Black Arrow Cyber Advisory 17 January 2024 – Citrix and Ivanti Vulnerabilities Under Active Exploitation - Atlassian, Oracle, SonicWall, and VMware also Address Security Flaws
Executive Summary
This week Atlassian, Citrix, Ivanti, Oracle, SonicWall and VMware have addressed multiple vulnerabilities across their product range. Included in the vulnerabilities addressed are two actively exploited 0-days, impacting Ivanti and Citrix products. At the time of writing, over 1700 Ivanti devices have been compromised and over 15,000 devices remain exposed.
Atlassian
CVE-2023-22527 - This exploit is a template injection vulnerability which if successfully exploited, allows an unauthenticated attacker to perform remote code execution on an affected instance.
Impacted Versions:
This vulnerability affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.
What can I do?
Atlassian has released patches for the affected products, and it is advised to patch immediately. The listed Fixed Versions are no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.
Citrix NetScaler
CVE-2023-6548 – Allows authenticated (low privileged user) remote code execution on Management interface. Requires access to NSIP, CLIP or SNIP with management interface.
CVE-2023-6549 - If exploited allows an attacker to perform a denial of service attack. Appliance must be configured as a gateway or AAA virtual server.
Impacted Versions:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
NetScaler ADC 13.1-FIPS before 13.1-37.176
NetScaler ADC 12.1-FIPS before 12.1-55.302
NetScaler ADC 12.1-NDcPP before 12.1-55.302
NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
What can I do?
Citrix have released patches for the impacted products. Citrix have reported that this is being actively exploited and seen in the wild so it is advised that the patches are applied immediately.
Ivanti
CVE-2023-46805 - This is an authentication bypass which enables an attacker to access restricted resources by circumventing control checks.
CVE-2024-21887 - This is a command injection that lets authenticated admins execute arbitrary commands on vulnerable appliances.
Impacted Versions:
These vulnerabilities impact all supported versions, 9.x and 22.x
What can I do?
Ivanti have released mitigation files which can be found below, it is advised to install immediately. Patches are being developed however they are being staggered with the first patches being released on January 22nd and the final patches released on February the 19th.
Oracle
In their first Critical Patch Update of 2024, Oracle hae released 389 security patches, addressing 200 vulnerabilities. Financial Services Applications were the most impacted, with 71 new security patches. Oracle have urged all customers to apply the patches as soon as possible, warning that it periodically receives reports of in-the-wild exploitation of issues for which it has released fixes.
SonicWall
CVE-2022-22274 - This is a buffer overflow which if exploited successfully allows a remote unauthenticated attacker to cause a denial of service or potentially result in a code execution in the firewall.
CVE-2023-0656 - This is a buffer overflow which if exploited successfully allows a remote unauthenticated attacker to cause a denial of service attack which could cause the impacted firewall to crash.
What can I do?
SonicWall have released patches for affected products and it is advised to update to the latest available version.
VMware
CVE-2023-34063 – The affected products contain a missing access control vulnerability, which if successfully exploited, this vulnerability may lead to unauthorised access to remote organisations and workflows.
VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)
VMware Cloud Foundation (4.x and 5.x)
What can I do?
VMware have released patches which can be found in the Security Advisory. It is advised to update as soon as possible. There are no current workarounds.
Further Information
Atlassian
Further details on the Atlassian vulnerabilities can be found here:
https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
Citrix NetScaler
Further details on the Citrix NetScaler vulnerabilities can be found here:
Ivanti
Further details on the Ivanti vulnerabilities can be found here:
Oracle
Further details on the Oracle vulnerabilities can be found here:
https://www.oracle.com/security-alerts/cpujan2024.html
SonicWall
Further details on the SonicWall vulnerabilities can be found here:
https://bishopfox.com/blog/its-2024-and-over-178-000-sonicwall-firewalls-are-publicly-exploitable
VMware
Further details on the VMware vulnerability can be found here:
https://www.vmware.com/security/advisories/VMSA-2024-0001.html
https://core.vmware.com/resource/vmsa-2024-0001-questions-answers
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity