Microsoft’s Patch Tuesday dominates the headlines because of near-universal Windows adoption. However, many other companies time their updates for the same week, such as Adobe, SAP, and VMware.
Active exploits also lead to new versions of all major browsers as well as older versions of Apple products. Organizations of all sizes need to review the active exploits and announced patches and ensure that vulnerabilities in all of their high value and high risk systems are mitigated.
Active Vulnerability Exploits This Week
Vulnerabilities are serious business, but the sheer number of assets and vulnerabilities can leave many IT and security teams struggling to keep up with vulnerability management and patch management. However, once an attacker begins to actively exploit vulnerabilities, the risk becomes exponentially higher and these vulnerabilities must be prioritized for patching or mitigation.
This week, the following active exploits of vulnerabilities were announced:
- Iranian advanced persistent threat (APT) group exploits January 2023 vulnerabilities in Fortinet firewalls and ManageEngine software to perform remote code execution (RCE) on U.S. aeronautical targets
- Ransomware groups exploit the September 8, 2023 announced Zero-Day vulnerability in Cisco’s Adaptive Security and Firepower Threat Defense appliances
September 13, 2023
3 Kubernetes RCE Vulnerabilities Patched
Type of attack: Remote code execution (RCE) attacks using YAML files in a Kubernetes cluster could execute on all Windows endpoints within the cluster.
The problem: Akamai security researchers discovered a high-severity vulnerability in which insecure function calls and lack of user input sanitation can allow RCE.
The fix: Update all Kubernetes versions 1.28 or older.
Numerous XSS Vulnerabilities in Microsoft Azure HDInsight
Type of attack: Cross-site scripting (XSS) vulnerabilities in various Apache services were incorporated into Azure HDInsight and could allow attackers to hijack web sessions.
The problem: Orca security researchers found 8 important XSS vulnerabilities and demonstrated proof of concept of attacks.
The fix: All 8 vulnerabilities were patched by Microsoft as part of Patch Tuesday on August 8. However, HDInsight will not support in-place upgrades so security teams need to check for delays in the creation of new clusters with the updated version in some production environments.
- Application Security: Complete Definition, Types & Solutions
- Best DevOps, Website, and Application Vulnerability Scanning Tools
September 12, 2023
Adobe Recommends Applying Updates Within 72 Hours for Reader and Acrobat
Type of attack: An actively exploited out-of-bounds write attack can lead to RCE in Adobe Acrobat or Adobe Reader. Adobe Connect and Experience Manager are also vulnerable to cross-site scripting (XSS) attacks that can access cookies, session tokens, and other information stored in web browsers.
The problem: Adobe recognizes the critical Acrobat/Reader vulnerability, CVE-2023-26369, is currently being exploited on Windows and macOS systems. Adobe Connect and Experience Manager vulnerabilities are less urgent, but should also be patched.
The fix: Apply patches to update the relevant Adobe products.
Significant Vulnerabilities Patched for Apple, SAP, VMware
Many other vendors joined Microsoft and Adobe in releasing vulnerability patches this week. Notable updates include:
- Apple applies the fix for September 7th’s BLASTPASS vulnerability to older operating systems past support: iOS 15.7.9 and iPadOS 15.7.9 (as well as macOS Monterey and Big Sur) to cover older iPhone models (6s, 7, SE generation 1).
- SAP released patches to fix 13 new vulnerabilities including a critical information exposure vulnerability rated CVSS 9.9 in Business Objects that could lead to complete application compromise.
- VMware fixed a SAML token signature bypass vulnerability in VMware Tools with a 7.5 CVSS score that could lead to privilege escalation in an attack.
- The 8 Best Vulnerability Scanner Tools for 2023
- What is Patch Management? Getting Vulnerability Protection Right
September 11, 2023
Actively-Exploited Zero-Day in Major Browsers
Type of attack: The active exploit is not revealed, but researchers note the potential for it to crash the browser or perform RCE attacks.
The problem: A heap buffer overflow vulnerability, CVE-2023-4863, can overwrite code into memory because of a flaw in the libwebp library.
September 8, 2023
Buffer Overflow Zero-Days in Notepad++ With RCE Potential
Type of attack: Attackers could use specially crafted files to trick users into remote code execution (RCE) in older Notepad++ versions.
The problem: GitHub researcher Jaroslav Lobacevski found and reported on four buffer overflow vulnerabilities. The most severe, rated CVSS 7.8 (high) could be used to execute arbitrary and potentially malicious code within Notepad++.
The fix: The four vulnerabilities and other bugs have been fixed in the latest version of the open source code editing product, Notepad++ 8.5.7.
Ubuntu Kernel OverlayFS Access To Root Vulnerability
Type of attack: Two new privilege escalation attacks from non-root containers aim to obtain container root privileges.
The problem: Ubuntu’s Linux kernel did not properly perform permission checks in certain situations and could allow attackers with access to a non-root container to execute files that could obtain root privileges.
The fix: Ubuntu nodes should be upgraded to a patched kernel version. For unpatched nodes, actively monitor and detect non-root privileged containers and use Seccomp or AppArmour to block the use of the “unshare” command.
- Network Protection: How to Secure a Network
- Weekly Vulnerability Recap – Sept. 11, 2023 – Android Update Fixes 33 Vulnerabilities
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.