VulnRecap 1/8/24 – Ivanti EPM & Attacks on Old Apache Vulnerabilities

The new year brought few new vulnerabilities, and only Ivanti Endpoint Manager (EPM) and Kyber, the quantum resistant encryption algorithm, publicized new vulnerabilities or fixes. Unfortunately, most news derived from the active attacks on multiple older vulnerabilities, which threaten to expose organizations slow to patch.

Speed remains critical to security, but more importantly, patching teams need to make progress with patch and vulnerability management. No organization should remain vulnerable six months after vendors issue patches! Struggling teams should engage a managed IT service provider (MSP) to provide temporary or ongoing support to prevent expensive breaches.

Here’s a roundup of the week’s major vulnerabilities that security teams should mitigate or patch.

January 3, 2024

52% of Exposed SSH Servers Vulnerable to Terrapin Attack

Type of attack: Secure Shell (SSH) vulnerability enables prefix truncation attacks.

The problem: As announced last week, attackers able to intercept handshake processes can adjust sequence numbers to downgrade communication security and disable defenses against keystroke timing attacks.

The ShadowServer threat monitoring platform subsequently scanned the internet for vulnerable servers and detected nearly 11 million unique IP addresses worldwide comprising 52% of all scanned IPv4 and IPv6 addresses. The countries with the top vulnerabilities include the USA (3.3 million), China (1.3 million), and Germany (1 million).

The fix: Update clients and servers. Researchers also provide a vulnerability scanner on GitHub written in Go that can detect vulnerable servers.

CISA Adds Chrome & Perl Library Bugs to Active Exploitation List

Type of attack: Arbitrary (ACE) and remote code execution (RCE) attacks that exploit data import/export operations in Excel-related functions in web applications and denial of service (DOS) crashes or ACE/RCE related to heap buffer overflows in Chrome.

The problem: The US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. Government agencies have until January 23 to mitigate the issues or stop using affected products.

Versions 0.65 and older of the Perl Spreadsheet::ParseExcel library (CVE-2023-7101) contain a RCE vulnerability exploited by Chinese hackers, as noted on December 24th. Chrome web browsers experience heap buffer overflow (CVE-2023-7024) in the WebRTC real-time communication coding that can crash chrome or allow for code execution.

The fix: For CVE-2023-7101, update applications using Spreadsheet::ParseExcel to version 0.66 and check for products issuing updates related to the issue such as Barracuda’s Email Security Gateway Appliance. For CVE-2023-7024, update to the latest version of Chrome.

January 4, 2024

Ivaniti Endpoint Manager (EPM) Vulnerability Could Expose Data

Type of attack: SQL injection (SQLi) vulnerability permits an RCE attack allows the hijack of enrolled devices or even the core server. This attack requires network access, and the complexity of exploitation leads to a 3.0 rating.

The problem: Ivanti announced CVE-2023-39336 that affects all versions of EPM prior to and including 2022 SU4. Attackers with internal network access can execute SQLi to retrieve information without verification that can enable control over machines running the EPM agent or on a server configured to use Microsoft SQL Express and running Ivanti EPM.

The fix: Update to 2022 Service Update 5.

January 5, 2024

Attackers Target Unpatched Apache RocketMQ NameServers

Type of attack: Critical RCE vulnerability in unpatched or partially patched RocketMQ services.

The problem: The ShadowServer Foundation logs show hundreds of hosts scanning for exposed RocketMQ systems still vulnerable to the original critical RCE vulnerability, CVE-2023-33246, patched earlier in 2023. However, the patch didn’t fully solve the vulnerability, leading to a second announced vulnerability, CVE-2023-37582, rated 9.8/10.0 for severity.

Apache released patches for both of these vulnerabilities in July 2023, yet over six months later, attackers still search for potential victims. This should lend some urgency to patch systems affected by this flaw or the incomplete OfBiz Patch covered last week.

The fix: Update to Apache NameServer version 5.1.2 or later, RocketMQ 5.x or 4.9.7 or above.

January 7, 2024

Some Quantum Encryption Vulnerable to KyberSlash Attacks

Type of attack: Timing-based attack on Kyber Encryption implementations can expose encryption keys.

The problem: Researchers at Cryspen discovered that some services allow multiple operation requests toward the same encryption key pair. The Kyber key decapsulation process uses division operations, and timing-based attacks — dubbed KyberSlash — can allow the encryption key to be determined in as many as two out of three attacks.

Researchers reported the first vulnerability, KyberSlash1, to Kyber’s developers in November 2023 and discovered KyberSlash2 in December. The Kyber development team patched both vulnerabilities promptly, but not all projects and tools incorporating patches patched as quickly.

The fix: First, check the list of projects impacted by the issue and their current status. The vulnerability does not impact some libraries and tools, and some libraries fully patched for all known vulnerabilities. For unpatched libraries and tools that could leak a secret key, consider altering implementations to suspend multiple operation requests or switch tools and libraries to fully patched options.

Read next:

• Vulnerability Recap – 1/2/2024 – Barracuda ESG, Apache OfBiz Vulnerabilities Persist
• External vs Internal Vulnerability Scans: Difference Explained
• Tips for Stronger Encryption