This week’s vulnerability news is proof that everyone experiences security vulnerabilities, even the biggest tech names and projects. Android, Apple, Apache, Cisco, and Microsoft are among the names reporting significant security vulnerabilities and fixes in the last week, and some of those are already under assault by hackers.
Network security is another big theme this week: Whether it’s a VPN connection or an enterprise-grade networking platform, patch management solutions typically won’t update network devices, so admins may need to keep an eye on any flaws there too.
Here are some of the top vulnerabilities from the last week that security and IT teams should address.
September 5, 2023
Atlas VPN Leaks Users’ IP Addresses
Type of attack: Zero-Day Vulnerability, a new vulnerability that is often difficult to fix since no patch is available on the market yet.
The problem: The vulnerability resides within version 1.0.3 of the Atlas VPN Linux client. Within this version, an API endpoint is active on the local host (127.0.0.1) via port 8076. This API provides a command-line interface (CLI) for executing various actions, including disconnecting a VPN session. Alarmingly, this API lacks any form of authentication, allowing virtually anyone, even a malicious website you might visit, to send commands to the CLI.
The fix: Atlas has promised a patch, but until then users might want to consider alternatives. Some have suggested installing the JShelter browser plug-in for extra security.
ASUS Routers Remote Access Vulnerability
Type of attack: Remote Access Vulnerability, where three critical-severity remote code execution vulnerabilities seriously threaten ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers. These vulnerabilities could be exploited by threat actors to gain control of devices if security updates are not applied.
The problem: The vulnerabilities (CVE-2023-39238, CVE-2023-39239 and CVE-2023-39240), with a CVSS v3.1 score of 9.8 out of 10.0, are format string vulnerabilities. They can be remotely exploited without authentication, potentially enabling remote code execution, service disruptions, and arbitrary operations on the routers. Attackers target certain administrative API functions on these devices using specially crafted input.
The fix: ASUS released firmware updates to address the vulnerabilities. Users are strongly advised to apply the following updates:
- RT-AX55: Update to firmware version 3.0.0.4.386_51948 or later
- RT-AX56U_V2: Update to firmware version 3.0.0.4.386_51948 or later
- RT-AC86U: Update to firmware version 3.0.0.4.386_51915 or later
Additionally, admins should disable remote administration (WAN Web Access) to enhance security and prevent internet-based access to router configurations.
9 Security Flaws Discovered in Schweitzer Power Management Products
Type of attack: The security threats associated with the flaws in Schweitzer Engineering Laboratories (SEL) power management devices include remote code execution, arbitrary code execution, access to administrator rights, and watering hole attacks. These flaws affect SEL-5030 acSELeratorQuickSet and SEL-5037 GridConfigurator devices and were detailed by Nozomi Networks researchers.
The problem: The vulnerabilities are identified as CVE-2023-34392 and CVE-2023-31168 through CVE-2023-31175 and were initially published on Aug. 31 and updated Sept. 5. Sending phishing emails to engineers can be used as an exploitation technique to get them to import malicious configuration files (CVE-2023-31171), which results in arbitrary code execution. Watering hole attacks might take advantage of some vulnerabilities, while others could be weaponized (CVE-2023-34392). These weaknesses follow a group of 19 security flaws in SEL’s Real Time Automation Controller (RTAC) suite (CVE-2023-31148 through CVE-2023-31166) that were previously revealed.
The fix: Users should follow SEL’s security updates and latest software versions pages for fixes.
September 6, 2023
Android Update Fixes 33 Vulnerabilities, Including Zero-Day
Type of attack: The Android security patches released on Sept. 5 fix 33 vulnerabilities, including a critical zero-day flaw (CVE-2023-35674) in the Android Framework. Without user involvement or extra execution rights, this zero-day vulnerability enables attackers to escalate privileges.
The problem: The Android Framework’s zero-day vulnerability (CVE-2023-35674) was actively targeted in the wild. Google stated that because of improvements made to the Android platform in more recent versions, exploitation is difficult. Additionally, four severe vulnerabilities were fixed, including one in Qualcomm’s closed-source components and three in the Android System components (CVE-2023-35658, CVE-2023-35673, and CVE-2023-35681). Without further access or human engagement, these flaws might lead to remote code execution.
