Threat Intelligence Blog
Black Arrow Cyber Advisory 15 May 2024 – Microsoft, Adobe, Apple, Mozilla Firefox, Google Chrome, SAP and VMware Updates
Executive summary
Microsoft’s May Patch Tuesday provides updates to address 61 security issues across its product range. Notably, the update tackles two actively exploited zero-day vulnerabilities: a security feature bypass and an elevation of privilege vulnerability. Among the updates provided by Microsoft was one critical vulnerability, which allows an attacker remote code execution.
In addition to the Microsoft updates, this week also saw Adobe, Apple, Firefox, Google Chrome, SAP and VMware provide updates for vulnerabilities in a variety of their products, including multiple zero-days and critical vulnerabilities.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an unauthenticated attacker to gain code execution and to elevate to system privileges, the highest available, both of which compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. Updates for the actively exploited vulnerabilities should be applied as soon as possible, and patches for all other vulnerabilities that have one available should likewise be applied as soon as possible.
Technical Summary
Microsoft
CVE-2024-30040 – A security feature bypass, in which an unauthenticated attacker can gain code execution by convincing a user to open a malicious document. It is now known how this flaw was abused in attacks.
CVE-2024-30051 – A flaw in the Windows DWM Core Library which, upon exploitation, allows an attacker to elevate to system privileges, the highest available.
Apple
Apple have addressed multiple vulnerabilities in their products, including 16 vulnerabilities on iPhones and iPads. This includes one vulnerability which the company says “may have been exploited”.
Adobe
Adobe have addressed 37 vulnerabilities in their products, including 9 critical vulnerabilities in Adobe Acrobat and Reader, 2 critical vulnerabilities each in Adobe Commerce, Adobe InDesign and Adobe Experience Manager, 1 critical vulnerability each in Adobe Media Encoder and Adobe Bridge, 3 critical vulnerabilities in Adobe Illustrator and 2 critical vulnerabilities in Adobe Animate. The company said it was not aware of any exploits in the wild for any of the documented issues.
Firefox
Firefox has been updated to version 126. The new version addresses 16 unique security issues. None of the vulnerabilities are currently under active exploitation. The release also comes with some quality-of-life changes, such as search telemetry changes and copying links without site tracking.
Google Chrome
Google Chrome released an emergency update to fix its sixth zero-day exploited this year, just one week after the previous one. Google are aware that an exploit for the vulnerability exists in the wild. Users are recommended to update as soon as possible.
SAP
This month, SAP has released 17 patches, which include 14 new fixes and 3 updates from previous releases. Two patches and one update have been given the “hot news” priority in SAP, the highest severity. The vulnerabilities encompass a range of issues, including CSS Injection, Remote Code Execution, File Upload flaws, and Cross-Site Scripting (XSS).
VMware
Multiple security flaws, including one critical vulnerability, have been addressed by VMware after their exploitation was demonstrated at a security event. Some of the vulnerabilities do not have a fix yet and as such, users are advised to disable Bluetooth support and 3D acceleration as temporary workarounds until patches are applied.
More info:
Microsoft
Further details on other specific updates within Microsoft’s May patch Tuesday can be found here:
https://www.ghacks.net/2024/05/14/microsoft-releases-the-may-2024-security-updates-for-windows/
Apple
Further details of the vulnerabilities in Apple can be found here:
https://support.apple.com/en-gb/HT201222
Adobe
Further details of the vulnerabilities in Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb24-29.html
Further details of the vulnerabilities in Adobe Photoshop can be found here:
https://helpx.adobe.com/security/products/photoshop/apsb24-16.html
Further details of the vulnerabilities in Adobe Commerce can be found here:
https://helpx.adobe.com/uk/security/products/magento/apsb24-18.html
Further details of the vulnerabilities in Adobe InDesign can be found here:
https://helpx.adobe.com/uk/security/products/indesign/apsb24-20.html
Further details of the vulnerabilities in Adobe Experience Manager can be found here:
https://helpx.adobe.com/uk/security/products/experience-manager/apsb24-21.html
Further details of the vulnerabilities in Adobe Media Encoder can be found here:
https://helpx.adobe.com/uk/security/products/media-encoder/apsb24-23.html
Further details of the vulnerabilities in Adobe Bridge can be found here:
https://helpx.adobe.com/uk/security/products/bridge/apsb24-24.html
Further details of the vulnerabilities in Adobe Illustrator can be found here:
https://helpx.adobe.com/uk/security/products/illustrator/apsb24-25.html
Further details of the vulnerabilities in Adobe Animate can be found here:
https://helpx.adobe.com/uk/security/products/animate/apsb24-26.html
Firefox
Further details on the vulnerabilities addressed in the Firefox release can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/
Google Chrome
Further details on the vulnerabilities addressed in the Google Chrome update can be found here:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html
SAP
Further details on the vulnerabilities addressed in SAP can be found here:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2024.html
VMware
Further details on the vulnerabilities addressed by VMware can be found here:
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 13 March 2024 – Microsoft Patch Tuesday, Adobe, Fortinet and SAP Security Updates Summary
Executive summary
Microsoft’s March Patch Tuesday provides updates to address 60 security issues across its product range. Among the updates provided by Microsoft were 2 critical vulnerabilities allowing remote code execution and denial of service; both of these vulnerabilities relate to Windows Hyper-V. Microsoft’s March 2024 Patch Tuesday has not identified any zero-day vulnerabilities.
In addition to the Microsoft updates, this week also saw Adobe, FortiGuard and SAP provide updates for vulnerabilities in a variety of their products, with multiple rated as critical.
What’s the risk to me or my business?
Successful exploitation of the vulnerabilities could allow an attacker to gain remote code execution, cause a denial of service and impact the confidentiality, integrity and availability of information.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.
Technical Summary
Microsoft
CVE-2024-21407 – This vulnerability, if actively exploited, allows a threat actor to gain remote code execution on the host server of a guest virtual machine. It requires an authenticated attacker to send specially crafted file operation requests.
CVE-2024-21408 – This vulnerability, if actively exploited, allows a threat actor to perform a denial of service. Microsoft have not disclosed how this could be exploited.
Adobe
Adobe have addressed multiple vulnerabilities in their products, including at least 46 in Adobe Experience Manager, 2 critical vulnerabilities in Adobe Premiere Pro, a critical vulnerability in Adobe ColdFusion, and 4 vulnerabilities in Adobe Bridge, of which 3 are critical.
Fortinet
Fortinet have released three updates: 1 critical vulnerability impacting FortiOS and FortiProxy, 1 vulnerability impacting FortiClientEMS, 1 vulnerability impacting FortiWLM MEA for FortiManager and 1 critical vulnerability in the DAS component.
SAP
This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. 1 patch and 1 update have been given the “hot news” priority in SAP, the highest severity. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.
Further details on other specific updates within this Patch Tuesday can be found here:
Further details of the vulnerabilities in Adobe Experience Manager can be found here:
https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html
Further details of the vulnerabilities in Adobe Premiere Pro can be found here:
https://helpx.adobe.com/security/products/premiere_pro/apsb24-12.html
Further details of the vulnerabilities in Adobe ColdFusion can be found here:
https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html
Further details of the vulnerabilities in Adobe Bridge can be found here:
https://helpx.adobe.com/security/products/bridge/apsb24-15.html
Further details of the vulnerabilities in FortiOS and FortiProxy can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-328
Further details of the vulnerability in FortiClientEMS can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-390
https://www.fortiguard.com/psirt/FG-IR-24-013
Further details of the vulnerability in FortiManager can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-103
Further details of the vulnerability impacting the DAS component can be found here:
https://www.fortiguard.com/psirt/FG-IR-24-007
Further details of the vulnerabilities addressed by SAP can be found here:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2024.html
Black Arrow Cyber Advisory 07 March 2024 – Apple, Cisco and VMware Security Updates
Executive Summary
Apple, Cisco and VMware have addressed multiple vulnerabilities across their product range this week, including two actively exploited zero-days affecting Apple products. These vulnerabilities are reportedly being exploited in the wild and have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. The seriousness of the VMware vulnerabilities has led to VMware releasing patches for end-of-life products.
In addition, CISA has issued a warning about a flaw (CVE-2023-21237) impacting Google Pixel phones. Although Google addressed this vulnerability in June 2023, CISA reports that it is still being actively exploited in the wild and has added it to the KEV catalog.
Apple
Apple have released security updates to address several security flaws, including two zero-day vulnerabilities that are being actively exploited in the wild and have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. This is the third actively exploited zero-day in its software since the start of the year.
What can I do?
Apple have released security patches to address the vulnerabilities and it is advised to update immediately since it has been reported that the vulnerabilities are being exploited in the wild. The vulnerabilities have been addressed in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.
Technical Summary
CVE-2024-23225 – This is a memory corruption issue in the kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections.
CVE-2024-23296 – This is a memory corruption issue in the RTKit real-time operating system (RTOS) that an attacker with arbitrary kernel read and write can exploit to bypass kernel memory protections.
Cisco
Cisco have addressed two high-severity vulnerabilities in its VPN application, Secure Client, that could lead to remote exploitation without authentication and execution of code with the highest level of privilege.
What can I do?
Organisations using Secure Client should check whether they are running vulnerable versions and apply patches immediately. Where a patch is not available, organisations should follow Cisco’s guidance linked below.
Technical Summary
CVE-2024-20337 - A carriage return line feed (CRLF) injection attack that could be triggered remotely by tricking a user into clicking a maliciously crafted link. According to Cisco, this only impacts Secure Client instances where the VPN headend is configured with the SAML external browser.
CVE-2024-20338 - A vulnerability that can allow an attacker to execute code with root privileges. This vulnerability only affects Secure Client for Linux and requires authentication prior to exploitation.
The following versions of Secure Client have been impacted:
CVE-2024-20337
Versions 4.10.04065 and later - upgrade to version 4.10.08025
Version 5.0 - no patch available; users should migrate to a fixed release
Version 5.1 - apply the patches in version 5.1.2.42
Versions earlier than 4.10.04065 are not vulnerable.
CVE-2024-20338
This impacts Linux versions earlier than 5.1.2.42 and requires authentication for successful exploitation. The first fixed release is version 5.1.2.42.
VMware
VMware have released security patches to address four security flaws impacting ESXi, Workstation and Fusion, two of which are critical flaws (CVE-2024-22252 and CVE-2024-22253) which, if exploited, could lead to code execution.
What can I do?
VMware have released patches for the impacted products and it is recommended to patch immediately, given the severity of the vulnerabilities. Organisations should also check any end-of-life products they may be using as these have also had patches released.
The following versions have been impacted:
ESXi 6.5 – fixed in 6.5U3v
ESXi 6.7 - fixed in 6.7U3u
ESXi 7.0 - fixed in ESXi70U3p-23307199
ESXi 8.0 - fixed in ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 5.x/4.x – fixed in version KB88287
Workstation 17.x - fixed in 17.5.1
Fusion 13.x (macOS) - fixed in 13.5.1
Technical Summary
CVE-2024-22254 – This is an out-of-bounds write vulnerability in ESXi that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape.
CVE-2024-22255 – This is an information disclosure vulnerability in the UHCI USB controller that a malicious actor with administrative access to a virtual machine may exploit to leak memory from the VMX process.
Further Information
Apple
Further details on the Apple vulnerabilities can be found here:
https://support.apple.com/en-us/HT214081
Cisco
Further details on the Cisco vulnerabilities can be found here:
CVE-2024-20337 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7
CVE-2024-20338 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-privesc-sYxQO6ds
CISA KEV catalog
Further details of CISA’s KEV catalog can be found here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
VMware
Further details on the VMware vulnerabilities can be found here:
https://www.vmware.com/security/advisories/VMSA-2024-0006.html
Black Arrow Cyber Advisory 14 February 2024 – Microsoft Patch Tuesday (inc 2 exploited zero-days), Adobe, and SAP Security Updates
Executive summary
It is Valentine’s Day, and what better way to spend it than reading about Microsoft’s latest Patch Tuesday. In this month’s Patch Tuesday, Microsoft has provided updates to address 73 security issues across its product range, including two exploited zero-day vulnerabilities (CVE-2024-21351 and CVE-2024-21412). Microsoft classifies a zero-day as a flaw that is publicly disclosed or actively exploited with no official fix available. The two exploited vulnerabilities affect Windows SmartScreen and Internet Shortcut Files, allowing security feature bypasses. They have both been added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA).
In addition to the updates from Microsoft, this week also saw Adobe fix 38 vulnerabilities and SAP issue 13 new patches for its range of products, three of which were rated as critical.
What’s the risk to me or my business?
The vulnerabilities, if actively exploited, could allow an attacker to bypass security features and inject malicious code, impacting the confidentiality, integrity and availability of data.
Microsoft
There is no official fix for the exploited vulnerabilities, however they both require a user to interact with a malicious file. As such, it is important to make sure users remain vigilant when interacting with their emails. Organisations should follow the vulnerabilities closely, so that they can apply any patches immediately. Other available updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating. Other patches should be applied in a reasonable time frame.
Technical Summary
CVE-2024-21351: This vulnerability, if actively exploited, allows an attacker to bypass Windows SmartScreen. It relies on an authorised attacker sending a malicious file and convincing a user to open it.
CVE-2024-21412: This vulnerability, if actively exploited, allows an attacker to bypass Windows security features and send malicious files to users. The attacker would still need the user to interact with the file.
Adobe
This month, Adobe has released fixes for vulnerabilities impacting Adobe Acrobat and Reader (13, of which 5 are critical), Commerce (9, of which 6 are critical), Substance 3D Painter (13, of which 5 are critical), FrameMaker Publishing Server (1 critical), Audition (1 critical) and Substance 3D Designer (1 critical). Currently, Adobe is not aware of any active exploitation of these vulnerabilities. The vulnerabilities include issues such as arbitrary code execution and memory leaks.
SAP
This month, SAP has released 13 patches, which include 10 new releases and 3 updates from previous releases. These patches address 8 critical vulnerabilities affecting a variety of SAP products. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.
Microsoft
Further details on other specific updates within this patch Tuesday can be found here:
https://www.ghacks.net/2024/02/13/the-windows-security-updates-for-february-2024-are-here/
Adobe
Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb24-07.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Painter can be found here:
https://helpx.adobe.com/security/products/substance3d_painter/apsb24-04.html
Further details of the vulnerabilities addressed in Adobe FrameMaker can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb24-07.html
Further details of the vulnerabilities addressed in Adobe Audition can be found here:
https://helpx.adobe.com/security/products/audition/apsb24-11.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Designer can be found here:
https://helpx.adobe.com/security/products/substance3d_designer/apsb24-13.html
SAP
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html
Black Arrow Cyber Advisory 09 February 2024 – Cisco, Fortinet, Ivanti and VMware Security Updates
Executive Summary
Cisco, Fortinet, Ivanti and VMware have addressed multiple vulnerabilities across their product range. All of the vendors have a security patch available to address the vulnerabilities and due to the active exploitation of some of the vulnerabilities, it is recommended to apply them immediately.
Cisco
Cisco have released security updates for three flaws affecting the Cisco Expressway Series that could allow an unauthenticated remote attacker to conduct cross-site request forgery attacks. Two of the flaws are rated critical (CVE-2024-20252 and CVE-2024-20254) and can be exploited in the impacted devices’ default configuration; however, the third flaw (CVE-2024-20255) can only be exploited if the cluster database API feature has been enabled, which it is not by default.
Cisco have released patches for the affected products, which are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.
Fortinet
Fortinet have released a second round of updates addressing two previously disclosed critical flaws in the FortiSIEM supervisor. The two flaws (CVE-2024-23108 and CVE-2024-23109) allow a remote unauthenticated attacker to perform arbitrary code execution.
Impacted products are:
FortiSIEM version 7.1.0 through 7.1.1 fixed in 7.1.2
FortiSIEM version 7.0.0 through 7.0.2 fixed in 7.0.3
FortiSIEM version 6.7.0 through 6.7.8 fixed in 6.7.9
FortiSIEM version 6.6.0 through 6.6.3 fixed in 6.6.5
FortiSIEM version 6.5.0 through 6.5.2 fixed in 6.5.3
FortiSIEM version 6.4.0 through 6.4.2 fixed in 6.4.4
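A practitioner with several FortiSIEM supervisors to check will want to compare each installed version against the ranges above rather than eyeball them. The following is an added example, not code from Black Arrow or Fortinet: it parses the impacted-products lines as written above (the list is embedded verbatim as constructed input), compares dotted versions numerically rather than as strings, and reports versions that fall in a gap the advisory does not mention (for example 6.6.4, which sits between the last affected 6.6.3 and the fix in 6.6.5) as "unlisted" so they are confirmed with the vendor instead of assumed safe.

```python
"""Compare installed FortiSIEM versions against the advisory's affected ranges."""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# Constructed input: the impacted-products lines from the Fortinet section above.
ADVISORY_LINES = [
    "FortiSIEM version 7.1.0 through 7.1.1 fixed in 7.1.2",
    "FortiSIEM version 7.0.0 through 7.0.2 fixed in 7.0.3",
    "FortiSIEM version 6.7.0 through 6.7.8 fixed in 6.7.9",
    "FortiSIEM version 6.6.0 through 6.6.3 fixed in 6.6.5",
    "FortiSIEM version 6.5.0 through 6.5.2 fixed in 6.5.3",
    "FortiSIEM version 6.4.0 through 6.4.2 fixed in 6.4.4",
]

# "version <low> through <high> fixed in <fixed>"
LINE_RE = re.compile(r"version\s+([\d.]+)\s+through\s+([\d.]+)\s+fixed in\s+([\d.]+)")


def parse_version(text: str) -> Version:
    """Turn '6.7.10' into (6, 7, 10) so that 6.7.10 > 6.7.9 (string compare gets this wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_ranges(lines: List[str]) -> List[Tuple[Version, Version, Version]]:
    """Extract (low, high, fixed) tuples; refuse to guess if a line does not match."""
    ranges = []
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            raise ValueError(f"unrecognised advisory line: {line!r}")
        low, high, fixed = (parse_version(part) for part in match.groups())
        ranges.append((low, high, fixed))
    return ranges


RANGES = parse_ranges(ADVISORY_LINES)


def assess(installed: str, ranges=RANGES) -> Tuple[str, str]:
    """Return (status, fixed_version) for an installed version.

    status is 'vulnerable' (inside an affected range), 'fixed' (same release
    branch, at or above the fixed build) or 'unlisted' (the advisory says
    nothing about this exact version; confirm with the vendor).
    """
    version = parse_version(installed)
    for low, high, fixed in ranges:
        if low <= version <= high:
            return ("vulnerable", format_version(fixed))
    for low, high, fixed in ranges:
        same_branch = version[:2] == low[:2]
        if same_branch and version >= fixed:
            return ("fixed", format_version(fixed))
    return ("unlisted", "")


if __name__ == "__main__":
    # Constructed inventory; replace with the versions from your own estate.
    for installed in ["7.1.1", "7.0.3", "6.6.4", "6.4.5", "5.3.0"]:
        status, fixed = assess(installed)
        print(f"{installed:>8}  {status:<10} {fixed}")
```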
Ivanti
Another critical security patch has been released by Ivanti for their Connect Secure, Policy Secure and ZTA gateway products. The flaw (CVE-2024-22024) allows remote attackers to gain access to restricted resources without requiring user interaction or authentication. While Ivanti have stated that this vulnerability is not currently being actively exploited, they urge affected users to patch immediately.
To mitigate the risks, it is recommended that all users of the impacted devices running version 6.x upgrade to version 6.12.0.
VMware
VMware have warned of five vulnerabilities in VMware Aria Operations for Networks. The vulnerabilities encompass a range of issues, including local privilege escalation, cross-site scripting and local file read (which requires admin privileges).
To mitigate the risks, it is recommended that all users of the impacted devices running version 6.x upgrade to version 6.12.0.
Further Information
Cisco
Further details on the Cisco vulnerabilities can be found here:
Fortinet
Further details on the Fortinet vulnerabilities can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-130
Ivanti
Further details on the Ivanti vulnerabilities can be found here:
VMware
Further details on the VMware vulnerabilities can be found here:
https://kb.vmware.com/s/article/96450
Black Arrow Cyber Advisory 23 January 2024 – Apple, Atlassian, Ivanti and VMware Vulnerabilities Under Active Exploitation
Executive Summary
Vulnerabilities in Apple, Atlassian, Ivanti and VMware are currently being actively exploited in the wild. All of the vendors have a security patch available to address the vulnerabilities and due to the active exploitation of the vulnerabilities, it is recommended to apply them immediately.
Apple
Following a report that Chinese authorities revealed they have used previously known vulnerabilities in Apple's AirDrop functionality to help law enforcement, Apple have released a patch for an actively exploited critical zero-day in iOS, iPadOS, macOS, tvOS and the Safari web browser. The zero-day vulnerability is a type confusion flaw that allows an attacker to perform arbitrary code execution.
Impacted Versions:
iOS 17.3 and iPadOS 17.3 - iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
iOS 16.7.5 and iPadOS 16.7.5 - iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
macOS Sonoma 14.3 - Macs running macOS Sonoma
macOS Ventura 13.6.4 - Macs running macOS Ventura
macOS Monterey 12.7.3 - Macs running macOS Monterey
Safari 17.3 - Macs running macOS Monterey and macOS Ventura
What can I do?
Updates to vulnerable devices should be applied immediately due to this vulnerability being under active exploitation.
Atlassian
Following the disclosure of the Atlassian Confluence vulnerability, it has become a target for active exploitation. Researchers have observed attackers attempting to exploit this vulnerability. At present, there are 11,000 Confluence instances exposed on the internet, and Shadowserver has recorded nearly 40,000 exploitation attempts. For further information on the vulnerability, see our advisory linked below.
Ivanti
Following the public disclosure of two Ivanti vulnerabilities being actively exploited, a third vulnerability has now been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
CVE-2023-35082 - This vulnerability enables a remote unauthorised attacker to access users’ personally identifiable information and make limited modifications to the server.
Impacted versions:
This vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8. MobileIron Core 11.7 and earlier versions are also affected by this vulnerability.
What can I do?
Ivanti released a patch for this vulnerability in August 2023. It is recommended to update any impacted products to version 11.11.0.0 or later to safeguard them from this vulnerability.
VMware
A critical vulnerability in VMware vCenter Server Management has been exploited in the wild by a Chinese hacking group since 2021. The vulnerability (CVE-2023-34048) allows an attacker to write out of bounds, potentially leading to remote code execution. VMware released a patch in October 2023, stating at the time that it was not under active exploitation. VMware recommend customers update to the latest version, which is 9.0U2.
Further Information
For further information on Ivanti and Atlassian see our previous advisory:
Apple
Further details on the Apple vulnerabilities can be found here:
https://support.apple.com/en-gb/HT201222
Ivanti
Further details on the Ivanti vulnerabilities can be found here:
VMware
Further details on the VMware vCenter Server Management vulnerability can be found here:
https://www.vmware.com/security/advisories/VMSA-2023-0023.html
Black Arrow Cyber Advisory 17 January 2024 – Citrix and Ivanti Vulnerabilities Under Active Exploitation - Atlassian, Oracle, SonicWall, and VMware also Address Security Flaws
Executive Summary
This week Atlassian, Citrix, Ivanti, Oracle, SonicWall and VMware have addressed multiple vulnerabilities across their product range. Included in the vulnerabilities addressed are two actively exploited 0-days, impacting Ivanti and Citrix products. At the time of writing, over 1700 Ivanti devices have been compromised and over 15,000 devices remain exposed.
Atlassian
CVE-2023-22527 - This is a template injection vulnerability which, if successfully exploited, allows an unauthenticated attacker to perform remote code execution on an affected instance.
Impacted Versions:
This vulnerability affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.
What can I do?
Atlassian has released patches for the affected products, and it is advised to patch immediately. The listed Fixed Versions are no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.
Citrix NetScaler
CVE-2023-6548 – Allows an authenticated, low-privileged user to achieve remote code execution on the management interface. Requires access to the NSIP, CLIP or SNIP with management interface access.
CVE-2023-6549 - If exploited, allows an attacker to perform a denial of service attack. The appliance must be configured as a gateway or AAA virtual server.
Impacted Versions:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
NetScaler ADC 13.1-FIPS before 13.1-37.176
NetScaler ADC 12.1-FIPS before 12.1-55.302
NetScaler ADC 12.1-NDcPP before 12.1-55.302
NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
What can I do?
Citrix have released patches for the impacted products. Citrix have reported that this is being actively exploited and seen in the wild, so it is advised that the patches are applied immediately.
Ivanti
CVE-2023-46805 - This is an authentication bypass which enables an attacker to access restricted resources by circumventing control checks.
CVE-2024-21887 - This is a command injection that lets authenticated admins execute arbitrary commands on vulnerable appliances.
Impacted Versions:
These vulnerabilities impact all supported versions, 9.x and 22.x.
What can I do?
Ivanti have released mitigation files, which can be found below; it is advised to install them immediately. Patches are being developed, but they are being staggered, with the first patches being released on January 22nd and the final patches released on February 19th.
Oracle
In their first Critical Patch Update of 2024, Oracle have released 389 security patches, addressing 200 vulnerabilities. Financial Services Applications were the most impacted, with 71 new security patches. Oracle have urged all customers to apply the patches as soon as possible, warning that it periodically receives reports of in-the-wild exploitation of issues for which it has released fixes.
SonicWall
CVE-2022-22274 - This is a buffer overflow which, if exploited successfully, allows a remote unauthenticated attacker to cause a denial of service or potentially achieve code execution on the firewall.
CVE-2023-0656 - This is a buffer overflow which, if exploited successfully, allows a remote unauthenticated attacker to cause a denial of service that could crash the impacted firewall.
What can I do?
SonicWall have released patches for affected products and it is advised to update to the latest available version.
VMware
CVE-2023-34063 – The affected products contain a missing access control vulnerability which, if successfully exploited, may lead to unauthorised access to remote organisations and workflows.
Impacted Versions:
VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)
VMware Cloud Foundation (4.x and 5.x)
What can I do?
VMware have released patches, linked in the Security Advisory below. It is advised to update as soon as possible; there are no workarounds.
Further Information
Atlassian
Further details on the Atlassian vulnerabilities can be found here:
https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html
Citrix NetScaler
Further details on the Citrix NetScaler vulnerabilities can be found here:
Ivanti
Further details on the Ivanti vulnerabilities can be found here:
Oracle
Further details on the Oracle vulnerabilities can be found here:
https://www.oracle.com/security-alerts/cpujan2024.html
SonicWall
Further details on the SonicWall vulnerabilities can be found here:
https://bishopfox.com/blog/its-2024-and-over-178-000-sonicwall-firewalls-are-publicly-exploitable
VMware
Further details on the VMware vulnerability can be found here:
https://www.vmware.com/security/advisories/VMSA-2024-0001.html
https://core.vmware.com/resource/vmsa-2024-0001-questions-answers
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 11 January 2024 – Microsoft Patch Tuesday, Adobe, Android, Cisco, and SAP Updates
Executive summary
In its first Patch Tuesday of 2024, Microsoft has provided updates to address 49 security issues across its product range, including two critical vulnerabilities (CVE-2024-20700 and CVE-2024-20674). None of these vulnerabilities are listed as publicly known or under active exploitation. The two critical vulnerabilities affect Hyper-V, allowing remote code execution, and Kerberos, enabling attackers to bypass security features.
In addition to the updates from Microsoft, this week also saw Adobe fix 6 vulnerabilities, Cisco patch 2 vulnerabilities, and Google address 59 Android vulnerabilities, none of which was rated critical in Android's own components, although three issues in Qualcomm components were. SAP also issued 12 new patches for its range of products, three of which were rated critical.
What’s the risk to me or my business?
If exploited, the Hyper-V vulnerability could allow an attacker to perform remote code execution, while the Kerberos vulnerability allows an attacker who can carry out a machine-in-the-middle attack to send a malicious message impersonating the Kerberos authentication server, bypassing security features.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the critical vulnerabilities. Other patches should be applied in a reasonable time frame.
Technical Summary
CVE-2024-20674: This Windows Kerberos security feature bypass, if exploited, allows an attacker who can carry out a machine-in-the-middle attack to impersonate the Kerberos authentication server.
CVE-2024-20700: This Windows Hyper-V vulnerability, if exploited, allows an attacker to perform remote code execution. Successful exploitation requires the attacker to first gain access to the restricted network before running an attack.
Adobe
This month, Adobe has released fixes for six vulnerabilities that affect Adobe Substance 3D Stager 2.1.3 and earlier versions. None of these vulnerabilities was rated as critical. Currently, Adobe is not aware of any active exploitation of these vulnerabilities. The vulnerabilities include issues such as arbitrary code execution and memory leaks.
Android
In Google’s January Security Bulletin for Android, 59 vulnerabilities are addressed, including three that are critical in the Qualcomm section. None of these vulnerabilities appear to have been discovered and exploited by criminals prior to the release of the patches. The vulnerabilities include issues such as elevation of privileges and information disclosure.
Cisco
Cisco has released updates to address two privilege escalation vulnerabilities in its Identity Services Engine (ISE). These vulnerabilities, first disclosed in September, require administrator-level privileges to exploit. Cisco has provided patches and there is no workaround.
SAP
This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. These patches address 3 critical vulnerabilities affecting a variety of SAP products. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.
Microsoft
Further details on other specific updates within this Patch Tuesday can be found here:
https://www.theregister.com/2024/01/09/january_patch_tuesday/
https://www.ghacks.net/2024/01/09/the-first-windows-security-updates-of-2024-are-here/
Adobe
Further details of the vulnerabilities addressed in Adobe Substance 3D Stager can be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html
Android
Further details on the Android patches can be found here:
https://source.android.com/docs/security/bulletin/2024-01-01
Cisco
Further details on the Cisco patch can be found here:
SAP
Further information on the vulnerabilities addressed by SAP can be found here:
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Black Arrow Cyber Advisory 28 September 2023 – Google Patches Actively Exploited Chrome Zero Day as Mozilla Fix High-Severity Vulnerabilities in Firefox and Thunderbird
Executive summary
A new actively exploited zero-day vulnerability in Google Chrome which can lead to remote code execution has been identified, with patches released. Also this week, Mozilla released updates for high-severity vulnerabilities in both Firefox and Thunderbird.
What’s the risk to me or my business?
The actively exploited vulnerability and high-severity vulnerabilities can allow an attacker to execute malicious code, compromising the confidentiality, integrity and availability of data.
What can I do?
Security updates are available for both browsers. The updates for Chrome are available in version 117.0.5938.132 and should be applied immediately. The updates for Firefox are available in version 118 and should be applied as soon as possible.
Technical Summary
CVE-2023-5217: an actively exploited zero-day heap-based buffer overflow in the VP8 encoder of the libvpx library used by Chrome, which can lead to execution of arbitrary code.
The security advisory from Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
The security advisory from Mozilla can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-41/
Black Arrow Cyber Advisory 13 September 2023 – Microsoft Patch Tuesday fixes 59 Vulnerabilities, including Two Actively Exploited, also Adobe, Chrome, Mozilla and SAP Updates
Executive summary
Microsoft’s September Patch Tuesday provides updates to address 59 security issues across its product range, including two actively exploited zero-day vulnerabilities. The exploited zero-days have both been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. Of the 59 security issues addressed by Microsoft, 5 were rated critical.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker to gain SYSTEM privileges or capture and relay hashes of user passwords to gain access to that users account. Both compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-36802: This actively exploited elevation of privilege vulnerability in the Microsoft Streaming Service Proxy allows a local attacker to gain SYSTEM privileges.
CVE-2023-36761: This actively exploited Microsoft Word information disclosure vulnerability can allow an attacker to obtain the NTLM hashes of users who open a malicious document, even if it is only displayed in the Preview Pane.
Adobe
This month, Adobe released fixes for 5 vulnerabilities, including 1 critical vulnerability, across Adobe Acrobat & Reader (1), Adobe Connect (2) and Adobe Experience Manager (2). The critical vulnerability, tracked as CVE-2023-26369, impacts both Windows and macOS versions of Adobe Acrobat & Reader and if exploited, can allow an attacker to execute malicious code.
Chrome
A new update for Google Chrome is available for Windows, Linux and macOS. The update contains 16 security fixes, including one critical and actively exploited vulnerability which could cause a denial of service or allow code execution.
Mozilla
Mozilla released fixes for two critical vulnerabilities, impacting Firefox and Thunderbird. The vulnerabilities could allow an attacker to perform code execution.
SAP
Enterprise software vendor SAP has addressed 13 vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP BusinessObjects Business Intelligence Platform. These include remote code execution and authentication bypass. A total of 5 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.
Further details on other specific updates within this Patch Tuesday can be found here:
https://www.ghacks.net/2023/09/12/the-windows-september-2023-security-updates-are-now-available/
Further information on Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
Further information on Adobe Connect can be found here:
https://helpx.adobe.com/security/products/connect/apsb23-33.html
Further information on Adobe Experience Manager can be found here:
https://helpx.adobe.com/security/products/experience-manager/apsb23-43.html
Further information on the patches by SAP can be found here:
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Further information on Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
Further information on Mozilla can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Black Arrow Cyber Advisory 10 August 2023 – Microsoft Patch Tuesday Fixes 86 Vulnerabilities, including Two Actively Exploited, and Adobe Updates Summary
Executive summary
Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884, CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.
What’s the risk to me or my business?
The vulnerabilities allow an attacker to remotely execute code and cause a denial of service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, the denial-of-service vulnerability, has been added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its “Known Exploited Vulnerabilities Catalog”.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities. Microsoft has also published a separate advisory for CVE-2023-36884.
Technical Summary
CVE-2023-36884: This vulnerability, if exploited allows threat actors to create specially crafted documents which bypass Mark of the Web (MoTW) security features, causing files to be opened with no warning, allowing a threat actor to perform remote code execution.
CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.
Adobe
In addition to Microsoft’s Patch Tuesday, Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities span Adobe Acrobat and Reader (16), Adobe Commerce and Adobe Dimension (2). Currently, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.
Further details on other specific updates within this Patch Tuesday can be found here:
Further details about CVE-2023-38180 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180
Further details about CVE-2023-36884 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
The advisory from Microsoft can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/ADV230003
Further information on CISA’s Known Exploited Vulnerabilities Catalog can be found here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html
Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html
Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html
Black Arrow Cyber Advisory 25 July 2023 – ‘Zenbleed’ Vulnerability Affecting AMD Zen2 Processors
Executive Summary
A vulnerability dubbed ‘Zenbleed’ was discovered in AMD's Zen 2 microarchitecture which could enable a malicious attacker to steal sensitive data, such as passwords and encryption keys. The Zenbleed vulnerability has been found to affect all AMD Zen 2 processors, including various models of the Ryzen and EPYC processor series. Zenbleed requires the ability to run code on the target system (a local account, or code inside a virtual machine or container on the same host) and a high degree of specialisation and knowledge to exploit; however, a proof of concept has now been publicly released.
What’s the risk to me or my business?
Exploitation of this vulnerability could compromise the confidentiality of data held on or accessed through an affected device, allowing an attacker to gain unauthorised access to sensitive data. In addition, because the attack requires no elevated privileges, detecting exploitation has been reported as almost impossible. This vulnerability could also allow a malicious actor in a shared tenancy environment to access information belonging to a different tenant running on the same server.
What can I do?
This vulnerability affects all Zen 2 class processors and as such it is essential to prioritise the upcoming updates to protect devices when they become available. AMD has released a security bulletin detailing the AGESA firmware updates which will be included within the BIOS updates for affected processors, and has classified the vulnerability as ‘Medium’ severity. Microcode updates have been released for the affected AMD EPYC processors; however, updates for the Desktop, Mobile, High-End Desktop and Workstation processors are scheduled for later in the year. Once OEMs have released BIOS updates it is strongly recommended that they are applied after appropriate testing has taken place.
In the meantime, a workaround (setting a control bit in a model-specific register, at some performance cost) has been published by the security researcher who discovered the vulnerability. If you are unsure whether you are impacted or how to implement the mitigation, you should contact your vendor or MSP. Please note that workarounds are not a permanent fix and Black Arrow maintains that the patches should be applied when available.
Technical Summary
CVE-2023-20593 – If successfully exploited, this vulnerability allows a malicious actor to read the contents of vector registers used by other processes on the same core, including those running in virtual machines, isolated containers and sandboxes.
Affected product ranges include:
2nd Generation AMD EPYC “Rome” Processors
AMD Ryzen 3000 and 4000 series Desktop Processors
AMD Ryzen Threadripper 3000 and 3000WX series High End Desktop and Workstation Processors
AMD Ryzen 4000, 5000 and 7020 series Mobile Processors
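The check and the interim workaround described above, as an added example written for this page (not code from the advisory, from AMD or from the researcher's writeup). It identifies Zen 2 parts from /proc/cpuinfo and applies the published workaround, which sets bit 9 of the DE_CFG model-specific register (0xc0011029) on every core. The family/model ranges are the ones the Linux kernel's Zenbleed check uses and should be confirmed against AMD-SB-7008 for your specific part; the /proc/cpuinfo text in the block is constructed so the check runs anywhere.

```sh
#!/bin/sh
# Added example; not code from the advisory, AMD or the researcher's writeup.
# (1) identify Zen 2 parts from /proc/cpuinfo, (2) apply the published interim
# workaround: set bit 9 of DE_CFG (MSR 0xc0011029) until firmware is updated.

# Pull one field from /proc/cpuinfo-style text ("key<tab>: value" lines);
# only the first matching line (processor 0) is used.
cpuinfo_field() {
    printf '%s\n' "$2" | awk -F': *' -v k="$1" '$1 ~ ("^" k "[ \t]*$") { print $2; exit }'
}

# Zen 2 is AMD family 0x17 (23 decimal). The model ranges are the ones the
# Linux kernel's Zenbleed check uses (assumption: confirm your part against
# AMD-SB-7008, which is the authoritative list).
zenbleed_affected() {   # $1 vendor_id, $2 cpu family (decimal), $3 model (decimal)
    [ "$1" = AuthenticAMD ] || { echo no; return 0; }
    [ "$2" = 23 ] || { echo no; return 0; }
    case "$(printf '0x%02x' "$3")" in
        0x3?) echo yes ;;   # 0x30-0x3f: 2nd Gen EPYC "Rome"
        0x6?) echo yes ;;   # 0x60-0x6f: Ryzen 4000 desktop/mobile, 5000 mobile
        0x7?) echo yes ;;   # 0x70-0x7f: Ryzen 3000, Threadripper 3000/3000WX
        0xa?) echo yes ;;   # 0xa0-0xaf: Ryzen 7020 mobile
        *)    echo no ;;
    esac
}

# Decide from a full /proc/cpuinfo text.
zenbleed_check_cpuinfo() {
    zb_v=$(cpuinfo_field vendor_id "$1")
    zb_f=$(cpuinfo_field 'cpu family' "$1")
    zb_m=$(cpuinfo_field model "$1")
    zenbleed_affected "$zb_v" "$zb_f" "$zb_m"
}

# DE_CFG value with the Zenbleed "chicken bit" (bit 9) set; idempotent.
zenbleed_mitigated_value() {
    printf '0x%x\n' $(( $1 | (1 << 9) ))
}

# Apply the workaround on every core (needs root, msr-tools and the msr module).
# The bit does not survive a reboot, so re-apply at boot until firmware is updated.
apply_zenbleed_workaround() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v rdmsr >/dev/null && command -v wrmsr >/dev/null \
        || { echo "install msr-tools" >&2; return 1; }
    modprobe msr 2>/dev/null || true
    zb_cur=$(rdmsr -c 0xc0011029)
    wrmsr -a 0xc0011029 "$(zenbleed_mitigated_value "$zb_cur")"
}

# Constructed sample (a Ryzen 9 3900X: family 23, model 0x71) standing in for
# the real /proc/cpuinfo so the check runs on any machine.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 23
model		: 113
model name	: AMD Ryzen 9 3900X 12-Core Processor'

echo "sample cpu affected: $(zenbleed_check_cpuinfo "$SAMPLE_CPUINFO")"
```

On a real host run `zenbleed_check_cpuinfo "$(cat /proc/cpuinfo)"` and, if it prints yes and no fixed microcode is installed, `apply_zenbleed_workaround` as root. Treat the MSR write as a stop-gap: it is per-boot, it has a performance cost, and the vendor BIOS/microcode update is the fix.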
Further details of the Zenbleed vulnerability can be found here:
https://lock.cmpxchg8b.com/zenbleed.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
Black Arrow Cyber Advisory 20 July 2023 – OpenSSH Remote Code Execution Vulnerability
Executive Summary
A remote code execution vulnerability has been discovered in the PKCS#11 support of OpenSSH’s ssh-agent, reachable when the agent is forwarded to a host under an attacker’s control. Although no CVSS rating has yet been assigned, OpenSSH is embedded in a very large number of systems and devices. A proof of concept (PoC) has also been made public by the Qualys Threat Research Unit.
Technical Summary
CVE-2023-38408 – Successful exploitation of this vulnerability allows an attacker who controls a server to which an OpenSSH ssh-agent has been forwarded to execute commands on the host running that agent.
What’s the risk to me or my business?
Successful exploitation of this vulnerability can compromise the confidentiality, integrity and availability of the data in your organisation. This can result in a malicious actor gaining unauthorised access to sensitive data, manipulating or deleting important information, or even a complete system takeover. The publicly released PoC targets Ubuntu Desktop 22.04 and 21.10; however, the Qualys Threat Research Unit has advised that other Linux distributions are “likely vulnerable and probably exploitable”.
What can I do?
The fix for this vulnerability is available in OpenSSH 9.3p2. Given the widespread use of OpenSSH’s forwarded ssh-agent in devices, software and applications, it is important to prioritise applying the patches provided by OpenSSH (or your distribution’s backport of them). Black Arrow recommends performing vulnerability scanning to identify any devices and software impacted by this vulnerability.
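A version check and the two mitigations from the OpenSSH 9.3p2 release notes, as an added example for this page (not code from OpenSSH or from Qualys). The version strings and the client configuration in the block are constructed; on a real host pass it `ssh -V` output and your own ssh_config.

```sh
#!/bin/sh
# Added example; not OpenSSH's or Qualys's code. Flags OpenSSH builds older
# than the fixed 9.3p2 and shows the two mitigations from the 9.3p2 release
# notes: run ssh-agent with an empty PKCS#11/FIDO provider allowlist, or stop
# forwarding the agent to hosts you do not fully trust.

# "major minor patch" from `ssh -V` output such as
# "OpenSSH_9.3p1, OpenSSL 3.0.2 15 Mar 2022" or "OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, ...".
openssh_version_tuple() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Prints "vulnerable" below 9.3p2, "fixed" at or above it, "unknown" if the
# string does not parse. Caveat: distributions backport fixes without bumping
# the upstream version, so "vulnerable" means "check the distro changelog".
openssh_38408_status() {
    set -- $(openssh_version_tuple "$1")
    [ $# -eq 3 ] || { echo unknown; return 0; }
    if [ "$1" -lt 9 ] \
       || { [ "$1" -eq 9 ] && [ "$2" -lt 3 ]; } \
       || { [ "$1" -eq 9 ] && [ "$2" -eq 3 ] && [ "$3" -lt 2 ]; }; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Mitigation 1: with an empty provider allowlist the agent refuses every
# PKCS#11 library load request, so a forwarded socket cannot be used to make
# it dlopen() attacker-chosen libraries (-P needs OpenSSH 8.9 or later).
start_hardened_agent() {
    eval "$(ssh-agent -P '' -s)"
}

# Mitigation 2: list Host blocks in an ssh_config-style text that enable
# ForwardAgent; forwarding is what exposes the local agent to a compromised
# server. Prints the first pattern of each Host line, "(global)" if none.
hosts_forwarding_agent() {
    printf '%s\n' "$1" | awk '
        BEGIN { host = "(global)" }
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }'
}

# Constructed sample client config; replace with ~/.ssh/config or /etc/ssh/ssh_config.
SAMPLE_SSH_CONFIG='Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host build
    HostName build.example.com
    ForwardAgent no

Host *
    ForwardAgent yes'

echo "status of OpenSSH_9.3p1: $(openssh_38408_status 'OpenSSH_9.3p1, OpenSSL 3.0.2 15 Mar 2022')"
echo "agent forwarded to: $(hosts_forwarding_agent "$SAMPLE_SSH_CONFIG" | tr '\n' ' ')"
```

`ssh -V` prints to stderr, so call `openssh_38408_status "$(ssh -V 2>&1)"`, and `hosts_forwarding_agent "$(cat ~/.ssh/config)"` for the live config. The allowlist mitigation only applies where the agent is run with the flag; a `ForwardAgent yes` under `Host *` exposes the agent to every server the user connects to, which is the case to fix first.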
More information on the OpenSSH vulnerability can be found here:
An in-depth breakdown of the vulnerability can be found here:
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
Black Arrow Cyber Advisory 19 July 2023 – Critical Citrix ADC and Gateway flaw actively exploited
Executive Summary
Citrix have released a patch for three vulnerabilities, including one critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). If exploited, the critical vulnerability allows an unauthenticated malicious actor to perform remote code execution. The other two vulnerabilities allow an attacker to gain root administrator permissions and deliver malicious files and links to a victim.
Technical Summary
CVE-2023-3519 – This is a critical vulnerability which allows an unauthenticated attacker to perform remote code execution. It is exploitable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.
CVE-2023-3466 – This vulnerability, rated high, is a reflected cross-site scripting flaw which allows an attacker to deliver malicious files, links and emails. It requires the victim to open an attacker-controlled link in a browser while on a network with connectivity to the appliance’s NSIP.
CVE-2023-3467 – This vulnerability, rated high, allows an attacker to escalate privileges to root administrator (nsroot). It requires authenticated access to the NSIP or a SNIP with management interface access.
What’s the risk to me or my business?
The vulnerabilities allow for a range of attacks such as unauthenticated remote code execution, privilege escalation to root as well as enabling an attacker the ability to distribute malicious files, links, and emails to users. All of which compromise the confidentiality, integrity, and availability of the data in your organisation.
Impacted versions of the products include the following:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to one of the supported versions that address the vulnerabilities.
What can I do?
Citrix recommends upgrading to one of the following fixed builds:
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
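A build check against the fixed versions listed above, as an added example written for this page (not Citrix’s code). It assumes the operator supplies the branch (13.1, 13.0, 13.1-FIPS, 12.1-FIPS, 12.1-NDcPP or 12.1) and the build number as shown by `show version`, whose first line is assumed to look like `NetScaler NS13.1: Build 48.47.nc, Date: ...`; FIPS and NDcPP builds cannot be told apart from that line alone, so the branch must be given explicitly for those appliances. The sample version line is constructed.

```sh
#!/bin/sh
# Added example; not Citrix's code. Decides whether a NetScaler ADC/Gateway
# build is below the first fixed build for its branch, using the thresholds
# from the advisory.

# Compare two "major.minor" build numbers numerically; prints -1, 0 or 1.
build_cmp() {
    a_maj=${1%%.*}; a_min=${1#*.}
    b_maj=${2%%.*}; b_min=${2#*.}
    if   [ "$a_maj" -lt "$b_maj" ]; then printf '%s\n' -1
    elif [ "$a_maj" -gt "$b_maj" ]; then printf '%s\n' 1
    elif [ "$a_min" -lt "$b_min" ]; then printf '%s\n' -1
    elif [ "$a_min" -gt "$b_min" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# First fixed build per branch, as listed in the advisory; empty = no fix (EOL).
fixed_build_for() {
    case "$1" in
        13.1)                 echo 49.13 ;;
        13.0)                 echo 91.13 ;;
        13.1-FIPS)            echo 37.159 ;;
        12.1-FIPS|12.1-NDcPP) echo 55.297 ;;
        *)                    echo "" ;;
    esac
}

# Prints "vulnerable", "patched" or "eol" for a branch/build pair.
netscaler_status() {   # $1 branch, $2 build
    ns_fixed=$(fixed_build_for "$1")
    if [ -z "$ns_fixed" ]; then
        echo eol
    elif [ "$(build_cmp "$2" "$ns_fixed")" -lt 0 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Extract "<branch> <build>" from the first line of `show version`, which
# (assumption) looks like "NetScaler NS13.1: Build 48.47.nc, Date: ...".
parse_show_version() {
    printf '%s\n' "$1" | sed -n 's/^NetScaler NS\([0-9][0-9]*\.[0-9][0-9]*\): Build \([0-9][0-9]*\.[0-9][0-9]*\)\..*/\1 \2/p'
}

# Constructed sample version line; replace with the real `show version` output.
SAMPLE_SHOW_VERSION='NetScaler NS13.1: Build 48.47.nc, Date: Jun 15 2023, 21:59:39'
set -- $(parse_show_version "$SAMPLE_SHOW_VERSION")
echo "branch $1 build $2: $(netscaler_status "$1" "$2")"
```

A build reported as vulnerable on an internet-facing Gateway or AAA virtual server should be treated as potentially already compromised, since the critical flaw was exploited before the fix was released: upgrade, then review the appliance for unexpected files and accounts rather than assuming the patch alone closes the incident.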
More information on the Citrix ADC and Gateway flaw vulnerability can be found here:
Black Arrow Cyber Advisory 17 July 2023 – Cisco SD-WAN vManage Vulnerable to Remote Unauthenticated Access
Executive Summary
A critical vulnerability (CVE-2023-20214) has been identified and addressed in Cisco's network management software, SD-WAN vManage. The vulnerability allows a remote unauthenticated attacker to gain read or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. It affects only the REST API and does not affect the web-based management interface or the command line interface.
What’s the risk to me or my business?
Successful exploitation of the critical vulnerability allows a remote unauthenticated threat actor to read sensitive information from the compromised system, modify certain configurations and disrupt network operations. This compromises the confidentiality, integrity and availability of data in your organisation.
The following Cisco SD-WAN vManage versions are affected by the vulnerability:
v20.6.3.3 – fixed in v20.6.3.4
v20.6.4 – fixed in v20.6.4.2
v20.6.5 – fixed in v20.6.5.5
v20.7 – Migrate to a fixed release
v20.8 – Migrate to a fixed release
v20.9 – fixed in v20.9.3.2
v20.10 – fixed in v20.10.1.2
v20.11 – fixed in v20.11.1.2
What can I do?
There are no workarounds for the critical vulnerability. As such, it is advised that patches are applied immediately. For versions v20.7 and v20.8, Cisco advises customers to migrate to a fixed release. Cisco has also given advice on reducing the attack surface, including monitoring the vManage server log for requests to the REST API and restricting access to the vManage instance to specified IP addresses using access control lists. If you are unsure, check with your MSP or network team to ensure these are in place.
More information on the Cisco SD-WAN vManage vulnerability can be found here:
Black Arrow Cyber Advisory 12 July 2023 – Microsoft Patch Tuesday, including 6 actively exploited vulnerabilities, and Adobe Updates
Executive summary
Microsoft’s July 2023 Patch Tuesday provides updates to address 138 security issues across its product range, including six actively exploited zero-day vulnerabilities. The exploited zero-days affect a range of Microsoft Windows and Office components and are used to bypass security features, elevate privileges and perform remote code execution. Among the updates provided by Microsoft, 9 addressed critical vulnerabilities.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker with standard user access, to gain elevated privileges, or install kernel drivers, depending on the exploit used. Other risks such as bypassing security features of Microsoft Outlook and performing remote code execution can occur. This could allow an attacker to further compromise the confidentiality, integrity and availability of the organisation’s information assets.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities. Other mitigations have been provided by Microsoft and can be found in the Further Details section below.
Technical Summary
CVE-2023-32046 – This actively exploited vulnerability in the MSHTML platform could allow an attacker to gain the rights of the user running the affected application.
CVE-2023-32049 – This actively exploited vulnerability in Windows SmartScreen allows an attacker to bypass security features, including the security warning prompt.
CVE-2023-36874 – This actively exploited vulnerability in the Windows Error Reporting Service allows an attacker to elevate privileges and gain administrator rights.
CVE-2023-36884 – This actively exploited vulnerability in Office and Windows HTML allows an attacker to perform remote code execution.
CVE-2023-35311 – This actively exploited vulnerability in Microsoft Outlook bypasses a security feature; to exploit it an attacker would have to get a user to click on a specially crafted link through phishing or social engineering.
ADV230001 – This advisory concerns Microsoft-signed drivers that were maliciously used in post-exploitation activity; the attackers abused a loophole in Windows driver-signing policy to get malicious kernel-mode drivers signed and installed.
Adobe
This month, Adobe released fixes for 4 vulnerabilities, of which 3 were rated critical, across Adobe InDesign and Adobe ColdFusion. Currently, Adobe is not aware of any active exploitation of the listed vulnerabilities; however, the advice is to update the affected products according to the priority rating given in the details below. The vulnerabilities include remote code execution, memory leak and security bypass.
Further details on other specific updates within this patch Tuesday can be found here:
Further details about CVE-2023-32046 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32046
Further details about CVE-2023-32049 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32049
Further details about CVE-2023-36874 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874
Further details about CVE-2023-36884 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Further details about CVE-2023-35311 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311
Further details about ADV230001 can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230001
Further details of the vulnerabilities addressed in Adobe InDesign can be found here:
https://helpx.adobe.com/security/products/indesign/apsb23-38.html
Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here:
https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
Black Arrow Cyber Advisory - 26 June 2023 – Organisations Urged to Address Critical Vulnerability Found in Fortinet’s FortiNAC Products
Executive summary
A critical vulnerability has been identified and addressed in Fortinet FortiNAC products. Fortinet’s FortiNAC is a network access control solution and successful exploitation of the critical vulnerability allows a threat actor to remotely execute code without requiring authentication. In addition, another vulnerability which allowed improper local access in FortiNAC has been addressed.
What’s the risk to me or my business?
The vulnerabilities, if exploited, could allow an attacker to remotely execute code as well as copy local files. Both of which compromise the confidentiality, integrity and availability of data in your organisation.
Technical Summary
CVE-2023-33299 – This critical vulnerability is a deserialisation of untrusted data, allowing an unauthenticated user to execute code or commands via specially crafted requests to the service on TCP port 1050.
CVE-2023-33300 – This vulnerability allows an unauthenticated attacker to copy local files to other local folders on the device through specially crafted input fields. It requires local access.
What can I do?
There is no mitigation advice for the critical vulnerability (CVE-2023-33299). As such, customers are urged to immediately upgrade their FortiNAC version depending on the affected product in use. There is no upgrade available for any FortiNAC products running version 8.x. The other vulnerability, CVE-2023-33300, requires users on affected versions to upgrade to 9.4.4 or above or 7.2.2 or above.
Affected products for the critical vulnerability and their patches include:
FortiNAC version 9.4.0 through 9.4.2 upgrade to 9.4.3 or above
FortiNAC version 9.2.0 through 9.2.7 upgrade to 9.2.8 or above
FortiNAC version 9.1.0 through 9.1.9 upgrade to 9.1.10 or above
FortiNAC version 7.2.0 through 7.2.1 upgrade to 7.2.2 or above
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
Affected products for CVE-2023-33300 include:
FortiNAC 9.4.0 through 9.4.3 upgrade to 9.4.4 or above
FortiNAC 7.2.0 through 7.2.1 upgrade to 7.2.2 or above
Further details on Fortinet’s advisories for the critical vulnerability can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-074
Further details on Fortinet’s advisory for CVE-2023-33300 can be found here
https://www.fortiguard.com/psirt/FG-IR-23-096
Black Arrow Cyber Advisory - 22 June 2023 – Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari
Executive summary
Apple has released updates for iOS, iPadOS, macOS, watchOS and the Safari browser. These updates address a set of flaws that were actively exploited in the wild, the most severe of which allows an attacker to achieve arbitrary code execution.
What’s the risk to me or my business?
Depending on the privileges associated with the user, an attacker who successfully exploits these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of any organisational information that could be accessed from the affected asset.
Technical Summary
The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.
CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
CVE-2023-32435 – This is a memory corruption vulnerability in Webkit that could lead to arbitrary code execution when processing specially crafted web content.
The updates are available for the following platforms:
iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
watchOS 9.5.2 - Apple Watch Series 4 and later
watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
Safari 16.5.1 - Macs running macOS Monterey
What can I do?
It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.
Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222
Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild
An update to the advisory published on 8 June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns
Executive summary
VMware has confirmed that the critical-rated CVE-2023-20887 has been exploited in the wild. This vulnerability affects VMware Aria Operations for Networks (formerly known as vRealize Network Insight) and allows a malicious actor with network access to the product to perform remote code execution (RCE) via command injection.
What’s the risk to me or my business?
If exploited, the command injection gives the attacker unrestricted code execution as root on the appliance, compromising the confidentiality, integrity, and availability of data in your organisation.
Impacted versions include: VMware Aria Operations for Networks version 6.x.
What can I do?
VMware recommends applying the patches it has made available for the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9 and 6.10.
There are no workarounds for this vulnerability.
Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html
Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684
Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates
Executive summary
Microsoft’s June Patch Tuesday provides updates to address 78 security issues across its product range, including 6 critical vulnerabilities. June’s Patch Tuesday does not include any zero-day or actively exploited bugs. The critical vulnerabilities include privilege escalation in Microsoft SharePoint; remote code execution in Microsoft Exchange Server, Windows PGM, .NET, .NET Framework and Visual Studio; and a denial of service in Windows Hyper-V.
What’s the risk to me or my business?
If exploited, these vulnerabilities would allow an attacker to gain system privileges, execute code remotely or cause a denial of service, compromising the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible, especially those that have a critical severity rating.
Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/06/13/the-windows-june-2023-security-patches-are-here-and-address-these-issues/