Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin Black Arrow Admin

Black Arrow Cyber Advisory 04 December 2023 – Apple, Google, ownCloud, Zoom and Zyxel Vulnerabilities Summary

Executive summary

Apple, Google, ownCloud and Zoom have all addressed vulnerabilities in their products which could be exploited by an attacker. The vulnerabilities could lead to remote code execution. The vulnerabilities impacting Google and ownCloud are actively being exploited by malicious actors.

Apple

Two new zero-days impacting Apple's WebKit browser engine were fixed in emergency updates. The two vulnerabilities allow attackers to gain access to sensitive information via an out-of-bounds read weakness and gain arbitrary code execution via maliciously crafted webpages.

Google Chrome

Google has addressed several vulnerabilities, including one actively exploited zero-day. The zero-day is caused by a weakness within the Skia open-source 2D graphics library and can lead to remote code execution.

ownCloud

Three vulnerabilities in the open-source file sharing software ownCloud could disclose sensitive information and allow an attacker to modify files, if exploited. As a fix, ownCloud recommends deleting the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file and disabling the 'phpinfo' function. It is also advising users to change secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys. One of the vulnerabilities has already been recorded as being actively exploited by malicious actors.

Zoom

A vulnerability in Zoom that could allow threat actors to take over meetings and steal data has been patched. Researchers have stated that the flaw was first discovered in June 2023. There are no reports of active exploitation in the wild at this time.

Zyxel

Zyxel have documented multiple security flaws in a range of products, including firewalls, access points and network attached storage (NAS) devices, warning that unpatched devices are at risk of authentication bypass, command injection and denial-of-service attacks.

What’s the risk to me or my business?

There is a risk that running unpatched versions of the above products will leave users open to having the confidentiality, integrity and availability of their information compromised.

What can I do?

Black Arrow recommends organisations check whether they are running vulnerable versions of the above products, and if so, these should be updated to patched versions. Further information can be found below.



Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity


Black Arrow Cyber Advisory 09 November 2023 – Critical Atlassian Confluence Vulnerability Actively Exploited

Executive summary

Atlassian has published a security advisory warning users of active exploitation of a critical vulnerability in all versions of Atlassian Confluence Data Center and Server, which could allow an unauthenticated attacker to perform actions with administrative functions. The vulnerability has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

What’s the risk to me or my business?

Organisations operating a vulnerable version risk allowing an unauthenticated attacker to reset Confluence and create an administrator account. Atlassian has stated that exploitation can lead to a full loss of confidentiality, integrity and availability. This vulnerability affects all versions of Atlassian Confluence Data Center and Server.

What can I do?

Black Arrow recommends following Atlassian’s advice and applying updates immediately, which can be found in their advisory linked below. Atlassian have stated that publicly accessible Confluence Data Center and Server versions, in particular, are at critical risk of exploitation.

In the event that you are unable to apply the updates, mitigations have been provided by Atlassian; however, updates should be applied as soon as possible. The fixed versions of Confluence Data Center and Server are as follows:

  • 7.19.16

  • 8.3.4

  • 8.4.4

  • 8.5.3

  • 8.6.1

Technical Summary

CVE-2023-22518 – An improper authorisation vulnerability in Atlassian Confluence Data Center and Server.

Further information can be found here:

https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

https://nvd.nist.gov/vuln/detail/CVE-2023-22518  

Black Arrow Cyber Advisory 05 October 2023 – Apple Release Emergency Patch for Two Zero-day Vulnerabilities, Taking Total to 17 Zero-days So Far in 2023

Executive Summary

Apple have released emergency updates to patch two zero-day vulnerabilities, including one actively exploited vulnerability, which target iPhone and iPad devices. The vulnerabilities allow an attacker to escalate privileges and perform remote code execution.

What’s the risk to me or my business?

Exploitation allows an attacker to elevate their privileges to the highest available and perform code execution. This allows attackers to perform actions such as extracting messages, photos, emails, and recording calls, impacting the confidentiality, integrity and availability of data.

Patches are available for:

  • iPhone XS and later

  • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

Technical Summary:

CVE-2023-42824 – A kernel vulnerability allowing local attackers to escalate privileges on vulnerable iPhones and iPads. This vulnerability has been exploited against versions of iOS before 16.6.

