Patch Tuesday November 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
  - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (CVE-2023-36036)
  - Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2023-36033)
  - Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2023-36025)
  - Microsoft Office Security Feature Bypass Vulnerability (CVE-2023-36413)
  - ASP.NET Core Denial of Service Vulnerability (CVE-2023-36038)
  - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVE-2023-36397)
  - Microsoft Exchange
  - Microsoft Access
  - Microsoft 365
- Third-party application vulnerabilities:
  - Google Chrome
  - Mozilla Firefox
  - Veeam ONE
  - Apache ActiveMQ
  - Atlassian
  - Kubernetes ingress-nginx
  - Cisco
  - Citrix
  - VMware
Microsoft Vulnerabilities
Welcome to the November 2023 Patch Tuesday release, featuring a suite of vital security updates for Microsoft products to maintain the integrity and security of your systems. While we observe a decrease in the number of fixes this month, with 63 vulnerabilities addressed compared to October’s count, the volume remains noteworthy, particularly when third-party updates are considered as well. This batch includes three zero-day fixes and three vulnerabilities for which proofs of concept exist. It encompasses three critical fixes, a significant reduction from last month. Here are details on the most interesting critical updates.
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
The CVE-2023-36036 vulnerability, identified today, is a critical zero-day elevation of privilege issue affecting Microsoft Windows 10 and later, as well as Microsoft Windows Server 2008 and onwards. With a CVSS score of 7.8, it is considered a significant threat according to Microsoft’s assessment criteria. The vulnerability, which requires local access, is of low complexity and can be exploited without high-level privileges or user interaction. Successful exploitation allows attackers to gain SYSTEM-level privileges, making it an ideal tool for escalating privileges after initial access, such as through phishing.
Microsoft urgently recommends updating systems to address this vulnerability, which is already being exploited in active attacks, although no proof of concept is currently available.
Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36033 is a zero-day vulnerability targeting the Windows DWM Core Library, presenting an elevation of privilege risk. It shares traits with CVE-2023-36036, notably a CVSS score of 7.8. This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction. Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.
Unlike the previous vulnerability, there is a proof of concept available for CVE-2023-36033, and Microsoft has confirmed its active exploitation. Therefore, Microsoft urgently advises applying the available updates to mitigate this vulnerability.
Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36025 is a zero-day vulnerability in the Windows SmartScreen feature, posing a significant security bypass risk. Unlike the other vulnerabilities mentioned, this one has a network attack vector and requires user interaction, though it still maintains low attack complexity and doesn’t require high privileges. Notably, it has a high CVSS rating of 8.8.
This vulnerability impacts Microsoft Windows 10 and later versions, as well as Microsoft Windows Server 2008 and subsequent releases. It enables attackers to circumvent Windows Defender SmartScreen checks and prompts. To exploit this flaw, a user must interact with a malicious Internet shortcut (.URL) or a hyperlink directing to such a shortcut. This exploitation allows attackers to prevent Windows SmartScreen from blocking malware.
Microsoft has confirmed that this vulnerability is currently being exploited in active attacks, although no proof of concept is available as of now. Given its high CVSS rating and the fact that it is being actively exploited, this makes CVE-2023-36025 one of the vulnerabilities that should be prioritized for patching.
Microsoft Office Security Feature Bypass Vulnerability
CVE-2023-36413 is a vulnerability in Microsoft Office, notable for its available proof of concept and potential for exploitation in the wild. It has a network attack vector and is characterized by low attack complexity. While it does not require high-level privileges, user interaction is necessary for exploitation. The vulnerability has a moderate CVSS rating of 6.5, primarily because it enables bypassing a specific Microsoft Office security feature. This could allow malicious code execution via compromised Microsoft Office files. The vulnerability specifically affects Microsoft Office 2016 and later versions.
A key aspect of this vulnerability is that it allows attackers to circumvent Office’s protected view, causing documents to open in edit mode instead of the more secure protected mode. Although Microsoft has confirmed the existence of a proof of concept, there is currently no concrete evidence of this vulnerability being exploited in the wild. This nuanced understanding of the vulnerability’s potential impact is essential for prioritizing security measures.
ASP.NET Core Denial of Service Vulnerability
CVE-2023-36038 represents a significant vulnerability in ASP.NET Core, capable of causing denial of service. This vulnerability is noteworthy for its network attack vector, low attack complexity, and the fact that it doesn’t require any privileges or user interaction for exploitation. It holds a high CVSS rating of 8.2, reflecting the serious risk of website downtime for those utilizing the ASP.NET library. This issue specifically affects .NET Core 8.0 and ASP.NET Core 8.0.
The vulnerability can be triggered when HTTP requests to .NET 8 RC 1, running on the IIS InProcess hosting model, are canceled. This can lead to an increase in the number of threads and potentially cause an OutOfMemoryException. Successful exploitation of this vulnerability could lead to a complete loss of service availability.
Microsoft has confirmed the existence of a proof of concept for this vulnerability, although there’s no concrete evidence of its exploitation in the wild as yet. Websites running on IIS with ASP.NET 8.0 are at risk of a denial-of-service (DoS) attack, making it imperative to install a fix to mitigate this vulnerability.
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
A critical remote code execution vulnerability, identified as CVE-2023-36397, has been discovered in the Windows Pragmatic General Multicast (PGM) protocol. This vulnerability presents a network attack vector, is characterized by low complexity, and does not require any privileges or user interaction for exploitation. It holds a critically high CVSS rating of 9.8, indicating its severe impact. This vulnerability affects Windows 10 and later, as well as Windows Server 2008 and subsequent versions.
The vulnerability becomes exploitable if the Windows Message Queuing Service is active in a PGM Server environment. In such cases, an attacker could transmit a specially crafted file over the network to execute remote code and potentially initiate malicious actions. It’s important to note that the Windows Message Queuing Service, a standard Windows component, must be enabled for a system to be vulnerable. This service can be added via the Control Panel, and its presence can be verified by checking if a service named “Message Queuing” is operating and listening on TCP port 1801 on the machine. Systems without this service active are not susceptible to this specific vulnerability.
As of now, there is no evidence of this vulnerability being exploited in the wild, nor is there a proof of concept available. However, for systems with the Message Queuing service running, applying a fix is crucial to mitigate the risk posed by this vulnerability.
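As an added example that is not part of the Action1 digest, the following PowerShell check implements the exposure test described above (Message Queuing service running and something listening on TCP 1801) so it can be run across a fleet before patching. It assumes a Windows 8 / Server 2012 or newer host so that Get-NetTCPConnection is available.

```powershell
# Added example, not part of the Action1 digest: report whether this host meets the
# exposure condition for CVE-2023-36397 (Message Queuing running / TCP 1801 listening).
# Assumes Windows 8 / Server 2012 or later so that Get-NetTCPConnection is available;
# on older hosts replace that call with 'netstat -ano | findstr :1801'.
function Test-MessageQueuingExposure {
    [CmdletBinding()]
    param()

    # The "Message Queuing" service is registered under the short service name MSMQ.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # A listening socket on TCP 1801 is the second indicator the digest names.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    # Exposed only when the service is actually running or something listens on 1801;
    # a stopped or absent service is out of scope for this vulnerability.
    $exposed = ($status -eq 'Running') -or ($null -ne $listener)

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceStatus     = $status
        Port1801Listening = ($null -ne $listener)
        ExposedToCve36397 = $exposed
        # Owning PIDs help confirm it really is the MSMQ service holding the port.
        OwningProcessIds  = @($listener | ForEach-Object { $_.OwningProcess } | Sort-Object -Unique)
    }
}

# Run the check and flag hosts that should be patched first.
$report = Test-MessageQueuingExposure
$report | Format-List

if ($report.ExposedToCve36397) {
    Write-Warning ("{0}: Message Queuing is active; prioritise the November 2023 update for CVE-2023-36397." -f $report.ComputerName)
} else {
    Write-Host ("{0}: Message Queuing is not active; not exposed to CVE-2023-36397 (still apply the update)." -f $report.ComputerName)
}
```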
Microsoft Exchange
Microsoft has chosen to overlook four vulnerabilities in its Exchange mail server, identified by Piotr Bazydło of the Trend Micro Zero Day Initiative (ZDI). These vulnerabilities, comprising three Server-Side Request Forgery (SSRF) issues and one Remote Code Execution (RCE), are currently tracked as ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, and ZDI-23-1581, pending the assignment of CVE identifiers.
ZDI reported these vulnerabilities to Microsoft on September 7-8. Microsoft acknowledged them on September 11 but later, between September 27-29, indicated that these vulnerabilities do not necessitate “immediate maintenance.”
Contrary to their initial classification as zero-day vulnerabilities in the disclosure to ZDI, Microsoft does not categorize them as such. The rationale is that they have not been exploited in the wild, nor is there any publicly available proof-of-concept. Additionally, exploiting these vulnerabilities requires authentication, which diminishes the likelihood of their malicious use. Notably, one of these vulnerabilities, ZDI-23-1578, which involves a data deserialization issue leading to remote code execution, was already addressed in the August Patch Tuesday update.
Microsoft has emphasized that exploiting each of these security issues necessitates prior access to email credentials. The company also stated that for two of these vulnerabilities, there is no evidence suggesting they could be used for privilege escalation or to access sensitive customer data.
Microsoft Access
Researchers at Check Point Research have identified a security vulnerability in Microsoft Access that could potentially allow an attacker to acquire a Windows user’s NTLM token. This vulnerability can be exploited via any TCP port, including port 80, when a user opens an .accdb or .mdb file. This method effectively circumvents existing firewall rules that are meant to prevent the theft of NTLM credentials.
NTLM, an outdated authentication protocol introduced by Microsoft in 1993, is susceptible to three well-known types of attacks: brute force, pass-the-hash, and relay attacks. The vulnerability leverages a feature in Microsoft Access known as “Linked Tables,” which enables Access databases to link to tables in other databases. Check Point notes that this feature is not covered by local firewall rules, thereby allowing attackers to exploit it to transmit NTLM hashes across the network.
Furthermore, the Check Point specialists have also described a method to bypass protections that block all outbound traffic on ports typically used by the NTLM protocol (139 and 445). This bypass exploits the “Access Link Tables” feature in the Microsoft Access application.
Microsoft 365
Zscaler’s ThreatLabz team has identified an alarming number of vulnerabilities—117 in total—in Microsoft 365 applications for both Windows and Mac. This surge in security flaws stems from the integration of the SketchUp 3D library. Microsoft introduced support for SketchUp files (SKP) in June 2022, inadvertently introducing numerous bugs into Microsoft 365. These vulnerabilities were uncovered through three months of thorough research by the ThreatLabz team. Initially, only four SKP-related bugs were identified in Microsoft Office as part of the Zero Day Initiative by the end of December 2022. This discovery prompted the ThreatLabz researchers to examine the problematic component more closely.
Microsoft has responded by assigning identifiers CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 to track these vulnerabilities. Although a patch was released by Microsoft to address these issues, ThreatLabz successfully found ways to bypass it.
In response to these findings, Microsoft took preventive steps in June 2023 by temporarily disabling SketchUp support in Microsoft 365. The researchers have comprehensively detailed their detection methods and the technical aspects of some of these vulnerabilities in a report. The first part of this report has been published, with the second part expected to be available shortly.
Google Chrome
In its latest version 119, the Google Chrome browser has addressed 15 security vulnerabilities. These include three high-criticality, eight medium-criticality, and two low-criticality vulnerabilities. Among the most critical are CVE-2023-5480, which relates to implementation errors in the payment system, and CVE-2023-5482, involving incorrect data validation in USB functionalities.
Many of these vulnerabilities were detected through automated testing using tools like AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL.
However, it’s important to note that these vulnerabilities do not compromise all layers of the browser’s protection. They are unable to allow code execution on the system outside of Chrome’s sandbox environment. As part of its security bounty program for this release, Google has awarded a total of $40.5K across 13 different bounties.
Mozilla Firefox
Mozilla’s latest release, Firefox 119, not only brings new features and bug fixes but also includes 25 security updates. Of these, 17 vulnerabilities, primarily grouped under CVE-2023-5730 and CVE-2023-5731, are classified as dangerous due to memory-related issues. These include buffer overflows and accessing previously freed memory areas, which could potentially enable an attacker to execute code when specific, specially crafted web pages are accessed.
Additionally, a separate critical vulnerability, identified as CVE-2023-5721, poses a risk by allowing clickjacking. This vulnerability could be exploited to manipulate users into inadvertently confirming or canceling certain browser dialogues or warnings.
Veeam ONE
Veeam has recently issued patches for four vulnerabilities in its Veeam ONE monitoring and analysis platform, including two critical Remote Code Execution (RCE) vulnerabilities with high CVSS base scores of 9.8 and 9.9 out of 10.
The first critical vulnerability, CVE-2023-38547, could allow an unauthenticated user to access information about the SQL Server connection used by Veeam ONE for its configuration database. The second, CVE-2023-38548, enables an unauthenticated user with access to the Veeam ONE web client to obtain an account’s NTLM hash.
Additionally, Veeam has rectified a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-38549. This flaw could be exploited to acquire an administrator access token and requires user interaction to be effective.
The fourth vulnerability addressed, CVE-2023-41723, could be exploited by an attacker with read-only user privileges to access dashboard schedules. However, this vulnerability does not allow the attacker to make any changes.
These vulnerabilities impact all actively supported versions of Veeam ONE up to the latest version. The fixes are included in Veeam ONE 12 P20230314 (version 12.0.1.2591), Veeam ONE 11a (version 11.0.1.1880), and Veeam ONE 11 (version 11.0.0.1379).
Apache ActiveMQ
A critical Remote Code Execution (RCE) vulnerability has been identified in over 3,000 publicly accessible Apache ActiveMQ servers. Apache ActiveMQ, known for its scalability, is an open-source message broker that supports Java and various cross-language clients, along with multiple protocols like AMQP, MQTT, OpenWire, and STOMP. It’s widely used in enterprise environments for system communication without direct connectivity, thanks to its range of secure authentication and authorization mechanisms.
The vulnerability, designated as CVE-2023-46604, is rated 10.0 on the CVSS v3 scale. It allows attackers to execute arbitrary shell commands by utilizing serialized class types in the OpenWire protocol.
As per Apache’s advisory on October 27, the issue impacts Apache ActiveMQ and the legacy OpenWire module in the 5.18.x, 5.17.x, 5.16.x, and 5.15.x branches prior to 5.18.3, 5.17.6, 5.16.7, and 5.15.16 respectively. Fixes were released on the same day in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
Researchers from ArcticWolf and Huntress Labs discovered attacks exploiting CVE-2023-46604 to deploy SparkRAT malware on ActiveMQ servers starting as early as October 10, well before Apache released the patch on October 25.
Furthermore, even after the patch release, over 9,200 Apache ActiveMQ servers remained open on the network, with more than 4,770 still vulnerable to exploits targeting CVE-2023-46604. Following this, ransomware attacks were observed, with some of the compromised servers being encrypted by HelloKitty, followed by TellYouThePass, as noted by researchers from Huntress Labs and Rapid7.
Given Apache ActiveMQ’s critical role as a message broker in enterprise environments, the exploitation of CVE-2023-46604 poses severe risks, including potential lateral movement across the network. With the technical details of exploiting CVE-2023-46604 publicly available, it is imperative and urgent for security updates to be applied.
Atlassian
On October 17th, Atlassian issued a security bulletin announcing patches for 28 vulnerabilities in their software, including two critical and 26 high-risk issues.
The most severe vulnerabilities are CVE-2023-22515, with a maximum severity score of 10.0, affecting all Confluence Data Center and Server versions, and CVE-2019-13990, scoring 9.8, impacting Jira Service Management Data Center and Server. The majority of the other significant vulnerabilities have a 7.5 rating, except for CVE-2023-22514 at 7.8 and CVE-2021-22569 at 5.5.
A Proof of Concept (PoC) for CVE-2023-22515, a zero-day vulnerability in Atlassian Confluence, was incorporated into Metasploit after several operational exploit versions were leaked. Notably, this vulnerability was actively exploited by an attacker, known as DarkShadow or Oro0lxy, starting September 14, 2023, prior to its official disclosure on October 4.
Another grave concern is CVE-2023-22518, a critical vulnerability in Confluence that could lead to substantial data loss due to improper authorization. This flaw affects all versions of Confluence Data Center and Server, though it does not threaten data privacy. Atlassian has addressed this in specific Confluence versions. If upgrading isn’t possible, implementing mitigating measures such as backups and restricting Internet access is recommended.
The release of a publicly accessible PoC for CVE-2023-22518 has triggered active exploitation of this vulnerability. Security firms GreyNoise and Rapid7 have observed extensive campaigns exploiting CVE-2023-22518 and the older critical bug CVE-2023-22515. These attacks have often involved deploying the Cerber ransomware on compromised servers.
This event marks the second significant instance of CerberImposter ransomware being used in attacks, following a previous campaign against Atlassian Confluence that exploited the RCE vulnerability CVE-2021-26084 two years earlier.
Kubernetes ingress-nginx
Three high-severity vulnerabilities, currently unpatched, have been identified in the NGINX controller for Kubernetes. These vulnerabilities could potentially allow an attacker to access sensitive credentials within a Kubernetes cluster.
The ingress controller in Kubernetes serves as a gateway, managing external network access to services within the cluster. The widely-used ingress-nginx controller, distinct from the Kubernetes basic ingress controllers for AWS, GCE, and nginx, leverages the NGINX server for forwarding access, routing external requests, and load balancing. Notably, the ingress-nginx controller is maintained separately by F5/NGINX and is not affiliated with the Kubernetes project’s nginx controller.
The vulnerabilities are as follows:
- CVE-2022-4886 (CVSS score: 8.8): This vulnerability allows bypassing path sanitization in Ingress-nginx, enabling access to Ingress-nginx controller credentials.
- CVE-2023-5043 (CVSS score: 7.6): This allows the injection of an Ingress-nginx annotation to execute arbitrary commands.
- CVE-2023-5044 (CVSS score: 7.6): This involves code injection through the nginx.ingress.kubernetes.io/permanent-redirect annotation.
CVE-2022-4886 specifically involves inadequate validation in the “spec.rules[].http.paths[].path” field of the Ingress object. An attacker with access to Ingress could exploit this to download Kubernetes API credentials from the ingress controller. The vulnerability arises because the application does not sufficiently verify the validity of internal paths, which could be manipulated to point to internal files containing service account tokens for authenticating to the API server.
In the absence of an official patch, the software’s developers have suggested mitigations. These include enabling the --strict-validate-path-type option and using the --enable-annotation-validation flag. These measures are designed to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions. ARMO recommends updating NGINX to version 1.19 and adding the --enable-annotation-validation command line configuration to resolve CVE-2023-5043 and CVE-2023-5044.
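The audit below is an added example, not code from the digest or from the ingress-nginx project. It checks whether the two mitigations named above are present on the running controller and lists Ingress objects a defender should review: rule paths with characters outside a conservative set (an approximation of strict path validation, assumed here) and any use of the permanent-redirect annotation. It assumes kubectl is on PATH with a working kubeconfig and that the controller runs as Deployment ingress-nginx-controller in namespace ingress-nginx (hypothetical defaults).

```powershell
# Added example, not from the digest or the ingress-nginx project.
# Assumptions: kubectl on PATH with a valid kubeconfig; controller Deployment name and
# namespace below are hypothetical defaults and can be overridden per call.

function Get-KubectlJson {
    param([string[]]$KubectlArgs)
    $out = & kubectl @KubectlArgs -o json 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { throw "kubectl $($KubectlArgs -join ' ') failed" }
    # kubectl emits one string per output line; join them before parsing.
    return ($out -join "`n") | ConvertFrom-Json
}

function Test-IngressNginxMitigations {
    param(
        [string]$Namespace  = 'ingress-nginx',
        [string]$Deployment = 'ingress-nginx-controller'
    )
    $deploy     = Get-KubectlJson -KubectlArgs @('get', 'deployment', $Deployment, '-n', $Namespace)
    $containers = @($deploy.spec.template.spec.containers)
    $ctlArgs    = @($containers | ForEach-Object { $_.args })

    # '-match' against an array returns the matching elements; an empty result casts to $false.
    [PSCustomObject]@{
        Image                      = $containers[0].image
        StrictValidatePathType     = [bool]($ctlArgs -match '^--strict-validate-path-type(=true)?$')
        EnableAnnotationValidation = [bool]($ctlArgs -match '^--enable-annotation-validation(=true)?$')
    }
}

function Get-IngressFindings {
    # Assumed approximation of the strict path character set: a leading slash followed
    # by letters, digits and / . _ ~ - only. Anything else deserves a manual look.
    $cleanPath          = '^/[A-Za-z0-9/._~-]*$'
    $redirectAnnotation = 'nginx.ingress.kubernetes.io/permanent-redirect'
    $ingresses          = (Get-KubectlJson -KubectlArgs @('get', 'ingress', '--all-namespaces')).items

    foreach ($ing in @($ingresses)) {
        $ns = $ing.metadata.namespace
        $name = $ing.metadata.name

        # Paths with characters outside the clean set are what CVE-2022-4886 abuses.
        foreach ($rule in @($ing.spec.rules)) {
            foreach ($p in @($rule.http.paths)) {
                if ($p.path -and $p.path -notmatch $cleanPath) {
                    [PSCustomObject]@{ Namespace = $ns; Name = $name; Finding = 'non-standard path characters'; Detail = $p.path }
                }
            }
        }

        # The permanent-redirect annotation is the injection point of CVE-2023-5044;
        # surface every use so its value can be reviewed by hand.
        $ann = $ing.metadata.annotations
        if ($ann -and $ann.PSObject.Properties[$redirectAnnotation]) {
            [PSCustomObject]@{ Namespace = $ns; Name = $name; Finding = 'permanent-redirect annotation'; Detail = $ann.$redirectAnnotation }
        }
    }
}

Test-IngressNginxMitigations | Format-List
Get-IngressFindings | Format-Table -AutoSize
```

Both mitigation fields should read True after the controller has been restarted with the flags; findings from Get-IngressFindings are review items, not confirmed exploitation.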
Cisco
Cisco is cautioning customers about a new zero-day vulnerability in IOS XE, identified as CVE-2023-20198, that could potentially compromise devices. This critical issue, a privilege escalation vulnerability, affects the default image’s IOS XE web user interface. The vulnerability, exploitable from the network or directly from the Internet, allows an unauthenticated remote attacker to create a high-privilege account (level 15 access) and gain full control of the device. Such access enables an attacker to alter network routing rules, open ports to connect to attacker-controlled servers, and steal data.
Cisco Talos detected malicious activity related to CVE-2023-20198 on September 28, following unusual activity on a customer’s device. Analysis revealed the creation of a new user account named “cisco_tac_admin” as early as September 18. This activity paused on October 1 but resumed on October 12, believed to be by the same attacker. In September, the hackers merely created a new account, but in October, they also deployed an implant consisting of a configuration file, enabling them to execute arbitrary commands at the system or IOS level.
The implant was delivered by exploiting CVE-2021-1435, a command injection vulnerability in IOS XE that Cisco had patched in March 2021. However, the implant was also observed on devices patched for CVE-2021-1435, with the delivery mechanism in these cases remaining unidentified. The implant is not permanent, disappearing after a device reboot, but the attacker-created accounts remain active.
Researchers have documented extensive zero-day attacks on the Cisco IOS XE operating system. VulnCheck discovered thousands of compromised Cisco IOS XE systems with the web user interface feature enabled and released a scanner for malicious implants, while LeakIX reported more than 30,000 such systems. Over 34,500 Cisco IOS XE devices have been compromised by CVE-2023-20198 attacks, according to Orange’s CERT Coordination Center. Shodan’s data indicates that over 140,000 web-enabled Cisco devices are currently online.
GreyNoise has identified nearly 42,000 Cisco routers and switches worldwide with a malicious implant installed. The scope of the Cisco IOS XE zero-day impact has widened with the discovery of a similar vulnerability, CVE-2023-20273. Rockwell Automation informed customers about an actively exploited zero-day affecting Stratix industrial switches. Unknown attackers exploited two zero-day vulnerabilities in Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273) to create high-privilege accounts and deploy a Lua implant for full system control. The Rockwell advisory, issued before the second zero-day discovery, does not mention CVE-2023-20273, but this vulnerability also impacts IOS XE software on Rockwell switches.
A publicly available exploit for the critical Cisco IOS XE vulnerability (CVE-2023-20198) emerged from a honeypot study by SECUINFRA. Horizon3.ai researchers detailed how attackers can bypass authentication on vulnerable Cisco IOS XE devices. They can encode an HTTP request to the WSMA service in iosd, a key binary in Cisco IOS XE, to generate a configuration file for OpenResty (an NGINX-based server with Lua scripting) used by the vulnerable webui service. WSMA enables command execution via SOAP requests, including access to a configuration function to create a fully privileged user. The researchers demonstrated how the bug could be exploited to create a new user with level 15 privileges, granting full device control and the ability to write malicious implants directly to the hard drive.
LeakIX researchers confirmed the exploit’s effectiveness, detecting specific command executions on their Cisco IOS XE honeypots. Consequently, Cisco updated its advisory for CVE-2023-20198, announcing IOS XE updates containing fixes for the vulnerability. Despite Cisco releasing patches for most IOS XE software versions, thousands of systems remain vulnerable.
Cisco also released software updates addressing 27 vulnerabilities across its Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) products, and issued 22 security advisories. The most severe is CVE-2023-20048, with a CVSS rating of 9.9, caused by insufficient authorization of configuration commands in the FMC web service interface. An attacker could exploit this using crafted HTTP requests to execute configuration commands on the targeted FTD device.
Seven advisories describe eight flaws in ASA, FMC, and FTD software, with five potentially leading to Denial of Service (DoS) and the rest permitting command injection. The DoS vulnerabilities impact ICMPv6 processing, VPNs, internal packet processing, and ICMPv6 inspection using Snort 2 features and APIs in these products.
Eighteen moderate vulnerabilities in ASA, FMC, and FTD could result in DoS, arbitrary file uploads, SAML hijacking, XSS attacks, policy bypass, discovery mechanism bypass, certificate authentication bypass, and geolocation filter bypass. The most severe, CVE-2022-20713, exploitable remotely without authentication, manipulates client requests in the VPN services component of ASA and FTD software.
The issue was discovered on August 10, 2022, and it took over a year for Cisco to provide a patch. Despite the public availability of the PoC exploit, there have been no reported real-world exploits.
Users with publicly accessible Cisco devices are advised to update them as soon as possible or restrict their internet access to mitigate these vulnerabilities.
Citrix
Mandiant has issued a warning about the use of a recently patched zero-day vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, identified as CVE-2023-4966, in attacks observed since August. This vulnerability, with a CVSS rating of 9.4, allows unauthorized access to steal sensitive information from devices set up as a gateway or AAA virtual server. Citrix released fixes for the NetScaler ADC and Gateway on October 10, initially not highlighting the exploit potential. However, they subsequently updated their advisory to alert customers about the exploitation of CVE-2023-4966 and urged immediate updating of their systems.
The resolved versions of the bug include NetScaler ADC and NetScaler Gateway versions 14.1-8.50, 13.1-49.15, and 13.0-92.19, as well as specific FIPS and NDcPP versions. Mandiant noted that the vulnerability has been exploited in attacks targeting the government sector and technology companies since August. Attackers successfully exploiting this vulnerability could hijack authenticated sessions, circumventing multi-factor authentication. These sessions might persist even after the CVE-2023-4966 fix is applied. Researchers also observed instances where data was stolen before patching and later used by attackers.
Session hijacking of this nature can give attackers wider access, enabling them to collect credentials, move laterally within networks, and access further resources in compromised environments. Mandiant’s remediation guide advises isolating NetScaler ADC and gateway instances before patching, restricting access to unpatched devices, updating devices, terminating all active sessions post-update, and scanning for malicious activity. They also recommend restoring infected devices from clean backups, changing credentials if remote access is enabled with single-factor authentication, and limiting inbound access to trusted or pre-defined IP address ranges.
Additionally, a Proof of Concept (PoC) for the Citrix Bleed vulnerability (CVE-2023-4966) has been released. Assetnote researchers have elaborated on the exploitation of CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and assist in verifying the vulnerability. With the CVE-2023-4966 exploit now public, an increase in attacks against Citrix NetScaler appliances is expected for initial access to corporate networks. This prediction was confirmed by Shadowserver, which reported a surge in exploitation attempts after the PoC advisory’s release. Because such vulnerabilities are typically used in ransomware and data theft attacks, system administrators are strongly urged to promptly install the necessary patches.
VMware
VMware has issued a warning about an authentication bypass vulnerability in vRealize Log Insight (VMware Aria Operations for Logs), identified as CVE-2023-34051. This vulnerability, for which a PoC is available, enables an unauthenticated attacker to execute code remotely with root privileges under specific conditions.
The Horizon3 researchers, who discovered the bug, noted that successful exploitation relies on permissions to add an interface or static IP address. Horizon3’s technical analysis of the vulnerability’s root cause provides insight into how CVE-2023-34051 can be exploited for Remote Code Execution (RCE) with root privileges on unpatched VMware devices. They have also published a PoC exploit and a list of Indicators of Compromise (IOCs) to detect hacking attempts. The exploit leverages IP address spoofing and Thrift RPC endpoints to write arbitrary files, typically creating a reverse shell via a cron job, though the payload file requires modification to suit the environment. The attacker must share the same IP address as the master/worker node for the attack to succeed. This vulnerability effectively serves as a workaround for a series of critical bugs fixed by VMware in January, which also allow RCE.
These include CVE-2022-31706 (a directory traversal bug), CVE-2022-31704 (an access control violation), and CVE-2022-31711 (an information disclosure bug), collectively known as VMSA-2023-0001. Attackers could exploit these to inject malicious files into devices running unpatched Aria Operations for Logs software. Following the patch for VMSA-2023-0001, Horizon3 released a PoC that exploits Thrift RPC endpoints for arbitrary file writes.
The vulnerability is relatively easy to exploit but requires attackers to have specific infrastructure configurations to serve the malicious payload. As the product is unlikely to be exposed on the Internet, attackers need initial network access, making vulnerable VMware appliances valuable targets for lateral movement within compromised networks.
VMware has also patched a critical RCE vulnerability in vCenter Server, designated as CVE-2023-34048 with a CVSS rating of 9.8, discovered by Grigory Dorodnov from the Trend Micro Zero Day Initiative. It involves an out-of-bounds write vulnerability in the DCE/RPC protocol implementation, exploitable by an attacker with network access to vCenter Server, potentially leading to RCE.
The updates for this vulnerability are available in VMware vCenter Server 8.0 (8.0U1d or 8.0U2), VMware vCenter Server 7.0 (7.0U3o), and VMware Cloud Foundation 5.x and 4.x. Additionally, VMware issued a patch for vCenter Server versions 6.7U3 and 6.5U3 and for VCF 3.x. The latest update also addresses CVE-2023-34056, a partial information disclosure vulnerability in vCenter.
While there are no known real-world exploitations of these vulnerabilities, VMware strongly advises customers to promptly apply patches to mitigate potential threats.
Cisco
Cisco has recently unveiled a series of patches aimed at addressing various vulnerabilities, among them a moderately severe vulnerability found in IOS and IOS XE software that has exhibited signs of exploitation.
Designated as CVE-2023-20109, this vulnerability pertains to the Group Encrypted Transport VPN (GET VPN) feature within IOS and IOS XE and carries the potential for Remote Code Execution (RCE). To exploit it, an attacker needs valid credentials and administrative control over a group member or key server. The root issue stems from inadequate attribute validation within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols used by the GET VPN feature.
This vulnerability affects all Cisco products operating on vulnerable versions of IOS or IOS XE with the GDOI or G-IKEv2 protocol enabled. Unfortunately, there exists no viable workaround for this vulnerability, thus prompting Cisco to strongly recommend that customers apply updates. This is especially crucial considering documented attempts to exploit this vulnerability uncovered in an internal investigation.
Additionally, Cisco has rolled out patches for various vulnerabilities in the Catalyst SD-WAN Manager product, including a critical vulnerability (CVE-2023-20252) within the SAML APIs. This vulnerability carries a CVSS rating of 9.8 and could enable an unauthenticated attacker to gain unauthorized access to the application on behalf of an arbitrary user. It was addressed alongside four other high-severity issues, each posing its own threat, such as bypassing authorization and rolling back controller configurations, accessing the Elasticsearch system database, reaching another tenant managed on the same instance, or causing a Denial of Service (DoS) condition.
Cisco has also taken measures to rectify other significant issues, spanning RCE, DoS, unauthorized data access, and file theft, through software updates for IOS, IOS XE, and Cisco DNA Center. Additionally, the company has addressed several moderately severe issues impacting its products.
It’s noteworthy that, aside from CVE-2023-20109, Cisco currently possesses no knowledge of these vulnerabilities being actively exploited in any attacks.
SolarWinds
SolarWinds has remediated critical vulnerabilities in its Access Rights Manager (ARM) software, which is designed for managing user access rights in IT environments. This includes integration with Microsoft Active Directory, role-based access management, and visual feedback, among other features.
On June 22, researchers participating in the Zero Day Initiative (ZDI) identified eight bugs in SolarWinds ARM, three of which were classified as critical. These include:
- CVE-2023-35182 (rated 9.8): This vulnerability allows unauthenticated remote attackers to execute arbitrary code with SYSTEM-level privileges. It stems from untrusted data deserialization in the createGlobalServerChannelInternal method.
- CVE-2023-35185 (rated 9.8): This issue permits unauthenticated remote attackers to execute arbitrary code with SYSTEM-level privileges. The vulnerability is due to insufficient validation of user-entered paths in the OpenFile method.
- CVE-2023-35187 (rated 9.8): Similar to the others, this vulnerability enables unauthenticated remote attackers to execute arbitrary code with SYSTEM-level privileges. This is possible because of inadequate validation of user-supplied paths in the OpenClientUpdateFile method.
In addition to these critical vulnerabilities, SolarWinds also patched several other issues rated as high severity, which could potentially be exploited to gain elevated privileges or remote code execution on a host following authentication. To mitigate these vulnerabilities, SolarWinds released a patch in version 2023.2.1 of its Access Rights Manager. The company also issued advisories detailing all eight vulnerabilities, including their severity as assessed by SolarWinds. Notably, the company itself did not categorize any of the vulnerabilities as critical but assigned the highest rating of 8.8 for those considered high severity.
Oracle
Oracle has rolled out a scheduled Critical Patch Update for its range of products, addressing a significant number of security vulnerabilities. In total, the update rectifies 387 security issues across various Oracle products. Key vulnerabilities addressed in this update include:
- Java SE and GraalVM for JDK: This update fixes three vulnerabilities in Java SE and four in GraalVM for JDK. All these vulnerabilities are capable of being remotely exploited without authentication in environments that permit the execution of untrusted code. In Java SE, the most severe vulnerabilities, located in CORBA and JSSE, have a threat level of 5.3. GraalVM’s most critical vulnerability, found in Node.js, carries a threat level of 7.5. These issues have been resolved in Java SE versions 21.0.1 and 17.0.9.
- MySQL Server: Of the 26 vulnerabilities patched in MySQL Server, two are capable of remote exploitation. The most significant vulnerabilities, impacting the Curl package, the OpenSSL library, and the optimizer, have severity ratings of 7.5 and 6.5. Lesser issues affect the optimizer, InnoDB, DDL, UDF, and encryption tools. These vulnerabilities will be fixed in upcoming MySQL Community Server releases 8.2.0, 8.0.35, and 5.7.44.
- VirtualBox: Three vulnerabilities in VirtualBox, with threat levels of 7.9 and 7.3, have been addressed. These vulnerabilities are fixed in the VirtualBox 7.0.12 update, with branch 6.1 not being affected by these issues.
- Solaris: Two vulnerabilities in Solaris, impacting the kernel and file system, have been identified and addressed, with threat levels of 5.5 and 3.1. These issues are resolved in the Solaris 11.4 SRU62 update. The update also includes enhancements and fixes to several packages, including python 3.7.17, rabbitmq 3.8.35, Firefox 102.15.0esr, Thunderbird 102.15.0, pcre2 10.42, unrar 6.2.10, PHP 8.2.10, Tomcat 8.5.93, mod_jk 1.2.49, cups, perl, ucups, and zfs.
Given the critical nature of these vulnerabilities, it is highly recommended for users of Oracle products to apply these updates promptly to mitigate potential security risks.
Exim
The development team of the Exim mail server has issued a security update addressing the final three out of six zero-day vulnerabilities that were disclosed as part of the Zero Day Initiative (ZDI). The three most critical vulnerabilities among these were initially patched in early October.
With this latest update, all six vulnerabilities originally identified by researchers in the ZDI have now been remediated. Additionally, Exim has announced the deprecation of all previous versions of the Exim server. As a result, only the current version, 4.96.2, is officially supported going forward. This decision underscores the importance of updating to the latest version for enhanced security and support.
SysAid
Cl0p ransomware operators have launched a significant new campaign targeting customers of SysAid, an IT management software provider. SysAid is alerting its customers about a critical vulnerability, CVE-2023-47246, which is being actively exploited by ransomware groups.
The zero-day exploit was initially detected by Microsoft’s threat analysis team, who promptly informed SysAid about the ongoing attacks. SysAid confirmed that its on-premises software was impacted by this vulnerability, characterized as a path traversal issue that leads to Remote Code Execution (RCE). SysAid became aware of the zero-day on November 2. By November 8, they announced the release of version 23.3.36, specifically designed to address this vulnerability. Alongside this fix, SysAid has also provided details about the attacks they observed, along with Indicators of Compromise (IoCs) and advisories.
Microsoft has linked CVE-2023-47246 to the activities of Lace Tempest (also known as DEV-0950), a threat actor whose operations are associated with the FIN11 and TA505 groups, both known for using Cl0p ransomware. Microsoft had previously connected this operator to the widespread exploitation of the MOVEit Transfer zero-day, which affected over 2,500 organizations. In the recent attacks on SysAid, the hackers leveraged IT support software to deploy MeshAgent and GraceWire, typically followed by lateral movement within networks, data theft, and ransomware deployment. SysAid also noted that the attackers used a PowerShell script to erase traces and evidence from the targeted servers.
CVSS 4.0
Over eight years after the release of CVSS v3.0 and eighteen years since the debut of its first version in February 2005, FIRST (Forum of Incident Response and Security Teams) has launched the Common Vulnerability Scoring System (CVSS) 4.0. This update, involving more than 650 organizations from over 100 countries, was initially introduced at the 35th Annual Conference in Montreal in June, representing a significant evolution for the cyber sector.
CVSS 4.0 aims to address previous ambiguities in severity ratings of vulnerabilities. It enhances the standard by offering more detailed baseline granularity for users, clarifying the assessment of different levels, and improving the evaluation of environment-specific security requirements and compensating controls.
This latest version of CVSS introduces additional metrics for vulnerability assessment, such as security (S), automation (A), recovery (R), value density (V), response effort (RE), and vendor urgency (U). A notable improvement in CVSS v4.0 is its expanded applicability to Operational Technology (OT), Industrial Control Systems (ICS), and the Internet of Things (IoT), with added security metrics and values in both the additional and environmental metrics groups.
The CVSS standard is designed to identify the essential characteristics of security vulnerabilities and generate a numerical rating reflecting their technical severity, serving as information and guidance rather than a prioritization decision on its own. FIRST emphasizes that CVSS is not merely a base score but also a qualitative severity rating (e.g., low, medium, high, critical). FIRST recommends complementing the CVSS base score with environmental analysis and with attributes that may evolve over time (such as threat indicators), which helps organizations prioritize their vulnerability management processes and strengthen their defenses against cyber-attacks. This update introduces a new nomenclature for calculating CVSS scores, covering the combinations Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE).
The release of CVSS 4.0 marks a substantial advancement, equipping teams with enhanced capabilities vital for precise assessment using threat analysis and environmental indicators.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.