
How to find VMware vCenter assets on your network

Latest vCenter vulnerabilities

Broadcom has issued a security advisory for VMware vCenter indicating that CVE-2024-38812, one of the two vulnerabilities disclosed on the 17th of September, 2024, and fully patched by October 21, is under active exploitation in the wild.

This vulnerability has a CVSS score of 9.8, which is rated critical.

What is the impact?

An attacker with remote access to a vulnerable system could send specially crafted requests that could trigger a heap-overflow and result in remote code execution or privilege escalation into root.

Are updates or workarounds available?

Broadcom has issued patches to resolve both vulnerabilities. Reference the Response Matrix section of the advisory for the appropriate fixed version to apply in your environment.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:vCenter

CVE-2024-38812 and CVE-2024-38813 (September 2024)

Broadcom has issued a security advisory for two vulnerabilities that affect VMware vCenter, a component of both the VMware vSphere and VMware Cloud Foundation products.

  • CVE-2024-38812 is rated critical with a CVSS score of 9.8 and potentially allows for remote code execution.
  • CVE-2024-38813 is rated high with a CVSS score of 7.5 and can result in privilege escalation to root.

What is the impact?

An attacker with remote access to a vulnerable system could send specially crafted requests that could trigger a heap-overflow and result in remote code execution or privilege escalation into root.

Are updates or workarounds available?

Broadcom has issued patches to resolve both vulnerabilities. Reference the Response Matrix section of the advisory for the appropriate fixed version to apply in your environment.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:vCenter


About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Fortinet assets on your network

Latest Fortinet vulnerabilities 

Fortinet has issued advisories for its FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, and FortiOS products.

  • CVE-2023-50176, detailed in FG-IR-23-475, is rated high with a CVSS score of 7.1 and may allow an unauthenticated attacker to hijack a user session.
  • CVE-2024-23666, detailed in FG-IR-23-396, is rated high with a CVSS score of 7.1 and may allow an authenticated read-only user to execute “sensitive operations”.

What is the impact?

CVE-2024-23666, which affects FortiAnalyzer and FortiManager products, requires that an attacker (or malicious user) is authenticated to the system. A read-only user can potentially execute sensitive operations through crafted requests, bypassing the client-side enforcement in the web interface. CVE-2023-50176, which affects the SSLVPN component of FortiOS, is a session fixation vulnerability that allows an unauthenticated attacker to hijack an authenticated user’s session via a “phishing SAML authentication link”.

Are updates or workarounds available?

The vendor has released patches for all affected products. They recommend following the upgrade path using their upgrade tool.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager OR hw:FortiAnalyzer OR os:FortiOS

March 2024

On March 12th, 2024, Fortinet disclosed several vulnerabilities in their FortiOS, FortiProxy, and FortiClient products:

  • FG-IR-23-328 – a buffer overflow vulnerability in the handling of form-based authentication in the FortiOS and FortiProxy captive portals, allowing remote, unauthenticated attackers to execute arbitrary code. Two CVE identifiers have been assigned, CVE-2023-42789 and CVE-2023-42790, both with a CVSS score of 9.3 (critical).

  • FG-IR-24-007 – a SQL injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been designated CVE-2023-48788, and has been given a CVSS score of 9.8 (critical).

  • FG-IR-23-390 – a log injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been assigned CVE-2023-47534 and a CVSS score of 7.7 (high).

  • FG-IR-23-103 – a remote code execution vulnerability in the FortiManager product. This vulnerability has been designated CVE-2023-36554 with a CVSS score of 7.7 (high). Note that the vulnerable subsystem is not installed by default.

  • FG-IR-23-013 – an information disclosure vulnerability in the FortiGuard SSL-VPN product. This vulnerability has been designated CVE-2024-23112 and given a CVSS score of 7.2 (high).

Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary code on the vulnerable system or disclose privileged information. Fortinet released updates to mitigate this issue and all users were urged to update immediately.

How to find FortiOS, FortiProxy or FortiClient operating systems

From the Asset Inventory, use the following query to locate assets running the FortiOS or FortiProxy operating systems, which may be vulnerable:

os:"FortiOS" OR os:"FortiProxy"

Additionally, from the Services Inventory, use the following query to locate potentially vulnerable systems:

html.title:="FortiClient Endpoint Management Server"

CVE-2024-21762 (February 2024)

On February 8th, 2024, Fortinet disclosed a serious vulnerability in their FortiOS operating system, used by multiple Fortinet products.

The issue, CVE-2024-21762, allows attackers to execute arbitrary code on vulnerable devices. The vendor rates it as critical and reports indications that it may be actively exploited in the wild. Upon successful exploitation, attackers could execute arbitrary code on the vulnerable system.

Fortinet released an update to mitigate this issue and all users were urged to update immediately. Additionally, the vendor indicated that disabling the SSL-VPN functionality of the device would mitigate the issue.

How to find FortiOS devices

From the Asset Inventory, use the following query to locate assets running the FortiOS operating system which may potentially be vulnerable:

os:"FortiOS" AND tcp:443

CVE-2022-40684 (October 2022)

News surfaced in October 2022 of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests could provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.

With a critical CVSS score of 9.6, attackers running admin-level commands on compromised assets may have had the ability to maintain persistence, explore connected internal networks, and exfiltrate data. At the time, Fortinet was aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices potentially running vulnerable FortiOS. Additionally, security researchers with Horizon3.ai planned on publishing an exploit PoC. For admins wanting to check whether a FortiOS/FortiProxy/FortiSwitchManager asset had been exploited, Fortinet provides an indicator of compromise (see the “Exploitation Status” section of the advisory).

Fortinet called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and had made updates available for affected products. Admins were advised to ensure that affected models were updated to the latest version as soon as possible. If updates could not be completed in the near term, Fortinet provided some mitigation steps (see the “Workaround” section) that could be taken to secure vulnerable assets.

How to find FortiOS, FortiProxy, and FortiSwitchManager assets

From the Asset Inventory, runZero users entered the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets:

os:FortiOS or product:FortiProxy or product:FortiSwitchManager


How to find FortiManager instances on your network

Latest FortiManager vulnerability 

Fortinet has issued an advisory for its FortiManager product. The vendor confirms that this vulnerability is being actively exploited in the wild.

This vulnerability has been designated CVE-2024-47575 and has been assigned a CVSS score of 9.8 (critical).

Note that this vulnerability is the same one discussed in an earlier version of this blog post, prior to vendor confirmation.

What is the impact?

The vulnerability allows remote code execution by an attacker upon connection to a FortiManager instance. Attackers need a valid Fortinet device certificate, but such a certificate can be obtained from an existing Fortinet device and reused.

Successful exploitation is reported to allow remote code execution, potentially leading to total compromise of the vulnerable system.

The vendor has released a list of indicators of compromise (IOCs); users are encouraged to use this list to determine if a system has been successfully attacked.

Are updates or workarounds available?

The vendor has released updates and mitigation strategies to address this issue, and the vendor advises users to update as quickly as possible. Mitigation strategies include disabling the affected service and denying registration to systems with unknown serial numbers.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager


How to find SolarWinds Web Help Desk services on your network

Latest SolarWinds vulnerability (CVE-2024-28987)

According to the US Cybersecurity and Infrastructure Security Agency (CISA), a critical hardcoded password vulnerability within SolarWinds’ Web Help Desk software is actively being exploited and was added to their Known Exploited Vulnerability (KEV) catalog.

  • CVE-2024-28987 is rated critical with a CVSS score of 9.1, allowing unauthorized access by a remote attacker.

What is the impact?

A remote attacker has the ability to log in to a vulnerable system using hardcoded credentials, providing access to internal information with the ability to modify the data.

Are updates or workarounds available?

According to the security advisory issued by SolarWinds, systems running “WHD 12.8.3 HF1 and all previous versions” of the Web Help Desk software are affected. Organizations are recommended to manually apply the hot fix released by SolarWinds to remove the hardcoded credentials from the software.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_service.product:="SolarWinds:Web Help Desk:"


How to find Palo Alto Network firewalls running PAN-OS

Latest Palo Alto Networks vulnerabilities 

Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

  • CVE-2024-9463 is rated critical with a CVSS score of 9.9; it is an OS command injection vulnerability that potentially allows execution of OS commands as root.
  • CVE-2024-9464 is rated critical with a CVSS score of 9.3; it is an OS command injection vulnerability that potentially allows execution of OS commands as root.
  • CVE-2024-9465 is rated critical with a CVSS score of 9.2; it is a SQL injection vulnerability that potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
  • CVE-2024-9466 is rated high with a CVSS score of 8.2 and potentially allows an authenticated user to read sensitive information including passwords and API keys.
  • CVE-2024-9467 is rated high with a CVSS score of 7.0; it is an XSS vulnerability that potentially allows execution of malicious JavaScript code that could result in session hijacking.

What is the impact?

If chained together in an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks published a detailed analysis.

According to the vendor, there is no known malicious exploitation of vulnerable systems at this time.

Are updates or workarounds available?

According to Palo Alto Networks, “The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.” They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.

How to find potentially vulnerable PAN-OS systems with runZero

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

CVE-2024-3400

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software have a vulnerability that allows for remote command injection.

CVE-2024-3400 is rated critical with a CVSS score of 9.8, meaning that an unauthenticated attacker can execute arbitrary code with root privileges on the firewall. The vendor indicates that there is evidence of limited exploitation in the wild.

watchTowr has posted a detailed analysis including the details needed for exploitation. This analysis covers two separate vulnerabilities: an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that leads to remote execution through the telemetry script. PAN has updated their guidance to state that “Disabling device telemetry is no longer an effective mitigation”.

What is the impact?

The following PAN-OS versions are affected by this vulnerability.

Version        Affected        Unaffected
PAN-OS 11.1    < 11.1.2-h3     >= 11.1.2-h3 (hotfix ETA: By 4/14)
PAN-OS 11.0    < 11.0.4-h1     >= 11.0.4-h1 (hotfix ETA: By 4/14)
PAN-OS 10.2    < 10.2.9-h1     >= 10.2.9-h1 (hotfix ETA: By 4/14)

Palo Alto Networks indicates that PAN-OS 11.1, 11.0, and 10.2 versions are affected when configured with both a GlobalProtect gateway and device telemetry enabled.

Customers can verify this by checking for gateway entries in the firewall web interface (Network > GlobalProtect > Gateways) and checking whether device telemetry is enabled (Device > Setup > Telemetry).
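Turning the version table above into a check over an exported inventory needs a comparison that understands the hotfix suffix: 11.1.2-h2 is below 11.1.2-h3, and 11.1.2 with no hotfix is below both. The Python below is an added illustration, not Palo Alto Networks' or runZero's code. It encodes the three fixed versions from the table, parses PAN-OS version strings, and applies the GlobalProtect gateway precondition from the advisory. The hostnames, version strings and the `globalprotect_gateway` field are constructed for the example. Telemetry state is deliberately not used to lower a host's priority, because the vendor's updated guidance quoted earlier says disabling telemetry is no longer an effective mitigation.

```python
import re

# Fixed versions from the advisory table on this page: anything below is affected.
FIXED_VERSIONS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# major.minor.patch with an optional "-hN" hotfix suffix, e.g. "10.2.9-h1"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, hotfix); no hotfix sorts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def version_status(text):
    """'affected' or 'unaffected' per the table; 'not-listed' for release trains it does not cover."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "affected" if version < parse_version(fixed) else "unaffected"


def triage(asset):
    """Combine the version check with the GlobalProtect gateway precondition.

    Telemetry state is intentionally ignored: the vendor's updated guidance says
    disabling telemetry is no longer an effective mitigation.
    """
    status = version_status(asset["pan_os"])
    if status != "affected":
        return status
    if not asset.get("globalprotect_gateway", False):
        return "affected-version-no-gateway"
    return "exposed"


# Constructed sample inventory (hostnames and versions are made up for this example).
PAN_INVENTORY = [
    {"host": "fw-edge-1", "pan_os": "10.2.8-h3", "globalprotect_gateway": True},
    {"host": "fw-edge-2", "pan_os": "11.1.2-h3", "globalprotect_gateway": True},
    {"host": "fw-dc-1",   "pan_os": "11.0.4",    "globalprotect_gateway": True},
    {"host": "fw-lab",    "pan_os": "11.0.3",    "globalprotect_gateway": False},
    {"host": "fw-old",    "pan_os": "10.1.11",   "globalprotect_gateway": True},
]


def exposed_hosts(inventory=PAN_INVENTORY):
    """Hosts to patch first: affected version with a GlobalProtect gateway configured."""
    return [a["host"] for a in inventory if triage(a) == "exposed"]


if __name__ == "__main__":
    for asset in PAN_INVENTORY:
        print(f"{asset['host']:10} {asset['pan_os']:10} {triage(asset)}")
```

Note that "not-listed" is returned for release trains the table does not mention (10.1 in the sample) rather than "unaffected"; the table only speaks for 11.1, 11.0 and 10.2, so other trains should be checked against the vendor advisory directly.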

Are updates or workarounds available?

Palo Alto Networks indicates that customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

It is also recommended that telemetry be disabled until devices can be upgraded to an unaffected version of PAN-OS.

How runZero users found potentially vulnerable PAN-OS systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:"PAN-OS"
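Each section on this page hands the reader a single runZero search string (product:vCenter, hw:FortiManager OR hw:FortiAnalyzer OR os:FortiOS, os:"FortiOS" AND tcp:443, html.title:="FortiClient Endpoint Management Server", _service.product:="SolarWinds:Web Help Desk:", os:"PAN-OS") without spelling out how the terms combine. The script below, added here as an illustration and not runZero's own search code, evaluates those same strings over a small constructed inventory. It assumes a simplified version of the search semantics: `field:value` is a case-insensitive contains match, `field:=value` is an exact match, `tcp:` compares open port numbers exactly, adjacent terms are ANDed, and AND binds tighter than OR. The inventory records, their field names and their values are constructed for this example, with service-level attributes flattened onto the asset record.

```python
import re

# Tokenizer for the query strings used on this page.  The grammar is a
# simplification assumed for this example, not runZero's own parser.
TOKEN_RE = re.compile(
    r"""
    (?P<field>[A-Za-z_][\w.]*)     # field name, e.g. os, hw, html.title, _service.product
    (?P<op>:=|:)                   # := exact match, : case-insensitive contains match
    (?P<value>"[^"]*"|\S+)         # quoted value (may contain spaces) or a bare word
    |
    (?P<bool>\b(?:AND|OR)\b)       # boolean operators; AND is also implied between terms
    """,
    re.VERBOSE | re.IGNORECASE,
)


def parse_query(query):
    """Parse a query into OR-ed groups, each a list of AND-ed (field, op, value) terms."""
    groups = [[]]
    pos = 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unparseable query at offset {pos}: {query[pos:]!r}")
        pos = m.end()
        if m.group("bool") is not None:
            if m.group("bool").upper() == "OR":
                groups.append([])          # start a new OR alternative
            continue                       # an explicit AND changes nothing
        value = m.group("value")
        if value.startswith('"'):
            value = value[1:-1]            # strip the quotes, keep inner spaces
        groups[-1].append((m.group("field").lower(), m.group("op"), value))
    groups = [g for g in groups if g]      # drop empties left by stray operators
    if not groups:
        raise ValueError("query contains no search terms")
    return groups


def field_values(asset, field):
    """Return the strings an asset exposes under a field; tcp is the list of open ports."""
    if field == "tcp":
        return [str(p) for p in asset.get("tcp_ports", [])]
    value = asset.get(field)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def term_matches(asset, field, op, value):
    candidates = field_values(asset, field)
    if op == ":=" or field == "tcp":       # exact match; ports never use substring matching
        return value in candidates
    needle = value.lower()
    return any(needle in c.lower() for c in candidates)


def asset_matches(asset, query):
    return any(all(term_matches(asset, *term) for term in group) for group in parse_query(query))


# Constructed sample inventory (not real hosts).  Service attributes such as
# html.title and _service.product are flattened onto the asset to keep it small.
INVENTORY = [
    {"id": "a1", "os": "FortiOS 7.2.4", "hw": "FortiGate 100F", "product": "FortiGate", "tcp_ports": [443, 541]},
    {"id": "a2", "os": "FortiOS 7.0.12", "hw": "FortiGate 60F", "product": "FortiGate", "tcp_ports": [22]},
    {"id": "a3", "os": "Linux", "hw": "FortiManager 300G", "product": "FortiManager", "tcp_ports": [443, 541]},
    {"id": "a4", "os": "PAN-OS 10.2.7", "hw": "PA-440", "product": "PAN-OS", "tcp_ports": [443]},
    {"id": "a5", "os": "Photon OS", "hw": "VMware Virtual Machine", "product": "VMware vCenter Server", "tcp_ports": [443, 5480]},
    {"id": "a6", "os": "Windows Server 2019", "hw": "Dell PowerEdge", "product": "IIS", "tcp_ports": [443],
     "html.title": "FortiClient Endpoint Management Server"},
    {"id": "a7", "os": "Windows Server 2022", "hw": "Dell PowerEdge", "product": "Apache Tomcat", "tcp_ports": [8081],
     "_service.product": "SolarWinds:Web Help Desk:"},
]


def search(query, inventory=INVENTORY):
    """Return the ids of inventory records matching the query, in inventory order."""
    return [a["id"] for a in inventory if asset_matches(a, query)]


if __name__ == "__main__":
    for q in ('product:vCenter',
              'hw:FortiManager OR hw:FortiAnalyzer OR os:FortiOS',
              'os:"FortiOS" AND tcp:443',
              'html.title:="FortiClient Endpoint Management Server"'):
        print(f"{q:58} -> {search(q)}")
```

The difference between the two operators is the practical point: product:vCenter finds "VMware vCenter Server" because it is a contains match, while product:="vCenter" finds nothing, which is why the exact-match form on this page is only used with the full banner or product string it is meant to match.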