CVE-2023-5217 – A heap buffer overflow weakness in libvpx which could allow code execution.

What can I do?

Users are recommended to apply the patches immediately, due to the active exploitation in the wild. Organisations should also be aware that employees using Apple BYOD devices will need to apply the relevant patches, as the vulnerabilities affect the corporate information those devices have access to.

Further information can be found below:

https://support.apple.com/en-gb/HT213961  

Black Arrow Cyber Advisory 28 September 2023 – Google Patches Actively Exploited Chrome Zero Day as Mozilla Fix High-Severity Vulnerabilities in Firefox and Thunderbird

Executive summary

A new actively exploited zero-day vulnerability in Google Chrome which can lead to remote code execution has been identified, with patches released. Also this week, Mozilla released updates for high-severity vulnerabilities in both Firefox and Thunderbird.

What’s the risk to me or my business?

The actively exploited vulnerability and high-severity vulnerabilities can allow an attacker to execute malicious code, compromising the confidentiality, integrity and availability of data.

What can I do?

Security updates are available for both browsers. The updates for Chrome are available in version 117.0.5938.132 and should be applied immediately. The updates for Firefox are available in version 118 and should be applied as soon as possible.

Technical Summary

CVE-2023-5217: an actively exploited zero-day heap-based buffer overflow which can lead to execution of arbitrary code.

The security advisory from Google Chrome can be found here:

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

The security advisory from Firefox can be found here:

https://www.mozilla.org/en-US/security/advisories/mfsa2023-41/

Black Arrow Cyber Advisory 13 September 2023 – Microsoft Patch Tuesday fixes 59 Vulnerabilities, including Two Actively Exploited, also Adobe, Chrome, Mozilla and SAP Updates

Executive summary

Microsoft’s September Patch Tuesday provides updates to address 59 security issues across its product range, including two actively exploited zero-day vulnerabilities. The exploited zero-days have both been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. Of the 59 security issues addressed by Microsoft, 5 were rated critical.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker to gain SYSTEM privileges, or to capture and relay hashes of user passwords to gain access to that user’s account. Both compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.

Technical Summary

CVE-2023-36802: This actively exploited vulnerability allows a local attacker to gain SYSTEM privileges.

CVE-2023-36761: This actively exploited vulnerability can allow an attacker to steal the NTLM password hashes of users who open a document, even if only in the preview pane.


Adobe

This month, Adobe released fixes for 5 vulnerabilities, including 1 critical vulnerability, across Adobe Acrobat & Reader (1), Adobe Connect (2) and Adobe Experience Manager (2). The critical vulnerability, tracked as CVE-2023-26369, impacts both Windows and macOS versions of Adobe Acrobat & Reader and, if exploited, can allow an attacker to execute malicious code.


Chrome

A new update for Google Chrome is available for Windows, Linux and macOS. The update includes 16 security fixes, including one for a critical and actively exploited vulnerability which could cause denial of service or allow code execution.


Mozilla

Mozilla released fixes for two critical vulnerabilities, impacting Firefox and Thunderbird. The vulnerabilities could allow an attacker to perform code execution.


SAP

Enterprise software vendor SAP has addressed 13 vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP BusinessObjects Business Intelligence Platform. The vulnerabilities include remote execution and authentication bypass. A total of 5 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.


Further details on other specific updates within this Patch Tuesday can be found here:

https://www.ghacks.net/2023/09/12/the-windows-september-2023-security-updates-are-now-available/

Further information on Adobe Acrobat and Reader can be found here:

https://helpx.adobe.com/security/products/acrobat/apsb23-34.html

Further information on Adobe Connect can be found here:

https://helpx.adobe.com/security/products/connect/apsb23-33.html

Further information on Adobe Experience Manager can be found here:

https://helpx.adobe.com/security/products/experience-manager/apsb23-43.html

Further information on the patches by SAP can be found here:

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Further information on Google Chrome can be found here:

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html

Further information on Mozilla can be found here:

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Black Arrow Cyber Alert 08 September 2023 – Apple Discloses 2 New Zero-days Actively Exploited to Attack iPhones and Macs

Executive Summary

Apple have released emergency updates to fix two new actively exploited zero-day vulnerabilities which target iPhone and Mac users. The vulnerabilities, if exploited on an unpatched Apple device, allow attackers to execute arbitrary code through the use of maliciously crafted images and attachments.

