In this week’s urgent updates, Apple and VMware issued updates for zero-day flaws currently under attack, and researchers detected a rise in attacks on unpatched Apache and Atlassian Confluence servers. Meanwhile, the release of proof-of-concept code starts the countdown to attack on other critical vulnerabilities, including Cisco Enterprise Communication, Fortra GoAnywhere, and GitLab.
Patch management and vulnerability management remain critical, but they assume that other fundamental requirements, such as asset management, remain in place. “The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,” noted Brian Contos, CSO of Sevco Security. “The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory.”
Continue reading below to learn more about this week’s vulnerabilities, but don’t forget to double-check IT asset inventories for accuracy.
January 19, 2024
Critical VMware vCenter Server Zero-Day Under Attack Since 2021
Type of vulnerability: Remote code execution (RCE) vulnerability.
The problem: Mandiant revealed possible 2021 exploitation by Chinese espionage attackers for CVE-2023-34048, an out-of-bounds weakness in protocol implementation first publicly reported in October 2023. Mandiant discovered that the VMware Directory Service crashes just prior to the attackers’ backdoor installations enabled by RCE.
The flaw requires no user interaction and affects all versions of VMware’s vSphere product except the very latest versions. Evidence of backdoors installed through this attack may be present in log files, but unless an organization retains extensive log files, there may be no way to rule out compromise.
The fix: Update to the latest version of vSphere as recommended by VMware. There are no known workarounds.
January 22, 2024
Apple Fixes 16 Vulnerabilities, Including Exploited Zero Days
Type of vulnerability: A type confusion issue enables arbitrary code execution (ACE) attacks.
The problem: Apple addressed multiple vulnerabilities, but zero-day vulnerability CVE-2024-23222 leads the list. Although added to the known exploited vulnerability catalog, experts believe attackers used the WebKit vulnerability primarily on specific targets.
The fix: Update to the latest version of the Apple operating system, which is also made available to some older iOS and iPadOS versions.
Critical Apache ActiveMQ Vulnerability Under Active Attack
Type of vulnerability: RCE vulnerability.
The problem: Trustwave reported a surge in Godzilla Webshell attacks concealed within unknown binary format files. Unpatched ActiveMQ instances still vulnerable to CVE-2023-46604 (which enabled ransomware attacks last November) will compile and execute the unknown binary and enable attackers to execute many different types of attacks.
The fix: Deploy the Apache security upgrades available since November 2023.
Attackers Prey Upon Outdated Atlassian Confluence Servers
Type of vulnerability: RCE vulnerability.
The problem: Atlassian disclosed the critical-severity RCE vulnerability, CVE-2023-22527, in Confluence Server and Data Center on January 16, 2024 and noted that only outdated versions would be affected. By January 22, the Shadowserver research team reported over 600 IP addresses testing for unpatched vulnerabilities. Soon after, DFIR publicized that following any success, some attackers will immediately attempt a cryptojacking exploit.
The fix: Update ASAP to the latest versions of Confluence Data Center or Confluence Data Center and Server.
January 23, 2024
POC Released, 96% of Fortra GoAnywhere MFT Still Vulnerable
Type of vulnerability: Authentication bypass vulnerability that can be used to create new admin users on exposed admin portals.
The problem: Fortra disclosed CVE-2024-0204, a critical vulnerability with a CVSS score rated 9.8/10, to the public on January 23rd after issuing patches and notifying customers on December 7, 2023. Customers concerned about exploitation should analyze the admin user group for new or unknown users.
Tenable estimates that more than 96% of GoAnywhere MFT instances remain unpatched after one month of patch availability. Unfortunately for those organizations, the Horizon3 research team released a proof of concept and exploit code, which starts the clock for aggressive attack.
The fix: Apply the patches released in December 2023 ASAP. Additionally, Fortra recommends a four-step remediation process:
- Delete the affected InitialAccountSetup.xhtml file
- Restart services
- Create an empty InitialAccountSetup.xhtml file
- Restart services
January 24, 2024
5,300 Internet Exposed GitLab Accounts Remain Vulnerable to Takeover
Type of vulnerability: Account takeover from password-reset emails sent to unverified email addresses.
The problem: GitLab issued a critical advisory and patch on January 11, 2024 to publicize the fix and CVE-2023-7028, which carries the maximum 10/10 CVSS score. As of January 24th, Shadowserver researchers still detected 5,300 older and internet-exposed GitLab accounts.
The fix: GitLab recommends immediate patching, which will also fix three other vulnerabilities. However, the flaw does not bypass two-factor authentication (2FA), so implementation of MFA can provide initial remediation.
To check for potential exploitation, GitLab recommends checking internal files:
- gitlab-rails/production_json.log: Look for HTTP requests to the /users/password path with multiple email addresses in a JSON array.
- gitlab-rails/audit_json.log: Look for PasswordsController#create meta.caller.id entries where target_details include multiple email addresses in a JSON array.
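The two log checks above, as an added example that is not part of the original article or GitLab's own tooling: a Python script that scans constructed sample lines shaped like gitlab-rails/production_json.log and gitlab-rails/audit_json.log and flags password-reset requests whose email field is a JSON array with more than one address. The JSON field layout (params as key/value pairs, target_details as a string) and the IP addresses are assumptions for illustration; the caller id key is accepted in both the page's spelling and the underscore form.

```python
import json

# Constructed sample lines (not real captures); one benign reset, one with two emails.
PRODUCTION_LOG = r"""
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"203.0.113.5"}
{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","params":[{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/users/sign_in","controller":"SessionsController","action":"new","params":[],"remote_ip":"203.0.113.5"}
"""

AUDIT_LOG = r"""
{"meta.caller_id":"PasswordsController#create","target_details":"alice@example.com","ip_address":"203.0.113.5"}
{"meta.caller_id":"PasswordsController#create","target_details":"[\"victim@example.com\",\"attacker@example.net\"]","ip_address":"198.51.100.7"}
"""


def _emails(value):
    """Normalise an email field (plain string, list, or JSON-encoded list) to a list."""
    if isinstance(value, list):
        return list(value)
    if isinstance(value, str):
        try:
            decoded = json.loads(value)
            if isinstance(decoded, list):
                return decoded
        except ValueError:
            pass
        return [value]
    return []


def suspicious_reset_requests(log_text):
    """production_json.log: POST /users/password where user.email holds more than one address."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        entry = json.loads(line)
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            if param.get("key") == "user" and isinstance(param.get("value"), dict):
                emails = _emails(param["value"].get("email", []))
                if len(emails) > 1:
                    hits.append((entry.get("remote_ip"), emails))
    return hits


def suspicious_audit_events(log_text):
    """audit_json.log: PasswordsController#create events whose target_details is a multi-email array."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        entry = json.loads(line)
        caller = entry.get("meta.caller_id") or entry.get("meta.caller.id")
        if caller != "PasswordsController#create":
            continue
        emails = _emails(entry.get("target_details", ""))
        if len(emails) > 1:
            hits.append((entry.get("ip_address"), emails))
    return hits
```

Run both functions over the real log files and treat any hit as a reason to audit that account and rotate its credentials.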
Jenkins Command Line Vulnerability Permits RCE
Type of vulnerability: Arbitrary file read vulnerability that can allow RCE.
The problem: The research team at Sonar announced CVE-2024-23897, a critical vulnerability in the Jenkins continuous integration/continuous delivery (CI/CD) automation software, whose command line interface automatically replaces “@” characters followed by a file path with the contents of the file at that path. Attackers can use this feature to read arbitrary files, delete items from Jenkins, or execute code remotely.
Sonar also discovered a similar high severity cross-site WebSocket hijacking vulnerability that also uses the command line to execute ACE attacks if a victim clicks a link. Researchers published proof of concept code on GitHub on January 28, 2024, so attacks should begin shortly.
The fix: Update to Jenkins 2.442 (or LTS 2.426.3), which disables the “@” character feature. As a workaround, older versions of Jenkins can disable access to the command line interface.
January 25, 2024
Cisco Enterprise Communication Software Critical RCE Vulnerability
Type of vulnerability: RCE attacks that possibly establish root access.
The problem: Cisco announced CVE-2024-20253, with a CVSS score of 9.9/10, within the Unified Communications and Contact Center Solutions (UC/CC) that provide integrated voice, video, and messaging services.
The fix: Cisco primarily recommends application of the free software updates for potentially vulnerable products. While no workarounds exist, access control lists may be established on intermediary devices to restrict access to the specific ports for deployed services and mitigate attacks on vulnerable systems.
WatchGuard EPDR, Panda Dome, & Panda AD360 Driver Vulnerabilities
Type of vulnerability: Sophos researchers discovered three vulnerabilities: pool memory corruption, out-of-bounds-read, and arbitrary read.
The problem: WatchGuard confirmed these three vulnerabilities in WatchGuard Endpoint Protection, Detection, and Response (EPDR), Panda Dome, and Panda Adaptive Defense 360. The pool memory corruption vulnerability, CVE-2023-6330 (CVSS 6.4), does not authenticate registry information, which could lead to kernel memory pool overflow, denial of service conditions, and possibly ACE with system-level privileges.
Similarly, out-of-bounds vulnerability CVE-2023-6331 (CVSS 6.4) can create a denial of service condition and allow ACE with system-level privileges. The lower risk arbitrary read vulnerability CVE-2023-6332 (CVSS 4.1) could allow users with admin privileges to leak data from kernel memory.
The fix: Although these flaws are not high severity, attackers will find the potential denial of service attacks attractive because they could disable local endpoint protection. WatchGuard recommends updating to the most recent versions of the products to eliminate the vulnerabilities.