CISA Alert Highlights for February 13, 2024
How are Vulnerabilities Rated?
The latest cybersecurity vulnerabilities released by CISA, in conjunction with the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), concern Fortinet, Cisco, and VMware products. These product vulnerabilities, including the Fortinet FortiOS Out-of-Bound Write Vulnerability, the Cisco Expressway Series cross-site request forgery vulnerabilities, and the VMware Aria Operations for Networks local privilege escalation, have all been rated as high-risk per the criteria listed below.
These vulnerabilities are identified using the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized by severity, as determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
CISA Vulnerabilities for February 13, 2024
Vendor/Product: Fortinet FortiOS Out-of-Bound Write Vulnerability
Description: An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.
Published Date: 02/09/2023
CVSS Score: 9.8
Source: CVE-2024-21762
Patch Info: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. PSIRT | FortiGuard (fortinet.com)
Vendor/Product: Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities
Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.
Description: Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device.
Impact: This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts.
Published Date: 02/12/2024
CVSS Score: 9.6
Source: CVE-2024-202542
Patch Info: Security Vulnerability Policy (cisco.com). There are no workarounds that address this vulnerability.
Vendor/Product: Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities
Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.
Description: A vulnerability in the API of the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a CSRF attack on an affected system.
Impact: This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include overwriting system configuration settings, which could prevent the system from processing calls properly and result in a denial of service (DoS) condition.
Published Date: 02/12/2024
CVSS Score: 9.6
Source: CVE-2024-20254
Patch Info: Security Vulnerability Policy (cisco.com). There are no workarounds that address this vulnerability.
Vendor/Product: Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities
Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices.
Description: A vulnerability in the API of the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct a CSRF attack on an affected system.
Impact: This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the API to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include overwriting system configuration settings, which could prevent the system from processing calls properly and result in a denial of service (DoS) condition.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Published Date: 02/12/2024
CVSS Score: 8.2
Source: CVE-2024-20255
Patch Info: Security Vulnerability Policy (cisco.com). There are no workarounds that address this vulnerability.
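The three Cisco entries above all describe the same root cause: a state-changing management request is accepted on the strength of the browser-attached session cookie alone. The added example below (not Cisco's code; the API path, cookie name, `SITE_ORIGIN` value and in-memory session store are constructed for illustration) shows that weak check next to a hardened one that requires a per-session synchronizer token and a matching `Origin`, and runs both against a legitimate request and a cross-site one.

```python
# Added example: weak vs. hardened CSRF check for a web management API.
# Not code from Cisco or the alert; every name and value here is constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}                   # read-only; no CSRF token needed
SITE_ORIGIN = "https://mgmt.example.internal"               # constructed origin of our own UI
SESSIONS: dict = {}                                         # session id -> {"user", "csrf"}; constructed store


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would hand it to a handler."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate UI embeds in its forms or sends as X-CSRF-Token."""
    return SESSIONS[sid]["csrf"]


def weak_is_authorized(req: Request) -> bool:
    """Weak: only the session cookie is checked. Browsers attach cookies to
    cross-site requests too, so a link on any other site can drive this API."""
    return req.cookies.get("session") in SESSIONS


def hardened_is_authorized(req: Request) -> bool:
    """Hardened: session cookie AND (for state-changing methods) a same-site
    Origin/Referer AND a synchronizer token that matches the session's token."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return False
    if req.method in SAFE_METHODS:
        return True
    # Check 1: request must originate from our own UI. Fail closed if absent.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False
    o = urlsplit(origin)
    if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
        return False
    # Check 2: token bound to this session, compared in constant time.
    supplied = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), session["csrf"].encode())


def demo() -> dict:
    """Run both checks against a legitimate request and a cross-site one."""
    sid = login("admin")
    legit = Request("POST", "/api/config",
                    headers={"Origin": SITE_ORIGIN, "X-CSRF-Token": csrf_token_for(sid)},
                    cookies={"session": sid}, form={"setting": "value"})
    # Cross-site request: the victim's cookie rides along, but no token and a foreign Origin.
    cross_site = Request("POST", "/api/config",
                         headers={"Origin": "https://other-site.example"},
                         cookies={"session": sid}, form={"setting": "value"})
    return {
        "weak_accepts_cross_site": weak_is_authorized(cross_site),
        "hardened_accepts_cross_site": hardened_is_authorized(cross_site),
        "hardened_accepts_legit": hardened_is_authorized(legit),
    }


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but the server-side token check is the one the application controls and should not be dropped in favour of it. Note that the hardened check deliberately fails closed when neither `Origin` nor `Referer` is present.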
Vendor/Product: VMware Aria Operations for Networks (formerly vRealize Network Insight)
Description: Aria Operations for Networks contains a local privilege escalation vulnerability.
Impact: A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain root access to the system.
Published Date: 02/09/2024
CVSS Score: 7.8
Source: CVE-2024-22237