While the number of reported vulnerabilities sometimes decreases over the Christmas and New Year's holidays, active and potential exploits are no less threatening. During the past couple of weeks, Google has seen multiple vulnerabilities, including a zero-day in Chrome. SonicWall researchers discovered that an Apache patch was incomplete, still permitting authentication bypass in the open-source ERP software Apache OfBiz. And issues with Barracuda's Email Secure Gateway persist, with an FBI safety warning about an older vulnerability still outstanding.
Your IT and security teams should stay alert during the holidays, consistently patching known vulnerabilities and updating systems to the most recent software versions. We've compiled a list of recent vulnerabilities so your team can make any needed updates, including potential product removals.
December 22, 2023
Google Chrome Zero-Day Could Lead to Remote Code Execution
Type of attack: Zero-day remote code execution
The problem: Researchers on Google's threat analysis team found a zero-day vulnerability in WebRTC, the open-source real-time communication component that Chrome uses. The vulnerability is a severe heap buffer overflow that can lead to remote code execution, and Google has already seen it exploited in the wild.
The fix: Details of the fix are currently limited. On December 20, 2023, Google announced an update of the desktop stable channel to 120.0.6099.129, which was expected to roll out over the coming days and weeks.
December 24, 2023
Problems Continue for Barracuda’s Email Gateways
Type of attack: Arbitrary code execution
The problem: We've covered Barracuda's Email Secure Gateway vulnerabilities before, and now a new one is plaguing customers. The China-based threat actor group UNC4841 is suspected of exploiting Spreadsheet::ParseExcel, a third-party open-source Perl module. The threat actors delivered malicious Excel email attachments that exploited the module to attack ESG appliances.
The fix: On December 22, 2023, Barracuda deployed a patch to the exploited ESG appliances. When Barracuda released its security notice on December 24, no remediation or patch was yet available for CVE-2023-7101, the Spreadsheet::ParseExcel vulnerability, in the open-source library itself.
Barracuda ESG has been affected by previous vulnerabilities. In August 2023, the FBI recommended that customers remove their Barracuda ESG appliances altogether after Barracuda discovered a zero-day remote command injection vulnerability in them. Although Barracuda automatically rolled out patch BNSF-36456 to all exploited appliances in August, the FBI reported that the fix didn't work: even patched appliances could still be exploited. If your team doesn't already know, find out whether your appliances were compromised via CVE-2023-2868.
December 26, 2023
SonicWall Discovers Apache OfBiz Patch Was Incomplete
Type of vulnerability: Authentication bypass
The problem: SonicWall Capture Labs' threat research team discovered an authentication bypass vulnerability, tracked as CVE-2023-51467, in Apache OfBiz. Apache OfBiz is an open-source enterprise resource planning product that sits in the software supply chain of multiple other products, including Atlassian JIRA.
Apache had previously released a patch for CVE-2023-49070, a remote code execution vulnerability, but SonicWall's researchers found that the authentication bypass still existed in the patched version of OfBiz. According to SonicWall, an attacker who exploits the authentication bypass could expose sensitive data or execute arbitrary code.
The fix: SonicWall recommends that all Apache OfBiz users update their software to version 18.12.11. SonicWall also developed the IPS signature IPS:15949, which is designed to detect exploitation of the OfBiz vulnerability.
December 29, 2023
Google Kubernetes Engine Vulnerability Allows Attackers to Escalate Privileges
Type of vulnerability: Privilege escalation
The problem: According to Google, an attacker who has compromised a Fluent Bit logging container could combine that access with Anthos Service Mesh (ASM) privileges to escalate privileges in a Google Kubernetes Engine cluster. The ASM part of the chain is only relevant to clusters that have ASM enabled. Google released the initial vulnerability notice on December 14. Although Google isn't yet aware of any active exploitation, the vulnerability should be patched immediately.
The fix: Google recommends manually upgrading your Google Kubernetes Engine cluster to one of the following versions or later:
- 1.25.16-gke.1020000
- 1.26.10-gke.1235000
- 1.27.7-gke.1293000
- 1.28.4-gke.1083000
Also, for in-cluster Anthos Service Mesh, Google recommends a manual upgrade to one of the following versions:
- 1.17.8-asm.8
- 1.18.6-asm.2
- 1.19.5-asm.4
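Because the advisory lists a separate minimum version per minor release line, checking "one of the following or later" by hand is error-prone (a plain string comparison puts 1.27.10 before 1.27.7). The following Python script is an added example, not Google's tooling: it parses the GKE and ASM version strings quoted above, compares an installed version against the fixed version on the same minor line, and reports clusters that still need an upgrade. The sample cluster inventory at the bottom is constructed.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed versions from Google's advisory, as listed in the article.
GKE_FIXED = [
    "1.25.16-gke.1020000",
    "1.26.10-gke.1235000",
    "1.27.7-gke.1293000",
    "1.28.4-gke.1083000",
]
ASM_FIXED = ["1.17.8-asm.8", "1.18.6-asm.2", "1.19.5-asm.4"]

# Both GKE and in-cluster ASM versions share the shape MAJOR.MINOR.PATCH-<flavour>.BUILD
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(gke|asm)\.(\d+)$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int, int], str]:
    """Split '1.27.7-gke.1293000' into ((1, 27, 7, 1293000), 'gke').

    Integer tuples compare numerically, so 1.27.10 sorts after 1.27.7,
    which a string comparison would get wrong.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, flavour, build = match.groups()
    return (int(major), int(minor), int(patch), int(build)), flavour


def is_patched(installed: str, fixed_versions: List[str]) -> Optional[bool]:
    """Return True if `installed` is at or above the fixed version on its own
    minor line, False if it is older, and None if the advisory lists no fixed
    version for that minor line (for example an unsupported release)."""
    inst, flavour = parse_version(installed)
    for candidate in fixed_versions:
        fixed, fixed_flavour = parse_version(candidate)
        if fixed_flavour != flavour:
            raise ValueError(f"{installed} is a {flavour} version but {candidate} is {fixed_flavour}")
        if fixed[:2] == inst[:2]:  # same MAJOR.MINOR line
            return inst >= fixed
    return None


def assess_cluster(gke_version: str, asm_version: Optional[str] = None) -> List[str]:
    """Return human-readable findings for one cluster; an empty list means OK."""
    findings: List[str] = []
    for label, version, fixed in (("GKE", gke_version, GKE_FIXED), ("ASM", asm_version, ASM_FIXED)):
        if version is None:
            continue
        verdict = is_patched(version, fixed)
        if verdict is False:
            findings.append(f"{label} {version} is below the fixed version for its minor line; upgrade")
        elif verdict is None:
            findings.append(f"{label} {version} is on a minor line not covered by the advisory; check support status")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real clusters.
    for gke, asm in [("1.27.7-gke.1293000", "1.18.6-asm.2"),
                     ("1.27.6-gke.1506000", None),
                     ("1.24.17-gke.2266000", "1.18.5-asm.1")]:
        print(gke, asm, assess_cluster(gke, asm) or ["OK"])
```

Feed it the output of your cluster inventory (for example the versions reported by `gcloud container clusters list`) and treat both `False` and `None` verdicts as action items; `None` usually means the cluster is on a minor line old enough that no patched build exists for it.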
January 1, 2024
Windows Vulnerability Allows DLL Exploitation
Type of vulnerability: Bypassing high-privilege requirements to abuse trusted executables
The problem: Researchers from Security Joes discovered a code execution vulnerability in Windows 10 and 11 that abuses executables found in the normally trusted WinSxS folder.
The technique threat actors can use is Dynamic Link Library (DLL) search order hijacking. According to Security Joes, because the technique bypasses the high privilege requirements that would normally apply, a threat actor can use these executables to execute code in WinSxS and other Windows applications.
The fix: Security Joes recommends studying parent-child relationships between binaries, focusing particularly on trusted binaries, to find unusual processes that involve the WinSxS folder's binaries. Additionally, Security Joes suggests examining legitimate binaries within the WinSxS folder that create strange or unexpected child processes.
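The hunting guidance above translates directly into rules over process-creation telemetry. The Python below is an added example written for this article, not Security Joes' tooling: it runs three heuristics over a list of process events of the kind Sysmon or an EDR would record (a WinSxS binary started from a non-system working directory, a WinSxS binary launched by a non-system parent, and a WinSxS binary spawning a child from a non-system location). The first heuristic rests on the fact that the Windows DLL search order includes the current directory. The sample process tree, the component folder name and the file names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Locations Windows binaries are expected to live in and be launched from.
# Anything outside these roots is treated as potentially user-writable.
SYSTEM_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
WINSXS_ROOT = r"C:\Windows\WinSxS"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon/EDR event would carry)."""
    pid: int
    ppid: int
    image: str  # full path of the started executable
    cwd: str    # current directory the process was started with


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is root or lies inside root' check for Windows paths."""
    p = path.lower().replace("/", "\\").rstrip("\\")
    r = root.lower().replace("/", "\\").rstrip("\\")
    return p == r or p.startswith(r + "\\")


def _in_system_location(path: str) -> bool:
    return any(_under(path, root) for root in SYSTEM_ROOTS)


def find_winsxs_anomalies(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for events matching the hunting heuristics:
    WinSxS binaries with an unusual parent or working directory, and WinSxS
    binaries spawning children from non-system locations."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if _under(ev.image, WINSXS_ROOT):
            # The DLL search order includes the current directory, so a WinSxS
            # binary started from a user-writable directory is the classic
            # hijack setup and deserves a look.
            if not _in_system_location(ev.cwd):
                findings.append((ev.pid, f"WinSxS binary started with current directory {ev.cwd}"))
            if parent is not None and not _in_system_location(parent.image):
                findings.append((ev.pid, f"WinSxS binary launched by non-system parent {parent.image}"))
        if parent is not None and _under(parent.image, WINSXS_ROOT) and not _in_system_location(ev.image):
            findings.append((ev.pid, f"child of WinSxS binary {parent.image} runs from {ev.image}"))
    return findings


# Constructed sample process tree; the component folder and file names are
# placeholders, not real WinSxS component names.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, r"C:\Windows\System32\services.exe", r"C:\Windows\System32"),
    ProcEvent(1200, 400, r"C:\Windows\WinSxS\example_component_1.0\tool.exe", r"C:\Windows\System32"),
    ProcEvent(1500, 1, r"C:\Windows\explorer.exe", r"C:\Windows"),
    ProcEvent(2800, 1500, r"C:\Users\alice\Downloads\setup.exe", r"C:\Users\alice\Downloads"),
    ProcEvent(3100, 2800, r"C:\Windows\WinSxS\example_component_1.0\tool.exe", r"C:\Users\alice\Downloads"),
    ProcEvent(3200, 3100, r"C:\Users\alice\AppData\Local\Temp\payload.exe", r"C:\Users\alice\Downloads"),
]

if __name__ == "__main__":
    for pid, reason in find_winsxs_anomalies(SAMPLE_EVENTS):
        print(pid, reason)
```

On the sample tree, the WinSxS binary launched by services.exe from System32 (pid 1200) is silent, while the copy started by a downloaded installer from the Downloads folder (pid 3100) and its child in the user's Temp directory (pid 3200) are reported. In production, feed the function events from your SIEM and tune SYSTEM_ROOTS to match any non-default install locations you trust.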
Terrapin Attack Discovered by German Researchers
Type of vulnerability: Secure Shell vulnerability that enables prefix truncation attacks
The problem: Security researchers from Ruhr University Bochum in Germany found a Secure Shell (SSH) vulnerability that allows attackers to manipulate sequence numbers during the handshake and silently remove client or server messages. This prefix truncation attack is known as Terrapin. It downgrades the security of the connection, potentially weakening client authentication.
The fix: The researchers recommend updating SSH clients and servers so those systems are less vulnerable to prefix truncation attacks. The researchers also provided their contact information in the report.
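The practical question after "update your clients and servers" is how to verify an SSH endpoint's posture. The Python below is an added example for this article, not the researchers' scanner: it encodes and parses the SSH_MSG_KEXINIT message from the handshake (RFC 4253 section 7.1) and reports whether one peer offers the cipher/MAC modes Terrapin targets (ChaCha20-Poly1305, or any CBC cipher paired with an Encrypt-then-MAC MAC) and whether it advertises the strict key exchange countermeasure. The affected modes and the pseudo-algorithm names kex-strict-s-v00@openssh.com / kex-strict-c-v00@openssh.com come from the Terrapin disclosure and the OpenSSH 9.6 release, not from this article. Strict kex only takes effect when both peers advertise it, so assess each side's KEXINIT. The two sample KEXINITs are constructed.

```python
import struct
from typing import Dict, List

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
]

# Pseudo-algorithm names OpenSSH 9.6 uses to signal the strict kex
# countermeasure; a server advertises the -s- form, a client the -c- form.
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}
CHACHA = "chacha20-poly1305@openssh.com"


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = bytes(COOKIE_LEN)) -> bytes:
    """Encode a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return out


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode the name-lists from a KEXINIT payload, rejecting truncated input."""
    if len(payload) < 1 + COOKIE_LEN or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + COOKIE_LEN
    lists: Dict[str, List[str]] = {}
    for name in NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"truncated inside {name}")
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[name] = [item for item in raw.split(",") if item]
    return lists


def assess_terrapin(payload: bytes, role: str) -> Dict[str, bool]:
    """Summarise one peer's KEXINIT: does it offer the modes Terrapin targets,
    and does it advertise strict kex? `role` is the sender of this KEXINIT
    ('server' or 'client')."""
    lists = parse_kexinit(payload)
    ciphers = set(lists["encryption_algorithms_client_to_server"]) | set(lists["encryption_algorithms_server_to_client"])
    macs = set(lists["mac_algorithms_client_to_server"]) | set(lists["mac_algorithms_server_to_client"])
    offers_chacha = CHACHA in ciphers
    offers_cbc_etm = any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs)
    strict = STRICT_KEX[role] in lists["kex_algorithms"]
    affected = offers_chacha or offers_cbc_etm
    return {"offers_affected_modes": affected, "strict_kex": strict, "needs_attention": affected and not strict}


# Constructed sample KEXINITs: the algorithm names are real, the offers are made up.
PATCHED_SERVER = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", STRICT_KEX["server"]],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": [CHACHA, "aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": [CHACHA, "aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})
UNPATCHED_SERVER = build_kexinit({
    "kex_algorithms": ["curve25519-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["aes256-cbc", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["aes256-cbc", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})

if __name__ == "__main__":
    print("patched server:", assess_terrapin(PATCHED_SERVER, "server"))
    print("unpatched server:", assess_terrapin(UNPATCHED_SERVER, "server"))
```

To use it on real traffic, extract the decrypted KEXINIT payload (it is sent in the clear before encryption starts) from a packet capture of the handshake and pass it in with the role of the sender. A peer that offers affected modes but no strict kex still needs an update, and an endpoint that advertises strict kex is only protected on connections where the other side does too.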