An IT security alert update for known vulnerabilities has been published for VPN / DHCP clients. You can read the description of the security hole together with the latest updates and information about the affected iPhoneOS, Linux and MacOS X operating systems and products here.
The Federal Office for Information Security (BSI) published an update on May 20, 2024 for security vulnerabilities in VPN / DHCP clients that became known on May 6, 2024. The iPhoneOS, Linux and MacOS operating systems are affected.
The latest manufacturer recommendations for updates, workarounds and security patches for this vulnerability can be found here: F5 Security Advisory K000139553 (from 21 May 2024). Some useful links are listed later in this article.
Security warning for VPN / DHCP clients – risk: high
Risk level: 4 (high)
CVSS Base Score: 8.8
CVSS Temporal Score: 8.3
Remotely exploitable: Yes
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security risks on the basis of various criteria and so to prioritise countermeasures. The ratings "none", "low", "medium", "high" and "critical" denote the severity levels. The Base Score evaluates the preconditions of an attack (including authentication, complexity, privileges and user interaction) and its impact. Temporal scores additionally take into account changes in the risk situation over time. According to CVSS, the severity of the present vulnerability is rated "high" with a base score of 8.8.
VPN clients / DHCP bug: vulnerability allows security measures to be bypassed
DHCP (Dynamic Host Configuration Protocol) is a protocol for automatically configuring clients on a network.
An attacker on the same local network (adjacent network) can exploit the vulnerability in VPN clients on systems that are configured via DHCP to redirect traffic: a rogue DHCP server pushes routes (DHCP option 121, classless static routes) that are more specific than the VPN's default route, so the affected traffic leaves through the physical interface outside the tunnel.
Vulnerabilities are identified by a CVE (Common Vulnerabilities and Exposures) number. The identifier assigned here is CVE-2024-3661.
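To make the redirect concrete, the following script is an added example that is not part of the BSI advisory or of any vendor's code. It decodes a DHCP option 121 payload (classless static routes, RFC 3442) and flags every pushed route whose destination lies outside the local subnet, since such a route is more specific than a full-tunnel VPN's 0.0.0.0/0 and therefore wins the routing lookup. The payload bytes, the local subnet 192.168.1.0/24 and the gateway addresses are constructed for the example.

```python
"""Added example (not from the BSI advisory or any vendor): decode a DHCP
option 121 payload and flag routes that would pull traffic out of a VPN.

A full-tunnel VPN client installs 0.0.0.0/0 via the tunnel. A DHCP server
on the same LAN (RFC 3442, option 121) can push routes such as 0.0.0.0/1
and 128.0.0.0/1. Longest-prefix matching prefers them over /0, so the
matching traffic leaves via the physical interface instead of the tunnel.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option121(payload: bytes) -> List[Route]:
    """Decode an RFC 3442 classless static route list.

    Each entry is: 1 byte prefix width (0..32), ceil(width/8) significant
    destination octets, then a 4-byte next-hop router address.
    """
    routes: List[Route] = []
    pos = 0
    while pos < len(payload):
        width = payload[pos]
        if width > 32:
            raise ValueError(f"invalid prefix width {width} at offset {pos}")
        n_octets = (width + 7) // 8
        pos += 1
        if pos + n_octets + 4 > len(payload):
            raise ValueError(f"truncated route entry at offset {pos}")
        # Pad the significant octets back out to a full 32-bit address.
        dest = payload[pos:pos + n_octets] + b"\x00" * (4 - n_octets)
        pos += n_octets
        router = payload[pos:pos + 4]
        pos += 4
        network = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(dest)}/{width}", strict=False)
        routes.append((network, ipaddress.IPv4Address(router)))
    return routes


def routes_bypassing_vpn(routes: List[Route],
                         local_subnet: ipaddress.IPv4Network) -> List[Route]:
    """Return pushed routes whose destination is not inside the local LAN.

    Routes inside the local subnet are ordinary DHCP configuration. Anything
    else installs a route more specific than the tunnel's 0.0.0.0/0, so the
    traffic it covers bypasses the VPN.
    """
    return [(net, gw) for net, gw in routes if not net.subnet_of(local_subnet)]


def fraction_of_ipv4_hijacked(bypass: List[Route]) -> float:
    """Share of the IPv4 address space covered by the bypass routes."""
    merged = ipaddress.collapse_addresses(net for net, _ in bypass)
    return sum(net.num_addresses for net in merged) / 2 ** 32


# Constructed payload imitating a hostile DHCP server on 192.168.1.0/24:
#   0.0.0.0/1        via 192.168.1.1   (width 1, one significant octet 0x00)
#   128.0.0.0/1      via 192.168.1.1   (width 1, one significant octet 0x80)
#   192.168.1.128/25 via 192.168.1.254 (benign, stays inside the LAN)
SAMPLE_OPTION_121 = bytes.fromhex(
    "01" "00" "c0a80101"
    "01" "80" "c0a80101"
    "19" "c0a80180" "c0a801fe"
)
LOCAL_SUBNET = ipaddress.IPv4Network("192.168.1.0/24")  # assumed LAN prefix


if __name__ == "__main__":
    routes = parse_option121(SAMPLE_OPTION_121)
    for net, gw in routes:
        print(f"pushed route {net} via {gw}")
    bypass = routes_bypassing_vpn(routes, LOCAL_SUBNET)
    print(f"{len(bypass)} route(s) bypass the tunnel, covering "
          f"{fraction_of_ipv4_hijacked(bypass):.0%} of IPv4")
```

The two /1 routes together cover the whole IPv4 space, which is the pattern that sends all of a client's traffic around the tunnel. A client that wants to defend itself has to either ignore option 121 while the VPN is up or confine the tunnel to its own network namespace; checking the pushed routes against the local prefix, as above, is the detection side of that.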
Systems affected by the security hole at a glance
Operating systems
iPhoneOS, Linux, MacOS X, UNIX, Windows
Products
Open Source Linux (cpe:/o:open_source:linux)
Microsoft Windows (cpe:/o:microsoft:windows)
Apple iOS (cpe:/o:apple:iphone_os)
Apple macOS (cpe:/o:apple:mac_os)
PaloAlto Networks GlobalProtect software (cpe:/a:paloaltonetworks:globalprotect)
F5 BIG-IP 17.1.0-17.1.1 (cpe:/a:f5:big-ip)
F5 BIG-IP 16.1.0-16.1.4 (cpe:/a:f5:big-ip)
F5 BIG-IP 15.1.0-15.1.10 (cpe:/a:f5:big-ip)
F5 BIG-IP APM Clients 7.2.3-7.2.4 (cpe:/a:f5:big-ip)
General recommendations for addressing IT security gaps
- Users of the affected applications should keep them up to date. When security holes become known, manufacturers are expected to fix them quickly by providing a patch or workaround. When new security updates are available, install them immediately.
- For details, see the sources listed in the next section. These often contain further information about the latest version of the software in question and the availability of security patches or performance tips.
- If you have any further questions or uncertainties, please contact your responsible administrator. IT security managers should regularly check the specified sources to see whether a new security update is available.
Sources for updates, patches and workarounds
Here you will find some links with information about bug reports, security fixes and workarounds.
F5 Security Advisory K000139553 from 2024-05-21 (20.05.2024)
Palo Alto Networks Security Advisories from 2024-05-16 (16.05.2024)
Leviathan Security Blog from 2024-05-06 (06.05.2024)
TunnelVision website from 2024-05-06 (06.05.2024)
GitHub Advisory Database from 2024-05-06 (06.05.2024)
Version history of this security alert
This is version 3 of this IT security notice for VPN / DHCP clients. If further updates are announced, this document will be updated. You can see changes or additions in this version history.
May 6, 2024 – First version
May 16, 2024 – New updates added
May 20, 2024 – New F5 updates added
+++ Editorial note: This document is based on current BSI data and will be updated in a data-driven manner depending on the status of the alert. We welcome suggestions and comments at [email protected]. +++
kns/roj/news.de