Threat Intelligence Blog

Black Arrow Admin

Black Arrow Cyber Advisory 15 May 2024 – Microsoft, Adobe, Apple, Mozilla Firefox, Google Chrome, SAP and VMware Updates

Executive summary

Microsoft’s May Patch Tuesday provides updates to address 61 security issues across its product range. Notably, the update tackles two actively exploited zero-day vulnerabilities: a security feature bypass and an elevation of privilege vulnerability. Among the updates provided by Microsoft was 1 critical vulnerability, which allows an attacker remote code execution.

In addition to the Microsoft updates, this week also saw Adobe, Apple, Mozilla Firefox, Google Chrome, SAP and VMware all provide updates for vulnerabilities in a variety of their products, including multiple zero-days and critical vulnerabilities.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an unauthenticated attacker to gain code execution and to elevate to SYSTEM privileges, the highest available, both of which compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. Updates for the actively exploited vulnerabilities should be applied as soon as possible, and patches for all other vulnerabilities should likewise be applied as soon as they are available.


Technical Summary

Microsoft

CVE-2024-30040 – A security feature bypass in which an unauthenticated attacker can gain code execution by convincing a user to open a malicious document. It is not known how this flaw was abused in attacks.

CVE-2024-30051 – A flaw in the Windows DWM Core Library which, upon exploitation, allows an attacker to elevate to SYSTEM privileges, the highest available.

Apple

Apple have addressed multiple vulnerabilities in their products, including 16 vulnerabilities on iPhones and iPads. These include one vulnerability which the company say “may have been exploited”.

Adobe

Adobe have addressed 37 vulnerabilities in their products, including 9 critical vulnerabilities in Adobe Acrobat and Reader, 2 critical vulnerabilities in Adobe Commerce, Adobe InDesign and Adobe Experience Manager, 1 critical vulnerability in Adobe Media Encoder and Adobe Bridge, 3 critical vulnerabilities in Adobe Illustrator and 2 critical vulnerabilities in Adobe Animate. The company said it was not aware of any exploits in the wild for any of the documented issues.

Firefox

Firefox has been updated to version 126. The new version addresses 16 unique security issues, none of which are currently under active exploitation. The release also comes with some quality-of-life changes, such as search telemetry changes and copying links without site tracking parameters.

Google Chrome

Google has released an emergency Chrome update to fix the sixth Chrome zero-day exploited this year, just one week after the previous one. Google are aware that an exploit for the vulnerability exists in the wild. Users are recommended to update as soon as possible.

SAP

This month, SAP has released 17 patches, which include 14 new fixes and 3 updates from previous releases. Two patches and one update have been given the “hot news” priority in SAP, the highest severity. The vulnerabilities encompass a range of issues, including CSS Injection, Remote Code Execution, File Upload flaws, and Cross-Site Scripting (XSS).

VMware

Multiple security flaws, including one critical vulnerability, have been addressed by VMware after their exploitation was demonstrated at a security event. Some of the vulnerabilities do not have a fix yet; as such, users are advised to disable Bluetooth support and 3D acceleration as temporary workarounds until patches are available and applied.


More info:

Microsoft

Further details on other specific updates within Microsoft’s May Patch Tuesday can be found here:

https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2024-patch-tuesday-fixes-3-zero-days-61-flaws/

https://www.ghacks.net/2024/05/14/microsoft-releases-the-may-2024-security-updates-for-windows/

Apple

Further details of the vulnerabilities in Apple can be found here:

https://support.apple.com/en-gb/HT201222

Adobe

Further details of the vulnerabilities in Adobe Acrobat and Reader can be found here:

https://helpx.adobe.com/security/products/acrobat/apsb24-29.html

Further details of the vulnerabilities in Adobe Photoshop can be found here:

https://helpx.adobe.com/security/products/photoshop/apsb24-16.html

Further details of the vulnerabilities in Adobe Commerce can be found here:

https://helpx.adobe.com/uk/security/products/magento/apsb24-18.html

Further details of the vulnerabilities in Adobe InDesign can be found here:

https://helpx.adobe.com/uk/security/products/indesign/apsb24-20.html

Further details of the vulnerabilities in Adobe Experience Manager can be found here:

https://helpx.adobe.com/uk/security/products/experience-manager/apsb24-21.html

Further details of the vulnerabilities in Adobe Media Encoder can be found here:

https://helpx.adobe.com/uk/security/products/media-encoder/apsb24-23.html

Further details of the vulnerabilities in Adobe Bridge can be found here:

https://helpx.adobe.com/uk/security/products/bridge/apsb24-24.html

Further details of the vulnerabilities in Adobe Illustrator can be found here:

https://helpx.adobe.com/uk/security/products/illustrator/apsb24-25.html

Further details of the vulnerabilities in Adobe Animate can be found here:

https://helpx.adobe.com/uk/security/products/animate/apsb24-26.html

Firefox

Further details on the vulnerabilities addressed in the Firefox release can be found here:

https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/

Google Chrome

Further details on the vulnerabilities addressed in the Google Chrome update can be found here:

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html

SAP

Further details on the vulnerabilities addressed in SAP can be found here:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2024.html

VMware

Further details on the vulnerabilities addressed by VMware can be found here:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Advisory 10 April 2024 – Microsoft Patch Tuesday, Adobe and SAP Updates

Executive Summary

In Microsoft’s April Patch Tuesday, updates were released to rectify 149 security issues across its product range. Notably, the update tackles two actively exploited zero-day vulnerabilities which are being exploited to deploy malware. The exploited zero-day vulnerabilities allow security feature prompts in SmartScreen to be bypassed and malicious drivers to deploy backdoors. Of the 149 issues, 67 specifically addressed remote code execution vulnerabilities, and 3 were rated critical.

In addition to the Microsoft updates, this week also saw Adobe and SAP provide updates for vulnerabilities in a variety of their products, with multiple rated as critical.

What’s the risk to me or my business?

Successful exploitation of these vulnerabilities could allow an attacker to distribute malware to a vulnerable system, gain remote code execution, cause a denial of service and impact the confidentiality, integrity and availability of information.

What can I do?

All vulnerabilities with an available patch should be updated as soon as possible.


Technical Summary

Microsoft

CVE-2024-26234: This vulnerability relates to a malicious driver that was signed with a valid Microsoft Hardware Publisher Certificate. The driver is used to deploy a backdoor.

CVE-2024-29988: This vulnerability, if actively exploited, allows a malicious attachment to bypass Microsoft Defender SmartScreen prompts when a file is opened. It has been recorded as exploited by the financially motivated Water Hydra hacking group.

Adobe

This month, Adobe released fixes for 24 vulnerabilities, including 5 critical vulnerabilities in Adobe After Effects, 2 critical vulnerabilities impacting Adobe Photoshop, Adobe Commerce and Adobe InDesign, a critical vulnerability impacting Adobe Experience Manager, Adobe Media Encoder, Adobe Bridge and Adobe Illustrator, and 2 critical vulnerabilities impacting Adobe Animate. Currently, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include Out-of-Bounds Read, Improper Input Validation, Cross-Site Scripting (Stored XSS), Information Exposure and Arbitrary Code Execution.

SAP

This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. The vulnerabilities encompass a range of issues, including Security misconfiguration, Information disclosure, Directory traversal, Denial of Service and Missing authorisation checks.


Further details on other specific updates within this Patch Tuesday can be found here:

https://www.ghacks.net/2024/04/09/microsoft-releases-the-april-2024-security-updates-for-windows/

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/

Further details of the vulnerabilities addressed in Adobe After Effects can be found here:

https://helpx.adobe.com/security/products/after_effects/apsb24-09.html

Further details of the vulnerabilities addressed in Adobe Photoshop can be found here:

https://helpx.adobe.com/security/products/photoshop/apsb24-16.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here:

https://helpx.adobe.com/security/products/magento/apsb24-18.html

Further details of the vulnerabilities addressed in Adobe InDesign can be found here:

https://helpx.adobe.com/security/products/indesign/apsb24-20.html

Further details of the vulnerabilities addressed in Adobe Experience Manager can be found here:

https://helpx.adobe.com/security/products/experience-manager/apsb24-21.html

Further details of the vulnerabilities addressed in Adobe Media Encoder can be found here:

https://helpx.adobe.com/security/products/media-encoder/apsb24-23.html

Further details of the vulnerabilities addressed in Adobe Bridge can be found here:

https://helpx.adobe.com/security/products/bridge/apsb24-24.html

Further details of the vulnerabilities addressed in Adobe Illustrator can be found here:

https://helpx.adobe.com/security/products/illustrator/apsb24-25.html

Further details of the vulnerabilities addressed by SAP can be found here:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2024.html

Black Arrow Cyber Advisory 13 March 2024 – Microsoft Patch Tuesday, Adobe, Fortinet and SAP Security Updates

Executive summary

Microsoft’s March Patch Tuesday provides updates to address 60 security issues across its product range. Among the updates provided by Microsoft were 2 critical vulnerabilities allowing remote code execution and denial of service; both of these vulnerabilities relate to Windows Hyper-V. Microsoft’s March 2024 Patch Tuesday does not include any zero-day vulnerabilities.

In addition to the Microsoft updates, this week also saw Adobe, FortiGuard and SAP all provide updates for vulnerabilities in a variety of their products, with multiple rated as critical.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to gain remote code execution, cause a denial of service and impact the confidentiality, integrity and availability of information.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for any actively exploited vulnerability and for all other vulnerabilities that have a critical severity rating.


Technical Summary

Microsoft

CVE-2024-21407 – This vulnerability, if exploited, allows a threat actor to gain remote code execution on the host server of a guest virtual machine. It requires an authenticated attacker to send specially crafted file operation requests.

CVE-2024-21408 – This vulnerability, if exploited, allows a threat actor to perform a denial of service. Microsoft have not disclosed how this could be exploited.

Adobe

Adobe have addressed multiple vulnerabilities in their products, including at least 46 in Adobe Experience Manager, 2 critical vulnerabilities in Adobe Premiere Pro, a critical vulnerability in Adobe ColdFusion, and 4 vulnerabilities in Adobe Bridge, of which 3 are critical.

Fortinet

Fortinet have released three updates addressing 1 critical vulnerability impacting FortiOS and FortiProxy, 1 vulnerability impacting FortiClientEMS, 1 vulnerability impacting FortiWLM MEA for FortiManager and 1 critical vulnerability in the DAS component.

SAP

This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. 1 patch and 1 update have been given the “hot news” priority in SAP, the highest severity. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.


Further details on other specific updates within this Patch Tuesday can be found here:

https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2024-patch-tuesday-fixes-60-flaws-18-rce-bugs/

Further details of the vulnerabilities in Adobe Experience Manager can be found here:

https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html

Further details of the vulnerabilities in Adobe Premiere Pro can be found here:

https://helpx.adobe.com/security/products/premiere_pro/apsb24-12.html

Further details of the vulnerabilities in Adobe ColdFusion can be found here:

https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html

Further details of the vulnerabilities in Adobe Bridge can be found here:

https://helpx.adobe.com/security/products/bridge/apsb24-15.html

Further details of the vulnerabilities in FortiOS and FortiProxy can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-328

Further details of the vulnerability in FortiClientEMS can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-390

https://www.fortiguard.com/psirt/FG-IR-24-013

Further details of the vulnerability in FortiManager can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-103

Further details of the vulnerability impacting the DAS component can be found here:

https://www.fortiguard.com/psirt/FG-IR-24-007

Further details of the vulnerabilities addressed by SAP can be found here:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2024.html

Black Arrow Cyber Advisory 07 March 2024 – Apple, Cisco and VMware Security Updates

Executive Summary

Apple, Cisco and VMware have addressed multiple vulnerabilities across their product range this week, including two actively exploited zero-days affecting Apple products. These vulnerabilities are reportedly being exploited in the wild and have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. The seriousness of the VMware vulnerabilities has led to VMware releasing patches for end-of-life products.

In addition, CISA has issued a warning about a flaw (CVE-2023-21237) impacting Google Pixel phones. Although Google addressed this vulnerability in June 2023, CISA reports that it is still being actively exploited in the wild and has added it to the KEV catalog.


Apple

Apple have released security updates to address several security flaws, including two zero-day vulnerabilities that are being actively exploited in the wild and have been added to the CISA KEV catalog. This is the third actively exploited zero-day in Apple software since the start of the year.

What can I do?

Apple have released security patches to address the vulnerabilities, and it is advised to update immediately since the vulnerabilities are reported to be exploited in the wild. The vulnerabilities have been addressed in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

Technical Summary

CVE-2024-23225 – This is a memory corruption issue in the kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections.

CVE-2024-23296 – This is a memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write can exploit to bypass kernel memory protections.


Cisco

Cisco have addressed two high-severity vulnerabilities in its VPN application, Secure Client, which could lead to remote exploitation without authentication and to code execution with the highest level of privilege.

What can I do?

Organisations using Secure Client should check whether they are running vulnerable versions and apply patches immediately. Where a patch is not available, organisations should follow Cisco’s guidance linked below.

Technical Summary

CVE-2024-20337 – A carriage return line feed (CRLF) injection vulnerability that could be exploited remotely by tricking a user into clicking a maliciously crafted link. According to Cisco, this only impacts Secure Client instances where the VPN headend is configured with the SAML external browser.

CVE-2024-20338 – A vulnerability that can allow an attacker to execute code with root privileges. This vulnerability only affects Secure Client for Linux and requires authentication prior to exploitation.

The following versions of Secure Client have been impacted:

CVE-2024-20337

Versions 4.10.04065 and later – upgrade to version 4.10.08025

Version 5.0 – no patch available; users should migrate to a fixed release

Version 5.1 – apply the patches in version 5.1.2.42

Versions earlier than 4.10.04065 are not vulnerable.

CVE-2024-20338

This impacts Linux versions earlier than 5.1.2.42 and requires authentication for successful exploitation. The first fixed release is version 5.1.2.42.


VMware

VMware have released security patches to address four security flaws impacting ESXi, Workstation and Fusion, two of which (CVE-2024-22252 and CVE-2024-22253) are critical flaws that could lead to code execution if exploited.

What can I do?

VMware have released patches for the impacted products, and it is recommended to patch immediately given the severity of the vulnerabilities. Organisations should also check any end-of-life products they may be using, as patches have also been released for these.

The following versions have been impacted:

ESXi 6.5 – fixed in 6.5U3v

ESXi 6.7 - fixed in 6.7U3u

ESXi 7.0 - fixed in ESXi70U3p-23307199

ESXi 8.0 - fixed in ESXi80U2sb-23305545 and ESXi80U1d-23299997

VMware Cloud Foundation (VCF) 5.x/4.x – fix described in KB88287

Workstation 17.x - fixed in 17.5.1

Fusion 13.x (macOS) - fixed in 13.5.1

Technical Summary

CVE-2024-22254 – This is an out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.

CVE-2024-22255 – This is an information disclosure vulnerability in the UHCI USB controller that a malicious actor with administrative access to a virtual machine may exploit to leak memory from the VMX process.


Further Information

Apple

Further details on the Apple vulnerabilities can be found here:

https://support.apple.com/en-us/HT214081

Cisco

Further details on the Cisco vulnerabilities can be found here:

CVE-2024-20337 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

CVE-2024-20338 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-privesc-sYxQO6ds

CISA KEV catalog

Further details of CISA’s KEV catalog can be found here:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

VMware

Further details on the VMware vulnerabilities can be found here:

https://www.vmware.com/security/advisories/VMSA-2024-0006.html

Black Arrow Cyber Advisory 14 February 2024 – Microsoft Patch Tuesday (inc 2 exploited zero-days), Adobe, and SAP Updates Summary

Executive summary

It is Valentine’s, and what better way to spend it than reading about Microsoft’s latest Patch Tuesday. In this month’s Patch Tuesday, Microsoft has provided updates to address 73 security issues across its product range, including two exploited zero-day vulnerabilities (CVE-2024-21351 and CVE-2024-21412). Microsoft classifies a zero-day as a flaw that is publicly disclosed or actively exploited with no official fix available. The two exploited vulnerabilities affect Windows SmartScreen and Internet Shortcut Files, allowing security bypasses. They have both been added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA).

In addition to the updates from Microsoft, this week also saw Adobe fix 38 vulnerabilities and SAP issue 13 new patches for its range of products, three of which were rated as critical.

What’s the risk to me or my business?

The vulnerabilities, if actively exploited, could allow an attacker to bypass security features and inject malicious code, impacting the confidentiality, integrity and availability of data.

Microsoft

There is no official fix for the exploited vulnerabilities; however, they both require a user to interact with a malicious file. As such, it is important to make sure users remain vigilant when interacting with their emails. Organisations should follow the vulnerabilities closely so that they can apply any patches immediately. Other available updates should be applied as soon as possible for the actively exploited vulnerabilities and for all other vulnerabilities that have a critical severity rating. Remaining patches should be applied in a reasonable time frame.

Technical Summary

CVE-2024-21351: This vulnerability, if actively exploited, allows an attacker to bypass Windows SmartScreen. It relies on an authorised attacker sending a malicious file and convincing a user to open it.

CVE-2024-21412: This vulnerability, if actively exploited, allows an attacker to bypass Windows security features and send malicious files to users. The attacker would still need the user to interact with the file.

Adobe

This month, Adobe has released fixes for vulnerabilities impacting Adobe Acrobat and Reader (13, of which 5 are critical), Commerce (9, of which 6 are critical), Substance 3D Painter (13, of which 5 are critical), FrameMaker Publishing Server (1 critical), Audition (1 critical) and Substance 3D Designer (1 critical). Currently, Adobe is not aware of any active exploitation of these vulnerabilities. The vulnerabilities include issues such as arbitrary code execution and memory leaks.

SAP

This month, SAP has released 13 patches, which include 10 new releases and 3 updates from previous releases. These patches address 8 critical vulnerabilities affecting a variety of SAP products. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.


Microsoft

Further details on other specific updates within this Patch Tuesday can be found here:

https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2024-patch-tuesday-fixes-2-zero-days-73-flaws/

https://www.ghacks.net/2024/02/13/the-windows-security-updates-for-february-2024-are-here/

Adobe

Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here:

https://helpx.adobe.com/security/products/acrobat/apsb24-07.html

Further details of the vulnerabilities addressed in Adobe Substance 3D Painter can be found here:

https://helpx.adobe.com/security/products/substance3d_painter/apsb24-04.html

Further details of the vulnerabilities addressed in Adobe FrameMaker can be found here:

https://helpx.adobe.com/security/products/acrobat/apsb24-07.html

Further details of the vulnerabilities addressed in Adobe Audition can be found here:

https://helpx.adobe.com/security/products/audition/apsb24-11.html

Further details of the vulnerabilities addressed in Adobe Substance 3D Designer can be found here:

https://helpx.adobe.com/security/products/substance3d_designer/apsb24-13.html

SAP

Further details of the vulnerabilities addressed by SAP can be found here:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html

Black Arrow Cyber Advisory 12 February 2024 – Fortinet FortiOS Vulnerability in SSL VPN

Executive Summary

Fortinet have released a patch to fix a critical vulnerability in their FortiOS product, stating that it is potentially being exploited in the wild. Successful exploitation of the vulnerability could allow a remote unauthorised attacker to execute code or commands.

What’s the risk to me or my business?

Organisations using vulnerable versions of FortiOS are at risk of allowing an unauthenticated remote attacker to perform arbitrary code execution. This means an attacker could potentially gain unauthorised access and perform actions that could impact the confidentiality, integrity and availability of the organisation’s data. This vulnerability only impacts organisations who have SSL VPN enabled.

The affected versions of FortiOS and FortiProxy are:

FortiOS

FortiOS 7.4 (7.4.0 through 7.4.2) – upgrade to 7.4.3 or above.

FortiOS 7.2 (7.2.0 through 7.2.6) – upgrade to 7.2.7 or above.

FortiOS 7.0 (7.0.0 through 7.0.13) – upgrade to 7.0.14 or above.

FortiOS 6.4 (6.4.0 through 6.4.14) – upgrade to 6.4.15 or above.

FortiOS 6.2 (6.2.0 through 6.2.15) – upgrade to 6.4.15 or above.

FortiOS 6.0 (all versions) - migrate to fixed release.

FortiProxy

FortiProxy 7.4 (7.4.0 through 7.4.2) - upgrade to 7.4.3 or above.

FortiProxy 7.2 (7.2.0 through 7.2.8) - upgrade to 7.2.9 or above.

FortiProxy 7.0 (7.0.0 through 7.0.14) - upgrade to 7.0.15 or above.

FortiProxy 2.0 (2.0.0 through 2.0.13) - upgrade to 2.0.14 or above.

FortiProxy 1.2 (all versions) - migrate to fixed release.

FortiProxy 1.1 (all versions) - migrate to fixed release.

FortiProxy 1.0 (all versions) - migrate to fixed release.

What can I do?

Black Arrow recommends applying the available patches for the vulnerability immediately due to its severity. Further information can be found in the FortiGuard security update below. Organisations have also been advised to disable SSL VPN if they cannot apply patches immediately; however, this is not a long-term solution.

Technical Summary

CVE-2024-2176 – This is an out-of-bounds write vulnerability in sslvpnd which may allow a remote unauthenticated attacker to execute arbitrary code or commands using specifically crafted HTTP requests.

Further information on the FortiOS vulnerability can be found here:

https://www.fortiguard.com/psirt/FG-IR-24-015

Further information on upgrading can be found here:

https://docs.fortinet.com/upgrade-tool

Black Arrow Cyber Advisory 09 February 2024 – Cisco, Fortinet, Ivanti and VMware Security Updates

Executive Summary

Cisco, Fortinet, Ivanti and VMware have addressed multiple vulnerabilities across their product ranges. All of the vendors have a security patch available to address the vulnerabilities and, due to the active exploitation of some of the vulnerabilities, it is recommended to apply them immediately.


Cisco

Cisco have released security updates for three flaws affecting the Cisco Expressway Series that could allow an unauthenticated remote attacker to conduct cross-site request forgery attacks. Two of the flaws are rated critical (CVE-2024-20252 and CVE-2024-20254) and can be exploited in the impacted devices’ default configuration; the third flaw (CVE-2024-20255), however, can only be exploited if the cluster database API feature has been enabled, which is disabled by default.

Cisco have released patches for the affected products, which are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.


Fortinet

Fortinet have released a second round of updates addressing two previously disclosed critical flaws in the FortiSIEM supervisor. The two flaws (CVE-2024-23108 and CVE-2024-23109) allow a remote unauthenticated attacker to perform arbitrary code execution.

Impacted products are:
FortiSIEM version 7.1.0 through 7.1.1 fixed in 7.1.2
FortiSIEM version 7.0.0 through 7.0.2 fixed in 7.0.3
FortiSIEM version 6.7.0 through 6.7.8 fixed in 6.7.9
FortiSIEM version 6.6.0 through 6.6.3 fixed in 6.6.5
FortiSIEM version 6.5.0 through 6.5.2 fixed in 6.5.3
FortiSIEM version 6.4.0 through 6.4.2 fixed in 6.4.4


Ivanti

Another critical security patch has been released by Ivanti for their Connect Secure, Policy Secure and ZTA gateway products. The flaw (CVE-2024-22024) allows remote attackers to gain access to restricted resources without requiring user interaction or authentication. While Ivanti have stated that this vulnerability is not currently being actively exploited, they urge affected users to patch immediately.


VMware

VMware have warned of five vulnerabilities in Aria Operations for Networks. The vulnerabilities encompass a range of issues, including local privilege escalation, cross-site scripting and local file read (which requires admin privileges).

To mitigate the risks, it is recommended that all users of the impacted devices running version 6.x upgrade to version 6.12.0.


Further Information

Cisco

Further details on the Cisco vulnerabilities can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-csrf-KnnZDMj3

Fortinet

Further details on the Fortinet vulnerabilities can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-130

Ivanti

Further details on the Ivanti vulnerabilities can be found here:

https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

VMware

Further details on the VMware vulnerabilities can be found here:

https://kb.vmware.com/s/article/96450

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Admin

Black Arrow Cyber Advisory 23 January 2024 – Apple, Atlassian, Ivanti and VMware Vulnerabilities Under Active Exploitation

Black Arrow Cyber Advisory 23 January 2024 – Apple, Atlassian, Ivanti and VMware Security Updates

Executive Summary

Vulnerabilities in Apple, Atlassian, Ivanti and VMware products are currently being actively exploited in the wild. All of the vendors have security patches available to address the vulnerabilities and, due to the active exploitation, it is recommended to apply them immediately.


Apple

Following a report that Chinese authorities have used previously known weaknesses in Apple's AirDrop functionality to assist law enforcement, Apple have released a patch for an actively exploited critical zero-day (CVE-2024-23222) in WebKit, affecting iOS, iPadOS, macOS, tvOS and the Safari web browser. The zero-day is a type confusion vulnerability that allows an attacker to achieve arbitrary code execution when the device processes maliciously crafted web content.

Fixed versions and supported devices:

iOS 17.3 and iPadOS 17.3 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.5 and iPadOS 16.7.5 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.3 - Macs running macOS Sonoma

macOS Ventura 13.6.4 - Macs running macOS Ventura

macOS Monterey 12.7.3 - Macs running macOS Monterey

Safari 17.3 - Macs running macOS Monterey and macOS Ventura

What can I do?

Updates to vulnerable devices should be applied immediately due to this vulnerability being under active exploitation.


Atlassian

Following the disclosure of the Atlassian Confluence vulnerability (CVE-2023-22527), it has become a target for active exploitation. Researchers have observed attackers attempting to exploit it: at present, around 11,000 Confluence instances are exposed on the internet, and Shadowserver has recorded nearly 40,000 exploitation attempts. For further information on the vulnerability, see our advisory linked below.


Ivanti

Following the public disclosure of two Ivanti vulnerabilities being actively exploited, a third vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.

CVE-2023-35082 - This vulnerability enables a remote unauthenticated attacker to access users' personally identifiable information and make limited modifications to the server.

Impacted versions:

This vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8. MobileIron Core 11.7 and earlier versions are also affected.

What can I do?

Ivanti released a patch for this vulnerability in August 2023. It is recommended to update any impacted products to version 11.11.0.0 or later to safeguard them from this vulnerability.


VMware

A critical vulnerability in VMware vCenter Server has been exploited in the wild by a Chinese hacking group since 2021. The vulnerability (CVE-2023-34048) is an out-of-bounds write in the DCERPC protocol implementation that can lead to remote code execution. VMware released a patch in October 2023, stating at the time that it was not aware of active exploitation. VMware have recommended that customers update to the latest version, which for the 8.0 line is 8.0U2.

Further Information


For further information on Ivanti and Atlassian see our previous advisory:

https://www.blackarrowcyber.com/blog/advisory-17-january-2024-citrix-ivanti-atlassian-oracle-sonicwall-vmware-security-updates

Apple

Further details on the Apple vulnerabilities can be found here:

https://support.apple.com/en-gb/HT201222

Ivanti

Further details on the Ivanti vulnerabilities can be found here:

https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US

https://www.cisa.gov/news-events/alerts/2024/01/18/cisa-adds-one-known-exploited-vulnerability-catalog

VMware

Further details on the VMware vCenter Server vulnerability can be found here:

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

Black Arrow Admin

Black Arrow Cyber Advisory 17 January 2024 – Citrix and Ivanti Vulnerabilities Under Active Exploitation - Atlassian, Oracle, SonicWall, and VMware Also Address Security Flaws

Executive Summary

This week Atlassian, Citrix, Ivanti, Oracle, SonicWall and VMware have addressed multiple vulnerabilities across their product range. Included in the vulnerabilities addressed are two actively exploited 0-days, impacting Ivanti and Citrix products. At the time of writing, over 1700 Ivanti devices have been compromised and over 15,000 devices remain exposed.

Atlassian

CVE-2023-22527 - This is a template injection vulnerability which, if successfully exploited, allows an unauthenticated attacker to perform remote code execution on an affected instance.

Impacted Versions:

This vulnerability affects Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.

What can I do?

Atlassian has released patches for the affected products, and it is advised to patch immediately. The listed Fixed Versions are no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.


Citrix NetScaler

CVE-2023-6548 – Allows an authenticated, low-privileged user to achieve remote code execution on the management interface. Requires network access to the NSIP, CLIP or SNIP with management interface access enabled.

CVE-2023-6549 - If exploited allows an attacker to perform a denial of service attack. Appliance must be configured as a gateway or AAA virtual server.

Impacted Versions:

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15

NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21

NetScaler ADC 13.1-FIPS before 13.1-37.176

NetScaler ADC 12.1-FIPS before 12.1-55.302

NetScaler ADC 12.1-NDcPP before 12.1-55.302

NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)

What can I do?

Citrix have released patches for the impacted products. Citrix have reported that this is being actively exploited and seen in the wild so it is advised that the patches are applied immediately.


Ivanti

CVE-2023-46805 - This is an authentication bypass which enables an attacker to access restricted resources by circumventing control checks.

CVE-2024-21887 - This is a command injection that lets authenticated admins execute arbitrary commands on vulnerable appliances.

Impacted Versions:

These vulnerabilities impact all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure.

What can I do?

Ivanti have released a mitigation file, which should be applied immediately. Patches are being developed and released on a staggered schedule, with the first patches released on 22 January and the final patches on 19 February.


Oracle

In their first Critical Patch Update of 2024, Oracle have released 389 security patches, addressing 200 vulnerabilities. Financial Services Applications were the most impacted, with 71 new security patches. Oracle have urged all customers to apply the patches as soon as possible, warning that it periodically receives reports of in-the-wild exploitation of issues for which it has already released fixes.


SonicWall

CVE-2022-22274 - A buffer overflow which, if successfully exploited, allows a remote unauthenticated attacker to cause a denial of service or potentially achieve code execution on the firewall.

CVE-2023-0656 - A buffer overflow which, if successfully exploited, allows a remote unauthenticated attacker to cause a denial of service, crashing the impacted firewall.

What can I do?

SonicWall have released patches for affected products and it is advised to update to the latest available version.


VMware

CVE-2023-34063 – The affected products contain a missing access control vulnerability which, if successfully exploited, may lead to unauthorised access to remote organisations and workflows.

Impacted Versions:

VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)

VMware Cloud Foundation (4.x and 5.x)

What can I do?

VMware have released patches which can be found in the Security Advisory. It is advised to update as soon as possible. There are no current workarounds.



Black Arrow Admin

Black Arrow Cyber Advisory 11 January 2024 – Microsoft Patch Tuesday, Adobe, Android, Cisco, and SAP Updates

Black Arrow Cyber Advisory 11 January 2024 – Microsoft Patch Tuesday, Adobe, Cisco, SAP and Google Android Updates

Executive summary

In its first Patch Tuesday of 2024, Microsoft has provided updates to address 49 security issues across its product range, including two critical vulnerabilities (CVE-2024-20674 and CVE-2024-20700). None of these vulnerabilities are listed as publicly known or under active exploitation. The two critical vulnerabilities affect Kerberos, enabling attackers to bypass security features, and Hyper-V, allowing remote code execution.

In addition to the updates from Microsoft, this week also saw Adobe fixing 6 vulnerabilities, Cisco patching 2 vulnerabilities, and Google addressing 59 Android vulnerabilities, three of which (in Qualcomm components) were rated critical. SAP also issued 12 new patches for its range of products, three of which were rated as critical.

What’s the risk to me or my business?

The Hyper-V vulnerability, if exploited, could allow an attacker to perform remote code execution. The Kerberos vulnerability allows an attacker positioned for a man-in-the-middle attack to send a malicious message that impersonates the Kerberos authentication server, bypassing security features.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the critical vulnerabilities. Other patches should be applied in a reasonable time frame.

Technical Summary

CVE-2024-20674: This vulnerability, if exploited, allows an attacker on the local network to impersonate the Kerberos authentication server and bypass security features.

CVE-2024-20700: This vulnerability, if exploited, allows an attacker to perform remote code execution against Hyper-V. Successful exploitation requires the attacker to first gain access to the restricted network.

Adobe

This month, Adobe has released fixes for six vulnerabilities that affect Adobe Substance 3D Stager 2.1.3 and earlier versions. None of these vulnerabilities were rated as critical, and Adobe is not currently aware of any active exploitation. The vulnerabilities include issues such as arbitrary code execution and memory leaks.

Android

In Google's January Security Bulletin for Android, 59 vulnerabilities are addressed, including three rated critical in the Qualcomm section. Google is not aware of any of these having been exploited prior to the release of the patches. The vulnerabilities include issues such as elevation of privilege and information disclosure.

Cisco

Cisco has released updates to address two privilege escalation vulnerabilities in its Identity Services Engine (ISE). These vulnerabilities, disclosed in September, require administrator-level privileges to exploit. Cisco has provided patches to address the issues; no workarounds are available.

SAP

This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. These patches address 3 critical vulnerabilities affecting a variety of SAP products. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.


Microsoft

Further details on other specific updates within this patch Tuesday can be found here:

https://www.theregister.com/2024/01/09/january_patch_tuesday/

https://www.ghacks.net/2024/01/09/the-first-windows-security-updates-of-2024-are-here/

Adobe

Further details of the vulnerabilities addressed in Adobe Substance 3D Stager can be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html

Android

Further details on the Android patches can be found here:

https://source.android.com/docs/security/bulletin/2024-01-01

Cisco

Further details on the Cisco patch can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-KJLp2Aw

SAP

Further information on the vulnerabilities addressed by SAP can be found here:

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Black Arrow Admin

Black Arrow Cyber Advisory 14 December 2023 – Microsoft Patch Tuesday, Adobe and SAP Security Updates

Executive summary

Microsoft’s December Patch Tuesday provides updates to address 36 security issues across its product range, including 4 critical vulnerabilities and 1 zero-day. The zero-day, which impacts AMD processors, was originally disclosed in August 2023 with no patch available until now.

In addition to the Microsoft updates this week, Adobe and SAP fixed multiple vulnerabilities across their product range. 

What’s the risk to me or my business?

The vulnerabilities, if actively exploited, can allow an attacker to escalate privileges, remotely execute code, cause sensitive data leaks and cause a denial of service. All of which can result in an impact to the confidentiality, integrity and availability of data in your organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the vulnerabilities that have a critical severity rating. Other patches should be applied in a reasonable time frame.

Technical Summary

Microsoft

CVE-2023-20588: A vulnerability in AMD processors that, if exploited, could return speculative data and potentially leak sensitive information.

CVE-2023-36019: A spoofing vulnerability in Microsoft Power Platform and Azure Logic Apps.

CVE-2023-35630: A vulnerability in Internet Connection Sharing that, if exploited, allows remote code execution.

CVE-2023-35641: A vulnerability in Internet Connection Sharing that, if exploited, allows remote code execution.

CVE-2023-35628: A remote code execution vulnerability in the Windows MSHTML platform, the rendering engine used by Internet Explorer and legacy Windows components.

Adobe

This month, Adobe released fixes for 212 vulnerabilities, of which 13 were rated critical, including in Adobe Illustrator (3), Substance 3D Sampler (6), After Effects (3) and Substance 3D Designer (1). The critical vulnerabilities include arbitrary code execution and memory leaks.

SAP

Enterprise software vendor SAP has addressed 17 vulnerabilities, including 4 critical, in several of its products.


Microsoft

Further details on other specific updates within this patch Tuesday can be found here:

https://www.ghacks.net/2023/12/13/the-windows-december-2023-security-updates-fix-a-0-day-vulnerability/

Adobe

Further details of the vulnerabilities addressed in Adobe Illustrator can be found here:

https://helpx.adobe.com/security/products/illustrator/apsb23-68.html

Further details of the vulnerabilities addressed in Adobe Substance3D Sampler can be found here:

https://helpx.adobe.com/security/products/substance3d-sampler/apsb23-74.html

Further details of the vulnerabilities addressed in Adobe After Effects can be found here:

https://helpx.adobe.com/security/products/after_effects/apsb23-75.html

Further details of the vulnerabilities addressed in Adobe Substance3D Designer can be found here:

https://helpx.adobe.com/security/products/substance3d_designer/apsb23-76.html

SAP

Further information on the vulnerabilities addressed by SAP can be found here:

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


Black Arrow Admin

Black Arrow Cyber Advisory 04 December 2023 – Apple, Google, ownCloud, Zoom and Zyxel Vulnerabilities Summary

Executive summary

Apple, Google, ownCloud and Zoom have all addressed vulnerabilities in their products which could be exploited by an attacker. The vulnerabilities could lead to remote code execution. The vulnerabilities impacting Google and ownCloud are actively being exploited by malicious actors.

Apple

Two new zero-days impacting Apple's WebKit browser engine (CVE-2023-42916 and CVE-2023-42917) were fixed in emergency updates. The two vulnerabilities allow attackers to gain access to sensitive information via an out-of-bounds read weakness and to gain arbitrary code execution via maliciously crafted web content.

Google Chrome

Google has addressed several vulnerabilities, including one actively exploited zero-day (CVE-2023-6345). The zero-day is caused by an integer overflow in the Skia open-source 2D graphics library and can lead to remote code execution.

ownCloud

Three vulnerabilities in the open-source file sharing software ownCloud could disclose sensitive information and allow an attacker to modify files if exploited. For the most serious of these (CVE-2023-49103, affecting the graphapi app), ownCloud is recommending deleting the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file and disabling the 'phpinfo' function. It is also advising users to change secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys. This vulnerability has already been recorded as being actively exploited by malicious actors.
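The vendor guidance above amounts to a two-part check: remove the graphapi test file and make sure phpinfo() cannot be called. As an added example (not ownCloud's own code or tooling, and not part of the original advisory), the following Python script performs that check on a self-hosted installation, optionally removes the file, and flags that secrets should be rotated if the file was reachable. The file path is the one quoted above; the function names, the result keys and the constructed sample fixture are this example's own assumptions.

```python
"""
Added example, not ownCloud's own code or tooling: check an ownCloud
installation for the two conditions the vendor guidance targets, namely the
GetPhpInfo.php test file shipped with the graphapi app being present, and
phpinfo() still being callable because php.ini does not list it under
disable_functions. The path is the one quoted in the advisory; function
names, findings keys and the sample fixture are this example's own.
"""
import os
import re
import tempfile
from typing import Dict, Tuple

# Relative to the ownCloud installation directory (the "owncloud/" in the
# advisory's quoted path).
GRAPHAPI_TEST_FILE = os.path.join(
    "apps", "graphapi", "vendor", "microsoft", "microsoft-graph", "tests", "GetPhpInfo.php"
)


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True when php.ini's disable_functions directive includes phpinfo.

    Comment lines (leading ';') are ignored and, as in PHP, the last
    uncommented directive wins. Quoted values and spaces around commas are
    tolerated.
    """
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if match:
            value = match.group(1).strip().strip('"\'')
            disabled = {name.strip().lower() for name in value.split(",") if name.strip()}
    return "phpinfo" in disabled


def audit(owncloud_root: str, php_ini_path: str, remove: bool = False) -> Dict[str, bool]:
    """Report findings for one installation; delete the test file if asked.

    'rotate_secrets' is set whenever the file was found: if it was reachable
    on an exposed instance, the advisory's advice to rotate the admin
    password, mail, database and object-store credentials applies.
    """
    target = os.path.join(owncloud_root, GRAPHAPI_TEST_FILE)
    present = os.path.isfile(target)
    with open(php_ini_path, encoding="utf-8") as handle:
        disabled = phpinfo_disabled(handle.read())
    removed = False
    if present and remove:
        os.remove(target)
        removed = True
    return {
        "test_file_present": present,
        "phpinfo_disabled": disabled,
        "removed": removed,
        "rotate_secrets": present,
    }


def build_fixture() -> Tuple[str, str]:
    """Constructed sample (not a real install): a throwaway tree with the test
    file present and a php.ini that disables other functions but not phpinfo.
    Returns the ownCloud root and the php.ini path."""
    root = tempfile.mkdtemp(prefix="owncloud-audit-")
    target = os.path.join(root, GRAPHAPI_TEST_FILE)
    os.makedirs(os.path.dirname(target))
    with open(target, "w", encoding="utf-8") as handle:
        handle.write("<?php phpinfo();\n")
    php_ini = os.path.join(root, "php.ini")
    with open(php_ini, "w", encoding="utf-8") as handle:
        handle.write("; constructed sample php.ini\ndisable_functions = exec,shell_exec\n")
    return root, php_ini


if __name__ == "__main__":
    root, php_ini = build_fixture()
    print("before:", audit(root, php_ini))
    print("after: ", audit(root, php_ini, remove=True))
```

Run it against the real installation directory and php.ini; on a production host, run once without remove=True to record the findings first. Note that disable_functions only takes effect for the PHP SAPI that reads that php.ini (php-fpm, mod_php and the CLI can load different files), so check the one the web server actually uses.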

Zoom

A vulnerability in Zoom that could allow threat actors to take over meetings and steal data has been patched. Researchers state that the flaw was first discovered in June 2023. There are no reports of active exploitation in the wild at this time.

Zyxel

Zyxel have documented multiple security flaws in a range of products, including firewalls, access points and network attached storage (NAS) devices, warning that unpatched devices are at risk of authentication bypass, command injection and denial-of-service attacks.

What’s the risk to me or my business?

There is a risk that running unpatched versions of the above products will leave organisations open to having the confidentiality, integrity and availability of their information compromised.

What can I do?

Black Arrow recommends organisations check whether they are running vulnerable versions of the above products, and if so, these should be updated to patched versions. Further information can be found below.



Black Arrow Admin

Black Arrow Cyber Advisory 24 November 2023 – Windows SmartScreen Vulnerability Under Active Exploitation

Executive summary

Financially motivated threat actors are currently exploiting a vulnerability in unpatched versions of Windows SmartScreen. The vulnerability was patched in Microsoft's November Patch Tuesday; since then, a proof of concept exploiting it has become publicly available.

What’s the risk to me or my business?

Windows SmartScreen is a security feature that prevents potentially harmful files from running. It checks applications or files to ensure that they are safe; if they are not deemed safe, it warns the user and gives them the option not to run them. The now publicly available exploit allows an attacker to have a victim run malware without the SmartScreen warning, impacting the confidentiality, integrity and availability of data. To exploit it, an attacker only needs a user to open a malicious internet shortcut (.url) file or click a link to one.

What can I do?

Black Arrow recommends applying the patches made available by Microsoft immediately, which can be found in our blog post detailed below. Organisations running unpatched versions are leaving themselves at risk of exploitation.

Technical Summary

CVE-2023-36025 - A security feature bypass vulnerability in Windows SmartScreen, triggered by a malicious internet shortcut file.

Further information can be found here:

https://www.blackarrowcyber.com/blog/advisory-15-november-2023-microsoft-adobe-fortinet-vmware-wordpress-updates

https://www.ghacks.net/2023/04/11/microsoft-windows-security-updates-april-2023-what-you-need-to-know-before-installation/

Black Arrow Admin

Black Arrow Cyber Advisory 15 November 2023 – Microsoft Patch Tuesday fixes five zero days, three actively exploited; Adobe, Fortinet, VMware and WordPress Updates Summary

Executive summary

Microsoft’s November Patch Tuesday provides updates to address 58 security issues across its product range, including three actively exploited zero-day vulnerabilities. The exploited zero-days include two privilege escalation vulnerabilities and a security feature bypass. These have been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog. Also among the updates provided by Microsoft were 3 critical vulnerabilities.

In addition to the Microsoft updates this week, Adobe, Fortinet, VMware and WordPress also provided updates for vulnerabilities in their products. A previously patched NetScaler vulnerability known as Citrix Bleed remains a threat, with the LockBit ransomware gang actively using publicly available exploits against unpatched versions.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker with access to bypass security controls, gain SYSTEM privileges and compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.

Technical Summary

CVE-2023-36036: An actively exploited elevation of privilege vulnerability in Windows Cloud Files Mini Filter.

CVE-2023-36033: An actively exploited elevation of privilege vulnerability in Windows DWM Core Library that could allow an attacker to gain the highest privileges.

CVE-2023-36025: An actively exploited vulnerability in Windows SmartScreen which allows a malicious internet shortcut to bypass security.

CVE-2023-36413: A Microsoft Office security feature bypass.

CVE-2023-36038: A denial of service vulnerability in ASP.NET Core.

Adobe

This month, Adobe released fixes for 25 vulnerabilities, of which 13 were rated critical, across Adobe Acrobat and Reader (17), ColdFusion (6), InCopy (1) and Dimension (1). At present, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.

Citrix

The LockBit ransomware group are using publicly available exploits for the Citrix Bleed vulnerability. Thousands of internet-exposed NetScaler appliances are still running vulnerable versions.

Fortinet

This month, Fortinet's FortiGuard PSIRT released three advisories, including one for a critical vulnerability, impacting FortiOS, FortiProxy-DOS and FortiProxyVM.

VMware

VMware has patched one critical authentication bypass vulnerability, tracked as CVE-2023-34060 which impacts Cloud Director Appliances. There are no available workarounds.

WordPress

A WordPress plugin, WP Fastest Cache, is vulnerable to an SQL injection vulnerability tracked as CVE-2023-6063, which could allow unauthenticated attackers to read the contents of the site’s database. At present, more than 600,000 websites run a vulnerable version of WP Fastest Cache. A software patch has been made available by the developer.


Microsoft

Further details on other specific updates within this month’s Microsoft Patch Tuesday can be found here:

https://www.ghacks.net/2023/04/11/microsoft-windows-security-updates-april-2023-what-you-need-to-know-before-installation/

https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2023-patch-tuesday-fixes-5-zero-days-58-flaws/

Adobe

Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-54.html

Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here:

https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html

Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-62.html

Further details of the vulnerabilities addressed in Adobe InCopy can be found here: https://helpx.adobe.com/security/products/incopy/apsb23-60.html

Citrix

Further details about the Citrix Bleed vulnerability can be found here:

https://www.blackarrowcyber.com/blog/advisory-26-october-2023-citrix-bleed-vulnerability

Fortinet

Further details on the Fortinet advisories can be found on the FortiGuard PSIRT page:

https://www.fortiguard.com/psirt

VMware

Further information on the vulnerability addressed by VMware can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0026.html

WordPress

Further information on the WordPress vulnerability can be found here:

https://www.bleepingcomputer.com/news/security/wp-fastest-cache-plugin-bug-exposes-600k-wordpress-sites-to-attacks/


Black Arrow Admin

Black Arrow Cyber Advisory 09 November 2023 – High Severity Veeam ONE Vulnerabilities

Executive summary

Veeam has released patches to fix four vulnerabilities in Veeam ONE, including two rated critical. If exploited, the critical vulnerabilities could allow an unauthenticated attacker to achieve remote code execution on the SQL server hosting the product's configuration database, and a low-privileged user with access to the web client to obtain the NTLM hash of a service account.

What’s the risk to me or my business?

Organisations running vulnerable versions are at risk of remote code execution and NTLM hash theft. A stolen hash can be cracked offline or relayed to authenticate as that account, impacting the confidentiality, integrity and availability of data.

The following products are affected:

• Veeam ONE 11 – fixed in version 11.0.0.1379

• Veeam ONE 11a – fixed in version 11.0.1.1880

• Veeam ONE 12 – fixed in version 12.0.1.2591

What can I do?

Black Arrow recommends applying the patches immediately due to the severity of the vulnerabilities; there is no workaround available. Further information can be found in the Veeam security update below.

Technical Summary

CVE-2023-38547 – If exploited, this allows an unauthenticated attacker to obtain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting that database.

CVE-2023-38548 – If exploited, this allows an unprivileged user who has access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service, which could then be cracked offline or relayed.

Further information can be found here: https://www.veeam.com/kb4508

Black Arrow Admin

Black Arrow Cyber Advisory 26 October 2023 – Citrix Bleed Vulnerability Actively Exploited, Patch Now

Executive summary

A critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) is being actively exploited in the wild. The vulnerability, dubbed “Citrix Bleed”, allows attackers to retrieve authentication session tokens, which can then be used to gain unauthorised access to user accounts. Following the release of a proof-of-concept, there has been a further rise in attackers exploiting the vulnerability, which has now been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. A second vulnerability, which causes a denial of service, has also been addressed.

What’s the risk to me or my business?

Successful exploitation of the critical vulnerability allows an unauthenticated attacker to gain access to sensitive information which can then be used to access user accounts, impacting the confidentiality, integrity and availability of data. The second vulnerability can cause a denial of services, impacting the availability of data.

The following customer-managed versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15

  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19

  • NetScaler ADC 13.1-FIPS before 13.1-37.164

  • NetScaler ADC 12.1-FIPS before 12.1-55.300

  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and a patch has not been released for these affected products.
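Several of the advisories on this page (FortiSIEM, Veeam ONE and the NetScaler list above) boil down to the same question: is the installed build on an affected release line, and is it below the first fixed build? As an added example, not code from Black Arrow or any of the vendors, the Python below answers that for the three version formats involved. The rule tables are transcribed from the version lists in those advisories; the function names, the result labels and the variant tag used to separate the NetScaler FIPS/NDcPP builds are this example's own conventions.

```python
"""
Added example, not code from Black Arrow or any of the vendors above: a
small checker that decides whether an installed build sits inside a
vendor's "affected, fixed in X" range, for the three version shapes quoted
in these advisories:
  - NetScaler builds   "13.1-49.15"    (release 13.1, build 49.15)
  - FortiSIEM versions "7.1.1"
  - Veeam ONE versions "12.0.1.2591"
Rule tables are transcribed from the advisories; everything else (function
names, result labels, the 'variant' tag) is this example's own convention.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '13.1-49.15', '7.1.1' or '12.0.1.2591' into an integer tuple.

    Only the numeric components matter for ordering, so non-numeric parts
    such as the 'FIPS' in '13.1-FIPS-37.164' are dropped. Plain tuple
    comparison then gives the expected order, e.g. (13, 1, 37, 150) < (13, 1, 37, 164).
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Rule:
    release: str            # affected release line, e.g. "14.1" or "11.0.1"
    fixed: Optional[str]    # first fixed build, or None when the line has no patch (EOL)
    variant: str = ""       # "FIPS" / "NDcPP" for NetScaler special builds, "" otherwise


# Transcribed from the advisories above. A build is judged vulnerable when it
# is on a listed release line and numerically below the first fixed build;
# this is deliberately conservative for gaps such as FortiSIEM 6.6.4, which
# the advisory lists as neither affected nor fixed.
RULES: Dict[str, List[Rule]] = {
    "netscaler": [                     # CVE-2023-4966 / CVE-2023-4967
        Rule("14.1", "14.1-8.50"),
        Rule("13.1", "13.1-49.15"),
        Rule("13.0", "13.0-92.19"),
        Rule("13.1", "13.1-37.164", "FIPS"),
        Rule("12.1", "12.1-55.300", "FIPS"),
        Rule("12.1", "12.1-55.300", "NDcPP"),
        Rule("12.1", None),            # plain 12.1 is end of life: no patch released
    ],
    "fortisiem": [                     # CVE-2024-23108 / CVE-2024-23109
        Rule("7.1", "7.1.2"), Rule("7.0", "7.0.3"), Rule("6.7", "6.7.9"),
        Rule("6.6", "6.6.5"), Rule("6.5", "6.5.3"), Rule("6.4", "6.4.4"),
    ],
    "veeam_one": [                     # CVE-2023-38547 / CVE-2023-38548
        Rule("11.0.0", "11.0.0.1379"),  # Veeam ONE 11
        Rule("11.0.1", "11.0.1.1880"),  # Veeam ONE 11a
        Rule("12", "12.0.1.2591"),      # Veeam ONE 12
    ],
}


def assess(product: str, installed: str, variant: str = "") -> str:
    """Classify an installed build against the product's rules.

    Returns 'vulnerable', 'patched', 'no-fix-available' (affected line with
    no patch, e.g. NetScaler 12.1) or 'not-covered' (release line the
    advisory does not mention, which is not the same as safe).
    """
    current = parse_version(installed)
    for rule in RULES[product]:
        if rule.variant != variant:
            continue
        line = parse_version(rule.release)
        if current[: len(line)] != line:
            continue
        if rule.fixed is None:
            return "no-fix-available"
        return "patched" if current >= parse_version(rule.fixed) else "vulnerable"
    return "not-covered"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    inventory = [
        ("netscaler", "ns-gw-01", "14.1-4.42", ""),
        ("netscaler", "ns-gw-02", "13.1-37.150", "FIPS"),
        ("netscaler", "ns-old-01", "12.1-65.39", ""),
        ("fortisiem", "siem-sup", "7.1.1", ""),
        ("veeam_one", "veeam-one", "12.0.1.2591", ""),
    ]
    for product, host, build, variant in inventory:
        print(f"{host:10} {product:10} {build:14} {assess(product, build, variant)}")
```

The EOL 12.1 line gets its own result, no-fix-available, rather than vulnerable, because the remediation there is replacement rather than patching; a release line the advisory does not mention comes back as not-covered, which should be read as unknown rather than safe.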

What can I do?

Patches are available for impacted versions of NetScaler ADC and NetScaler Gateway. Due to the severity of the vulnerability, Black Arrow recommends applying the patches for the critical vulnerability immediately. Because session tokens stolen before patching remain valid afterwards, NetScaler have also provided commands to terminate active and persistent sessions, which should be run once the update is applied; these are listed in the Citrix bulletin linked below. The same patches also address the second vulnerability. NetScaler have noted that if you are a Citrix-managed cloud service or Citrix-managed Adaptive Authentication customer, no action is required.

Technical Summary

CVE-2023-4966 – If exploited, this vulnerability allows an unauthenticated attacker to retrieve authentication session cookies through a buffer-related flaw; the stolen session can then be used to log in as that user.

CVE-2023-4967 – A vulnerability which, if exploited, allows an attacker to cause a denial of service.

Further information on the Citrix patches can be found here:

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/

Further information on the proof-of-concept can be found here:

https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Advisory 26 October 2023 – High Severity Vulnerability in VMware vCenter Patched, Including End-of-Life Products

Executive summary

VMware have released a security advisory addressing a vulnerability which could allow an attacker to perform remote code execution via VMware vCenter Server. Due to the severity of the vulnerability, patches have been released even for previously end-of-life versions of VMware vCenter Server. VMware have also addressed a partial information disclosure vulnerability.

What’s the risk to me or my business?

Organisations with a vulnerable server are leaving themselves at risk of allowing an attacker to perform remote code execution, impacting the confidentiality, integrity and availability of data.

The following versions are vulnerable, with patches detailed in VMware’s response matrix: 8.0, 7.0, 5.x, 4.x. Additionally, VMware have noted that whilst VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3 and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.

What can I do?

Black Arrow recommends applying the patches for the critical vulnerability immediately due to its severity; there is no workaround available. Fixes for the other vulnerability are included in the patches for the critical vulnerability. Further information can be found in the security advisory by VMware.

Technical Summary

CVE-2023-34048 – A critical out-of-bounds write vulnerability which can lead to remote code execution.

CVE-2023-34056 – A vulnerability which can allow threat actors without administrator privileges to access sensitive data.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Further information can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0023.html

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Advisory 19 October 2023 – Oracle Patches 185 Vulnerabilities in October 2023

Executive Summary

Oracle's October 2023 Critical Patch Update comprises 387 new security patches, addressing vulnerabilities in both Oracle's proprietary code and third-party components. This includes over 40 patches that address critical-severity flaws and more than 200 patches for vulnerabilities that are remotely exploitable without authentication. The most patched Oracle products are Financial Services Applications, receiving 103 patches, followed by Oracle Communications with 91 patches.

What’s the risk to me or my business?

The large number of patches, especially those fixing critical-severity and remotely exploitable flaws, underscores the risk of running unpatched Oracle products. Organisations using these products may face threats to data confidentiality, integrity and availability if the vulnerabilities are exploited. The risk is especially pronounced for products such as Financial Services Applications and Oracle Communications, which have a high count of patches addressing flaws that are remotely exploitable without authentication.

Affected Products

Oracle's October 2023 CPU encompasses a broad range of affected products. Notably, these include Analytics, Retail Applications, Database Server, Communications Applications, Commerce, GoldenGate, Enterprise Manager, Java SE, PeopleSoft, E-Business Suite, Construction and Engineering, Systems, Utilities, Health Sciences Applications, Siebel CRM, Hyperion, Hospitality Applications, Essbase, REST Data Services, JD Edwards, Supply Chain, Secure Backup, TimesTen In-Memory Database, HealthCare Applications, and Insurance Applications. It's recommended that users of these solutions take note and act accordingly to ensure their systems remain secure.

What can I do?

Oracle has released security patches for all affected products and recommends that customers apply the Critical Patch Update security patches immediately to mitigate potential threats. Oracle has also suggested revisiting any previous Critical Patch Updates to ensure the software portfolio is up to date.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Further information can be found here:

https://www.oracle.com/security-alerts/cpuoct2023.html

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Alert 17 October 2023 – Cisco IOS XE Software Web UI Zero-Day Under Active Exploitation - updated 20, 23, 24 & 25 October 2023

Update 25/10/2023:

Another actively exploited zero-day (CVE-2023-20273) has been found in use in the wild. Both vulnerabilities are now being used together: the first to gain initial access and create a new local user, the second to elevate privileges so that the new user has admin privileges on the system.

Links to the new CVE can be found below.

Update 24/10/2023:

The method of identifying compromised devices was updated and the number of compromised devices jumped back up to 38,000.

Patches have been made available by Cisco and should be applied as soon as possible.

Update 23/10/2023:

The number of compromised devices dropped sharply from 50,000 to 100 after Cisco disclosed the existence of the vulnerability, as attackers appear to have modified the implant in an attempt to mask their activity.

Update 20/10/2023:

The number of Cisco devices hacked through exploitation of the zero-day has now reached approximately 40,000, according to multiple sources.

Executive summary

Cisco has published a security advisory warning users of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE software, which could allow an unauthenticated attacker to create an account with privileged exec mode enabled, giving them full control. According to Shodan, there are 40,000 devices with this vulnerability exposed online.

What’s the risk to me or my business?

Organisations with a vulnerable device whose web UI feature is exposed are leaving themselves open to an attacker gaining full access to their Cisco device, impacting the confidentiality, availability and integrity of their data.

This vulnerability affects all Cisco devices that have the web UI feature enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands. There is no patch currently available, but Cisco have stated they are working on a fix. In the meantime, as a mitigation, Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
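An added example (not Cisco's code) that applies the check above to a saved running-config: it reports which of the two web UI servers are enabled and returns the exact global-configuration commands from the advisory needed to turn them off. The sample config excerpt is constructed, and the function assumes the config has been exported as text (for example from show running-config).

```python
import re

# Added example, not Cisco's code. Reads a saved IOS XE running-config and
# reports whether the web UI servers named in the advisory are enabled.

def web_ui_status(running_config):
    """Return {'http': bool, 'https': bool}; True means that server is enabled.

    IOS XE renders an enabled server as 'ip http server' or
    'ip http secure-server' and a disabled one as the same line prefixed
    with 'no '. The last occurrence of each wins, as it would when the
    config is replayed; lines absent from the text are treated as disabled.
    """
    status = {"http": False, "https": False}
    pattern = re.compile(r"^(no\s+)?ip\s+http\s+(secure-server|server)\b")
    for raw in running_config.splitlines():
        m = pattern.match(raw.strip())
        if not m:
            continue
        key = "https" if m.group(2) == "secure-server" else "http"
        status[key] = m.group(1) is None
    return status


def mitigation_commands(running_config):
    """Global-configuration commands from the advisory needed to disable
    the web UI on this device. Both are returned when both servers are on."""
    status = web_ui_status(running_config)
    cmds = []
    if status["http"]:
        cmds.append("no ip http server")
    if status["https"]:
        cmds.append("no ip http secure-server")
    return cmds


# Constructed sample running-config excerpt, not captured from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
no ip http server
ip http secure-server
ip http authentication local
!
"""

if __name__ == "__main__":
    print(web_ui_status(SAMPLE_CONFIG))
    for cmd in mitigation_commands(SAMPLE_CONFIG):
        print(cmd)
```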

What can I do?

Black Arrow recommends following Cisco’s advice and disabling the HTTP server feature. The commands can be found in Cisco’s security advisory which is linked below.

Technical Summary (updated 23/10/2023)

CVE-2023-20273 – The vulnerability allows an attacker to use an authenticated user, such as one CVE-2023-20198 can create, to gain admin privileges on the system.

CVE-2023-20198 – The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with the highest privilege. The CVE has been given the maximum severity rating.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Further information can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z#fs

Further information on the number of exploited devices can be found here: https://www.securityweek.com/number-of-cisco-devices-hacked-via-unpatched-vulnerability-increases-to-40000/

#threatadvisory #threatintelligence #cybersecurity

Black Arrow Cyber Advisory 12 October 2023 – Microsoft Patch Tuesday, Adobe and Chrome Security Updates Summary

Executive summary

Microsoft’s October 2023 Patch Tuesday provides updates to address 103 security issues across its product range, including two actively exploited zero-day vulnerabilities (CVE-2023-36563 and CVE-2023-41763). One of the exploited zero-days is a privilege escalation vulnerability in Skype. The other is an information disclosure vulnerability in Microsoft WordPad that can result in the disclosure of NTLM hashes. Also among the updates provided by Microsoft were 13 critical vulnerabilities.

In addition to the Microsoft updates, this week also saw Adobe fix 13 vulnerabilities across various products, with a vulnerability in Adobe Reader under active exploitation, and Google address 20 vulnerabilities in Chrome.

What’s the risk to me or my business?

The actively exploited vulnerabilities could allow an attacker with access to elevate privileges, or to capture the hashes of user passwords and use them to gain access to that user’s accounts. Both compromise the confidentiality, integrity and availability of data stored by an organisation.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.

Technical Summary

CVE-2023-36563: If exploited, this information disclosure vulnerability in Microsoft WordPad could result in the leak of NTLM hashes.

CVE-2023-41763: If exploited, it allows an attacker to escalate privileges in Skype, which could lead to the exposure of sensitive information such as IP addresses and port numbers, and enable an attacker to gain access to internal networks.

Adobe

This month, Adobe released fixes for 13 vulnerabilities across Adobe Bridge (2), Commerce (10) and Photoshop (1), of which 8 were rated critical. Adobe have stated that a vulnerability in Adobe Reader is under active exploitation. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.

Chrome

Google has released an update for Chrome which patches 20 vulnerabilities, the most severe of which allows arbitrary code execution by a malicious attacker. Depending on the privileges associated with the user, an attacker could then install programs; view, delete or modify data; or create new accounts with full user rights. Users whose accounts have fewer user rights could be less impacted than those who operate with administrative user rights. While there are currently no reports of these vulnerabilities being exploited in the wild, it is advised to update to the latest version as soon as possible.

Further details on other specific updates within this Patch Tuesday can be found here:

https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct

Further details about CVE-2023-36563 can be found here:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36563

Further details about CVE-2023-41763 can be found here:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41763

Further details of the vulnerabilities addressed in Adobe Bridge can be found here:

https://helpx.adobe.com/security/products/bridge/apsb23-49.html

Further details of the vulnerabilities addressed in Adobe Commerce can be found here:

https://helpx.adobe.com/security/products/magento/apsb23-50.html

Further details of the vulnerabilities addressed in Adobe Photoshop can be found here:

https://helpx.adobe.com/security/products/photoshop/apsb23-51.html

Further details of the vulnerabilities addressed in Chrome can be found here:

https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
