Unpatched MS Office Vulnerability Leads to Potential Data Breaches
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities reported across multiple platforms. Recent incidents include four chainable vulnerabilities in OpenVPN, a root-level remote code execution flaw in OpenSSH on FreeBSD, a publicly disclosed but still unpatched Microsoft Office vulnerability that could expose sensitive information, a browser weakness that exposes local services to remote code execution on macOS and Linux devices, and a large malware campaign targeting Chrome and Edge users. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Security Researchers Discover Four Chainable Vulnerabilities in OpenVPN
Security researchers have identified four medium-severity vulnerabilities in the open-source OpenVPN software which, when chained together, can lead to remote code execution (RCE) and local privilege escalation (LPE). The issues were found during a security review of the software and affect several components, including the openvpnserv service and the Windows TAP driver. Although each flaw is only medium severity on its own, the combination lets an attacker gain full control of a targeted endpoint, which raises the risk of data breaches and unauthorized access.
The identified vulnerabilities are CVE-2024-27459, a stack overflow in openvpnserv that causes a denial of service (DoS) and LPE on Windows; CVE-2024-24974, which permits unauthorized interaction with the openvpnserv named pipe; CVE-2024-27903, a weakness in the plugin-loading mechanism that leads to RCE on Windows and to LPE and data manipulation on other platforms; and CVE-2024-1305, a memory overflow in the Windows TAP driver that causes a DoS. To mitigate these threats, organizations should update OpenVPN to version 2.5.10 or 2.6.10 or later (the releases that contain the fixes), disconnect OpenVPN clients from the internet where possible, segment them within the network, restrict client access to authorized users only, enforce strong passwords, and limit write permissions on client installations.
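The first question an administrator asks after an advisory like this is whether the installed build is one of the fixed releases. The following script, added here as an example and not code from the OpenVPN project, parses the banner line that `openvpn --version` prints and classifies it against the fixed releases named above (2.5.10 and 2.6.10). The banner lines in SAMPLE_BANNERS are constructed, and the treatment of branches newer than 2.6 as carrying the fix is an assumption to verify against the vendor changelog.

```python
"""Classify an OpenVPN build against the releases that fix CVE-2024-27459,
CVE-2024-24974, CVE-2024-27903 and CVE-2024-1305.

Added example for this advisory, not code from the OpenVPN project. Fixed
versions (2.5.10 and 2.6.10) are taken from the advisory; SAMPLE_BANNERS are
constructed lines in the shape `openvpn --version` prints on its first line.
"""
import re
import shutil
import subprocess

# First fixed release on each supported branch (from the advisory).
FIXED = {(2, 5): (2, 5, 10), (2, 6): (2, 6, 10)}
NEWEST_FIXED_BRANCH = max(FIXED)

# Windows installer versions such as "2.6.10-I001" still match the core triple.
_VERSION_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)\.(\d+)")

SAMPLE_BANNERS = [  # constructed
    "OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]",
    "OpenVPN 2.6.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO]",
    "OpenVPN 2.5.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]",
    "OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]",
]


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None if unrecognised."""
    m = _VERSION_RE.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess(banner):
    """Classify a banner line.

    'patched'       -> supported branch, at or after the fixed release
    'vulnerable'    -> supported branch, below the fixed release
    'unsupported'   -> branch older than 2.5: no fix was shipped, treat as vulnerable
    'newer-branch'  -> branch newer than 2.6; assumed to carry the fix (verify
                       against the changelog, this is an assumption of the example)
    'unknown'       -> banner not recognised
    """
    version = parse_version(banner)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED:
        # Tuple comparison is numeric, so (2, 6, 9) < (2, 6, 10) as intended.
        return "patched" if version >= FIXED[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "newer-branch"
    return "unsupported"


def assess_installed(binary="openvpn"):
    """Run the locally installed binary and classify its banner; None if not installed."""
    path = shutil.which(binary)
    if path is None:
        return None
    # Some builds exit non-zero after printing the version, so do not use check=True.
    out = subprocess.run([path, "--version"], capture_output=True, text=True)
    first_line = out.stdout.splitlines()[0] if out.stdout else ""
    return assess(first_line)


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{assess(banner):13s} {banner.split()[1]}")
    print("installed:", assess_installed())
```

On a fleet, feed the first line of `openvpn --version` from each host into `assess()`; anything other than `patched` needs the update or the network restrictions listed above.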
2. Microsoft Discloses Unpatched Office Vulnerability Leading to Potential Data Breaches
Microsoft has disclosed a still-unpatched vulnerability in Office, CVE-2024-38200, rated CVSS 7.5, that could expose sensitive information. Classified as a spoofing flaw, it affects Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365 Apps for Enterprise. In the attack scenario described by Microsoft, the attacker hosts a specially crafted file on a compromised website or sends a link to it through phishing; the user must open the file, so user interaction is required. The mitigations Microsoft lists indicate that the information at risk is the user’s NTLM authentication data, which the crafted file can cause Office to send to an attacker-controlled server. A permanent patch is scheduled for August 13th as part of Patch Tuesday, while an interim fix delivered through Feature Flighting already protects in-support versions of Office and Microsoft 365. Although Microsoft assesses exploitation as “Less Likely,” it advises restricting outgoing NTLM traffic to remote servers, adding high-value users to the Protected Users security group (which blocks NTLM authentication for those accounts), and blocking outbound TCP 445/SMB at the perimeter and on endpoints until the final patch is applied.
3. Massive Malware Campaign Strikes 300,000 Users via Chrome and Edge Extensions
A large-scale malware campaign is targeting Google Chrome and Microsoft Edge users, luring them to fake websites that imitate downloads of popular software. The trojanized installers then plant malicious browser extensions that hijack search results and steal sensitive data; more than 300,000 users are reported to be affected. Once installed, the extensions cannot be disabled from the browser’s extension settings, and they route the user’s search queries through attacker-controlled servers.
To clean an infected system, remove the scheduled task the malware creates for persistence, delete the registry keys it adds, and remove its files and folders. Then reinstall or reset the affected browsers, run a full security scan, and keep browsers and security software up to date so that all traces of the malware are removed and reinfection is prevented.
4. Browser Flaw Exposes Local Services to RCE on macOS and Linux Devices
A weakness dubbed “0.0.0.0 Day” has been identified in the major web browsers, including Google Chrome, Mozilla Firefox and Apple Safari. It allows a malicious website to send requests to services running on the visitor’s own machine by addressing them as 0.0.0.0, an address the browsers’ local-network protections do not cover, which can lead to unauthorized access to those services and, where a service executes what it receives, to remote code execution.
The problem stems from inconsistent security implementations across browsers and the lack of a standard that covers this address. It has been known since a browser bug report filed in 2006 and affects macOS and Linux, where the operating system delivers traffic sent to 0.0.0.0 to the local host; Windows devices are not affected because Windows blocks the address at the OS level. By targeting 0.0.0.0 instead of localhost or 127.0.0.1, an attacker can reach local services that the browser would otherwise shield, and any service that acts on unauthenticated HTTP requests, such as a development server that executes what it is sent, becomes a path to arbitrary code execution.
To protect local applications, implement Private Network Access (PNA) headers and answer the browser’s PNA preflight only for trusted origins, validate the Host header against an allowlist of loopback names to defeat DNS rebinding, serve over HTTPS, and require CSRF tokens on state-changing requests. More generally, treat loopback and local-network listeners with the same caution as internet-facing ones and add at least basic authorization to them.
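The mitigations above are easiest to understand as one request gate in front of a loopback-bound service. The block below is an added example for this advisory, not code from any browser vendor or from the researchers who reported the issue: it applies literal Host-header validation (which also stops DNS rebinding, since the attacker-controlled name never matches), answers the Private Network Access preflight only for trusted origins, and demands a per-session CSRF token on state-changing requests. The port 8080, the trusted origins, the token and every request in SAMPLE_REQUESTS are constructed. HTTPS and basic authentication belong in the TLS terminator and auth layer in front of this code and are not modelled.

```python
"""Request gate for a service bound to the loopback interface.

Added example for this advisory (not vendor or researcher code). Applies the
three checks a local service can do itself: Host allowlist, PNA preflight
handling, CSRF token. Origins, port and sample requests are constructed.
"""
import hmac
from http import HTTPStatus

# Names an honest client uses to reach a loopback service. 0.0.0.0 is
# deliberately absent: no legitimate page addresses the service that way.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Origins allowed to call the service: its own UI (constructed port 8080).
TRUSTED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def host_is_local(host_header):
    """Strip an optional :port and accept only loopback names.
    The value is compared literally and never resolved, so '0.0.0.0' and a
    rebinding name that currently points at 127.0.0.1 are both rejected."""
    if not host_header:
        return False
    if host_header.startswith("["):              # bracketed IPv6 literal
        host = host_header.split("]", 1)[0] + "]"
    else:
        host = host_header.rsplit(":", 1)[0]     # whole string when no port
    return host.lower() in ALLOWED_HOSTS


def gate_request(method, headers, session_csrf_token=None):
    """Return (status, extra_response_headers) for one request.
    `headers` is the request header dict; `session_csrf_token` is the token the
    server issued to this client's session (None when there is no session)."""
    h = {k.lower(): v for k, v in headers.items()}
    if not host_is_local(h.get("host")):
        return HTTPStatus.FORBIDDEN, {}
    origin = h.get("origin")
    # PNA preflight: the browser asks whether a page from `origin` may talk to a
    # private-network address. Say yes only for origins we trust.
    if method == "OPTIONS" and h.get("access-control-request-private-network") == "true":
        if origin in TRUSTED_ORIGINS:
            return HTTPStatus.NO_CONTENT, {
                "Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Private-Network": "true",
                "Vary": "Origin",
            }
        return HTTPStatus.FORBIDDEN, {}
    # Browsers attach Origin to cross-site and to all non-GET requests; refuse
    # anything that did not come from the service's own UI.
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return HTTPStatus.FORBIDDEN, {}
    # State-changing requests must also carry the per-session CSRF token.
    if method not in SAFE_METHODS:
        sent = h.get("x-csrf-token")
        if not (session_csrf_token and sent and hmac.compare_digest(sent, session_csrf_token)):
            return HTTPStatus.FORBIDDEN, {}
    return HTTPStatus.OK, {}


TOKEN = "c0ffee-session-token"  # constructed
SAMPLE_REQUESTS = [  # constructed: (label, method, headers, session token)
    ("0.0.0.0 Day: page on evil.example posts to http://0.0.0.0:8080/run", "POST",
     {"Host": "0.0.0.0:8080", "Origin": "http://evil.example"}, None),
    ("DNS rebinding: attacker name now resolves to 127.0.0.1", "GET",
     {"Host": "rebind.evil.example:8080"}, None),
    ("PNA preflight from an untrusted page", "OPTIONS",
     {"Host": "127.0.0.1:8080", "Origin": "http://evil.example",
      "Access-Control-Request-Private-Network": "true"}, None),
    ("PNA preflight from the service's own UI", "OPTIONS",
     {"Host": "127.0.0.1:8080", "Origin": "http://localhost:8080",
      "Access-Control-Request-Private-Network": "true"}, None),
    ("Legitimate POST with matching CSRF token", "POST",
     {"Host": "localhost:8080", "Origin": "http://localhost:8080", "X-CSRF-Token": TOKEN}, TOKEN),
    ("Same-origin POST missing the CSRF token", "POST",
     {"Host": "[::1]:8080", "Origin": "http://localhost:8080"}, TOKEN),
]


def run_samples():
    """Return the HTTP status each constructed request receives."""
    return [int(gate_request(m, hdrs, tok)[0]) for _, m, hdrs, tok in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (label, *_), status in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{status}  {label}")
```

The first two sample requests are the attack itself and its DNS-rebinding cousin; both die on the Host check before any other logic runs, which is the point of checking the header literally rather than resolving it.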
5. CVE-2024-7589: Vulnerability in OpenSSH Allows RCE on FreeBSD Systems
The FreeBSD Project has released security patches for a critical vulnerability in its OpenSSH, tracked as CVE-2024-7589, that allows an unauthenticated remote attacker to execute code as root. The flaw, rated 8.1 on CVSSv3, is a race condition in sshd(8): when a client fails to authenticate within LoginGraceTime (120 seconds by default), a signal handler fires and calls a logging function that is not safe to invoke from a signal handler.
The issue is a variant of the earlier regreSSHion bug (CVE-2024-6387) and arises from FreeBSD’s integration of blacklistd into sshd. All supported FreeBSD releases are affected; the fixes are in 14.1-RELEASE-p3, 14.0-RELEASE-p9 and 13.3-RELEASE-p5. Administrators should update immediately using the freebsd-update utility or by applying the source patches, and must restart sshd afterwards for the fix to take effect. As an interim workaround, setting LoginGraceTime to 0 in sshd_config disables the timeout and with it the vulnerable code path, at the cost of leaving sshd more exposed to denial-of-service from connections that never complete authentication.
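Applying the LoginGraceTime workaround has a trap: sshd uses the first occurrence of a keyword and ignores later ones, so appending `LoginGraceTime 0` to the end of a file that already sets the value changes nothing. The audit below, added here as an example and not FreeBSD or OpenSSH project code, reproduces that rule (plus whole-line `#` comments, case-insensitive keywords, the optional `=` separator, and the fact that LoginGraceTime is not permitted inside a Match block) to report the effective value. The sample configurations are constructed; the default of 120 seconds and the time-suffix syntax are those documented for sshd_config(5).

```python
"""Report the effective LoginGraceTime of an sshd_config, to verify the
CVE-2024-7589 workaround (LoginGraceTime 0) actually took effect.

Added example for this advisory, not FreeBSD/OpenSSH code. sshd semantics
relied on: whole-line '#' comments, case-insensitive keywords, 'Keyword value'
or 'Keyword=value', FIRST occurrence of a keyword wins, unset means the
compiled-in default of 120 seconds. Sample configs below are constructed.
"""
import re
import sys

DEFAULT_LOGIN_GRACE = 120  # seconds, sshd's compiled-in default
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Parse sshd's time format ('120', '2m', '1h30m') into seconds."""
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", value, re.I):
        raise ValueError(f"not an sshd time value: {value!r}")
    return sum(int(n) * _UNITS[u.lower()] for n, u in re.findall(r"(\d+)([smhdw]?)", value, re.I))


def effective_login_grace(config_text):
    """Return (seconds, line_number) of the effective LoginGraceTime.
    line_number is None when the keyword is absent and the default applies.
    Scanning stops at the first Match block: LoginGraceTime is not allowed
    there, so a value placed after Match is a configuration error, not a fix."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd treats only whole lines as comments
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "logingracetime" and len(parts) == 2:
            return parse_time(parts[1].strip()), lineno   # first occurrence wins
    return DEFAULT_LOGIN_GRACE, None


def workaround_applied(config_text):
    """True when the effective LoginGraceTime is 0 (timeout disabled)."""
    return effective_login_grace(config_text)[0] == 0


# Constructed configurations.
SAMPLE_DEFAULT = "# LoginGraceTime left at its default\nPermitRootLogin no\n"
SAMPLE_MITIGATED = "# first occurrence wins\nLoginGraceTime 0\nLoginGraceTime 2m\n"
SAMPLE_APPENDED_TOO_LATE = "LoginGraceTime 2m\nPermitRootLogin no\nLoginGraceTime 0\n"
SAMPLE_AFTER_MATCH = "Match User alice\n    PasswordAuthentication no\nLoginGraceTime 0\n"


def report(config_text):
    """One-line human-readable verdict for a configuration."""
    secs, lineno = effective_login_grace(config_text)
    where = f"line {lineno}" if lineno else "default (keyword absent)"
    verdict = "workaround applied" if secs == 0 else "timeout active, apply patch or set LoginGraceTime 0 first"
    return f"LoginGraceTime={secs}s from {where}: {verdict}"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path, encoding="utf-8", errors="replace") as fh:
        print(report(fh.read()))
```

On the host itself, `sshd -T | grep -i logingracetime` prints the value sshd will actually use and is the authoritative check after editing; the script is for auditing configuration files collected from many systems. Either way, the workaround is a stopgap: the fix is the patched release followed by a restart of sshd.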
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.