Vulnerabilities carrying high severity scores require urgent attention, and many of this week’s critical vulnerabilities are no exception. A host of zero-day vulnerabilities, several under active attack, will require immediate attention for patching or mitigation.
However, as valuable as ratings can be, they don’t tell the whole story. The 25-year-old RSA decryption flaw (the Marvin Attack) defies CVSS rating altogether because of the variety and complexity of the affected implementations, and of the eight Cisco IOS vulnerabilities, it is the second-lowest-rated one that is under attack in the wild.
As always, our pressured IT and security teams will need to use severity ratings in combination with a risk analysis of assets potentially exposed by vulnerabilities to determine priorities and schedules.
Active Vulnerability Exploits This Week
Many IT and security teams struggle to keep up with vulnerability management and patch management. Yet once attackers begin to actively exploit a vulnerability, the risk rises sharply, and that vulnerability must be prioritized for patching or mitigation.
This week, the following active exploits of older vulnerabilities were announced:
- Ransomware gangs are actively exploiting thousands of unpatched Openfire chat servers through a vulnerability that lets attackers bypass authentication on the administration console
- Eight Bluetooth Low Energy (BLE) vulnerabilities from 2022 were added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to the Known Exploited Vulnerabilities (KEV) catalog, notable because an attacker must be within roughly 100 meters (330 feet) of the vulnerable device, which limits but does not eliminate exposure
October 1, 2023
Cloudflare Shared Security Certificate DDoS Vulnerability
Type of attack: Attackers can use a free Cloudflare account to bypass the Cloudflare protections of customers whose origin servers trust Cloudflare’s shared certificate, and then launch distributed denial of service (DDoS) attacks against those origins.
The problem: Researchers discovered a flaw in the way customer origin servers trust traffic arriving from Cloudflare. When customers have Cloudflare generate their private key and certificate signing request, Cloudflare presents the same shared certificate to every such customer’s origin. An attacker who knows a target’s origin IP address can therefore route traffic through their own free Cloudflare account, which presents that same shared certificate, and the origin cannot tell the attacker’s traffic from traffic that passed through the victim’s own Cloudflare DDoS protections.
The fix: Until tenant-specific certificates are available, Cloudflare customers should configure their own custom certificates so that the origin trusts only connections authenticated with a certificate unique to them.
25-year-old RSA Decryption Flaw Still Exploitable
Type of attack: The “Marvin Attack,” detailed by Red Hat, measures timing differences in how implementations handle RSA padding errors and uses that side channel to decrypt ciphertexts, forge signatures, and possibly decrypt TLS sessions.
The problem: Most widely used cryptographic libraries, including OpenSSL, GnuTLS, NSS, and M2Crypto, were found to be vulnerable in some fashion to this class of attack. No single vulnerability rating is possible because the exposure depends on how each product implements and uses RSA decryption.
The fix: Researchers advise against using RSA PKCS#1 v1.5 encryption and recommend contacting vendors about possible issues and fixes in their implementations. No single patch is universally available.
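The weakness the Marvin Attack measures is easiest to see in the unpadding step that follows the RSA private-key operation. The block below is an added example, not code from Red Hat’s write-up nor from OpenSSL, GnuTLS, NSS or M2Crypto: a textbook PKCS#1 v1.5 unpadder whose early returns leak which check failed, beside a version structured the way TLS implementations are told to handle it (scan every byte, fold the checks into one flag with bitwise operations, and substitute random bytes on failure so the caller behaves identically). The modulus size `K`, the padding helper, and the sample messages are constructed for illustration, and Python cannot guarantee constant-time execution; what it shows is the structure a native implementation needs.

```python
"""PKCS#1 v1.5 unpadding: a leaky version beside a constant-time-style one.

Added example for illustration. It works on the already-decrypted encoded
message EM (the output of the RSA private-key operation), so no real key is
involved; K and the sample messages are constructed. Python cannot promise
constant-time execution: the point is the structure a C implementation needs,
no early exits, no branches on secret bytes, and a random fallback so a
failure looks like a success to the remote peer.
"""
import secrets
from typing import Optional

K = 128  # assumed modulus length in bytes (a 1024-bit key), for illustration


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """Build EM = 0x00 || 0x02 || PS || 0x00 || M with non-zero random PS."""
    ps_len = K - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes) -> Optional[bytes]:
    """Textbook unpadding with early returns.
    Each failure exits at a different point, so how long the function runs
    reveals which check failed: the padding oracle that Marvin measures."""
    if len(em) != K or em[0] != 0x00:
        return None
    if em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return None
    if sep - 2 < 8:  # PS must be at least 8 bytes long
        return None
    return em[sep + 1:]


def unpad_constant_time(em: bytes, expected_len: int) -> bytes:
    """Unpadding in the style RFC 5246 section 7.4.7.1 recommends for TLS:
    examine every byte, fold all checks into one flag with bitwise operations,
    and on failure hand back random bytes of the expected length so the caller
    does the same work and sends the same kind of response either way."""
    fallback = secrets.token_bytes(expected_len)
    # Length and expected size are public (modulus size, protocol constant),
    # so branching on them leaks nothing.
    if len(em) != K or not 0 < expected_len <= K - 11:
        return fallback
    good = int(em[0] == 0x00) & int(em[1] == 0x02)

    # Locate the first 0x00 after the header without stopping early.
    found, sep = 0, 0
    for i in range(2, K):
        is_zero = int(em[i] == 0x00)
        take = is_zero & (found ^ 1)        # first zero seen so far?
        sep = take * i + (take ^ 1) * sep   # arithmetic select, no branch
        found |= is_zero
    good &= found
    good &= int(sep - 2 >= 8)               # PS at least 8 bytes
    good &= int(K - sep - 1 == expected_len)

    # Select between the real message and the fallback byte by byte.
    mask = -good & 0xFF                     # 0xFF if good else 0x00
    candidate = em[K - expected_len:]
    return bytes((c & mask) | (f & (mask ^ 0xFF)) for c, f in zip(candidate, fallback))


def demo() -> dict:
    """Run both unpadders on a valid block and on a tampered one."""
    premaster = secrets.token_bytes(48)         # TLS premaster secret size
    em = pkcs1_v15_pad(premaster)
    bad = b"\x00\x01" + em[2:]                  # wrong block-type byte
    return {
        "leaky_ok": unpad_leaky(em) == premaster,
        "leaky_bad": unpad_leaky(bad),          # None: a distinguishable failure
        "ct_ok": unpad_constant_time(em, 48) == premaster,
        "ct_bad_len": len(unpad_constant_time(bad, 48)),       # still 48 bytes
        "ct_bad_same": unpad_constant_time(bad, 48) == premaster,  # False
    }
```

The leaky version is what most code looks like when written naively; the hardened version removes the data-dependent control flow but, as the Marvin results show, the surrounding code (big-number conversion, error reporting, memory allocation) can reintroduce the leak, which is why the researchers recommend moving off PKCS#1 v1.5 rather than patching unpadders one at a time.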
Arm’s Mali GPU Drivers Expose Memory Data
Type of attack: Details are not available, but targeted attacks on the graphics processing unit (GPU) kernel driver can gain access to data retained in already freed memory.
The problem: Google researchers reported targeted exploitation of vulnerable GPU kernel drivers in Arm’s Mali GPU chips to steal data from memory. This vulnerability exposes mobile phones using the Mali GPU chip such as the Samsung Galaxy S20/S20 FE, Motorola Edge 40, or Xiaomi Redmi K30/K40. These flaws require local access, which an attacker most commonly obtains by first getting other malware onto the victim’s phone.
The fix: Patches are available, but may take time to work their way through device makers’ update pipelines. Organizations should check the affected model list and scrutinize the software installed on affected devices until patches arrive.
September 29, 2023
Patch WS_FTP Now: 10 / 10 RCE Vulnerability Revealed
Type of attack: Attackers can exploit unpatched vulnerabilities to perform remote code execution (RCE), directory traversal, cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and file enumeration attacks.
The problem: The key vulnerability, CVE-2023-40044, is an RCE flaw in the Ad Hoc Transfer module that affects potentially thousands of WS_FTP servers worldwide. It receives the maximum 10.0 rating under CVSS v3.1 because the attack is simple to perform and requires neither credentials nor interaction with legitimate users.
The other vulnerabilities range from 9.9 (Critical) to 5.3 (Medium). Given the active ransomware exploitation of Progress Software’s other file transfer product, MOVEit, WS_FTP server maintenance teams should patch ASAP.
The fix: Progress Software issued patches for all vulnerabilities and recommends immediate action to patch systems.
Exim Mail Server Critical RCE & Five Other Zero-Days
Type of attack: Attackers can cause software crashes or remote code execution (RCE), or read information from vulnerable Exim mail servers.
The problem: Vulnerability CVE-2023-42115, rated critical (9.8 under CVSS v3.1), stems from an out-of-bounds write weakness in the simple mail transfer protocol (SMTP) service. The other five vulnerabilities are less serious, with ratings ranging from low to high:
- CVE-2023-42116 = 8.1 RCE vulnerability
- CVE-2023-42117 = 8.1 RCE vulnerability
- CVE-2023-42118 = 7.5 RCE vulnerability
- CVE-2023-42114 = 3.7 information disclosure vulnerability
- CVE-2023-42119 = 3.1 information disclosure vulnerability
The popular Exim mail transfer agent (MTA) is the default MTA for the Debian Linux distribution, and more than 3.5 million Exim servers appear to be exposed to the internet, which puts them within reach of these attacks.
The fix: Some fixes have been made available to Exim distribution maintainers, but the developer has yet to receive sufficient information to resolve all of the vulnerabilities. Exposed servers should be isolated from direct internet access until patches for all vulnerabilities are available.
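Deciding which servers to isolate starts with knowing which internet-facing hosts run Exim and which version they announce. The script below is an added example, not code from the Exim project or from any advisory: it extracts the Exim version from an SMTP 220 greeting and compares it against a minimum fixed version. The hostnames and banners are constructed, and `MIN_FIXED_VERSION` is a placeholder you should set from your distribution’s advisory once fixed packages ship; the `grab_banner` helper is the only part that touches the network and is not needed to run the classification.

```python
"""Inventory internet-facing Exim servers by SMTP banner.

Added example, not code from the Exim project or its advisories. The banners
and hostnames are constructed, and MIN_FIXED_VERSION is a placeholder to be
set from your distribution's advisory once fixed packages are published.
"""
import re
import socket
from typing import Dict, Optional, Tuple

# Assumption: treat anything below this as unpatched. Replace with the
# version your distribution's advisory names.
MIN_FIXED_VERSION: Tuple[int, ...] = (4, 96, 1)

# Exim's default greeting is "<host> ESMTP Exim <version> <date>".
BANNER_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)*)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return Exim's version as a tuple of ints, or None if the greeting does
    not identify Exim (another MTA, or a banner that hides the version)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_attention(banner: str) -> str:
    """Classify one greeting as 'patched', 'unpatched', or 'unknown'.
    Tuple comparison makes 4.96 < 4.96.1 < 4.97 behave as expected."""
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return "patched" if version >= MIN_FIXED_VERSION else "unpatched"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify a whole inventory of host -> greeting."""
    return {host: needs_attention(banner) for host, banner in banners.items()}


def grab_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the (possibly multi-line) SMTP greeting from a live host and
    say QUIT. Network helper only; the classification above works offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            # The greeting ends with a line whose code is followed by a space.
            if re.search(rb"(?:^|\r\n)220 [^\r\n]*\r\n$", data):
                break
        sock.sendall(b"QUIT\r\n")
    return data.decode("latin-1", errors="replace")


# Constructed sample inventory standing in for banners collected by grab_banner().
CONSTRUCTED_BANNERS: Dict[str, str] = {
    "mx1.example.net": "220 mx1.example.net ESMTP Exim 4.96 Fri, 29 Sep 2023 10:00:00 +0000",
    "mx2.example.net": "220-mx2.example.net ESMTP Exim 4.97 Fri, 29 Sep 2023 10:00:01 +0000\r\n220 ready",
    "mx3.example.net": "220 mx3.example.net ESMTP Exim 4.96.1 Fri, 29 Sep 2023 10:00:02 +0000",
    "mx4.example.net": "220 mx4.example.net ESMTP Postfix",
    "mx5.example.net": "220 mx5.example.net ESMTP",
}

if __name__ == "__main__":
    for host, status in triage(CONSTRUCTED_BANNERS).items():
        print(f"{host:20s} {status}")
```

Hosts classified as `unknown` still deserve a closer look: a greeting that hides the version does not mean the server is not Exim, so confirm with `exim -bV` on the box or with your package inventory before leaving it out of the isolation list.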
September 28, 2023
Five Cisco Catalyst SD-WAN Manager Vulnerabilities, Including Unauthenticated Access
Type of attack: Unauthenticated Access, Unauthenticated Configuration Rollback, Information Disclosure, Authorization Bypass, Denial of Service
The problem: The most severe of the five vulnerabilities, CVE-2023-20252, is rated 9.8 under CVSS v3.1 and allows an unauthenticated attacker to gain access to, or cause a denial of service on, affected versions of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage).
The fix: Cisco’s vulnerability disclosure includes a table mapping each vulnerability to the minimum software release needed to mitigate it.
Eight Cisco IOS Vulnerabilities Including One Zero-day Under Attack
Type of attack: Out-of-Bounds Write Vulnerability (under exploit), Command Injection, Denial of Service, Command Authorization Bypass
The problem: Cisco disclosed eight IOS and IOS XE vulnerabilities with ratings between 6.1 and 8.8 under CVSS v3.1. Ironically, it is a medium vulnerability with only a 6.6 rating, CVE-2023-20109, that is being actively exploited to compromise an installed key server or modify the configuration of a group member.
Exploiting CVE-2023-20109 requires administrative control of a key server or a group member. That should be difficult, which is why the vulnerability earns only a medium rating. That this is nonetheless the exploited vulnerability should give all organizations a reason to review, and possibly reset, admin privileges.
The fix: Cisco has already issued patches, so those running IOS or IOS XE can upgrade their software. Organizations that cannot install upgrades promptly should at least reset admin passwords and review who holds admin access.
Chrome Zero Day Emergency Patch Issued – Again
Type of attack: A heap buffer overflow weakness in the libvpx video codec library can cause app crashes or enable arbitrary code execution (ACE)
The problem: Attackers are currently exploiting CVE-2023-5217 to install spyware.
The fix: Google has already released an update, so browsers can be updated immediately. This is the third zero-day vulnerability patched in September and the eighth patched this year. Users whose Chrome does not update automatically should be made to update ASAP.
September 25, 2023
Proof of Concept for Chained SharePoint Vulnerabilities
Type of attack: Elevation of Privilege (EoP), Remote Code Execution (RCE)
The fix: The proof of concept chains vulnerabilities patched in May 2023 (CVE-2023-24955) and June 2023 (CVE-2023-29357) and proves they are exploitable. With a public proof of concept available, IT departments should prioritize these SharePoint patches.