The fix: Google published the 2023-09-01 and 2023-09-05 security patch versions in early September. The identified vulnerabilities in Android versions 11, 12, and 13 are addressed by these updates, with possible consequences for older, unsupported OS versions. While Google Pixel devices automatically receive monthly security updates, other device manufacturers may take a little longer to deploy updates since they need to test and tailor fixes for certain hardware setups. Those using Android 10 and earlier versions should consider switching to devices running supported versions or utilizing third-party Android ROMs based on recent AOSP versions. Also see the Google support page Check & update your Android version.
W3LL Phishing Tool Steals Thousands of Microsoft 365 Accounts
Type of attack: W3LL, a threat actor, created a phishing kit that can defeat multi-factor authentication (MFA), which allowed it to infiltrate over 8,000 corporate Microsoft 365 accounts. Business email compromise (BEC) assaults were the main aim of this large phishing effort, which resulted in significant financial losses. Group-IB researchers detailed the attacks.
The problem: A group of at least 500 hackers utilized W3LL’s tools to plan BEC assaults. The complete BEC death chain was included in the actor’s inventory, making it available to hackers with different levels of technical proficiency. W3LL first rose to popularity in 2017 by providing a platform for sending bulk emails, and it eventually concentrated on marketing a special phishing kit for Microsoft 365 business accounts. 16 BEC attack-specific tools, including SMTP senders, link stagers, vulnerability scanners, and more, are in the actor’s toolbox.
The fix: There’s no immediate fix for the W3LL Phishing Attacks. However, there are some precautions that organizations must take to avoid incidents, improve security posture and mitigate such threats:
- Regular Security Awareness Training: Inform staff members about the dangers of phishing and the value of avoiding clicking on dubious links and downloading files from untrusted sources.
- Email Filtering and Security Solutions: Implement reliable email filtering and security systems that can recognize and block phishing emails. These tools ought to examine email headers and content for irregularities and potential dangers.
- Multi-Factor Authentication or Passkey Usage: Enforce the usage of multi-factor authentication (MFA) or passkeys for all users accessing Microsoft 365 accounts. By demanding many types of authentication, MFA offers an additional degree of protection or having a physical key or biometric for users to safely access their accounts.
- Patch and Update: Keeping software, operating systems, and apps up to date will limit vulnerabilities that threat actors may try to exploit.
- Incident Response Plan: To guarantee a prompt and efficient reaction in the event of a security incident or breach, develop and frequently update an incident response plan.
- Security audits and assessments: To find weaknesses in your organization’s systems and procedures, do routine security audits and vulnerability assessments.
- Limit Access Privileges: Limit access privileges by adhering to the principle of least privilege.
- Vendor and Third-Party Risk Assessment: Conduct risk assessment for suppliers and third parties.
Also read: How to Improve Email Security for Enterprises & Businesses
Cisco BroadWorks Vulnerability Rated a 10
Type of attack: Authentication bypass that can counterfeit credentials of businesses and individual users.
The problem: Cisco security engineers found CV3-2023-20238, which carries a CVSS score of 10, the highest possible. This vulnerability allows threat actors to freely execute commands, gain access to sensitive and confidential data, change user settings, and potentially commit fraud. The vulnerability affects the Cisco Application Delivery Platform and BroadWorks Xtended Services Platform when the following apps are run with a vulnerable BroadWorks release:
- AuthenticationService
- BWCallCenter
- BWReceptionist
- CustomMediaFilesRetrieval
- ModeratorClientApp
- PublicECLQuery
- PublicReporting
- UCAPI
- Xsi-Actions
- Xsi-Events
- Xsi-MMTel
- Xsi-VTR
How it is fixed: Cisco has released details on fixes for the vulnerability. Users of the 23.0 branch are recommended to update to AP.platform.23.0.1075.ap385341 and users of the release independent (RI) edition to update to 2023.06_1.333 or 2023.07_1.332. But as for users of the 22.0 branch, Cisco recommends they migrate to a newer version 23.0 or RI, since Cisco will not be releasing any update for the 22.0 version.
