Is it better to stress now, or stress more later? Organizations that possess effective patch and vulnerability management suffer stress earlier as vulnerabilities are announced and their teams work hard to eliminate them. Organizations that don’t patch promptly likely suffer additional stress when the unpatched vulnerabilities are targeted by attackers.
The ongoing stress related to pre-existing vulnerabilities continues to haunt customers of Citrix NetScaler, Cisco IOS XE, and Apple. Yet with patches available for new vulnerabilities in tools such as VMware vCenter Server and F5 BIG-IP, patching teams need to get moving to avoid being the next victims. A few of the vulnerabilities this week are particularly critical — so much so that VMware took the unusual step of updating a product that had reached end-of-life status.
It can also be a challenge for security and IT pros even to know everything they own — a vulnerable device may have been forgotten — so asset management is an increasingly important part of vulnerability management.
October 23, 2023
Citrix NetScaler Vulnerability Under Active Attack
The problem: Unpatched Citrix NetScaler ADC and Gateway appliances allow attackers to retrieve authentication session cookies and other information stored in buffers.
Widespread Cisco IOS XE Vulnerability Under Active Attack
Type of attack: Attackers actively exploit vulnerabilities in internet-facing IOS XE systems to add new privileged users and backdoors.
The problem: CVE-2023-20198, with the highest possible CVSS score of 10.0, and CVE-2023-20273, with a CVSS score of 7.2, allow attackers to bypass authentication and gain root access to systems. Although the flaws were reported last week, researchers have since observed attackers altering compromised systems, potentially to hide vulnerable servers from detection.
The fix: Updated versions of IOS XE are available now for installation; however, updating will not remove added credentials or other backdoors already installed on servers. Security teams are strongly advised to perform a forensic triage to detect and reverse all unauthorized changes.
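One piece of that triage is checking the running configuration for local accounts that nobody provisioned. The script below is an added example, not a Cisco tool: it parses a constructed IOS XE `show running-config` excerpt, lists local usernames (with privilege level) that are absent from an assumed operator-maintained baseline, and reports whether the HTTP server (the web UI feature) is enabled. The config text, the baseline and the account names are all constructed for illustration.

```python
"""Triage helper for an IOS XE running-config, for the forensic check above.

Added example, not a Cisco tool. The configuration text is constructed and the
baseline is an assumed operator-maintained allowlist of expected local accounts;
real triage would also diff the whole config against a known-good backup.
"""
import re

# Constructed 'show running-config' excerpt, not from a real device.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
username netadmin privilege 15 secret 9 $9$placeholder
username monitor secret 9 $9$placeholder
username svcuser privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Assumed baseline: local accounts the operator knows should exist.
BASELINE_USERS = {"netadmin", "monitor"}

# 'username NAME [privilege N] ...'; privilege defaults to 1 when absent.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)
# Lines that enable the web UI; a leading 'no ' means it is disabled and will not match.
HTTP_RE = re.compile(r"^ip http (?:secure-)?server\s*$", re.MULTILINE)


def parse_local_users(config):
    """Map each locally configured username to its privilege level."""
    return {name: int(priv) if priv else 1 for name, priv in USER_RE.findall(config)}


def unexpected_users(config, baseline):
    """Local accounts not in the baseline, highest privilege first."""
    users = parse_local_users(config)
    extra = [(name, priv) for name, priv in users.items() if name not in baseline]
    return sorted(extra, key=lambda item: (-item[1], item[0]))


def web_ui_enabled(config):
    """True if 'ip http server' or 'ip http secure-server' is configured."""
    return HTTP_RE.search(config) is not None


def triage(config, baseline=BASELINE_USERS):
    """Summarise the findings a responder would want to act on."""
    return {
        "unexpected_users": unexpected_users(config, baseline),
        "web_ui_enabled": web_ui_enabled(config),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG)
    for name, priv in report["unexpected_users"]:
        print(f"unexpected local user {name!r} at privilege {priv}")
    if report["web_ui_enabled"]:
        print("web UI (ip http server / secure-server) is enabled; review its exposure")
```

On the constructed sample the script flags `svcuser` at privilege 15 and reports the web UI as enabled. An unexpected account is a lead, not proof of compromise; confirm it against change records and a known-good backup before removing it, and remember that the article's point stands: the patch alone leaves such accounts in place.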
OAuth API Misconfigurations Expose User Accounts to Takeover
Type of attack: No active attacks are underway, but researchers found (and fixed) common OAuth implementation errors that exposed millions of customer accounts.
The problem: Grammarly, Vidio, Bukalapak, and other websites that use OAuth authentication (“log in with your [Facebook, Google, etc.] account”) failed to verify the secret tokens received for authentication before making API requests. These sites have fixed the error, but it remains widespread. Skipping this step allows attackers to use any token, including one issued to an unrelated application, to authorize access to the account.
The fix: Modify application code to verify that the access token was generated for that specific application’s ID and not for some other site or application.
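The check the fix calls for is an audience check: before trusting a token handed to your login endpoint, confirm that the provider issued it to your application. The code below is an added example, not code from any of the sites named above. It stands in for the provider's token-introspection endpoint with a constructed dict (no network call) and shows the vulnerable login beside the fixed one. The field names `aud`, `sub` and `exp` follow common OAuth/OIDC convention rather than one provider's exact schema; for instance Google's tokeninfo response reports `aud`, while Facebook's debug_token reports `app_id`, so map the key accordingly. `OUR_CLIENT_ID` and every token string are constructed placeholders.

```python
"""Audience check for a third-party access token, as the fix above describes.

Added example, not from any of the sites named in the article. The provider's
token-introspection response is a constructed dict (no network call), and the
field names 'aud', 'sub' and 'exp' follow common OAuth/OIDC convention rather
than one provider's exact schema.
"""
import time

OUR_CLIENT_ID = "example-app-client-id"  # constructed placeholder for this app's ID


def introspect_token(access_token, now=None):
    """Stand-in for the provider's token-info endpoint (constructed data).

    Every token below is genuinely valid at the provider; what differs is
    which application each one was issued to.
    """
    now = time.time() if now is None else now
    provider_records = {
        "tok-ours":      {"active": True, "aud": OUR_CLIENT_ID, "sub": "user-42", "exp": now + 3600},
        "tok-other-app": {"active": True, "aud": "some-other-site", "sub": "user-42", "exp": now + 3600},
        "tok-expired":   {"active": True, "aud": OUR_CLIENT_ID, "sub": "user-42", "exp": now - 10},
    }
    return provider_records.get(access_token, {"active": False})


def verify_token_for_app(info, expected_client_id, now=None):
    """Return None if the token may log a user in, otherwise the reason it was rejected."""
    now = time.time() if now is None else now
    if not info.get("active"):
        return "token inactive or unknown"
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # 'aud' may be a list or a single value
    if expected_client_id not in audiences:
        return "token was issued to a different application"
    if info.get("exp", 0) <= now:
        return "token expired"
    if not info.get("sub"):
        return "token carries no subject"
    return None


def login_unsafe(access_token):
    """The vulnerable pattern: any active token logs in whichever user it names."""
    info = introspect_token(access_token)
    return info["sub"] if info.get("active") else None


def login_safe(access_token, expected_client_id=OUR_CLIENT_ID):
    """The fixed pattern: only tokens issued for this application are honoured."""
    info = introspect_token(access_token)
    if verify_token_for_app(info, expected_client_id) is not None:
        return None
    return info["sub"]


if __name__ == "__main__":
    for tok in ("tok-ours", "tok-other-app", "tok-expired", "tok-unknown"):
        print(f"{tok:14s} unsafe={login_unsafe(tok)!s:8s} safe={login_safe(tok)}")
```

Run stand-alone, the output shows the difference in one line: `tok-other-app` (valid at the provider, but issued to a different application) logs `user-42` in through `login_unsafe` and is refused by `login_safe`. Keeping the audience, expiry and subject checks in `verify_token_for_app` rather than inline in the login handler makes them easy to unit-test and hard to skip by accident in a second login path.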
October 25, 2023
VMware vCenter Server Flaw Triggers Emergency and End-of-Life Updates
Type of attack: Remote code execution (RCE) that requires no user interaction and can be triggered by an attacker without administrative privileges.
The problem: An out-of-bounds write weakness with a CVSS severity score of 9.8/10, tracked as CVE-2023-34048, affects a huge range of vCenter Server and Cloud Foundation products. While not currently exploited by attackers, there is no workaround to mitigate this issue in unpatched systems.
The fix: VMware has issued patches that should be applied immediately. This vulnerability is so severe that VMware took the unusual step of issuing patches for end-of-life products, including vCenter Server 6.5U3, VCF 3.x, and the asynchronous vCenter Server patches for VCF 4.x.
VMware Aria Operations for Logs Exploit Code Published
Type of attack: Remote code execution (RCE) triggered by the injection of files into an appliance’s operating system.
The problem: An authentication bypass flaw, tracked as CVE-2023-34051, carries a severity rating of 9.8 and allows unauthenticated users to inject files into the Aria Operations for Logs product. While not currently actively exploited, the exploit code has been published, which means that attackers will soon punish organizations that are slow to patch.
The fix: VMware urges immediate patching of affected versions of VMware Aria Operations for Logs, and of VMware Cloud Foundation 5.x and 4.x deployments that include Aria Operations for Logs.
Firefox and Chrome Updates Fix High-Severity Vulnerabilities
Type of attack: Clickjacking, arbitrary code execution (ACE), and more.
The problem: Firefox (and Thunderbird) patched 11 vulnerabilities, including three high-severity issues related to insufficient activation-delay and memory safety issues. Chrome patched two use-after-free issues in Profiles that enable an escape from the browser sandbox.
The fix: Ensure users update to the latest versions of Chrome, Firefox, and Thunderbird and restart the program.
Russian Attackers Exploit Zero-day One-Click Exploit in Roundcube Email Servers
The problem: The persistent XSS vulnerability, tracked as CVE-2023-5631, currently carries a CVSS base score of only 5.4/10, but it is being reevaluated because of the active exploitation. The software flaw improperly neutralizes input during web page generation and can be triggered simply by opening an email.
October 26, 2023
Apple Issues Second Urgent Patch for ACE Vulnerability
Type of attack: Attackers install espionage software TriangleDB on iPhones and iPads released before September 2023 (pre-iOS 15.7).
The problem: Four zero-day vulnerabilities discovered by Kaspersky researchers are involved, with a variety of effects, but the most significant is an integer overflow vulnerability that allows arbitrary code execution (ACE) with kernel privileges. These patches are the second set intended to fix CVE-2023-32434, which was first announced in June of this year.
The fix: Ensure users update to the latest versions of iOS and iPadOS quickly.
October 27, 2023
F5 BIG-IP RCE Triggered by Unauthenticated Users with Network Access
Type of attack: Unauthenticated attackers with network access to BIG-IP instances that expose the Traffic Management User Interface (TMUI) could achieve remote code execution (RCE).
The problem: The authentication bypass flaw, CVE-2023-46747, holds a CVSS rating of 9.8/10 because it is easy to exploit for any attacker that can reach the configuration utility.
The fix: Update vulnerable BIG-IP modules to versions that include the Hotfix as soon as possible.
iLeakage Attack Can Steal Apple Browser Information
Type of attack: Side-channel attacks on Apple CPUs have been found capable of extracting browser information such as emails, passwords, or browser history.
The problem: Similar to the Spectre processor vulnerability of 2018, the iLeakage vulnerability stems from Apple CPUs performing speculative execution. While the technique speeds up processing, it leaves traces in the cache that can be extracted with side-channel attacks.
The fix: A preliminary and unstable fix for macOS is optionally available to users, but is neither enabled by default nor available for mobile users (iOS, iPadOS). While the research paper explaining the attack has been released, no attacks are currently observed and Apple plans to address the issue in the next scheduled software release.