Black Arrow Cyber Advisory 23 January 2024 – Apple, Atlassian, Ivanti and VMware Vulnerabilities Under Active Exploitation

Executive Summary

Vulnerabilities in Apple, Atlassian, Ivanti and VMware are currently being actively exploited in the wild. All of the vendors have a security patch available to address the vulnerabilities and, because of the active exploitation, it is recommended to apply the patches immediately.


Apple

Following a report that Chinese authorities revealed they have used previously known vulnerabilities in Apple's AirDrop functionality to help law enforcement, Apple have released a patch for an actively exploited critical zero-day in iOS, iPadOS, macOS, tvOS and the Safari web browser. The zero-day is a type confusion vulnerability that allows an attacker to perform arbitrary code execution.

Impacted Versions:

iOS 17.3 and iPadOS 17.3 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.3 - Macs running macOS Sonoma

macOS Ventura 13.6.4 - Macs running macOS Ventura

macOS Monterey 12.7.3 - Macs running macOS Monterey

Safari 17.3 - Macs running macOS Monterey and macOS Ventura

What can I do?

Updates to vulnerable devices should be applied immediately due to this vulnerability being under active exploitation.


Atlassian

Following the disclosure of the Atlassian Confluence vulnerability, it has become a target for active exploitation. Researchers have observed attackers attempting to exploit this vulnerability. At present, there are 11,000 Confluence instances exposed on the internet, and Shadowserver has recorded nearly 40,000 exploitation attempts. For further information on the vulnerability, see our advisory linked below.


Ivanti

Following the public disclosure of two Ivanti vulnerabilities being actively exploited, a third vulnerability has now been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

CVE-2023-35082 - This vulnerability enables a remote unauthorised attacker to access users’ personally identifiable information and make limited modifications to the server.

Impacted versions:

This vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8. MobileIron Core 11.7 and earlier versions are also affected by this vulnerability.

What can I do?

Ivanti released a patch for this vulnerability in August 2023. It is recommended to update any impacted products to version 11.11.0.0 or later to safeguard them from this vulnerability.


VMware

A critical vulnerability in VMware vCenter Server Management has been exploited in the wild by a Chinese hacking group since 2021. The vulnerability (CVE-2023-34048) allows an attacker to write out of bounds, potentially leading to remote code execution. VMware released a patch in October 2023, stating that it was not under active exploitation. VMware have recommended that customers update to the latest version, which is 9.0U2.

Further Information


For further information on Ivanti and Atlassian see our previous advisory:

https://www.blackarrowcyber.com/blog/advisory-17-january-2024-citrix-ivanti-atlassian-oracle-sonicwall-vmware-security-updates

Apple

Further details on the Apple vulnerabilities can be found here:

https://support.apple.com/en-gb/HT201222

Ivanti

Further details on the Ivanti vulnerabilities can be found here:

https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US

https://www.cisa.gov/news-events/alerts/2024/01/18/cisa-adds-one-known-exploited-vulnerability-catalog

VMware

Further details on the VMware vCenter Server Management vulnerability can be found here:

https://www.vmware.com/security/advisories/VMSA-2023-0023.html
