Cybersecurity
VMware Releases Security Advisory for Multiple Products
VMware released a security advisory to address multiple vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following VMware security advisory and apply the necessary updates:
CISA Updates Toolkit to Promote Public Safety Communications and Cyber Resiliency
CISA and Partners Coordinate on Security and Resilience for Super Tuesday
Delta Electronics CNCSoft-B
1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Delta Electronics
- Equipment: CNCSoft-B
- Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Delta Electronics products are affected:
- CNCSoft-B: Versions 1.0.0.4 and prior
3.2 Vulnerability Overview
3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
Delta Electronics CNCSoft-B versions 1.0.0.4 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.
CVE-2024-1941 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
Natnael Samson (@NattiSamson) working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.
4. MITIGATIONS
Delta recommends users update to CNCSoft-B V 1.0.0.4 with Issue Date 2024-01-23 or later.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- February 29, 2024: Initial Publication
CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities
Today, CISA and the following partners released the joint Cybersecurity Advisory Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways:
- Federal Bureau of Investigation (FBI)
- Multi-State Information Sharing & Analysis Center (MS-ISAC)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
- New Zealand National Cyber Security Centre (NCSC-NZ)
- CERT-New Zealand (CERT NZ)
The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. Additionally, the advisory describes two key CISA findings:
- The Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it, and
- A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.
The advisory provides cyber defenders with detection methods and indicators of compromise (IOCs) as well as mitigation guidance to defend against this activity. Note: As exploitation is ongoing as of publication of this advisory, CISA will provide updates to the Additional Resources list below as they are made available.
CISA and its partners urge cyber defenders to review this advisory and consider the significant risk of cyber threat actor access to, and persistence on, Connect Secure and Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
Additional Resources
- Organizations using these devices should assume a threat actor is maintaining persistence and lying dormant for a period before conducting malicious actions. For more on this specific technique, see Identifying and Mitigating Living Off the Land Techniques.
- CISA has issued Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities as well as corresponding Supplemental Direction to ED 24-01 to federal agencies.
- IBM: Widespread exploitation of recently disclosed Ivanti vulnerabilities
- Akamai: Scanning Activity for CVE-2024-22024 (XXE) Vulnerability in Ivanti
- Rapid7 AttackerKB: CVE-2024-21893, CVE-2024-21887, CVE-2024-22024, CVE-2023-46805
- Orange Cyberdefense: Ivanti Connect Secure: Journey to the core of the DSLog backdoor
- Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- WatchTowr: Ivanti Connect Secure CVE-2024-22024 – Are We Now Part Of Ivanti?
- Mandiant: Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation, Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
- Grey Noise: Ivanti Connect Secure Exploited to Install Cryptominers
- Ivanti: KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Palo Alto Networks Unit 42: Threat Brief: Multiple Ivanti Vulnerabilities
- GitHub: CSIRTs Network – Exploitation of Ivanti Connect Secure and Ivanti Policy Secure Gateway Zero-Days
Cisco Releases Security Advisories for Cisco NX-OS Software
Cisco released security advisories to address vulnerabilities affecting Cisco NX-OS Software. A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition.
CISA encourages users and administrators to review the following advisories and apply the necessary updates:
- Cisco NX-OS Software MPLS Encapsulated IPv6 Denial of Service Vulnerability
- Cisco NX-OS Software External Border Gateway Protocol Denial of Service Vulnerability
CISA, FBI, and MS-ISAC Release Advisory on Phobos Ransomware
Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Phobos Ransomware, to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) drawn from incident response investigations tied to Phobos ransomware activity as recent as February 2024.
Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars.
CISA, the FBI, and MS-ISAC encourage critical infrastructure organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage and the updated #StopRansomware Guide.