Threat Intelligence Blog
Black Arrow Cyber Advisory 07 March 2024 – Apple, Cisco and VMware Security Updates
Executive Summary
Apple, Cisco and VMware have addressed multiple vulnerabilities across their product ranges this week, including two actively exploited zero-days affecting Apple products. These two vulnerabilities are reportedly being exploited in the wild and have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. The seriousness of the VMware vulnerabilities has led to VMware releasing patches for end-of-life products.
In addition, CISA has issued a warning about a flaw (CVE-2023-21237) impacting Google Pixel phones. Although Google addressed this vulnerability in June 2023, CISA reports that it is still being actively exploited in the wild and has added it to the KEV catalog.
Apple
Apple have released security updates to address several security flaws, including two zero-day vulnerabilities that are being actively exploited in the wild and have been added to the CISA KEV catalog. These bring the number of actively exploited zero-days in Apple software to three since the start of the year.
What can I do?
Apple have released security patches to address the vulnerabilities, and it is advised to update immediately given that the vulnerabilities are reported to be exploited in the wild. The vulnerabilities have been addressed in iOS 17.4, iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6.
Technical Summary
CVE-2024-23225 – A memory corruption issue in the kernel that an attacker who already has arbitrary kernel read and write capability can exploit to bypass kernel memory protections.
CVE-2024-23296 – A memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker who already has arbitrary kernel read and write capability can exploit to bypass kernel memory protections. Both flaws are therefore post-exploitation primitives: they are chained after an initial code-execution vulnerability rather than serving as the entry point themselves.
Cisco
Cisco have addressed two high-severity vulnerabilities in its VPN software, Secure Client. One can be exploited remotely without authentication; the other allows an authenticated local attacker to execute code with root privileges.
What can I do?
Organisations using Secure Client should check whether they are running vulnerable versions and apply patches immediately. Where a patch is not available for their release train, organisations should follow Cisco’s guidance linked below.
Technical Summary
CVE-2024-20337 – A carriage return line feed (CRLF) injection vulnerability that can be triggered remotely by tricking a user into clicking a maliciously crafted link while establishing a VPN session. According to Cisco, this only impacts Secure Client instances where the VPN headend is configured with the SAML external browser feature, and successful exploitation could allow the attacker to run arbitrary script in the user’s browser or access browser-based information such as a valid SAML token.
CVE-2024-20338 – A vulnerability that can allow an attacker to execute code with root privileges. This vulnerability only affects Secure Client for Linux and requires the attacker to be authenticated on the system prior to exploitation.
The following versions of Secure Client have been impacted:
CVE-2024-20337
Versions 4.10.04065 and later – upgrade to version 4.10.08025
Version 5.0 – no patch available; users should migrate to a fixed release
Version 5.1 – apply the patches in version 5.1.2.42
Versions earlier than 4.10.04065 are not vulnerable.
CVE-2024-20338
This impacts Secure Client for Linux versions earlier than 5.1.2.42 and requires authentication for successful exploitation. The first fixed release is version 5.1.2.42.
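The two fixed-version tables above are awkward to apply by hand across a fleet because the fixed release depends on the release train (4.10, 5.0 or 5.1) and, for CVE-2024-20338, on the platform. The following script is an added example (not Cisco tooling) that encodes those rules and triages a constructed inventory; the CSV column names and host names are assumptions for illustration.

```python
"""Triage Cisco Secure Client versions against the fixed releases for
CVE-2024-20337 and CVE-2024-20338 listed in this advisory.

Added example, not Cisco's own tooling. The inventory format (host,platform,version)
and the host names are assumptions made for the example.
"""
from __future__ import annotations

import csv
import io

# Fixed releases from the advisory. Leading zeros in Cisco version strings
# (e.g. 4.10.08025) are part of a numeric component, so they compare numerically.
FIRST_VULNERABLE_20337 = (4, 10, 4065)
FIXED_20337_4_10 = (4, 10, 8025)
FIXED_20337_5_1 = (5, 1, 2, 42)
FIXED_20338_LINUX = (5, 1, 2, 42)

FIXED = "fixed"
NOT_VULNERABLE = "not vulnerable"
NOT_AFFECTED_PLATFORM = "not affected (Linux only)"


def parse_version(version: str) -> tuple[int, ...]:
    """'5.1.2.42' -> (5, 1, 2, 42); '4.10.08025' -> (4, 10, 8025)."""
    return tuple(int(part) for part in version.strip().split("."))


def secure_client_20337(version: str) -> str:
    """CRLF injection, all platforms. Fixed release depends on the release train."""
    v = parse_version(version)
    if v < FIRST_VULNERABLE_20337:
        return NOT_VULNERABLE
    train = v[:2]
    if train == (4, 10):
        return FIXED if v >= FIXED_20337_4_10 else "vulnerable: upgrade to 4.10.08025"
    if train == (5, 0):
        # No fixed 5.0 build exists; the only remediation is moving train.
        return "vulnerable: no fix for 5.0, migrate to a fixed release"
    if train == (5, 1):
        return FIXED if v >= FIXED_20337_5_1 else "vulnerable: upgrade to 5.1.2.42"
    return "unknown release train: check the Cisco advisory"


def secure_client_20338(version: str, platform: str) -> str:
    """Local root privilege escalation, Linux builds earlier than 5.1.2.42 only."""
    if platform.strip().lower() != "linux":
        return NOT_AFFECTED_PLATFORM
    v = parse_version(version)
    if v >= FIXED_20338_LINUX:
        return FIXED
    return "vulnerable: upgrade to 5.1.2.42 (local, authenticated)"


# Constructed sample inventory; not real hosts.
INVENTORY = """\
host,platform,version
ws-101,windows,4.10.06079
ws-102,windows,4.10.08025
srv-lnx-01,linux,5.0.02075
srv-lnx-02,linux,5.1.1.42
mac-03,macos,5.1.2.42
"""


def triage(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (host, CVE-2024-20337 status, CVE-2024-20338 status) per inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        (
            row["host"],
            secure_client_20337(row["version"]),
            secure_client_20338(row["version"], row["platform"]),
        )
        for row in rows
    ]


if __name__ == "__main__":
    for host, crlf, privesc in triage(INVENTORY):
        print(f"{host:12} CVE-2024-20337: {crlf:45} CVE-2024-20338: {privesc}")
```

Because Secure Client 5.0 has no fixed build, the 5.0 branch returns a "migrate" finding rather than a target version; a version-comparison that only checks "is the installed version at least the fixed one" would silently report 5.0 hosts as unpatched forever, or worse, as fixed if it compared against the 4.10 fix.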
VMware
VMware have released security patches to address four security flaws impacting ESXi, Workstation and Fusion, two of which are critical (CVE-2024-22252 and CVE-2024-22253, use-after-free vulnerabilities in the XHCI and UHCI USB controllers respectively) and could lead to code execution if exploited.
What can I do?
VMware have released patches for the impacted products and it is recommended to patch immediately, given the severity of the vulnerabilities. Organisations should also check any end-of-life products they may be using, as patches have also been released for these. Where patching cannot happen immediately, the VMware advisory linked below describes a workaround of removing all USB controllers from virtual machines; note that this can affect keyboard, mouse and USB passthrough functionality in the affected VMs.
The following versions have been impacted:
ESXi 6.5 – fixed in 6.5U3v
ESXi 6.7 - fixed in 6.7U3u
ESXi 7.0 - fixed in ESXi70U3p-23307199
ESXi 8.0 - fixed in ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 5.x/4.x – apply the ESXi patches via the async patching process in VMware KB88287
Workstation 17.x - fixed in 17.5.1
Fusion 13.x (macOS) - fixed in 13.5.1
Technical Summary
CVE-2024-22254 – An out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
CVE-2024-22255 – An information disclosure vulnerability in the UHCI USB controller that a malicious actor with administrative access to a virtual machine could exploit to leak memory from the VMX process.
Further Information
Apple
Further details on the Apple vulnerabilities can be found here:
https://support.apple.com/en-us/HT214081
Cisco
Further details on the Cisco vulnerabilities can be found here:
CVE-2024-20337 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7
CVE-2024-20338 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-privesc-sYxQO6ds
CISA KEV catalog
Further details of CISA’s KEV catalog can be found here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
VMware
Further details on the VMware vulnerabilities can be found here:
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 05 October 2023 – Apple Release Emergency Patch for Two Zero-day Vulnerabilities, Taking Total to 17 Zero-days So Far in 2023
Executive Summary
Apple have released emergency updates to patch two zero-day vulnerabilities, including one actively exploited vulnerability, affecting iPhone and iPad devices. The vulnerabilities allow an attacker to escalate privileges and to perform remote code execution.
What’s the risk to me or my business?
Exploitation allows an attacker to elevate their privileges to the highest available and to execute code. This allows attackers to perform actions such as extracting messages, photos and emails and recording calls, impacting the confidentiality, integrity and availability of data.
Patches are available for:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Technical Summary:
CVE-2023-42824 – A kernel vulnerability allowing local attackers to escalate privileges on vulnerable iPhones and iPads. Apple reports this vulnerability has been exploited against versions of iOS before iOS 16.6.
CVE-2023-5217 – A heap buffer overflow weakness in the VP8 encoding of the libvpx library which could allow code execution.
What can I do?
Users are recommended to apply the patches immediately, due to the active exploitation in the wild. Organisations should also be aware that employees using Apple devices under a bring your own device (BYOD) policy will need to apply the relevant patches, as these devices have access to corporate information.
Further information can be found below:
Black Arrow Cyber Advisory 25 July 2023 – Newly Exploited Apple-Zero Day Addressed, Patch Now
Executive Summary
Apple has recently released multiple patches covering a number of vulnerabilities, including one actively exploited zero-day. The zero-day affects devices running vulnerable versions of iOS, iPadOS, macOS, tvOS, watchOS and Safari, and allows threat actors to obtain the highest privileges available (kernel privileges) on affected devices. Earlier this month, another actively exploited zero-day, CVE-2023-37450, was addressed by Apple through a Rapid Security Response update.
What’s the risk to me or my business?
Exploitation of the vulnerability could allow an attacker unauthorised access to sensitive data, allowing them to manipulate or delete important information, or even take over the entire device, compromising the confidentiality, integrity, and availability of the data held by an exploited device. In some cases, threat actors are exploiting the vulnerability to install spyware on vulnerable devices.
What can I do?
Given the widespread use of Apple devices for both corporate and personal use, it is important to prioritise the application of the released patches. Apple has also released patches addressing these vulnerabilities for products that are no longer supported. Apple has acknowledged active exploitation and as such recommends updating immediately; we recommend updating your devices promptly to the latest versions listed below. Organisations that do not issue Apple devices but have a bring your own device policy should consider whether that policy brings Apple devices into scope.
Apple have addressed the zero-day in the following versions:
macOS Ventura 13.5
iOS 16.6
iPadOS 16.6
Safari 16.6
tvOS 16.6
watchOS 9.6
Technical Summary
CVE-2023-38606 – Successful exploitation of this flaw could lead to a threat actor obtaining kernel privileges (the highest available). This allows the malicious actor to “modify sensitive kernel state”.
Information on all vulnerabilities addressed in these releases can be found at the links below:
Further information on the iOS and iPadOS vulnerabilities can be found here:
https://support.apple.com/en-us/HT213841
Further information on the Mac vulnerabilities can be found here:
https://support.apple.com/en-us/HT213843
Further information on the Safari vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213847
Further information on the tvOS vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213846
Further information on the watchOS vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213848