What’s the risk to me or my business?

The vulnerabilities have already been exploited as part of zero-click iMessage exploits to deploy Pegasus mercenary spyware. This allows attackers to execute code to perform actions such as extracting messages, photos, emails, and recording calls, impacting the confidentiality, integrity and availability of data.

Patches are available in:

macOS Ventura 13.5.2: Available for devices running macOS Ventura.

iOS 16.6.1 and iPadOS 16.6.1: Available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Technical Summary:

CVE-2023-41064 – A buffer overflow weakness that, when processing maliciously crafted images, can lead to arbitrary code execution.

CVE-2023-41061 – A validation issue which can be exploited through a malicious attachment to also gain arbitrary code execution.

What can I do?

Users are recommended to apply the patches as soon as possible due to their active exploitation in the wild. Organisations should also be aware that employees using Apple BYOD devices will need to apply the relevant patches, as the vulnerabilities affect the corporate information those devices have access to.

Further information can be found below:

https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/

https://support.apple.com/en-gb/HT213905

https://support.apple.com/en-gb/HT213906 

Black Arrow Cyber Advisory 10 August 2023 – Microsoft Patch Tuesday Fixes 86 Vulnerabilities, including Two Actively Exploited, and Adobe Updates Summary

Executive summary

Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884, CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.

What’s the risk to me or my business?

The vulnerabilities allow an attacker to remotely execute code and cause a denial-of-service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, which is a denial-of-service vulnerability, has been recorded by the US Cybersecurity and Infrastructure Security Agency (CISA) in its “Known Exploited Vulnerabilities” Catalogue.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities. Microsoft has also published a separate advisory for CVE-2023-36884.

Technical Summary

CVE-2023-36884: This vulnerability, if exploited, allows threat actors to create specially crafted documents which bypass Mark of the Web (MoTW) security features, causing files to be opened with no warning and allowing a threat actor to perform remote code execution.

CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.


Adobe

In addition to Microsoft’s Patch Tuesday, Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities spanned Adobe Acrobat and Reader (16), Adobe Commerce and Adobe Dimension (2). At present, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.


Further details on other specific updates within this Patch Tuesday can be found here:

https://www.ghacks.net/2023/08/08/the-windows-august-2023-security-updates-fix-critical-vulnerabilities-and-internet-explorer/

Further details about CVE-2023-38180 can be found here:                     

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180

Further details about CVE-2023-36884 can be found here:                     

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884  

The advisory from Microsoft can be found here:

https://msrc.microsoft.com/update-guide/vulnerability/ADV230003

Further information on CISA’s Known Exploited Vulnerabilities Catalog can be found here:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html

Black Arrow Cyber Advisory - 22 June 2023 – Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Executive summary

Apple has recently released updates for iOS, iPadOS, macOS, watchOS and the Safari browser. These updates address a set of flaws that were actively exploited in the wild, with the most severe allowing an attacker to perform arbitrary code execution.

What’s the risk to me or my business?

Depending on the privileges associated with the user, if the vulnerability is successfully exploited an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of organisational information that could be accessed from the affected asset.

Technical Summary

The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.

CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.

CVE-2023-32435 – This is a memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

The updates are available for the following platforms:

  • iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

  • iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

  • macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8

  • watchOS 9.5.2 - Apple Watch Series 4 and later

  • watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE, and

  • Safari 16.5.1 - Macs running macOS Monterey

What can I do?

It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.

Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222

Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild

An update to an advisory published on 8 June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns

Executive summary

VMware has confirmed that exploitation of the critical-rated CVE-2023-20887 has occurred in the wild. This vulnerability affects VMware Aria Operations (formerly known as vRealize Network Insight) and allows a malicious actor with access to the network to perform remote code execution (RCE).

What’s the risk to me or my business?

The vulnerability, if exploited using command injection, could give the attacker unrestricted root access, compromising the confidentiality, integrity, and availability of data in your organisation.

Impacted versions include: VMware Aria Operations Networks version 6.x.

What can I do?

