CISA Alerts: June 14, 2024 – CISA Adds Three Known Exploited Vulnerabilities


CISA Adds Three Known Exploited Vulnerabilities

How are Vulnerabilities Rated?

This week’s CISA advisories report covers three Known Exploited Vulnerabilities added to CISA’s catalog. They affect three widely used products: the firmware in Google Pixel phones, Microsoft Windows, and Progress Telerik Report Server.

These vulnerabilities are identified using the Common Vulnerabilities and Exposures (CVE) naming standard and are organized by severity as determined by the Common Vulnerability Scoring System (CVSS). Under the CVSS v3.x qualitative scale used in this report, the severity bands correspond to the following base scores:

  • Critical: vulnerabilities with a CVSS base score of 9.0–10.0
  • High: vulnerabilities with a CVSS base score of 7.0–8.9
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.1–3.9 (a score of 0.0 is rated None)

The three entries are summarized below.

Vendor/Product:  Android Pixel (Google devices)

Description:

Android Pixel Privilege Escalation Vulnerability (Firmware)

Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation. Google did not expand on specific details of the zero-day, mentioning it only briefly in the Pixel security bulletin: “There are indications that CVE-2024-32896 may be under limited, targeted exploitation.”

Impact: 

A logic error in the firmware code makes a bypass possible. This could lead to local escalation of privilege with no additional execution privileges needed; user interaction is required for exploitation.

Source: CVE-2024-32896

Max Severity:  High

CVSS Score: 7.8

Mitigation:

For Google devices, security patch levels of 2024-06-05 or later address all issues in the June 2024 Pixel Update Bulletin and all issues in the June 2024 Android Security Bulletin. To learn how to check a device’s security patch level, see Google’s “Check and update your Android version” help page.

All supported Google devices will receive an update to the 2024-06-05 patch level. Google advises all customers to accept these updates to their devices.

Vendor/Product:  Microsoft Windows

Description:

Windows Error Reporting Service Elevation of Privilege Vulnerability

A flaw in the Windows Error Reporting Service allows a local, authenticated attacker to gain elevated privileges on the system. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.

Impact: 

A local attacker who already has code execution as a standard user can run arbitrary code as SYSTEM and thereby take full control of the machine.

Source: CVE-2024-26169

Max Severity:  High

CVSS Score: 7.8

Mitigation:

Microsoft has released a security update that addresses this vulnerability and strongly recommends applying it as soon as possible. The update is listed in the Microsoft Security Response Center advisory for CVE-2024-26169.

Vendor/Product:  Progress Telerik Report Server

Description:

Authentication Bypass by Spoofing Vulnerability

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

Impact: 

An unauthenticated attacker can reach Report Server functionality that should require a valid login, bypassing the product’s authentication controls.

Source: CVE-2024-4358

Max Severity:  Critical

CVSS Score: 9.8

Mitigation:

Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability; no workaround is available. The Progress Telerik team strongly recommends upgrading to the latest version. All customers who have a Telerik Report Server license can access the downloads under Product Downloads in Your Account.

If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
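As an added example (not part of the CISA, Google, or Progress advisories), the following Python script applies the two fix thresholds stated above, the 2024-06-05 Pixel security patch level for CVE-2024-32896 and the 10.1.24.514 Report Server build for CVE-2024-4358, to an inventory of assets. On a Pixel the patch level can be read with `adb shell getprop ro.build.version.security_patch`; the Telerik version is whatever your asset inventory records for the server. The asset names, the 9.2.24.130 build, and the inventory list are constructed for illustration. The example also shows why the Telerik version must be compared numerically: as strings, "9.2.24.130" sorts after "10.1.24.514", so a naive string comparison would mark an old build as already patched.

```python
"""Flag assets still exposed to the two vulnerabilities whose fix thresholds
the advisory states:
  - Pixel devices below security patch level 2024-06-05 (CVE-2024-32896)
  - Telerik Report Server builds below 10.1.24.514 (CVE-2024-4358);
    2024 Q1 (10.0.24.305) and earlier are vulnerable.
The inventory below is constructed sample data, not real hosts.
"""
from __future__ import annotations

from datetime import date
from typing import List, NamedTuple, Tuple

PIXEL_FIXED_PATCH_LEVEL = date(2024, 6, 5)   # from the June 2024 Pixel bulletin
TELERIK_FIXED_VERSION = (10, 1, 24, 514)     # Report Server 2024 Q2


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.24.305' into (10, 0, 24, 305) so comparison is numeric.
    Comparing the raw strings would rank '9.2.24.130' above '10.1.24.514'."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_patch_level(text: str) -> date:
    """Android exposes the patch level as ro.build.version.security_patch,
    formatted YYYY-MM-DD, which date.fromisoformat parses directly."""
    return date.fromisoformat(text.strip())


def pixel_is_vulnerable(patch_level: str) -> bool:
    """True when the device has not yet reached the 2024-06-05 patch level."""
    return parse_patch_level(patch_level) < PIXEL_FIXED_PATCH_LEVEL


def telerik_is_vulnerable(version: str) -> bool:
    """True for any Report Server build older than 2024 Q2 (10.1.24.514)."""
    return parse_version(version) < TELERIK_FIXED_VERSION


class Asset(NamedTuple):
    name: str
    kind: str   # "pixel" or "telerik"
    value: str  # security patch level for pixel, product version for telerik


def find_exposed(assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (asset name, CVE) pairs for assets below the fixed threshold."""
    exposed = []
    for asset in assets:
        if asset.kind == "pixel" and pixel_is_vulnerable(asset.value):
            exposed.append((asset.name, "CVE-2024-32896"))
        elif asset.kind == "telerik" and telerik_is_vulnerable(asset.value):
            exposed.append((asset.name, "CVE-2024-4358"))
    return exposed


# Constructed sample inventory (hypothetical names and values).
SAMPLE_ASSETS = [
    Asset("pixel-ops-01", "pixel", "2024-05-05"),
    Asset("pixel-ops-02", "pixel", "2024-06-05"),
    Asset("pixel-ops-03", "pixel", "2024-07-05"),
    Asset("rpt-prod-a", "telerik", "10.0.24.305"),
    Asset("rpt-prod-b", "telerik", "10.1.24.514"),
    Asset("rpt-legacy", "telerik", "9.2.24.130"),  # made-up older build
]

if __name__ == "__main__":
    for name, cve in find_exposed(SAMPLE_ASSETS):
        print(f"{name}: still exposed to {cve}")
```

The 2024-06-05 and 10.1.24.514 thresholds are the only two facts the script takes from the advisories; everything else is scaffolding you would replace with your own inventory source. The Windows entry is not included because the advisory text above gives no build or KB threshold to compare against.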

If you suspect you may have a vulnerability that you need help to mitigate, the Spry Squared cybersecurity team is standing by.