The past week has been an eventful one for cybersecurity vulnerabilities, from record DDoS attacks and three Microsoft zero-days to vulnerabilities in Linux, Apple, Citrix, and other widely used technologies.
About the only good news last week was that a much-hyped heap buffer overflow vulnerability in the widely used Curl file transfer tool turned out to be not as bad as feared, and reports of a possible zero day in the Signal encrypted messaging app turned out to be just a rumor.
We cover all those vulnerabilities and more below. Together, they underscore the importance of patching — while acknowledging that prioritizing patches and inventorying all IT assets remain major challenges for even the best IT teams.
October 9, 2023
D-Link WiFi range extender susceptible to command injection attacks
Type of attack: The vulnerability is a combination of a Denial of Service (DoS) attack and a Remote Command Injection attack.
The problem: The main problem with the D-Link DAP-X1860 WiFi 6 range extender is its susceptibility to a vulnerability (CVE-2023-45208) that allows attackers to execute remote commands and perform DoS attacks. Specifically, the extender fails to properly parse SSIDs containing a single tick (') in the name, misinterpreting it as a command terminator. This flaw, reported by Germany-based Red Team Pentesting, allows attackers to inject malicious shell commands, leading to unauthorized remote access and potential control over the device. All processes on the extender, including injected commands, are executed with root privileges, making it a significant security concern.
The fix: The vendor (D-Link) has not yet released a fix for the vulnerability despite being notified by the researchers. Users of D-Link DAP-X1860 extenders are advised to take precautions, such as limiting manual network scans, being suspicious of sudden disconnections, and turning off the extender when not in use. Additionally, isolating IoT devices and range extenders on a separate network from sensitive devices can help mitigate potential risks until a proper fix is provided by the vendor.
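The root cause described above is a classic one: an attacker-controlled string (the SSID) is spliced into a shell command, so a single quote ends the quoted argument early. The following Python is an added example written here for illustration; it is not D-Link's firmware code. It shows the two safe patterns a defender would want in place of string splicing: handing the SSID to the program as its own argv element with no shell involved, or, where a shell line is unavoidable, quoting it with shlex.quote so an embedded single quote stays data. The tool name "wifi-tool" and its "connect --ssid" arguments are hypothetical, and the sample SSIDs are constructed.

```python
"""Handling an untrusted Wi-Fi SSID before it reaches a system command.

Added example, written as a defensive illustration; it is not D-Link's
firmware code.  An SSID is attacker-chosen input (anyone within radio range
can broadcast one), so it must never be spliced into a shell command string.
The helpers below show two safe patterns: pass the SSID as its own argv
element with no shell involved, or, where a shell line is unavoidable, wrap
it with shlex.quote so a single quote inside the name stays data.  The tool
name "wifi-tool" and its "connect --ssid" arguments are hypothetical.
"""
import shlex
from typing import List

MAX_SSID_OCTETS = 32  # IEEE 802.11 limit on SSID length


def validate_ssid(ssid: str) -> bool:
    """Reject SSIDs that are empty, over 32 octets, or carry control characters.

    A single quote is allowed: it is a legal SSID character and the safe
    patterns below make it harmless.  Control characters (newline, NUL, ...)
    are rejected because they break log lines and many parsers.
    """
    raw = ssid.encode("utf-8", errors="strict")
    if not 1 <= len(raw) <= MAX_SSID_OCTETS:
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in ssid)


def build_argv(ssid: str) -> List[str]:
    """Safe pattern 1: argv list for subprocess.run(argv) with shell=False.

    Each element is delivered to the program as one argument, so no shell
    ever interprets quotes, semicolons or backticks inside the SSID.
    """
    if not validate_ssid(ssid):
        raise ValueError(f"invalid SSID: {ssid!r}")
    return ["wifi-tool", "connect", "--ssid", ssid]


def build_shell_line(ssid: str) -> str:
    """Safe pattern 2: a shell command line with the SSID quoted by shlex.quote.

    shlex.quote wraps the value in single quotes and rewrites any embedded
    single quote as '"'"' so the shell treats the whole thing as one word.
    """
    if not validate_ssid(ssid):
        raise ValueError(f"invalid SSID: {ssid!r}")
    return "wifi-tool connect --ssid " + shlex.quote(ssid)


def shell_line_round_trips(ssid: str) -> bool:
    """Check that parsing the quoted line yields exactly the intended argv."""
    return shlex.split(build_shell_line(ssid)) == build_argv(ssid)


if __name__ == "__main__":
    # Constructed sample SSIDs: a plain one, one with the single tick the
    # D-Link extender mishandled, and one with a newline that must be rejected.
    for sample in ["HomeNetwork", "Cafe O'Brien", "bad\nname"]:
        if not validate_ssid(sample):
            print(f"{sample!r}: rejected")
            continue
        print(f"{sample!r}: argv={build_argv(sample)}")
        print(f"{' ' * len(repr(sample))}  shell={build_shell_line(sample)}")
        print(f"{' ' * len(repr(sample))}  round-trip ok={shell_line_round_trips(sample)}")
```

The round-trip check is the useful part for review: if shlex.split of the quoted line does not give back the same argv as the list form, the quoting is wrong and the name is being reinterpreted by the shell.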
Remote Code Execution Threatens GNOME Linux Systems Through File Downloads
Type of attack: A Remote Code Execution (RCE) vulnerability (CVE-2023-43641) was found in the libcue library, a component integrated into the Tracker Miners file metadata indexer used in Linux distributions that run GNOME, such as Fedora and Ubuntu.
The problem: A memory corruption vulnerability in the open-source libcue library was reported by the GitHub Security Lab. This library parses cue sheet files and is incorporated into the Tracker Miners file metadata indexer, included by default in the most recent GNOME desktop environment releases. Tracker Miners can be fooled into processing a maliciously crafted CUE file when it automatically scans downloaded files to refresh the search index on GNOME Linux devices. This parsing procedure could allow libcue’s memory corruption weakness to be exploited, allowing attackers to execute arbitrary code on the vulnerable Linux machine. The bug allows for a 1-click RCE attack by requiring a user only to mistakenly download and open a specially crafted .CUE file.
Mirai DDoS malware version adds 13 router vulnerabilities to its list of targets
Type of attack: DDoS (Distributed Denial of Service) attack
The problem: The IZ1H9 DDoS botnet, based on Mirai, targets routers from various manufacturers such as D-Link, Zyxel, TP-Link, and TOTOLINK; in all, Fortinet found about 30 vulnerabilities targeted across 9 product families. The botnet compromises these devices and enlists them in its DDoS swarm by exploiting several vulnerabilities in them. Once infiltrated, these devices are used to perform DDoS assaults against specific targets as instructed by the botnet’s operators. Because of the botnet’s capacity to target a broad variety of devices and vulnerabilities, it poses a substantial danger capable of delivering enormous DDoS assaults.
The fix: Users are advised to promptly apply patches and updates and to always change default credentials.
October 10, 2023
Record DDoS Attacks Traced to HTTP/2 Flaw, Hits All Web Servers
Type of attack: DDoS attacks more than five times larger than the previous record were jointly revealed by Cloudflare, Google and AWS.
The problem: A vulnerability in the HTTP/2 protocol dubbed “Rapid Reset” that affects almost all web servers and tracked as CVE-2023-44487 was blamed for the attacks.
The fix: More than 100 advisories and patches have been issued so far and can be found in the CVE listing. For full coverage, see ‘Rapid Reset’ DDoS Attack Hits HTTP/2 Web Servers.
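Beyond patching, operators want a way to see Rapid Reset behaviour in their own HTTP/2 telemetry: in the attack a client opens a stream with HEADERS and cancels it with RST_STREAM almost immediately, over and over, so the reset rate per connection is far above anything a normal client produces. The detector below is an added example, not code from Cloudflare, Google or AWS; it keeps a sliding one-second window of RST_STREAM frames per connection and flags any connection that exceeds a threshold. The frame-event format, the threshold and the sample traffic are all constructed for the example.

```python
"""Flagging HTTP/2 'Rapid Reset' behaviour from frame-level telemetry.

Added example; not from Cloudflare, Google or AWS.  In a Rapid Reset flood a
client opens a stream (HEADERS) and immediately cancels it (RST_STREAM), so
the number of requests a connection starts per second far exceeds what the
stream concurrency limit was meant to allow.  The detector keeps a sliding
window of RST_STREAM timestamps per connection and flags connections that
exceed a threshold.  The event format, threshold and traffic are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

RST_THRESHOLD = 50      # resets per window before a connection is flagged (assumed value)
WINDOW_SECONDS = 1.0    # sliding window length

Event = Tuple[float, str, str]  # (timestamp_s, connection_id, frame_type)


def constructed_events() -> List[Event]:
    """Constructed telemetry: one benign client and one Rapid Reset client."""
    events: List[Event] = []
    # Benign client: 20 requests over four seconds, each answered normally.
    for i in range(20):
        t = 100.0 + i * 0.2
        events.append((t, "conn-benign", "HEADERS"))
        events.append((t + 0.05, "conn-benign", "DATA"))
    # Abusive client: 200 streams opened and reset within 1 ms each,
    # all inside a single second.
    for i in range(200):
        t = 100.0 + i * 0.004
        events.append((t, "conn-flood", "HEADERS"))
        events.append((t + 0.001, "conn-flood", "RST_STREAM"))
    events.sort(key=lambda e: e[0])
    return events


class RapidResetDetector:
    def __init__(self, threshold: int = RST_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._resets: Dict[str, Deque[float]] = defaultdict(deque)
        self._headers: Dict[str, int] = defaultdict(int)
        self._reset_total: Dict[str, int] = defaultdict(int)
        self.flagged: Dict[str, float] = {}  # connection id -> time first flagged

    def observe(self, ts: float, conn_id: str, frame_type: str) -> bool:
        """Feed one frame; return True if the connection is (now) flagged."""
        if frame_type == "HEADERS":
            self._headers[conn_id] += 1
            return conn_id in self.flagged
        if frame_type != "RST_STREAM":
            return conn_id in self.flagged
        self._reset_total[conn_id] += 1
        q = self._resets[conn_id]
        q.append(ts)
        # Drop resets that fell out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and conn_id not in self.flagged:
            self.flagged[conn_id] = ts
        return conn_id in self.flagged

    def summary(self) -> Dict[str, Tuple[int, int]]:
        """Per connection: (streams opened, streams reset) over the whole run."""
        conns = set(self._headers) | set(self._reset_total)
        return {c: (self._headers[c], self._reset_total[c]) for c in sorted(conns)}


def scan(events: List[Event], threshold: int = RST_THRESHOLD,
         window: float = WINDOW_SECONDS) -> Dict[str, float]:
    """Run the detector over an event list and return flagged connections."""
    det = RapidResetDetector(threshold, window)
    for ts, cid, ft in events:
        det.observe(ts, cid, ft)
    return det.flagged


if __name__ == "__main__":
    det = RapidResetDetector()
    for ts, cid, ft in constructed_events():
        det.observe(ts, cid, ft)
    for cid, (opened, reset) in det.summary().items():
        state = f"FLAGGED at t={det.flagged[cid]:.3f}" if cid in det.flagged else "ok"
        print(f"{cid:12} opened={opened:4} reset={reset:4}  {state}")
```

The threshold is deliberately a constant here; in practice it is tuned per service from observed reset rates, and the open/reset ratio from summary() is a second signal worth alerting on, since a legitimate client that cancels nearly every stream it opens is unusual.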
Microsoft Patch Tuesday Addresses 103 CVEs
Type of attack: Zero-days and other vulnerabilities.
The problem: Microsoft’s Patch Tuesday for October 2023 covers a total of 103 CVEs, including three zero-day vulnerabilities affecting WordPad, Skype and the HTTP/2 “Rapid Reset” DDoS vulnerability, plus 9 critical Layer 2 tunneling vulnerabilities.
The fix: The CVEs and associated patches are detailed in October 2023 Patch Tuesday Includes Three Zero-Days Flaws.
High-Risk Vulnerability in Citrix NetScaler Exposes Sensitive Data
Type of attack: A combination of vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway, leading to potential sensitive information disclosure and denial of service (DoS) attacks.
The problem: Two main issues were detected in Citrix NetScaler:
- CVE-2023-4966 (Sensitive Information Disclosure): This significant vulnerability causes Citrix NetScaler ADC and NetScaler Gateway equipment to disclose sensitive information. Although no specifics regarding the type of the exposed information were revealed, the defect potentially exposes important data. The vulnerability may be exploited remotely without requiring elevated access, human interaction, or a high level of complexity. The appliance must be configured as a Gateway or an AAA virtual server to be susceptible.
- CVE-2023-4967 (Denial of Service): This high-severity issue (CVSS score: 8.2) has the same configuration requirements and can cause a denial of service (DoS) on vulnerable devices.
The fix: Citrix patched these flaws by issuing updated versions of the affected products. The remedy entails applying security updates to the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-8.50, as well as subsequent 14.1 versions
- NetScaler ADC and NetScaler Gateway 13.1-49.15, as well as subsequent 13.1 versions
- NetScaler ADC and NetScaler Gateway 13.0-92.19, as well as subsequent 13.0 versions
- NetScaler ADC 13.1-FIPS 13.1-37.164 and subsequent 13.1-FIPS releases
- NetScaler ADC 12.1-FIPS 12.1-55.300 and subsequent 12.1-FIPS releases
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and subsequent 12.1-NDcPP releases
Version 12.1, which has reached its end of life (EOL), will no longer be maintained, so users are encouraged to update to a more recent, actively supported edition to guarantee continuous security.
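Turning the fixed-version list above into an inventory check is a small but error-prone task, because each branch (14.1, 13.1, 13.0) and variant (standard, FIPS, NDcPP) has its own first fixed build and the build numbers have to be compared numerically, not as strings. The Python below is an added example, not Citrix tooling; its table is copied from the versions listed above, and it assumes build numbers are supplied in the advisory's "<major>.<minor>-<build>.<sub>" notation. The hostnames in the sample inventory are constructed.

```python
"""Checking a NetScaler build number against the fixed versions for
CVE-2023-4966 / CVE-2023-4967.

Added example, not Citrix's own tooling.  The fixed-version table is taken
from the advisory as listed above; parsing assumes the advisory's
"<major>.<minor>-<build>.<sub>" notation (for example "13.1-49.15").  A
build at or above the fixed build for its branch and variant is reported as
"fixed", a lower build as "vulnerable", and a branch with no supported fix
(standard 12.1, which is EOL, or anything not in the table) as "unsupported".
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# (branch, variant) -> first fixed build, from the advisory text above.
FIXED_BUILDS: Dict[Tuple[str, str], str] = {
    ("14.1", "standard"): "14.1-8.50",
    ("13.1", "standard"): "13.1-49.15",
    ("13.0", "standard"): "13.0-92.19",
    ("13.1", "fips"): "13.1-37.164",
    ("12.1", "fips"): "12.1-55.300",
    ("12.1", "ndcpp"): "12.1-55.300",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Version]:
    """Turn '13.1-49.15' into (13, 1, 49, 15); None if the format is off."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor, build, sub)


def branch_of(version: Version) -> str:
    """'13.1' for (13, 1, 49, 15): the release train the fix table is keyed on."""
    return f"{version[0]}.{version[1]}"


def patch_status(installed: str, variant: str = "standard") -> str:
    """Return 'fixed', 'vulnerable', 'unsupported' or 'unparseable'."""
    v = parse_version(installed)
    if v is None:
        return "unparseable"
    fixed_text = FIXED_BUILDS.get((branch_of(v), variant.lower()))
    if fixed_text is None:
        return "unsupported"          # e.g. standard 12.1, which is EOL
    fixed = parse_version(fixed_text)
    assert fixed is not None          # table entries are well-formed by construction
    # Tuple comparison is numeric field by field, so 13.1-49.15 > 13.1-48.47
    # even though "48.47" sorts after "49.15" lexically in the last field.
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported build, variant)
    inventory = [
        ("gw-01", "13.1-49.15", "standard"),
        ("gw-02", "13.1-48.47", "standard"),
        ("gw-03", "14.1-8.50", "standard"),
        ("gw-04", "12.1-55.300", "standard"),          # 12.1 non-FIPS is EOL
        ("gw-05", "12.1-55.300", "FIPS"),
        ("gw-06", "NS13.0 Build 92.19", "standard"),   # not the expected notation
    ]
    for host, build, variant in inventory:
        print(f"{host:6} {build:20} {variant:9} -> {patch_status(build, variant)}")
```

A build-number check is only an inventory aid: as noted above, CVE-2023-4966 additionally requires the appliance to be configured as a Gateway or AAA virtual server, which this check does not look at, so the configuration still has to be reviewed separately.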
October 12, 2023
Curl vulnerability falls short of expectations
Type of attack: The Curl file transfer tool contains a high-severity vulnerability known as a “Heap Buffer Overflow,” which was identified as CVE-2023-38545. A heap buffer overflow is a type of software vulnerability where a program writes more data to a block of memory, or buffer, than it can hold.
The problem: A heap buffer overflow flaw in Curl’s SOCKS5 proxy protocol implementation causes this vulnerability. When software permits more data to be written to an allocated memory space than it can contain, a heap buffer overflow occurs. Overwriting contiguous memory areas can result in program crashes and, in certain situations, remote code execution (RCE) attacks.
The issue was first classified as a major threat; however, it was later discovered to have particular prerequisites for exploitation, making it less critical than previously thought. The issue only affects Curl clients that are configured to use a SOCKS5 proxy and have automatic redirections enabled.
The fix: The vulnerability was fixed in curl version 8.4.0 by addressing the heap buffer overflow in the SOCKS5 proxy protocol implementation. Users are advised to upgrade to patch the flaw and protect their systems from potential exploitation. The vulnerability required specific conditions, including SOCKS5 proxies and slow connections to the remote site. Security researchers and developers using SOCKS5 proxies for legitimate purposes were potential targets. The practical exploitation of the vulnerability was complex and required careful crafting.
Apple patches iOS Kernel zero-day vulnerability on older iPhones
Type of attack: Two vulnerabilities. The first, privilege escalation vulnerability CVE-2023-42824, allows local attackers to elevate privileges on vulnerable iPhones and iPads by exploiting a weakness in the XNU kernel. The second, heap buffer overflow vulnerability CVE-2023-5217, causes a heap buffer overflow within the VP8 encoding of the libvpx video codec library.
The problem: Privilege Escalation CVE-2023-42824 and Heap Buffer Overflow CVE-2023-5217 are vulnerabilities in the XNU kernel and libvpx video codec library respectively. The former allows local attackers to gain escalated privileges on iPhones and iPads, potentially compromising the entire system. The latter allows remote code execution, allowing attackers to run malicious code without user consent or knowledge. Both vulnerabilities are serious threats to system security.
The fix: Apple has addressed two vulnerabilities in its iOS and iPadOS software. The first, Privilege Escalation CVE-2023-42824, was fixed in iOS 16.7.1 and iPadOS 16.7.1 by improving checks in the XNU kernel. The second, Heap Buffer Overflow CVE-2023-5217, was addressed in the libvpx video codec library by releasing patches for iOS and iPadOS. These patches included security measures to prevent heap buffer overflows, preventing arbitrary code execution. Protection against both vulnerabilities requires users to update their devices to the latest versions, as regular software updates are crucial for protecting against known vulnerabilities and potential exploits.
Last week’s vulnerability recap can be found here: Weekly Vulnerability Recap – October 9, 2023 – Zero-Days Strike Android, Microsoft, Apple, Cisco & More