VMware have recommended applying patches which they have made available for the following versions: 6.2/6.3/6.4/6.5.1/6.6/6.7/6.8/6.9/6.10.

There are no workarounds for this vulnerability.

Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html

Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684

Black Arrow Cyber Advisory 06 June 2023 – Zyxel Firewall Vulnerability Under Active Exploitation - Patch Now

Executive Summary

A number of recently disclosed vulnerabilities in Zyxel firewalls are now known to be actively exploited by malicious actors.

Two of these exploited vulnerabilities are buffer overflows which enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution. In addition, a further critical vulnerability has been disclosed which allows an unauthenticated attacker to remotely execute operating system commands by sending crafted packets to a device.

These vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

What’s the risk to me or my business?

The vulnerabilities, if exploited, allow an attacker to execute remote code and cause a denial of service. If this occurs it can allow an attacker to disable or modify the firewall rules, allowing further malicious attacks to breach the network – all of which impact the confidentiality, integrity and availability of data of the organisation.

Technical Summary

CVE-2023-3309 – A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even remotely execute code on an affected device.

CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even remotely execute code on an affected device.

CVE-2023-28771 – Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some operating system commands remotely by sending crafted packets to an affected device.

The affected firewall products and versions are patched in version ZLD V5.36 Patch 2:

- ATP – versions: ZLD V4.32 to V5.36 Patch 1

- USG FLEX – versions: ZLD V4.50 to V5.36 Patch 1

- USG FLEX50(W)/USG20(W)-VPN – versions: ZLD V4.25 to V5.36 Patch 1

- VPN – versions: ZLD V4.30 to V5.36 Patch 1

The following affected product and versions are patched in version ZLD V4.73 Patch 2:

- ZyWALL/USG – versions: ZLD V4.25 to V4.73 Patch 1

What can I do?

It is recommended that patches are applied immediately for the impacted products. Zyxel has also issued guidance to disable HTTP/HTTPS services from the Wide Area Network (WAN) unless absolutely required, and to disable UDP ports 500 and 4500 if not in use. If you are unsure, it is advised to check with your MSP.

Further information can be found here:

https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices

Black Arrow Cyber Advisory 13 April 2023 – Fortinet Patches Multiple Vulnerabilities, Including Some High Severity

Executive summary

As part of its April 2023 vulnerability advisories update, Fortinet has released patches for one actively exploited vulnerability (CVE-2022-0847) which impacted FortiAuthenticator, FortiProxy and FortiSIEM. The advisory also addressed high severity vulnerabilities in FortiOS, FortiProxy, FortiSOAR, FortiClient, FortiNAC, FortiADC, FortiDDoS, FortiDDoS-F, FortiPresence, FortiWeb, FortiAnalyzer, FortiSandbox, FortiDeceptor, FortiManager, FortiGate and FortiAuthenticator.

Technical Summary

CVE-2022-0847 is an actively exploited Linux kernel privilege escalation vulnerability known as “dirty pipe” which was patched in March last year. Some versions of FortiAuthenticator, FortiProxy and FortiSIEM use a version of the Linux kernel which was still vulnerable to this exploit, prior to Fortinet releasing the April updates.

What’s the risk to me or my business?

The vulnerabilities, if exploited, could allow an attacker to escalate privileges, perform command execution, bypass anti brute-force defences, create files and perform man-in-the-middle attacks; all of which can compromise the confidentiality, integrity and availability of data in your organisation.

According to Fortinet, the following products are affected by the actively exploited vulnerability:

FortiAuthenticator version 6.3.0 through 6.3.3 and 6.4.0 through 6.4.1

FortiProxy version 7.0.0 through 7.0.3

FortiSIEM version 6.1.0 through 6.1.2, 6.2.0 through 6.2.1, 6.3.0 through 6.3.3 and 6.4.0

What can I do?

Patches are available for the products affected by the exploited vulnerability and should be applied immediately. Security updates are available for the other vulnerabilities addressed by Fortinet. Further information for each vulnerability can be found in the advisory from Fortinet.

More information on the Fortinet vulnerabilities can be found here: https://www.fortiguard.com/psirt-monthly-advisory/april-2023-vulnerability-advisories

More information on the actively exploited vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-22-050
