The U.S. Cybersecurity and Infrastructure Security Agency (CISA) SonicWall SonicOS, ImageMagick and Linux Kernel vulnerabilities to its .
Below are the descriptions for these vulnerabilities:
CVE-2016-3714 flaw (aka ImageTragick), in the popular image manipulation software could allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka “ImageTragick.” Attackers can exploit the flaw to take over websites running the widely used image-enhancing app. The vulnerability in ImageMagick App allows attackers to run arbitrary code on the targeted web servers that rely on the app for resizing or cropping user-uploaded images.
flaw was discovered by researchers with Qualys Research Labs and affects all Linux distributions that have not fixed their kernels after a commit on April 14, 2015. Attackers can exploit the vulnerability to escalate privileges. The issue resides in the way the kernel loads ELF executables and is triggered by applications that have been built as Position Independent Executables (PIEs).
“A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption.” reads the published on RedHat. “An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.”
is an Improper Access Control Vulnerability impacting SonicWall SonicOS. SonicWall warns that a recently fixed access control flaw, tracked as CVE-2024-40766 (CVSS v3 score: 9.3), in SonicOS is now potentially exploited in attacks.
According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by September 30, 2024.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, CISA)