Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Advisory 05 October 2023 – Apple Release Emergency Patch for Two Zero-day Vulnerabilities, Taking Total to 17 Zero-days So Far in 2023
Executive Summary
Apple have released emergency updates to patch two zero-day vulnerabilities, including one actively exploited vulnerability, which target iPhone and iPad devices. The vulnerabilities allow an attacker to escalate privileges and perform remote code execution.
What’s the risk to me or my business?
Exploitation allows an attacker to elevate their privileges to the highest available and perform code execution. This allows attackers to perform actions such as extracting messages, photos, emails, and recording calls, impacting the confidentiality, integrity and availability of data.
Patches are available for:
iPhone XS and later
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
Technical Summary:
CVE-2023-42824 – A kernel vulnerability allowing local attackers to escalate privileges on vulnerable iPhones and iPads. This vulnerability has been exploited against versions of iOS before 16.6.
CVE-2023-5217 – A heap buffer overflow weakness in libvpx which could allow code execution.
What can I do?
Users are recommended to apply the patches immediately, due to the active exploitation in the wild. Organisations should also be aware that employees using Apple BYOD devices will need to apply the relevant patches, as the vulnerabilities impact corporate information which the devices have access to.
Further information can be found below:
Black Arrow Cyber Advisory 28 September 2023 – Critical Exploits for On Premise Version of Microsoft SharePoint
Executive Summary
Researchers who discovered two critical vulnerabilities in Microsoft SharePoint Server have released details of an exploit which chains the two together to allow an attacker to enable remote code execution on affected servers. One of the vulnerabilities, which has had a proof of concept released this week, allows a malicious attacker to gain administrator privileges from a non-privileged account. The other vulnerability allows the attacker to execute arbitrary code on SharePoint servers. Microsoft has issued patches that address these vulnerabilities in its monthly security update for May and June.
Technical Summary
CVE-2023-29357 – This is a critical vulnerability which allows an attacker to use spoofed JWT authentication tokens to bypass authentication and gain the privileges of an authenticated user. The attacker does not need any privileges to exploit this vulnerability.
CVE-2023-24955 – This is a critical vulnerability which allows an attacker to execute arbitrary code on the vulnerable SharePoint servers.
What’s the risk to me or my business?
The vulnerabilities, when chained together, allow an attacker to elevate to a privileged account and perform remote code execution. This gives an attacker the ability to distribute malicious files, links, and emails to users. This access allows the attacker to compromise the confidentiality, integrity, and availability of the data in your organisation.
The impacted on-premises products include the following:
SharePoint Server 2019
SharePoint Server 2016
SharePoint Server Subscription Edition
What can I do?
Microsoft have released patches for these vulnerabilities in its monthly security updates for May and June. They also advise that, if multiple updates are available, all of them should be applied to ensure that the product is secure.
More information on the SharePoint Server Remote Code Execution Vulnerability:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24955
More information on the SharePoint Server Elevation of Privilege Vulnerability:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Advisory 28 September 2023 – Apple macOS 14 Sonoma Patches 60 Vulnerabilities
Executive Summary
Earlier this week Apple announced the release of macOS 14 Sonoma. A security update from Apple shows that this latest version patches more than 60 vulnerabilities.
What’s the risk to me or my business?
The vulnerabilities can be exploited to obtain sensitive information, execute code, elevate privileges, bypass security and modify the file system, all of which impact the confidentiality, integrity and availability of a vulnerable device. Patches are available for:
Mac Studio (2022 and later)
iMac (2019 and later)
Mac Pro (2019 and later)
Mac mini (2018 and later)
MacBook Air (2018 and later)
MacBook Pro (2018 and later)
iMac Pro (2017)
What can I do?
The update should be applied as soon as possible. Organisations should also be aware that the vulnerabilities will impact employees with Apple BYOD, as these devices will have access to corporate information.
Further information can be found below:
https://support.apple.com/en-us/HT213940
https://www.securityweek.com/macos-14-sonoma-patches-60-vulnerabilities/
Black Arrow Cyber Advisory 28 September 2023 – Google Patches Actively Exploited Chrome Zero Day as Mozilla Fix High-Severity Vulnerabilities in Firefox and Thunderbird
Executive summary
A new actively exploited zero-day vulnerability in Google Chrome which can lead to remote code execution has been identified, with patches released. Also this week, Mozilla released updates for high-severity vulnerabilities in both Firefox and Thunderbird.
What’s the risk to me or my business?
The actively exploited vulnerability and high-severity vulnerabilities can allow an attacker to execute malicious code, compromising the confidentiality, integrity and availability of data.
What can I do?
Security updates are available for both browsers. The updates for Chrome are available in version 117.0.5938.132 and should be applied immediately. The updates for Firefox are available in version 118 and should be applied as soon as possible.
Technical Summary
CVE-2023-5217: an actively exploited zero-day heap-based buffer overflow which can lead to execution of arbitrary code.
The security advisory from Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
The security advisory from Firefox can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-41/
Black Arrow Cyber Advisory 13 September 2023 – Microsoft Patch Tuesday fixes 59 Vulnerabilities, including Two Actively Exploited, also Adobe, Chrome, Mozilla and SAP Updates
Executive summary
Microsoft’s September Patch Tuesday provides updates to address 59 security issues across its product range, including two actively exploited zero-day vulnerabilities. The exploited zero-days have both been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. Of the 59 security issues addressed by Microsoft, 5 were rated critical.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker to gain SYSTEM privileges or capture and relay hashes of user passwords to gain access to that user’s account. Both compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-36802: This actively exploited vulnerability allows a local attacker to gain SYSTEM privileges.
CVE-2023-36761: This actively exploited vulnerability can allow an attacker to steal the NTLM password hashes of users who open a document, even if just in the preview pane.
Adobe
This month, Adobe released fixes for 5 vulnerabilities, including 1 critical vulnerability, across Adobe Acrobat & Reader (1), Adobe Connect (2) and Adobe Experience Manager (2). The critical vulnerability, tracked as CVE-2023-26369, impacts both Windows and macOS versions of Adobe Acrobat & Reader and if exploited, can allow an attacker to execute malicious code.
Chrome
A new update for Google Chrome is available for Windows, Linux and macOS. The update addresses 16 security fixes, including one critical and actively exploited vulnerability which could cause a denial of service or allow code execution.
Mozilla
Mozilla released fixes for two critical vulnerabilities, impacting Firefox and Thunderbird. The vulnerabilities could allow an attacker to perform code execution.
SAP
Enterprise software vendor SAP has addressed 13 vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP BusinessObjects Business Intelligence Platform. These include remote execution and authentication bypass. A total of 5 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.
Further details on other specific updates within this Patch Tuesday can be found here:
https://www.ghacks.net/2023/09/12/the-windows-september-2023-security-updates-are-now-available/
Further information on Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
Further information on Adobe Connect can be found here:
https://helpx.adobe.com/security/products/connect/apsb23-33.html
Further information on Adobe Experience Manager can be found here:
https://helpx.adobe.com/security/products/experience-manager/apsb23-43.html
Further information on the patches by SAP can be found here:
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Further information on Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
Further information on Mozilla can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Black Arrow Cyber Advisory 08 September 2023 – Apple Discloses 2 New Zero-days Actively Exploited to Attack iPhones and Macs
Executive Summary
Apple have released emergency updates to fix two new actively exploited zero-day vulnerabilities which target iPhone and Mac users. The vulnerabilities, if exploited on an unpatched Apple device, allow attackers to execute arbitrary code through the use of maliciously crafted images and attachments.
What’s the risk to me or my business?
Exploitation of the vulnerabilities has already been used as part of zero-click iMessage exploits to deploy Pegasus mercenary software. This allows attackers to execute code to perform actions such as extracting messages, photos, emails, and recording calls, impacting the confidentiality, integrity and availability of data.
Patches are available in:
macOS Ventura 13.5.2: Available for devices running macOS Ventura.
iOS 16.6.1 and iPadOS 16.6.1: Available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Technical Summary:
CVE-2023-41064 – A buffer overflow weakness that, when processing maliciously crafted images, can lead to arbitrary code execution.
CVE-2023-41061 – A validation issue which can be exploited through a malicious attachment to also gain arbitrary code execution.
What can I do?
Users are recommended to apply the patches as soon as possible due to their active exploitation in the wild. Organisations should also be aware that employees using Apple BYOD devices will need to apply the relevant patches, as the vulnerabilities impact corporate information which the devices have access to.
Further information can be found below:
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
Executive Summary
Following the previous advisory on the Citrix Netscaler ADC vulnerability (CVE-2023-3519), the NCC Group has identified that as of 14 August, 1828 Citrix NetScaler servers remain compromised or ‘backdoored’ by attackers. Approximately 69% of the servers that contain a backdoor have been updated to remediate the vulnerability and are no longer vulnerable to CVE-2023-3519. This means that the affected systems were compromised by a malicious actor prior to the updates being applied, allowing the malicious actor to establish persistent access to the systems even after the vulnerability has been remediated.
What’s the risk to me or my business?
Successful exploitation of the vulnerability prior to updating would allow an attacker to perform arbitrary code execution with administrator privileges. The main attack campaign is believed to have taken place between late 20 July and early 21 July. If updates were not applied to affected and vulnerable systems prior to this date, exploitation may have already taken place.
Further information on the vulnerability can be found on our previous advisory linked below.
What can I do?
If you have not already updated to a Citrix version that resolves this vulnerability, Black Arrow recommends applying these updates urgently. All affected systems, updated and vulnerable, should be scanned for indicators of compromise (IoCs). Mandiant have released a tool that can help organisations to scan their Citrix devices for evidence of post-exploitation indicators. If IoCs are identified, then forensic data should be secured by taking a copy of both the disk and the memory of the appliance before any remediation or investigative actions are completed. If evidence of persistence such as a webshell is found, then this should be investigated through threat hunting techniques to establish the extent of the incident whilst conducting containment and remediation activities.
More information on the NetScaler vulnerability:
Information on the Mandiant Tool:
https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
Further information on the study of the exploited devices:
Previous Advisory: https://www.blackarrowcyber.com/blog/advisory-19-july-2023-citrix-vulns-exploited
Black Arrow Cyber Advisory 10 August 2023 – Microsoft Patch Tuesday Fixes 86 Vulnerabilities, including Two Actively Exploited, and Adobe Updates Summary
Executive summary
Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884, CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.
What’s the risk to me or my business?
The vulnerabilities allow an attacker to remotely execute code and cause a denial-of-service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, which is a denial-of-service vulnerability, has been recorded by the US Cybersecurity and Infrastructure Security Agency (CISA) in its “Known Exploited Vulnerabilities” Catalogue.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities. Microsoft has also published a separate advisory for CVE-2023-36884.
Technical Summary
CVE-2023-36884: This vulnerability, if exploited, allows threat actors to create specially crafted documents which bypass Mark of the Web (MoTW) security features, causing files to be opened with no warning and allowing a threat actor to perform remote code execution.
CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.
Adobe
In addition to Microsoft’s Patch Tuesday, Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities spanned across Adobe Acrobat and Reader (16), Adobe Commerce and Adobe Dimension (2). At present, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.
Further details on other specific updates within this Patch Tuesday can be found here:
Further details about CVE-2023-38180 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180
Further details about CVE-2023-36884 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
The advisory from Microsoft can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/ADV230003
Further information on CISA’s Known Exploited Vulnerabilities Catalog can be found here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html
Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html
Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html
Black Arrow Cyber Advisory 25 July 2023 – ‘Zenbleed’ Vulnerability Affecting AMD Zen2 Processors
Executive Summary
A vulnerability dubbed ‘Zenbleed’ was discovered in AMD's Zen2 microarchitecture which could enable a malicious attacker to steal sensitive data, such as passwords and encryption keys. The Zenbleed vulnerability has been found to affect all AMD Zen 2 processors, including various models of the Ryzen processor and EPYC processor series. Zenbleed requires local account access to the target system and a high degree of specialization and knowledge to exploit; however, a proof of concept has now been publicly released.
What’s the risk to me or my business?
Exploitation of this vulnerability could compromise the confidentiality of data held or accessed through an affected device, allowing an attacker to gain unauthorised access to sensitive data. In addition, detection of the exploitation has been reported as almost impossible due to there being no requirement for elevated privileges to perform the attack. This vulnerability could also allow a malicious actor on a shared tenancy environment to access information running on the same server from a different tenant.
What can I do?
This vulnerability affects all Zen 2 class processors and as such it is essential to prioritise applying the upcoming updates when they become available, to protect devices from this vulnerability. AMD has released a security bulletin detailing the AGESA firmware updates which will be included within the BIOS updates for affected processors, and has classified the vulnerability as ‘Medium’ severity. Microcode updates have been created for the affected AMD EPYC processors; however, updates for the Desktop, Mobile, High-end Desktop and Workstation processors are scheduled for later in the year. Once OEMs have released BIOS updates it is strongly recommended that they are applied after appropriate testing has taken place.
In the meantime, a workaround has been recommended by the security researcher who discovered the vulnerability. If you are unsure whether you are impacted or how to implement the mitigation, then you should contact your vendor/MSP. Please note, workarounds are not a permanent fix and Black Arrow maintains that the patches should be applied when available.
Technical Summary
CVE-2023-20593 – If successfully exploited this vulnerability allows a malicious actor to access sensitive data from any system operation including those taking place in virtual machines, isolated containers, and sandboxes.
Affected product ranges include:
2nd Generation AMD EPYC “Rome” Processors
AMD Ryzen 3000 and 4000 series Desktop Processors
AMD Ryzen Threadripper 3000 and 3000WX series High End Desktop and Workstation Processors
AMD Ryzen 4000, 5000 and 7020 series Mobile Processors
Further details of the Zenbleed vulnerability can be found here:
https://lock.cmpxchg8b.com/zenbleed.html
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
Black Arrow Cyber Advisory 25 July 2023 – Newly Exploited Apple-Zero Day Addressed, Patch Now
Executive Summary
Apple has recently released multiple patches, covering a number of vulnerabilities, including one actively exploited zero-day. The zero-day vulnerability has been found to affect devices running vulnerable versions of iOS, iPadOS, macOS, tvOS, watchOS and Safari. The actively exploited zero-day allows threat actors to obtain the highest privileges available (kernel privileges) on affected devices. Earlier this month, another actively exploited zero day, CVE-2023-37450, was addressed by Apple through a Rapid Security Response update.
What’s the risk to me or my business?
Exploitation of the vulnerability could allow an attacker unauthorised access to sensitive data, allowing them to manipulate or delete important information, or even take over the entire device, compromising the confidentiality, integrity, and availability of the data held by an exploited device. In some cases, threat actors are exploiting the vulnerability to install spyware on vulnerable devices.
What can I do?
Given the widespread use of Apple devices for both corporate and personal use, it is important to prioritise the application of the released patches to protect devices. Apple has also released patches addressing these vulnerabilities for products that are no longer supported. We recommend updating your devices promptly to these latest versions. Apple has acknowledged active exploitation of these vulnerabilities and as such recommends updating immediately. Organisations who do not use Apple devices, but have a bring your own device policy should consider whether this may include Apple devices.
Apple have addressed the zero-day in the following versions:
macOS Ventura 13.5
iOS 16.6
iPadOS 16.6
Safari 16.6
tvOS 16.6
watchOS 9.6
Technical Summary
CVE-2023-38606 – Successful exploitation of this flaw could lead to a threat actor obtaining kernel privileges (the highest available). This allows the malicious actor to “modify sensitive kernel state”.
Information on all vulnerabilities addressed can be found in the links below:
Further information on the iOS and iPadOS vulnerabilities can be found here:
https://support.apple.com/en-us/HT213841
Further information on the Mac vulnerabilities can be found here:
https://support.apple.com/en-us/HT213843
Further information on the Safari vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213847
Further information on the tvOS vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213846
Further information on the watchOS vulnerabilities can be found here:
https://support.apple.com/en-gb/HT213848
Black Arrow Cyber Advisory 20 July 2023 – OpenSSH Remote Code Execution Vulnerability
Executive Summary
A remote code execution vulnerability has been discovered in OpenSSH’s forwarded ssh-agent. This vulnerability could potentially enable a remote attacker to execute arbitrary commands on a vulnerable system. Whilst this vulnerability has currently not been given a CVSS rating, it is embedded in a significant number of systems and devices. A proof of concept (PoC) has also been made public by Qualys Threat Research Unit.
Technical Summary
CVE-2023-38408 – Successful exploitation of this vulnerability allows a remote attacker to execute commands on vulnerable OpenSSH forwarded ssh-agents.
What’s the risk to me or my business?
Successful exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the data in your organisation. This can result in a malicious actor gaining unauthorised access to sensitive data, manipulation, or deletion of important information, or even a complete system takeover. The publicly released PoC exploits focus on Ubuntu Desktop 22.04 and 21.10, however Qualys Threat Research Unit have advised other Linux distributions are “likely vulnerable and probably exploitable”.
The patch for this vulnerability is available in OpenSSH 9.3p2.
What can I do?
Given the widespread use of OpenSSH's forwarded ssh-agent in devices, software and applications, it is important to prioritise the application of patches provided by OpenSSH for this vulnerability. Black Arrow recommends performing vulnerability scanning to identify any devices and software that have been impacted by this vulnerability.
More information on the OpenSSH vulnerability can be found here:
An in-depth breakdown of the vulnerability can be found here:
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
Black Arrow Cyber Advisory 19 July 2023 – Critical Citrix ADC and Gateway flaw actively exploited
Executive Summary
Citrix have released a patch for three vulnerabilities, including one critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). If exploited, the critical vulnerability allows an unauthenticated malicious actor to perform remote code execution. The other two vulnerabilities allow an attacker to gain root administrator permissions and deliver malicious files and links to a victim.
Technical Summary
CVE-2023-3519 – This is a critical vulnerability which allows an unauthenticated attacker to perform remote code execution. For it to work it requires the appliance to be configured as a gateway.
CVE-2023-3466 – This vulnerability, categorised as high, allows an attacker to perform reflected cross-site scripting, allowing them to deliver malicious files, links, and emails. For it to work, it requires the victim to access an attacker-controlled link in the browser while being on the network.
CVE-2023-3467 – This vulnerability, categorised as high, allows an attacker to perform privilege escalation to gain the highest privileges available. For successful exploitation the attacker needs to have authenticated access to the management interface.
What’s the risk to me or my business?
The vulnerabilities allow for a range of attacks such as unauthenticated remote code execution and privilege escalation to root, as well as enabling an attacker to distribute malicious files, links, and emails to users, all of which compromise the confidentiality, integrity, and availability of the data in your organisation.
Impacted versions of the products include the following:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to one of the supported versions that address the vulnerabilities.
What can I do?
Citrix recommends applying the patches, which they have made available in the following versions:
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
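The fixed builds listed above can be checked against an appliance inventory with a short script. This is an added example, not code from Citrix or from the advisory's author; the `release-build` version string format follows the advisory, and the host names and sample builds are constructed. A "fixed" result only reflects the build number: as the 18 August advisory on this page notes, appliances patched after being compromised can still carry a backdoor, so they remain in scope for IoC scanning.

```python
# Added example (not Citrix's or the advisory author's code).
# Fixed builds are copied from the advisory text; the inventory is constructed.

# First fixed build per release train, as listed in the advisory.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}
# The advisory states that plain 12.1 is End Of Life: upgrade, no fix listed.
EOL_TRAINS = {"12.1"}


def parse_version(version):
    """Split '13.1-49.13' into ('13.1', (49, 13)); raise ValueError if malformed."""
    release, sep, build = version.strip().partition("-")
    fields = build.split(".")
    if not sep or len(fields) != 2 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised version string: {version!r}")
    return release, (int(fields[0]), int(fields[1]))


def assess(version, edition=""):
    """Classify one appliance as 'fixed', 'vulnerable', 'eol' or 'unknown'.

    edition is '', 'FIPS' or 'NDcPP' (assumed inventory field, hypothetical).
    """
    release, build = parse_version(version)
    train = f"{release}-{edition}" if edition else release
    if train in EOL_TRAINS:
        return "eol"
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return "unknown"  # train not covered by the advisory: check manually
    # Compare as integer tuples: build 9.20 is older than 49.13, although a
    # plain string comparison ("9.20" > "49.13") would claim the opposite.
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """Return (host, version, status) rows with the most urgent hosts first."""
    urgency = {"vulnerable": 0, "eol": 1, "unknown": 2, "fixed": 3}
    rows = [(host, ver, assess(ver, ed)) for host, ver, ed in inventory]
    return sorted(rows, key=lambda row: urgency[row[2]])


# Constructed sample inventory: (host, version, edition).
SAMPLE_INVENTORY = [
    ("adc-edge-01", "13.1-49.13", ""),
    ("adc-edge-02", "13.1-9.20", ""),
    ("adc-dmz-01", "13.0-91.12", ""),
    ("adc-fips-01", "12.1-55.297", "FIPS"),
    ("adc-legacy-01", "12.1-65.25", ""),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {version:12} {status}")
```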
More information on the Citrix ADC and Gateway flaw vulnerability can be found here:
Black Arrow Cyber Advisory 17 July 2023 – Cisco SD-WAN vManage Vulnerable to Remote Unauthenticated Access
Executive Summary
A critical vulnerability has been identified and addressed in Cisco's network management software, SD-WAN vManage. The vulnerability allows a remote unauthenticated attacker to gain read or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. This vulnerability only affects the REST API and does not affect the web-based management interface or the command line interface.
What’s the risk to me or my business?
Successful exploitation of the critical vulnerability allows a remote unauthenticated threat actor to read sensitive information from the compromised system, modify certain configurations, and disrupt network operations. This will compromise the confidentiality, integrity, and availability of data in your organisation.
The following Cisco SD-WAN vManage versions are affected by the vulnerability:
v20.6.3.3 – fixed in v20.6.3.4
v20.6.4 – fixed in v20.6.4.2
v20.6.5 – fixed in v20.6.5.5
v20.7 – Migrate to fixed version
v20.8 – Migrate to fixed version
v20.9 – fixed in v20.9.3.2
v20.10 – fixed in v20.10.1.2
v20.11 – fixed in v20.11.1.2
What can I do?
There are no workarounds for the critical vulnerability. As such, it is advised that patches are applied immediately. For versions v20.7 and v20.8, Cisco advises customers to migrate to a fixed release. Cisco has given advice on how to reduce the attack surface for this attack; this includes actions such as monitoring logs for the REST API and limiting instances to specified instances. If you are unsure, check with your MSP or network team to ensure these are in place.
More information on the Cisco SD-WAN vManage vulnerability can be found here:
Black Arrow Cyber Advisory 12 July 2023 – Microsoft Patch Tuesday, including 6 actively exploited vulnerabilities, and Adobe Updates
Executive summary
Microsoft’s July 2023 Patch Tuesday provides updates to address 138 security issues across its product range, including six actively exploited zero-day vulnerabilities. The exploited zero-day vulnerabilities use a range of Microsoft Windows products to bypass security features, elevate privileges and perform remote code execution. Among the updates provided by Microsoft, 9 addressed critical vulnerabilities.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker with standard user access to gain elevated privileges or install kernel drivers, depending on the exploit used. Other risks, such as bypassing security features of Microsoft Outlook and performing remote code execution, can occur. This could allow an attacker to further compromise the confidentiality, integrity and availability of the organisation’s information assets.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities. Other mitigations have been provided by Microsoft and can be found below in the further details section.
Technical Summary
CVE-2023-32046 – This actively exploited vulnerability targets the MSHTML Platform and could allow an attacker to gain the rights of the user running the affected application.
CVE-2023-32049 – This actively exploited vulnerability targets Windows SmartScreen, allowing an attacker to bypass security features including the security warning prompt.
CVE-2023-36874 – This actively exploited vulnerability targets the Windows Error Reporting Service, allowing an attacker to elevate privileges and gain administrator privileges.
CVE-2023-36884 – This actively exploited vulnerability targets Office and Windows HTML, allowing an attacker to perform remote code execution.
CVE-2023-35311 – This actively exploited vulnerability targets Microsoft Outlook and bypasses a security feature; however, to exploit this an attacker would have to have a user click on a specially crafted link through phishing or social engineering.
ADV230001 – This is a Microsoft-signed driver that has been maliciously used in post-exploitation activity which abused a Windows policy loophole to install malicious kernel-mode drivers.
Adobe
This month, Adobe released fixes for 4 vulnerabilities, of which 3 were rated critical, across Adobe InDesign and Adobe ColdFusion. At present, Adobe are not aware of any active exploitation of the listed vulnerabilities; however, the advice is to update the affected products using their priority rating, which can be found in the details below. The vulnerabilities include remote code execution, memory leak and security bypass.
Further details on other specific updates within this patch Tuesday can be found here:
Further details about CVE-2023-32046 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32046
Further details about CVE-2023-32049 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32049
Further details about CVE-2023-36874 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874
Further details about CVE-2023-36884 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Further details about CVE-2023-35311 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311
Further details about ADV230001 can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230001
Further details of the vulnerabilities addressed in Adobe InDesign can be found here:
https://helpx.adobe.com/security/products/indesign/apsb23-38.html
Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here:
https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
Black Arrow Cyber Advisory - 26 June 2023 – Organisations Urged to Address Critical Vulnerability Found in Fortinet’s FortiNAC Products
Executive summary
A critical vulnerability has been identified and addressed in Fortinet FortiNAC products. Fortinet’s FortiNAC is a network access control solution and successful exploitation of the critical vulnerability allows a threat actor to remotely execute code without requiring authentication. In addition, another vulnerability which allowed improper local access in FortiNAC has been addressed.
What’s the risk to me or my business?
The vulnerabilities, if exploited, could allow an attacker to remotely execute code as well as copy local files, both of which compromise the confidentiality, integrity and availability of data in your organisation.
Technical Summary
CVE-2023-33299 – This critical vulnerability is an untrusted object deserialization flaw, allowing an unauthenticated user to execute code or commands via specially crafted requests.
CVE-2023-33300 – This vulnerability allows an unauthenticated attacker to copy local files to other local folders of a device through specially crafted input fields. It requires local access.
What can I do?
There is no mitigation advice for the critical vulnerability (CVE-2023-33299). As such, customers are urged to immediately upgrade their FortiNAC version depending on the affected product in use. There is no upgrade available for any FortiNAC products running version 8.x. The other vulnerability, CVE-2023-33300, requires users on affected versions to upgrade to 9.4.4 or above or 7.2.2 or above.
Affected products for the critical vulnerability and their patches include:
FortiNAC version 9.4.0 through 9.4.2 upgrade to 9.4.3 or above
FortiNAC version 9.2.0 through 9.2.7 upgrade to 9.2.8 or above
FortiNAC version 9.1.0 through 9.1.9 upgrade to 9.1.10 or above
FortiNAC version 7.2.0 through 7.2.1 upgrade to 7.2.2 or above
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions
Affected products for CVE-2023-33300 include:
FortiNAC 9.4.0 through 9.4.3 upgrade to 9.4.4 or above
FortiNAC 7.2.0 through 7.2.1 upgrade to 7.2.2 or above
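The two affected-version lists above overlap: 9.4.3 fixes CVE-2023-33299 but is still listed as affected by CVE-2023-33300. The following is an added example (not Fortinet's or Black Arrow's tooling) that triages an inventory against the ranges transcribed from this advisory; the host names and installed versions are constructed.

```python
# Added example: triage FortiNAC versions against the ranges quoted in this advisory.
# Range data is transcribed from the advisory text; the inventory below is constructed.

# (first affected, last affected, first fixed) per CVE
RANGES = {
    "CVE-2023-33299": [
        ("9.4.0", "9.4.2", "9.4.3"),
        ("9.2.0", "9.2.7", "9.2.8"),
        ("9.1.0", "9.1.9", "9.1.10"),
        ("7.2.0", "7.2.1", "7.2.2"),
    ],
    "CVE-2023-33300": [
        ("9.4.0", "9.4.3", "9.4.4"),
        ("7.2.0", "7.2.1", "7.2.2"),
    ],
}
# Branches listed as "all versions" affected, for which no upgrade is available.
NO_UPGRADE = {"CVE-2023-33299": {(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)}}


def parse(version):
    """'9.4.3' -> (9, 4, 3); short versions are zero-padded, junk is rejected."""
    parts = version.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(version):
    """Per CVE: None (not listed), 'NO-UPGRADE', or the first fixed release."""
    v = parse(version)
    verdicts = {}
    for cve, ranges in RANGES.items():
        verdict = "NO-UPGRADE" if v[:2] in NO_UPGRADE.get(cve, ()) else None
        for low, high, fixed in ranges:
            if parse(low) <= v <= parse(high):
                verdict = fixed
        verdicts[cve] = verdict
    return verdicts


def target_version(version):
    """Lowest release clearing every listed CVE, 'NO-UPGRADE', or None."""
    found = [x for x in assess(version).values() if x]
    if not found:
        return None
    if "NO-UPGRADE" in found:
        return "NO-UPGRADE"
    candidate = max(found, key=parse)
    # A fix for one CVE can sit inside another CVE's affected range, so re-check.
    return target_version(candidate) or candidate


def triage(inventory):
    """Map each host to the release it must reach (or the reason it cannot)."""
    return {host: target_version(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    constructed_inventory = {"nac-lon-01": "9.4.1", "nac-lon-02": "9.4.3",
                             "nac-lab-01": "8.7.2", "nac-dr-01": "9.4.4"}
    for host, target in triage(constructed_inventory).items():
        print(f"{host}: {target or 'not listed as affected'}")
```

Versions that do not appear in the advisory's lists (for example an 8.4 release) are reported as not listed rather than assumed safe or vulnerable.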
Further details on Fortinet’s advisories for the critical vulnerability can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-074
Further details on Fortinet’s advisory for CVE-2023-33300 can be found here:
https://www.fortiguard.com/psirt/FG-IR-23-096
Black Arrow Cyber Advisory - 22 June 2023 – Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari
Executive summary
Apple has recently released updates for iOS, iPadOS, macOS, watchOS and Safari browser. These updates address a set of flaws that were actively exploited in the wild with the most severe allowing an attacker to perform Arbitrary Code Execution.
What’s the risk to me or my business?
Depending on the privileges associated with the user, if the vulnerability is successfully exploited an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. This can lead to compromise of the confidentiality, integrity, and availability of organisational information that could be accessed from the affected asset.
Technical Summary
The two vulnerabilities below have been actively exploited in the mobile surveillance campaign called Operation Triangulation.
CVE-2023-32434 – This is an integer overflow vulnerability in the kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
CVE-2023-32435 – This is a memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.
The updates are available for the following platforms:
iOS 16.5.1 and iPadOS 16.5.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
iOS 15.7.7 and iPadOS 15.7.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
macOS Ventura 13.4.1, macOS Monterey 12.6.7, and macOS Big Sur 11.7.8
watchOS 9.5.2 - Apple Watch Series 4 and later
watchOS 8.8.1 - Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
Safari 16.5.1 - Macs running macOS Monterey
What can I do?
It is recommended to apply the update provided by Apple to all vulnerable systems immediately as the flaws have been addressed in this patch.
Further details on the Apple security updates can be found here: https://support.apple.com/en-us/HT201222
Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild
An update from an advisory published on the 8th June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns
Executive summary
VMware has confirmed that exploitation of the critical-rated CVE-2023-20887 has occurred in the wild. This vulnerability affects VMware Aria Operations (formerly known as vRealize Network Insight) and allows a malicious actor with access to the network to perform remote code execution (RCE).
What’s the risk to me or my business?
The vulnerability, if exploited using command injection, could allow the attacker to gain unrestricted root access and compromise the confidentiality, integrity, and availability of data in your organisation.
Impacted versions include: VMware Aria Operations Networks version 6.x.
What can I do?
VMware have recommended applying patches which they have made available for the following versions: 6.2/6.3/6.4/6.5.1/6.6/6.7/6.8/6.9/6.10.
There are no workarounds for this vulnerability.
Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html
Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684
Black Arrow Cyber Advisory 14 June 2023 – June Microsoft Patch Tuesday Addresses 78 Security Issues, 6 Critical Updates
Executive summary
Microsoft’s June Patch Tuesday provides updates to address 78 security issues across its product range, including 6 critical vulnerabilities. June’s Patch Tuesday does not include any zero-day vulnerabilities or actively exploited bugs. The critical vulnerabilities include privilege escalation in Microsoft SharePoint; remote code execution in Microsoft Exchange Server, Windows PGM, .NET, .NET Framework and Visual Studio; and a denial of service in Windows Hyper-V.
What’s the risk to me or my business?
The vulnerabilities, if actively exploited, allow an attacker to gain system privileges, remotely execute code and cause a denial of service, compromising the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible, especially those that have a critical severity rating.
Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/06/13/the-windows-june-2023-security-patches-are-here-and-address-these-issues/
Black Arrow Cyber Advisory - 12 June 2023 – Organisations Urged to Address Critical Vulnerabilities Found Fortinet and PaperCut Products
Executive summary
A recent report has highlighted the most notable software vulnerabilities in the first half of 2023, which included 2 critical actively exploited vulnerabilities in PaperCut MF and NG and Fortinet FortiOS products. This comes as Fortinet have recently released a patch for a separate critical vulnerability in FortiOS. All three vulnerabilities allow an attacker to remotely execute unauthorised code and compromise the confidentiality, integrity and availability of data.
Fortinet
CVE-2023-27997 – This recent critical vulnerability is a secure socket layer virtual private network (SSL-VPN) flaw which allows an unauthenticated attacker to perform remote code execution and to interfere with VPN connections even if Multi-Factor Authentication (MFA) is in place. SSL-VPN is used to allow users to establish a secure, encrypted connection between the public internet and the corporate network.
CVE-2022-41328 – This vulnerability is an improper limitation of a pathname, allowing an attacker to access restricted files with read and write access. Exploitation allows the attacker to remotely install and execute malware.
What can I do?
Fortinet has released fixes that address the vulnerability CVE-2023-27997. Customers must immediately apply the firmware updates as a matter of urgency. The following versions of FortiOS include patches for the vulnerability: 7.2.5, 7.0.12, 6.4.13, 6.2.15. An advisory has not been publicly announced yet. Results from Shodan indicate around 250,000 publicly discoverable devices are vulnerable.
For CVE-2022-41328, customers are advised to update the affected products immediately as this is being actively exploited.
Affected products include:
- FortiOS version 7.2.0 through 7.2.3 (Patched in version 7.2.4 or above)
- FortiOS version 7.0.0 through 7.0.9 (Patched in version 7.0.10 or above)
- FortiOS version 6.4.0 through 6.4.11 (Patched in version 6.4.12 or above)
- FortiOS version 6.2.0 through 6.2.13 (Patched in version 6.2.14 or above)
- FortiOS 6.0 all versions (No longer supported)
PaperCut
CVE-2023-27350 – This vulnerability allows an unauthenticated attacker to pull information about a user stored within PaperCut MF or NG. This data includes usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut created users only.
The following PaperCut MF and NG versions and components are affected by CVE-2023-27350 on all OS platforms:
- version 8.0.0 to 19.2.7
- version 20.0.0 to 20.1.6
- version 21.0.0 to 21.2.10
- version 22.0.0 to 22.0.8
What can I do?
PaperCut has recommended that customers upgrade all application servers and site servers and patch any of the affected products. This vulnerability has been addressed in PaperCut MF and NG versions 20.1.7, 21.2.11, and 22.0.9 and later.
Further details on the Fortinet vulnerability can be found here:
Further details on the Fortinet CVE-2022-41328 vulnerability can be found here:
https://www.fortiguard.com/psirt/FG-IR-22-369
Further details on the PaperCut vulnerability can be found here:
Black Arrow Cyber Advisory 08 June 2023 – Barracuda, Cisco, and VMware Address Critical Security Flaws
Executive summary
This week, Barracuda, Cisco, and VMware have all addressed vulnerabilities in their products. The vulnerabilities allow an attacker to elevate privileges to the highest available and remotely execute code. Both Cisco and VMware have applied patches, whilst Barracuda have urged users to immediately replace appliances impacted by the vulnerability.
Barracuda
CVE-2023-2868: This is a remote code injection vulnerability which has been exploited for at least seven months, allowing a successful attacker to steal information from Barracuda Email Security Gateway (ESG) devices.
Impacted versions include:
ESG devices on version 5.1.3.001 through 9.2.0.006
What can I do?
Barracuda have stated that, regardless of the patch version level, customers must immediately replace impacted ESG appliances. If you are unsure, Black Arrow recommends checking with your MSP.
Cisco
CVE-2023-20178: This vulnerability, if exploited, can allow an attacker to execute code with SYSTEM privileges, the highest available.
Impacted versions include:
Cisco AnyConnect Secure Mobility Client Software for Windows (version 4.10 and earlier)
Cisco Secure Client Software for Windows (version 5.0). For releases earlier than 5.0, this is known as Cisco AnyConnect Secure Mobility Client for Windows.
CVE-2023-20105: A vulnerability which allows an administrator with read-only access to elevate to have the ability to write to files.
CVE-2023-20192: A vulnerability which allows an authenticated local user to execute commands and modify configuration files. For this to be successful, the vulnerable version must have granted command line interface access (CLI) to a read-only administrator of the system.
Impacted versions include:
Cisco Express Series and Cisco TelePresence VCS version 14.0 and earlier.
What can I do?
Patches are available in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2 and should be applied. No workarounds are available.
For Cisco Express Series and Cisco TelePresence VCS version 14.0 and earlier, the first fixed releases are 14.2.1 for CVE-2023-20105 and 14.3.0 for CVE-2023-20192. As a mitigation for CVE-2023-20192, Cisco have recommended ensuring CLI access is disabled for read-only users; this should be disabled by default.
VMware
CVE-2023-20887: A command injection vulnerability, allowing an attacker to execute code remotely.
CVE-2023-20888: An authentication deserialization vulnerability, allowing remote code execution.
CVE-2023-20889: An information disclosure vulnerability, where an attacker with network access can inject commands to force information out.
Impacted versions include:
VMware Aria Operations Networks version 6.x.
What can I do?
VMware have recommended applying patches available for versions: 6.2 / 6.3 / 6.4 / 6.5.1 / 6.6 / 6.7 / 6.8 / 6.9 / 6.10.
Further details on the Barracuda ESG vulnerabilities can be found here: https://www.barracuda.com/company/legal/esg-vulnerability
Further details on the Cisco vulnerability can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw
Further details on the VMware vulnerabilities can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html
Further details of the patches available for VMware can be found here: https://kb.vmware.com/s/article/92684