A surge of critical vulnerabilities and zero-day exploits has made for a very busy week in IT security, affecting a range of tech giants like Atlassian, Cisco, Apple, Arm, Qualcomm and Microsoft.
Among the issues in the last week, Android and Arm faced actively exploited vulnerabilities in GPU drivers. Microsoft released urgent patches for Edge, Teams, and Skype. Ransomware gangs exploited a recently patched vulnerability in JetBrains’ TeamCity server, while Exim mail servers grappled with multiple zero-days, including remote code execution (RCE) issues. Major zero-day vulnerabilities were reported in Atlassian and Cisco tools, while Apple responded to its own zero-day issue. And Linux distributions and the TorchServe AI tool were confronted with major security flaws too.
October 2, 2023
Ransomware Targets JetBrains TeamCity RCE
Type of attack: Remote Code Execution (RCE) Attack, Authentication Bypass Vulnerability
The problem: Ransomware gangs exploited a recently patched critical vulnerability in JetBrains’ TeamCity continuous integration and deployment (CI/CD) server to launch ransomware attacks. This vulnerability, identified as CVE-2023-42793, can give unauthenticated attackers remote code execution (RCE) abilities without requiring user input by exploiting an authentication bypass flaw. The issue affects all TeamCity versions prior to the patched release in on-premises servers running Windows, Linux, macOS, or Docker. The flaw not only allows attackers to steal source code but also to acquire service secrets and private keys. Furthermore, attackers can inject malicious code into the build process, compromising the integrity of software releases and affecting downstream users.
The fix: To address this issue, TeamCity users should immediately update their servers to the most recent patched version (TeamCity 2023.05.4 or later), and examine and update their security configurations to prevent unauthorized access.
Targeted Attacks Exploit Arm’s Mali GPU Vulnerabilities
Type of attack: Remote code execution (RCE) vulnerability, Out-of-Bounds Write Weakness, and Information Disclosure vulnerability.
The problem: Arm has issued a security alert on CVE-2023-4211, an actively exploited vulnerability in its Mali GPU drivers. This issue affects several GPU kernel driver versions spanning many GPU architectures, including Midgard, Bifrost, Valhall, and Arm’s 5th Gen GPU architecture. Researchers from Google’s Threat Analysis Group (TAG) and Project Zero uncovered the weakness, which is connected to unauthorized access to freed memory, possibly allowing attackers to corrupt or change sensitive data. Arm also published two additional vulnerabilities, CVE-2023-33200 and CVE-2023-34970.
The fix: Arm patched the issue for Bifrost, Valhall, and Arm 5th Gen GPU architectures on March 24, 2023, by issuing a new kernel driver version named r43p0. However, because the Midgard GPU kernel driver is no longer supported, a fix for the CVE-2023-4211 issue may not be available. CVE-2023-33200 and CVE-2023-34970 affect Bifrost, Valhall, and Arm’s 5th Gen GPU architecture kernel driver versions up to r44p0. Upgrade to r44p1 or r45p0, which were published on September 15, 2023, to resolve these vulnerabilities.
Exim Mail Server Faces Multiple Zero-day Vulnerabilities
Type of attack: Remote code execution (RCE) vulnerability, out-of-bounds write weakness, information disclosure vulnerability, and other unpatched zero-day vulnerabilities.
The problem: Exim, a widely used mail server program, has been working to address vulnerabilities first reported in late September. CVE-2023-42115, a Remote Code Execution (RCE) vulnerability caused by an Out-of-bounds Write in Exim’s SMTP service, allows remote unauthenticated attackers to execute code in the context of the service account. The root cause is insufficient validation of user-supplied data, resulting in a buffer overflow.
The fix: Exim patched an RCE flaw (CVE-2023-42114) and an information disclosure vulnerability (CVE-2023-42116). Several zero-day vulnerabilities, including those with varied severity levels (CVE-2023-42117, CVE-2023-42118, and CVE-2023-42119), remain unpatched. Users are encouraged to implement these updates as soon as possible and to evaluate server settings for potential vulnerability to other zero-day vulnerabilities.
October 3, 2023
Android’s October Update Addresses 54 Vulnerabilities
Type of attack: Buffer Overflow Vulnerability, Use-After-Free Memory Issue, Remote Code Execution Vulnerabilities
The problem: Google has released the Android security patches for October 2023, which address 54 vulnerabilities, including two actively exploited weaknesses:
- CVE-2023-4863 is a buffer overflow vulnerability in the widely used open-source library libwebp, which affects a wide range of software, including browsers such as Chrome and Firefox as well as Microsoft Teams.
- CVE-2023-4211 is an actively exploited vulnerability that affects different versions of the Arm Mali GPU drivers in Android devices. It’s a use-after-free memory bug that might allow attackers to access or change sensitive data locally.
The fix: To resolve these vulnerabilities, Android users are strongly encouraged to apply the October 2023 security update. The update contains 13 fixes for the Android Framework, 12 for System components, and updates for other components such as Arm and Qualcomm.
To allow device makers to deploy updates relevant to their hardware models more quickly, Google implements a two-tier patch system, with the first level focused on core Android components and the second addressing the kernel and closed-source components. Users of older Android systems should consider upgrading to newer models or adopting third-party Android versions that provide security upgrades for their devices.
AI Servers Vulnerable to Code Execution Due to ShellTorch Flaws
Type of attack: Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), Java Deserialization Vulnerability
The problem: Critical vulnerabilities known as ‘ShellTorch’ in Meta and Amazon’s TorchServe AI model-serving tool compromise thousands of internet-exposed servers, including those used by major enterprises.
- The first flaw stems from an unauthenticated management interface API misconfiguration, which exposes the web panel to external queries and allows any user to submit malicious models.
- The second vulnerability is an SSRF hole (CVE-2023-43654) in the API that allows all domains by default, possibly leading to RCE if exploited as part of a bug chain.
- The third vulnerability (CVE-2022-1471) is a Java deserialization issue caused by unsafe deserialization in the SnakeYAML library, which allows attackers to perform RCE with a malicious YAML file.
The fix: Users should upgrade to TorchServe 0.8.2, published on August 28, 2023. This release adds a warning for the SSRF problem, resolving the danger from CVE-2023-43654. Amazon has issued mitigation instructions to customers that use Deep Learning Containers (DLC) in EC2, EKS, or ECS that are impacted by this vulnerability. Oligo also launched a free checker tool to assist administrators in determining whether their instances are vulnerable to ShellTorch attacks and taking the appropriate security measures.
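As an added example (not from the article or the TorchServe project), the following script audits a TorchServe config.properties file for the two settings behind the first two ShellTorch issues described above: a management API bound to a non-loopback address, and an allowed_urls pattern that accepts model archives from any host. The key names management_address and allowed_urls and their defaults are TorchServe’s own; both sample configs and the internal hostname are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape the article describes: management API reachable on all
# interfaces, plus the default allowed_urls, which accepts model archives from any host.
SAMPLE_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Constructed hardened counterpart: loopback-only management API, models only from
# local files or one internal HTTPS host (the hostname is a placeholder).
HARDENED_CONFIG = """\
inference_address=http://127.0.0.1:8080
management_address=http://127.0.0.1:8081
allowed_urls=file://.*|https://models\\.example\\.internal/.*
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_properties(text: str) -> dict:
    """Parse Java-style key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_open_url_pattern(pattern: str) -> bool:
    """True if any '|'-separated alternative lets an http(s) URL on any host through."""
    for alt in pattern.split("|"):
        alt = alt.strip()
        if alt.startswith(("http(s)?://", "https?://", "http://", "https://")):
            if alt.split("://", 1)[1] in (".*", ".+", ""):
                return True
    return False

def audit_torchserve(props: dict) -> list:
    """Return findings for the two ShellTorch-related settings; empty means both are safe."""
    findings = []
    # TorchServe's documented default for management_address is loopback.
    mgmt_host = urlsplit(props.get("management_address", "http://127.0.0.1:8081")).hostname or ""
    if mgmt_host not in LOOPBACK_HOSTS:
        findings.append(f"management_address listens on {mgmt_host!r}: bind it to "
                        "127.0.0.1 or front it with authentication")
    # TorchServe's documented default for allowed_urls accepts any http(s) source.
    if is_open_url_pattern(props.get("allowed_urls", "file://.*|http(s)?://.*")):
        findings.append("allowed_urls accepts model archives from any host: "
                        "restrict it to file:// and trusted internal URLs")
    return findings
```

Note that an empty config produces one finding, because the allowed_urls default alone is already the permissive case.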
Qualcomm Warns of Actively Exploited Zero-Days
Type of attack: Zero-Day Vulnerabilities, Locally and Remotely Exploitable Flaws
The problem: Qualcomm has revealed three zero-day vulnerabilities in its GPU and Compute DSP drivers that are being actively exploited by hackers. These vulnerabilities have been monitored as CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 by Google’s Threat Analysis Group (TAG) and Project Zero teams. Qualcomm has not specified the actively exploited vulnerabilities, but further information is expected in its December 2023 bulletin.
The fix: Qualcomm device owners should deploy security upgrades as soon as they become available through OEM channels. In addition to the actively exploited vulnerabilities, Qualcomm’s security warning mentions three other significant vulnerabilities, each with a different consequence, such as memory corruption and cryptographic issues.
While the CVE-2023-24855, CVE-2023-28540, and CVE-2023-33028 issues have not been publicly exploited, they are remotely exploitable and should be treated seriously. Users are advised to use caution when installing programs and to acquire them only from reputable sources.
Microsoft Addresses Zero-Day Exploits in Edge and Teams
Type of attack: Heap Buffer Overflow Vulnerabilities, Zero-Day Exploits
The problem: Microsoft has released emergency security fixes for Edge, Teams, and Skype because of two zero-day vulnerabilities in open source libraries on which they rely. CVE-2023-4863 and CVE-2023-5217 are vulnerabilities that can cause crashes or arbitrary code execution. Although precise attack details have not been released, the flaws were reported by credible research organizations such as Google’s Threat Analysis Group and Citizen Lab. These weaknesses affect widely used programs and services, including web browsers such as Safari, Firefox, and Microsoft Edge, popular apps such as 1Password and Signal (CVE-2023-4863), and video players and streaming services such as Netflix and YouTube (CVE-2023-5217).
The fix: Microsoft has issued fixes to address the two open source software security issues. To obtain the security update for Webp Image Extensions, users must have automatic updates enabled in the Microsoft Store.
October 4, 2023
Apple Releases Emergency Updates for Zero-Day Vulnerabilities
Type of attack: Zero-Day Vulnerabilities, Privilege Escalation, Heap Buffer Overflow
The problem: Apple has released emergency security fixes to address two zero-day vulnerabilities that have been exploited in attacks. Local attackers were able to elevate privileges on unpatched iPhones and iPads due to CVE-2023-42824, a privilege escalation vulnerability in the XNU kernel. This flaw affected a variety of Apple products, including the iPhone XS and later, iPad Pro models, iPad Air, iPad, and iPad mini. CVE-2023-5217 is a heap buffer overflow bug in the libvpx video codec library’s VP8 encoding that might allow arbitrary code execution. While Apple has not reported it being exploited in the wild, Google and Microsoft have previously patched it in their products.
The fix: Apple advises consumers to upgrade their devices as soon as possible in order to protect themselves from these vulnerabilities. Published patches for iOS 17.0.3 and iPadOS 17.0.3 address CVE-2023-42824 and provide better security checks, and Apple has published a patch for CVE-2023-5217 to prevent arbitrary code execution. The iOS 17.0.3 update also fixes an issue that caused certain iPhones to overheat when running iOS 17.0.2 or earlier.
Atlassian Confluence Zero-Day Patched After Exploits
Type of attack: A critical zero-day vulnerability, identified as CVE-2023-22515, affects Atlassian’s Confluence Data Center and Server software, allowing external attackers to perform unauthorized operations.
The problem: The zero-day vulnerability creates a major risk since it allows external attackers to exploit previously undiscovered flaws in Confluence Data Center and Server installations that are publicly accessible. Attackers might get full access to Confluence instances by creating unauthorized administrator accounts. The bug was defined as remotely exploitable, which means that attackers may exploit it without requiring user input.
The fix: Atlassian responded with key security upgrades. Customers running impacted Confluence Data Center and Server versions were strongly encouraged to upgrade to patched versions as soon as possible, including 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. If a compromise is discovered, immediate action is required, such as shutting down and disconnecting impacted servers from the network and analyzing possibly shared user bases or common passwords with hacked systems.
Cisco Emergency Responder Vulnerability
Type of attack: The vulnerability in Cisco Emergency Responder (CER) version 12.5(1)SU4 is characterized by hard-coded root credentials, allowing attackers to easily log in to unpatched systems.
The problem: This vulnerability allows unauthenticated attackers to gain access to targeted devices through the root account, which contains default, unchanging credentials intended for development purposes. As a result, attackers might leverage this issue to gain access to vulnerable systems and execute arbitrary commands as the root user.
The fix: Administrators are advised to update their vulnerable installations as soon as possible. Unfortunately, no temporary fixes are available to address this security problem. At the time of the warning, Cisco’s Product Security Incident Response Team (PSIRT) had not identified any public disclosures or malicious exploitation associated with this vulnerability.
October 5, 2023
Linux ‘Looney Tunables’ Vulnerability Threat
Type of attack: Buffer Overflow Vulnerability, Local Privilege Escalation
The problem: CVE-2023-4911, also known as ‘Looney Tunables,’ is a new Linux vulnerability that allows local attackers to obtain root privileges. This flaw is caused by a buffer overflow in the GNU C Library’s ld.so dynamic loader, which is a fundamental component of most Linux kernel-based systems. The issue, discovered by Qualys Threat Research Unit, was introduced in glibc 2.34 in April 2021, affecting major distributions such as Fedora, Ubuntu, and Debian. Attackers can exploit this vulnerability without requiring user interaction, making it a critical concern.
The fix: While Alpine Linux is unaffected, Fedora, Ubuntu, Debian, and other distributions should take action as soon as possible to eliminate the risk. It is strongly recommended that users and administrators implement the most recent Linux security patches supplied by their particular distributions. These updates include patches that address the buffer overflow vulnerability in glibc’s ld.so dynamic loader.