Apache Superset Security Vulnerabilities Resolved
Type of attack: Two vulnerabilities in Apache Superset were disclosed by Horizon3.ai researchers and patched by the metadata database project the same day. The flaws can expose systems to remote code execution, credential theft, and data breaches.
The problem: CVE-2023-39265 allows attackers to access the SQLite metadata database through the SQLAlchemy URI, allowing them to alter the settings without authorization. CVE-2023-37941 could allow remote code execution on the Superset server. Superset versions from 1.5 to 2.1.0 use Python’s pickle package to store certain configuration data, the researchers noted. “An attacker with write access to the metadata database can insert an arbitrary pickle payload into the store, and then trigger deserialization of it, leading to remote code execution,” they noted.
The fix: Those Issues and others have been fixed in the just-released 2.1.1 version of Superset. Users are also urged to carefully inspect the default setups and passwords, especially while installing software. It was also suggested to use a VPN for Superset instances that are connected to the internet.
Sept. 7, 2023
Apple Releases Emergency Updates for Actively Exploited Zero-Days
Type of attack: Zero-day exploits targeting image I/O and wallet frameworks are tracked as CVE-2023-41064, which was discovered by Citizen Lab security researchers, and CVE-2023-41061, which was discovered by Apple.
The problem: The zero-day vulnerabilities were actively exploited in attacks against iPhone and Mac users. The flaws were a component of the BLASTPASS zero-click iMessage exploit chain, which let hackers use malicious photos and attachments to install the Pegasus mercenary spyware from the NSO Group on fully patched iPhones. When processing manipulated photos, the buffer overflow vulnerability CVE-2023-41064 is activated, which permits arbitrary code execution. Malicious attachments can take advantage of a validation flaw (CVE-2023-41061) to execute arbitrary code on vulnerable devices.
The fix: The vulnerabilities have been fixed by Apple through emergency security updates. By enhancing logic and memory handling, Apple fixed several zero-day vulnerabilities in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. Numerous devices, including the iPhone 8 and later, different iPad models, Macs running macOS Ventura, and the Apple Watch Series 4 and later, are affected by the fixes.
Apple has patched zero-day vulnerabilities used in attacks against its devices 13 times so far in 2023.
Sept. 8, 2023
Cisco Warns of Actively Exploited Zero-Day VPN Vulnerability
Type of attack: Brute-force attack via zero-day vulnerability on credentials without MFA configuration used by ransomware gangs.
The problem: Cisco has issued a warning about a zero-day vulnerability, CVE-2023-20269, affecting its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). This vulnerability has been exploited by ransomware groups to gain initial access to corporate networks. The flaw affects the VPN feature of these Cisco products, allowing unauthorized remote attackers to conduct brute-force attacks against existing accounts. By successfully accessing these accounts, attackers can establish a clientless SSL VPN session within the breached organization’s network, potentially leading to a range of consequences depending on the victim’s network configuration.
The vulnerability arises from improper separation of authentication, authorization, and accounting (AAA) functions within the web services interface of Cisco ASA and FTD devices. The conditions for these brute force attacks include having at least one user configured with a password in the LOCAL database pointing HTTPS management authentication to a valid AAA server, and having SSL VPN or IKEv2 VPN enabled on at least one interface.
The fix: Cisco has provided interim measures to mitigate the vulnerability. System administrators are advised to implement Dynamic Access Policies (DAP) to halt VPN tunnels with DefaultADMINGroup or DefaultL2LGroup, deny access with Default Group Policy, and ensure all VPN session profiles point to a custom policy.
To enhance security, administrators can restrict LOCAL user database access, lock specific users to a single profile, and prevent VPN setups by setting ‘vpn-simultaneous-logins’ to zero. Default Remote Access VPN profiles should be secured by directing non-default profiles to a sinkhole AAA server and enabling logging to detect potential attack incidents. Multi-factor authentication (MFA) is also recommended as an effective mitigation measure.
Read next:
