unauthenticated attacker can abuse the default settings of the Autorun directory to import and execute arbitrary Bash or PowerShell commands on the host system. The vulnerability is particularly dangerous because it gives attackers control over the system without requiring authentication.
Potential Impacts:
- Arbitrary Command Execution: Attackers can run malicious commands, compromising system integrity.
- Data Breach: Unauthorized access to sensitive files and data stored on the affected host.
- Malware Deployment: Exploitation can lead to the installation of ransomware or other malicious payloads.
- System Takeover: Attackers may gain full control over the host, escalating privileges and moving laterally across the network.
- Service Disruption: Systems may become unavailable due to resource exhaustion or deliberate sabotage.
Mitigation Recommendations:
- Immediate Updates: Upgrade to Cleo Harmony, VLTrader, and LexiCom version 5.8.0.24 or later to address the vulnerability.
- Restrict Autorun Directory Usage: Disable or tightly control the Autorun directory functionality if not required for operations. Apply strict permissions to prevent unauthorized access.
- Authentication Enforcement: Ensure that all features, especially those that can execute commands, are accessible only to authenticated and authorized users.
- System Hardening: Limit the execution of scripts and commands to specific trusted users and environments. Implement application whitelisting to block unauthorized scripts.
- Monitor for Exploitation: Regularly review logs for unusual or unauthorized use of the Autorun directory.
- Network Isolation: Segregate critical systems running Cleo software from the broader network to limit the scope of potential attacks.
- Incident Response Planning: Prepare to identify, isolate, and remediate affected systems promptly if exploitation is detected.
Reolink RLC-410W IP Camera OS Command Injection Vulnerability | CVE-2021-40407
Description: CVE-2021-40407 is an OS command injection vulnerability in the device network settings functionality of the Reolink RLC-410W (version 3.0.0.136_20121102). It resides in the handling of the ddns->domain variable, which receives input from the domain parameter of the SetDdns API. Insufficient validation of this input allows attackers to inject OS commands, potentially compromising the device. The vulnerability can be triggered by sending a crafted HTTP request to the affected API endpoint.
Potential Impacts:
- Remote Code Execution (RCE): Attackers can execute arbitrary OS commands, potentially gaining full control over the device.
- System Compromise: Exploitation may lead to data theft, surveillance, or device malfunction.
- Network Infiltration: Compromised devices may serve as entry points for broader attacks on connected networks.
- Service Disruption: Attackers could render the device inoperable by executing destructive commands.
Mitigation Recommendations:
- Apply Firmware Updates: Update the Reolink RLC-410W firmware to the latest version where the vulnerability is patched.
- Input Validation: Reolink should ensure proper sanitization and validation of user inputs in the SetDdns API to prevent command injection.
- Restrict API Access: Limit access to the API endpoints through network segmentation or firewall rules, ensuring only trusted users or systems can connect.
- Authentication Requirements: Enforce strong authentication mechanisms for accessing network settings and APIs.
- Monitor Network Activity: Regularly check logs for unusual API calls or system behavior indicative of exploitation attempts.
- Disable Unused Services: Turn off DDNS or other unnecessary services that expose the API if not required.
- Isolate Vulnerable Devices: Segregate cameras from sensitive parts of the network and use VLANs to limit exposure.
NUUO NVRmini 2 Devices Missing Authentication Vulnerability | CVE-2022-23227
Description: CVE-2022-23227 is a critical vulnerability affecting NUUO NVRmini2 through version 3.11. Because of the insecure implementation of handle_import_user.php, an unauthenticated attacker can upload an encrypted TAR archive that creates arbitrary users. When combined with CVE-2011-5325, the attacker can overwrite arbitrary files under the web root directory, ultimately achieving remote code execution with root privileges.
Potential Impacts:
- Unauthorized Access: Attackers can create privileged user accounts, enabling them to access and control the system.
- Remote Code Execution (RCE): Exploitation allows the execution of arbitrary commands as root, leading to full system compromise.
- File Manipulation: Critical system files or application files can be overwritten, disrupting normal operations or introducing malicious functionality.
- Persistent Threat: Attackers can establish a backdoor or persistent presence within the system.
Mitigation Recommendations:
- Upgrade Firmware: Update to the latest NUUO NVRmini2 firmware version where the vulnerability is addressed.
- Restrict Network Access: Use a firewall to limit access to the NVR’s web interface, allowing only trusted IPs.
- Input Validation and Authentication: Developers should enforce strict authentication for the handle_import_user.php endpoint and validate all file uploads.
- Disable Unused Features: If the handle_import_user.php feature is not essential, disable it to reduce the attack surface.
- Monitor System Activity: Implement logging and monitoring to detect unauthorized user creation or suspicious file changes.
- Network Segmentation: Place the NVR on a separate VLAN to limit potential lateral movement from a compromised device.
NUUO NVRmini Devices OS Command Injection Vulnerability | CVE-2018-14933
Description: CVE-2018-14933 is a vulnerability in the upgrade_handle.php script on NUUO NVRmini devices. Improper input validation of the uploaddir parameter allows a remote attacker to execute arbitrary commands: by injecting shell metacharacters into the uploaddir field during the writeuploaddir command, an attacker can run arbitrary shell commands on the device.
Potential Impacts:
- Remote Command Execution (RCE): An attacker can execute arbitrary shell commands on the NVRmini device, potentially compromising the entire system.
- System Control: Full control over the device, allowing attackers to modify configurations, disable services, or gain access to sensitive data.
- Data Loss or Corruption: Exploitation may lead to the loss, corruption, or unauthorized access to surveillance data and system files.
- Compromise of Security: The attacker could exploit the device for lateral movement within a network, potentially compromising other connected systems.
Mitigation Recommendations:
- Firmware Update: Apply the latest firmware patch provided by NUUO to resolve the vulnerability in the upgrade_handle.php script.
- Input Sanitization: Ensure proper validation and sanitization of the uploaddir parameter to prevent the execution of shell metacharacters.
- Restrict Network Access: Limit the device’s web interface to trusted IPs and ensure it is not exposed to the internet unless necessary.
- Disable Unnecessary Functionality: If the upgrade_handle.php script is not required, consider disabling or removing it to minimize exposure.
- Implement Intrusion Detection: Use intrusion detection systems (IDS) to monitor network traffic and log suspicious attempts to exploit this vulnerability.
Command Injection Vulnerability in PRA and RS Products | CVE-2024-12356
Description: CVE-2024-12356 is a critical vulnerability in the Privileged Remote Access (PRA) and Remote Support (RS) products. It allows an unauthenticated attacker to inject malicious commands that execute with the permissions of a site user. Improper input handling in the affected components leads to unauthorized command execution, potentially compromising the integrity and security of the system.
Potential Impacts:
- Remote Command Execution: An attacker can inject and execute arbitrary commands, gaining unauthorized control of the system.
- Privilege Escalation: By exploiting this vulnerability, the attacker could leverage site user permissions to access sensitive files and configurations.
- Data Compromise: Exploitation may result in the theft, corruption, or unauthorized modification of sensitive information.
- Network Breach: Once the attacker gains access, they may pivot to other systems within the network, leading to further compromise.
- Service Disruption: The execution of malicious commands could disrupt critical remote access and support services.
Mitigation Recommendations:
- Apply Patches: Update PRA and RS products to the latest version, ensuring all security patches addressing CVE-2024-12356 are applied.
- Input Validation: Enhance input validation and sanitization mechanisms in the affected components to block malicious payloads.
- Restrict Network Access: Limit access to the PRA and RS interfaces to trusted networks and authenticated users only.
- Monitor System Activity: Implement logging and monitoring to detect unusual command execution or access patterns.
- Implement Firewalls: Use network firewalls to restrict unauthorized access and block suspicious activity targeting vulnerable endpoints.
- Regular Security Audits: Conduct regular reviews of system configurations and logs to identify and remediate potential vulnerabilities.
High Severity Vulnerabilities
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | CVE-2024-35250: a high-severity vulnerability in the Windows Kernel-Mode Driver, specifically within the Microsoft Kernel Streaming Service (MSKSSRV.SYS). The flaw allows a local attacker to gain SYSTEM privileges by exploiting an untrusted pointer dereference. It is particularly concerning because it has low attack complexity and requires no user interaction, making it an appealing target for attackers.
Improper Access Control Vulnerability in Adobe ColdFusion | CVE-2024-20767: an Improper Access Control vulnerability affecting Adobe ColdFusion versions 2023.6, 2021.12, and earlier. It allows attackers to read arbitrary files on the file system and potentially access or modify restricted files. The vulnerability can be exploited without user interaction but requires the ColdFusion administrative panel to be exposed to the internet.
Reolink Multiple IP Cameras OS Command Injection Vulnerability | CVE-2019-11001: an OS command injection vulnerability in Reolink devices, including the RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W models, up to firmware version 1.0.227. The issue resides in the TestEmail functionality, where an authenticated administrator can inject and execute OS commands as root by embedding shell metacharacters in the addr1 field, gaining root-level control over the device.
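The three command-injection entries above (the Reolink SetDdns domain parameter, the NUUO uploaddir parameter and the Reolink TestEmail addr1 field) share the same monitoring recommendation: watch request logs for API calls whose parameters carry shell metacharacters. The following is an added example of that detection, not vendor code and not part of this digest. It parses access-log lines, percent-decodes the watched parameters (twice, so a double-encoded value is inspected in the form the device would see) and reports any that contain characters a hostname, e-mail address or directory name never needs. The log layout, the request paths, the `cmd=` markers and every sample line are assumptions constructed for the example; real device logs differ, so LOG_RE and WATCHED must be adapted to what the devices actually emit.

```python
"""Flag web-API requests whose watched parameters carry shell metacharacters.

Added example, not vendor code.  The access-log layout (common log format with
a quoted request line), the request paths and the parameter names are
assumptions constructed for this example.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Sink parameters named in the advisories, keyed by a substring of the request
# target that identifies the call (the markers are assumptions).
WATCHED = {
    "cmd=SetDdns": {"domain"},            # Reolink RLC-410W, CVE-2021-40407
    "cmd=TestEmail": {"addr1"},           # Reolink cameras, CVE-2019-11001
    "upgrade_handle.php": {"uploaddir"},  # NUUO NVRmini, CVE-2018-14933
}

# Characters that let a value escape into a shell; none of them belongs in a
# hostname, an e-mail address or a directory name.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# <src> <ident> <user> [<timestamp>] "<method> <target> <protocol>" <status> ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_line(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line this parser understands
    target = m.group("target")
    for marker, params in WATCHED.items():
        if marker not in target:
            continue
        query = urlsplit(target).query
        # parse_qsl decodes once; unquote again so a double-encoded payload
        # (%253B -> %3B -> ;) is inspected as the device would decode it.
        for key, raw in parse_qsl(query, keep_blank_values=True):
            if key not in params:
                continue
            value = unquote(raw)
            if SHELL_META.search(value):
                return {"src": m.group("src"), "ts": m.group("ts"),
                        "sink": marker, "param": key, "value": value}
    return None


def scan(lines):
    """Scan an iterable of log lines and return every finding, in order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample lines; 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Dec/2024:10:01:02 +0000] "POST /cgi-bin/api.cgi?cmd=SetDdns&domain=cam.example.net HTTP/1.1" 200 87',
    '192.0.2.10 - - [18/Dec/2024:10:01:09 +0000] "POST /cgi-bin/api.cgi?cmd=SetDdns&domain=cam.example.net%3Btest HTTP/1.1" 200 87',
    '192.0.2.44 - - [18/Dec/2024:10:02:31 +0000] "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%2Ftmp%2Fx%60test%60 HTTP/1.1" 200 12',
    '192.0.2.44 - - [18/Dec/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.77 - admin [18/Dec/2024:10:05:15 +0000] "POST /cgi-bin/api.cgi?cmd=TestEmail&addr1=admin%2540example.com%257Ctest HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['src']} {finding['sink']} "
              f"{finding['param']}={finding['value']!r}")
```

Because the check runs on decoded values, an attempt hidden behind percent-encoding is reported in the same form as a plain one; the benign SetDdns call and the unrelated page fetch produce no finding. Where the device logs request bodies rather than query strings, the same decode-then-match step applies to the body parameters.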
Medium Severity Vulnerabilities
Keycloak Configuration Vulnerability Exposing Sensitive Information | CVE-2024-10973: a vulnerability in Keycloak where the environment option KC_CACHE_EMBEDDED_MTLS_ENABLED fails to take effect, so the JGroups replication configuration falls back to plain text. An attacker on an adjacent network with access to JGroups traffic can intercept and read sensitive information, potentially leading to data exposure.