Older unpatched vulnerabilities make hackers’ work easier: They can keep running tried-and-true exploits and just look for new victims.
Unfortunately, the theme for this week is returning vulnerabilities, or ones that haven't been fully excised yet. Some exploited weaknesses have had fixes available for months or longer, yet they keep showing up in the news, indicating that either the patches haven't been applied properly or the patches themselves haven't held.
But that’s not all — last week also brought yet another Windows vulnerability: Deep Instinct reported tactics for exploiting the Windows Filtering Platform, so add that to the list of Windows vulnerabilities to mitigate.
We’ve compiled some recently active vulnerabilities, both old and new, for security teams to monitor, mitigate, patch, or in one case remove from their infrastructure altogether.
August 17-20, 2023
Deep Instinct finds vulnerabilities in Windows Filtering Platform
In research first presented at the Black Hat conference earlier this month, Deep Instinct researchers demonstrated privilege escalation attacks against the Windows Filtering Platform (WFP), the set of APIs and system services on which Windows Firewall and third-party network-filtering software are built. The techniques abuse WFP and its companion services to obtain more privileged tokens on a Windows host. Some of the individual steps are hard to distinguish from routine administration, such as creating an IPsec policy, so detection has to rely on the combination of indicators rather than on any single one.
Deep Instinct reported the findings to the Microsoft Security Response Center and was told the behavior is by design, which suggests Microsoft will not issue a fix. Security teams will therefore have to monitor for suspicious behavior such as the following:
- New IPsec policies being created, especially by processes that are not the usual management tools
- Repeated WfpAleQueryTokenById calls that enumerate (brute force) the LUID of a token
- Remote procedure calls (RPCs) to the Spooler or OneSyncSvc services, both of which are present on Windows 10
- Device I/O requests to the WfpAle device from any process other than the svchost.exe instance hosting Microsoft’s Base Filtering Engine (BFE) service
The researchers have also created a GitHub repository for their work, most recently updated on Aug. 20.
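The indicators above are only convincing in combination, so a detector should correlate them per process rather than alert on each one. The following script is an added example of that correlation and is not Deep Instinct's tooling or code from the repository above. It runs over constructed sample events; the event schema (pid, image, service, type and the device/api/luid/target fields), the service name "BFE", and the LUID brute-force threshold of 20 are assumptions to be mapped onto whatever your EDR or ETW consumer actually emits.

```python
"""Correlate the WFP abuse indicators listed above over constructed telemetry.

Added example, not Deep Instinct's code. The event schema is assumed."""
from collections import defaultdict

BFE_SERVICE = "BFE"                        # service that legitimately talks to \Device\WfpAle
RPC_TARGETS = {"Spooler", "OneSyncSvc"}    # services named in the research
LUID_BRUTE_THRESHOLD = 20                  # assumed: distinct LUIDs queried by one process

# Constructed sample telemetry (not a real capture). pid 4242 runs the whole
# chain; pid 900 is the legitimate BFE host; pid 1337 is an administrator
# creating an IPsec policy from mmc.exe.
SAMPLE_EVENTS = [
    {"pid": 900, "image": "svchost.exe", "service": "BFE",
     "type": "device_io", "device": r"\Device\WfpAle"},
    {"pid": 4242, "image": "updater.exe", "service": None,
     "type": "device_io", "device": r"\Device\WfpAle"},
    *[{"pid": 4242, "image": "updater.exe", "service": None,
       "type": "api_call", "api": "WfpAleQueryTokenById", "luid": f"0x{n:x}"}
      for n in range(0x3E7, 0x3E7 + 25)],
    {"pid": 4242, "image": "updater.exe", "service": None,
     "type": "rpc_call", "target": "Spooler"},
    {"pid": 4242, "image": "updater.exe", "service": None,
     "type": "ipsec_policy_created", "policy": "qm-policy-1"},
    {"pid": 1337, "image": "mmc.exe", "service": None,
     "type": "ipsec_policy_created", "policy": "site-to-site"},
]


def detect_wfp_abuse(events, luid_threshold=LUID_BRUTE_THRESHOLD):
    """Return one finding per (pid, rule) that fires.

    Pass 1 records which processes touched the WfpAle device without being
    BFE, and counts distinct LUIDs queried per process. Pass 2 rates the
    IPsec and RPC indicators: high for processes flagged in pass 1, low
    otherwise, because on their own both are common administrative activity."""
    findings = []
    suspicious_pids = set()
    luids_by_pid = defaultdict(set)

    for e in events:  # pass 1: high-confidence indicators
        if (e["type"] == "device_io"
                and e["device"].lower().endswith("wfpale")
                and e.get("service") != BFE_SERVICE):
            suspicious_pids.add(e["pid"])
        elif e["type"] == "api_call" and e["api"] == "WfpAleQueryTokenById":
            luids_by_pid[e["pid"]].add(e["luid"])

    for pid in sorted(suspicious_pids):
        findings.append({"pid": pid, "rule": "wfpale_io_non_bfe", "severity": "high"})
    for pid, luids in luids_by_pid.items():
        if len(luids) >= luid_threshold:
            findings.append({"pid": pid, "rule": "luid_bruteforce",
                             "severity": "high", "count": len(luids)})

    for e in events:  # pass 2: context-dependent indicators
        if e["type"] == "ipsec_policy_created":
            rule = "ipsec_policy_created"
        elif e["type"] == "rpc_call" and e["target"] in RPC_TARGETS:
            rule = "rpc_to_spooler_or_onesync"
        else:
            continue
        severity = "high" if e["pid"] in suspicious_pids else "low"
        findings.append({"pid": e["pid"], "rule": rule,
                         "severity": severity, "image": e["image"]})
    return findings


def rules_for_pid(findings, pid):
    """Map rule name -> severity for one process; useful for triage."""
    return {f["rule"]: f["severity"] for f in findings if f["pid"] == pid}


if __name__ == "__main__":
    for finding in detect_wfp_abuse(SAMPLE_EVENTS):
        print(finding)
```

Because the correlation is done in two passes, event order does not matter: an IPsec policy created before the WfpAle I/O is still rated high once the same process is seen touching the device. The administrator's policy from mmc.exe is reported at low severity rather than suppressed, so an analyst can still see it next to the real chain.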
August 21, 2023
Ivanti finds another vulnerability
For the third time in a month, Ivanti has disclosed a vulnerability in one of its mobile device management products.
The latest, CVE-2023-38035, affects the Sentry secure mobile gateway, part of Ivanti’s UEM platform, and is being exploited as a zero-day. The flaw is an authentication bypass in the System Manager Portal (MICS), the administrative interface used to configure Sentry and its operating system, which normally listens on port 8443. An unauthenticated attacker who can reach that portal may be able to change the configuration and potentially execute operating system commands on the appliance as root, according to Ivanti. Ivanti rates the risk as low for customers who do not expose port 8443 to the internet, so restricting management access to the internal network is the first mitigation while the patch is applied.
In July, Ivanti’s Endpoint Manager Mobile (EPMM) was hit by CVE-2023-35078, which threat actors exploited to spy on the Norwegian government, and earlier this month Tenable researchers disclosed CVE-2023-32560, which affects Ivanti’s Avalanche supply chain device management product.
For CVE-2023-38035, Ivanti recommends installing the RPM script that matches your Sentry version from the appliance’s command line:
- Log in to the system command line interface in a terminal window as the admin user created during system installation, and enter that user’s password.
- Type enable and the system password set during installation to enter EXEC PRIVILEGED mode. The command line prompt changes from > to #.
- Run the install command for the RPM that matches your Sentry version; it downloads and installs the fix. Confirm the running version first, since Ivanti publishes a separate RPM for each supported version.
August 22, 2023
Adobe ColdFusion still being exploited despite patches
Some versions of Adobe ColdFusion (ColdFusion 2018 Update 15 and earlier, and ColdFusion 2021 Update 5 and earlier) have a deserialization of untrusted data vulnerability (CVE-2023-26359) that is still being exploited five months after Adobe patched it in March; CISA added it to its Known Exploited Vulnerabilities catalog this week.
The flaw carries a critical CVSS score of 9.8 and can lead to arbitrary code execution on the ColdFusion server.
To remedy it, Adobe recommends installing Update 16 for ColdFusion 2018 and Update 6 for ColdFusion 2021, or later. Adobe’s bulletin also provides instructions for updating the application server and the bundled JDK/JRE; both steps should be followed, since Adobe notes that applying the ColdFusion update without the corresponding JDK update does not fully secure the server.
OpenFire vulnerability persists
Open-source XMPP chat server Openfire has been affected by an authentication bypass in its admin console (CVE-2023-32315) since the flaw was disclosed in May. The bypass is a path traversal that lets an unauthenticated attacker reach the console’s setup pages; from there the attacker creates a new admin user, logs into the admin console, and, by installing a malicious plugin, executes commands on the server.
Exploitation is still active in the wild. VulnCheck has just published research on a new exploitation method that does not require creating a new admin user, which means detections that only look for unexpected admin accounts will miss it, along with indicators of compromise for potential victims. Thousands of Openfire servers remain unpatched. Servers should be updated to versions 4.6.8, 4.7.5, or 4.8.0 (or later), which contain the fix.
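Two checks a practitioner would want here, written as an added example rather than code from Openfire or VulnCheck: flagging the traversal through the admin console's /setup/ pages in HTTP access logs, and deciding whether a reported Openfire version carries the fix. The public form of the bypass uses the non-standard %u002e encoding for the dots in `..` so that the path passes the console's authentication filter but still resolves to a page outside /setup/, so the detector decodes both %uXXXX and %XX escapes before normalizing. The log lines are constructed; the assumption is that the admin console (ports 9090/9091) sits behind a reverse proxy or other component that writes combined-format access logs.

```python
"""Checks for CVE-2023-32315: access-log traversal detection and version test.

Added example, not Openfire's or VulnCheck's code. Assumes combined-format
access logs are available for the admin console."""
import posixpath
import re
from urllib.parse import unquote

# Combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UNICODE_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")

# Constructed sample lines (not a real capture). 203.0.113.7 walks the
# traversal to create an admin user and reach the plugin page.
SAMPLE_LOG = """\
198.51.100.5 - - [22/Aug/2023:10:14:57 +0000] "GET /login.jsp HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2023:10:15:01 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.7 - - [22/Aug/2023:10:15:02 +0000] "POST /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=abc&username=backup HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [22/Aug/2023:10:15:10 +0000] "GET /setup/index.jsp HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2023:10:15:30 +0000] "GET /setup/setup-s/%2e%2e/%2e%2e/plugin-admin.jsp?uploadplugin HTTP/1.1" 200 6120 "-" "python-requests/2.31"
"""


def decode_path(target: str) -> str:
    """Decode %uXXXX and %XX escapes and collapse '..' the way a lenient
    servlet container would, returning the page the request really reaches."""
    path = target.split("?", 1)[0]
    path = UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), path)
    path = unquote(path)
    return posixpath.normpath(path)


def find_setup_traversal(log_text: str):
    """Return one finding per request that enters /setup/ and escapes it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target").split("?", 1)[0]
        resolved = decode_path(m.group("target"))
        entered_setup = raw.lower().startswith("/setup/")
        left_setup = not resolved.lower().startswith("/setup/")
        if entered_setup and left_setup:
            findings.append({"ip": m.group("ip"), "method": m.group("method"),
                             "status": int(m.group("status")),
                             "raw": raw, "resolved": resolved})
    return findings


def is_patched(version: str) -> bool:
    """True if this Openfire version includes the CVE-2023-32315 fix
    (4.6.8+, 4.7.5+, or 4.8.0 and later)."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    major, minor, patch = (nums + [0, 0, 0])[:3]
    if (major, minor) == (4, 6):
        return patch >= 8
    if (major, minor) == (4, 7):
        return patch >= 5
    return (major, minor, patch) >= (4, 8, 0)


if __name__ == "__main__":
    for finding in find_setup_traversal(SAMPLE_LOG):
        print(finding)
    for v in ("4.7.4", "4.7.5", "4.6.8", "4.8.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

The detector keys on the shape of the request (into /setup/, resolving outside it) rather than on the specific page names, so it also catches VulnCheck's variant that skips user creation and goes straight to the plugin upload. The version check treats 4.6.x and 4.7.x as separate branches because each received its own backported fix; anything older than 4.6.8 on an earlier branch is reported as vulnerable.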
August 23, 2023
After failed patches, FBI recommends complete removal of Barracuda product
A zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances (CVE-2023-2868), a remote command injection triggered by specially crafted .tar email attachments, has been exploited since October 2022. Barracuda has since pushed security patches intended to stop the command injection on the affected appliances, ESG (appliance form factor only) versions 5.1.3.001 through 9.2.0.006.
Those patches haven’t held. On August 23, the FBI issued an alert urging ESG customers to replace their Barracuda gateways, stating that the vendor’s patches were ineffective and that all exploited ESG appliances, including patched ones, remain at risk of compromise. Barracuda itself had already recommended replacement in June.
The vulnerability lets attackers execute system commands on the ESG with elevated privileges. The recommended fix is not a patch but removal: take any Barracuda ESG appliance that was exposed to the vulnerability out of your security infrastructure and keep it off the network, since it may still be compromised despite the attempted patches. Barracuda and the FBI also advise rotating any credentials and certificates that were configured on the appliance and hunting for the published indicators of compromise in mail and network logs.
August 24, 2023
Akira ransomware targeting Cisco, but MFA helps
Akira ransomware operators have been using Cisco virtual private network (VPN) products as an entry point into victim networks.
Sophos researchers first flagged this in May, and another researcher later noted that multiple other Cisco VPN instances had been compromised the same way. Akira gets in by logging on with compromised user credentials, particularly for accounts that don’t have multi-factor authentication (MFA) enabled, so a stolen or guessed password alone is enough.
Cisco last week confirmed that the company has “observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users. This highlights the importance of enabling multi-factor authentication (MFA) in VPN implementations.”
Cisco’s advisory describes the activity and the available controls, including enabling logging so that anomalous VPN logins can be detected and investigated.
August 25, 2023
Exploit publicly released for Juniper Networks OS vulnerability
A set of vulnerabilities in Juniper Networks’ Junos OS affects both SRX Series firewalls and EX Series switches. They sit in J-Web, the operating system’s PHP-based web management interface. An unauthenticated attacker with network access to J-Web could chain them to execute code remotely on the device, and a public exploit for the chain was released on August 25.
According to Juniper, all versions of Junos OS on SRX and EX Series devices prior to the fixed releases listed in the bulletin are affected. The security bulletin was last updated August 25. Until the fix is applied, Juniper’s recommended workaround is to disable J-Web or limit access to it to trusted hosts only.