Typically, these vulnerabilities result in remote code execution or denial-of-service attacks, posing major dangers to users' data security.
Multiple Vulnerabilities Discovered in LG WebOS Smart TVs. Type of vulnerability: Authorization bypass, privilege escalation, command injection.
The problem: Bitdefender researchers discovered four vulnerabilities in LG WebOS smart TVs that allowed unauthorized access and control.
The problem: The Shadowserver Foundation found approximately 16,000 internet-exposed Ivanti VPN appliances that could be affected by CVE-2024-21894, a high-severity heap overflow vulnerability that allows remote code execution.
This vulnerability exists in all supported versions of Ivanti Connect Secure and Policy Secure.
The fix: On April 2, Ivanti provided fixes to address this problem and three other vulnerabilities.
Ivanti encourages all users to update their instances with the most recent software fixes to reduce the risks associated with CVE-2024-21894 and other vulnerabilities.
The problem: Microsoft performed a significant patch that addresses at least 150 vulnerabilities, with a focus on CVE-2024-29990, which affects Azure Kubernetes Service confidential containers.
The exploit has a CVSS severity of 9/10. This significant vulnerability allows unauthenticated attackers to take complete control of Azure Kubernetes clusters, allowing them to steal credentials and compromise sensitive containers.
The problem: Fortinet has released updates for several vulnerabilities, including a major remote code execution problem in FortiClientLinux.
This vulnerability enables unauthenticated remote attackers to execute arbitrary code via a code injection flaw.
Type of vulnerability: Denial-of-service, firewall disruption, data processing vulnerability.
The problem: Palo Alto Networks announced PAN-OS patches that addressed many critical vulnerabilities that might interrupt firewalls.
CVE-2024-3383 is another severe vulnerability that affects user access control via Cloud Identity Engine data processing.
The fix: Palo Alto Networks' update resolved these vulnerabilities involving decryption, user impersonation, and third-party components.
Type of vulnerability: Command injection, remote code execution.
The problem: Another Palo Alto Networks' incident last week disclosed a significant zero-day vulnerability, CVE-2024-3400, in PAN-OS software's GlobalProtect gateway.
This vulnerability allows unauthenticated attackers to run arbitrary code with root access.
While both cases involve vulnerabilities in Palo Alto Networks' PAN-OS software, the first incident focuses on high-severity vulnerabilities, such as denial-of-service problems, whilst the second incident exposes a severe zero-day vulnerability that allows remote code execution.
The problem: On April 9, rumors circulated about a zero-day vulnerability in Telegram's Windows app that enabled the automated running of Python programs.
This Cyber News was published on www.esecurityplanet.com. Publication date: Mon, 15 Apr 2024 22:13:04 +0000