overview

This week the Apache Software Foundation shipped security updates for the Apache Tomcat web server software and Apache Traffic Control.  
 
Tracked as CVE-2024-56337 (Tomcat) and CVE-2024-45387 (Traffic Control) respectively, these vulnerabilities are high severity and would allow attackers to gain high-level control within an environment or remotely execute code.

CVE-2024-56337 is a Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat, potentially leading to remote code execution. It affects versions 9.0.0.M1–9.0.97, 10.1.0-M1–10.1.33, and 11.0.0-M1–11.0.1. The flaw arises from an incomplete mitigation of CVE-2024-50379, exposing systems with specific configurations. To mitigate, upgrade to Apache Tomcat 9.0.99, 10.1.35, or 11.0.3. Ensure appropriate configurations, particularly for systems using Java Security Manager. Validate that web applications are not inadvertently exposing privileged operations and review logs for suspicious activities. Implement general security practices, including limiting unnecessary file system access and enforcing robust network controls, to reduce exposure. 

CVE-2024-45387 is an SQL injection vulnerability in Apache Traffic Control's Traffic Ops component, affecting versions 8.0.0–8.0.1. It allows privileged users with roles like "admin" or "steering" to execute arbitrary SQL commands via crafted PUT requests, potentially compromising the database and exposing sensitive information. To mitigate, upgrade to Apache Traffic Control version 8.0.2 or later. Restrict access to privileged roles and enforce the principle of least privilege. Regularly audit and monitor system logs for suspicious activity. Employ web application firewalls (WAFs) to detect and block malicious SQL queries, and ensure robust input validation to prevent exploitation.
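As an added example (not from the advisory, Avertium or Apache), the following Python checker encodes the affected and fixed versions stated above for both CVEs and flags inventory entries whose installed version still falls inside an affected range. Tomcat milestone builds (9.0.0.M1, 10.1.0-M1) sort before the matching GA release; the inventory format and hostnames are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges and fixed versions exactly as stated in the advisory above:
# (first affected, last affected, fixed version to upgrade to)
ADVISORIES = {
    "CVE-2024-56337": [          # Apache Tomcat
        ("9.0.0.M1", "9.0.97", "9.0.99"),
        ("10.1.0-M1", "10.1.33", "10.1.35"),
        ("11.0.0-M1", "11.0.1", "11.0.3"),
    ],
    "CVE-2024-45387": [          # Apache Traffic Control (Traffic Ops)
        ("8.0.0", "8.0.1", "8.0.2"),
    ],
}

# a.b.c, a.b.c.Mn (Tomcat 9 style) or a.b.c-Mn (Tomcat 10/11 style)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key (major, minor, patch, is_ga, milestone).
    is_ga is 0 for milestones and 1 for GA, so 9.0.0.M1 < 9.0.0 < 9.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def affected_by(cve: str, installed: str) -> Optional[str]:
    """Fixed version to upgrade to if `installed` lies inside an affected
    range for `cve`, or None when it is outside every stated range."""
    key = parse_version(installed)
    for first, last, fixed in ADVISORIES[cve]:
        if parse_version(first) <= key <= parse_version(last):
            return fixed
    return None

def check_fleet(inventory) -> List[Tuple[str, str, str, str]]:
    """inventory: iterable of (host, cve, version); returns unpatched hosts."""
    return [(h, c, v, affected_by(c, v)) for h, c, v in inventory
            if affected_by(c, v) is not None]

if __name__ == "__main__":
    sample = [  # constructed sample inventory, not real hosts
        ("tomcat-01", "CVE-2024-56337", "9.0.97"),
        ("tomcat-02", "CVE-2024-56337", "10.1.0-M5"),
        ("tomcat-03", "CVE-2024-56337", "11.0.3"),
        ("trafficops-01", "CVE-2024-45387", "8.0.1"),
    ]
    for host, cve, ver, fixed in check_fleet(sample):
        print(f"{host}: {cve} version {ver} is affected, upgrade to {fixed}")
```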

how avertium is protecting our customers

At this time, there are no known IoCs associated with attempts to exploit either of these vulnerabilities. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

TTPs TO MONITOR

1. Exploitation for Privilege Escalation (T1068)
  • Description: An attacker exploits vulnerabilities, such as race conditions (TOCTOU in CVE-2024-56337), to gain higher privileges than originally granted.
  • Relevance: A successful TOCTOU attack could allow remote code execution or elevated privileges on the system hosting Apache Tomcat.
2. Input Validation Bypass (T1203 - Exploitation for Client Execution)
  • Description: Exploitation of application-level input flaws, like SQL injection in CVE-2024-45387, to bypass validation and execute unauthorized commands.
  • Relevance: An attacker could craft malicious SQL payloads to manipulate the database via vulnerable PUT requests.
3. Valid Accounts (T1078)
  • Description: Use of compromised or privileged accounts to perform malicious actions.
  • Relevance: Exploiting CVE-2024-45387 requires privileged roles like "admin" or "steering," making this TTP crucial for initial access.
4. System Information Discovery (T1082)
  • Description: Gathering details about the target system, such as services and configurations, to tailor exploits.
  • Relevance: Attackers targeting CVE-2024-56337 need to analyze Tomcat's specific configurations to trigger the TOCTOU condition.
5. Remote Code Execution (RCE) (T1210)
  • Description: Leveraging vulnerabilities to execute arbitrary code on remote systems.
  • Relevance: CVE-2024-56337 could allow attackers to execute arbitrary code by exploiting the race condition.

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
    • Threat Mapping - Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks 

CVE-2024-56337 

Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now 

CVE-2024-45387 
