Patch Tuesday December 2023

Patch Tuesday December 2023 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

In this issue, you will learn about patches for:

• ^ Microsoft vulnerabilities from Patch Tuesday:
  • ^ Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2023-35628)
  • ^ Internet Connection Sharing (ICS) Remote Code Execution Vulnerability (CVE-2023-35641 and CVE-2023-35630)
  • ^ Microsoft Power Platform Connector Spoofing Vulnerability (CVE-2023-36019)
• ^ Microsoft Access
• ^ Third-party application vulnerabilities:
  • • ^ Google Chrome
    • ^ Mozilla Firefox
    • ^ WordPress
    • ^ Web Password Managers
    • ^ Atlassian
    • ^ Cisco
    • ^ Bluetooth
    • ^ VMware
    • ^ Zyxel
    • ^ Apple
    • ^ Qlik Sense
    • ^ ownCloud
    • ^ CrushFTP
    • ^ FortiSIEM
    • ^ AMD
    • ^ Intel

Microsoft Vulnerabilities

Welcome to Vulnerability Digest from Action1 and the final Patch Tuesday release of 2023. As usual, here’s an overview of the most critical vulnerabilities to keep an eye on, ensuring your systems stay updated and protected against potential threats.

This month’s Patch Tuesday from Microsoft presents a welcome change, with a total of 34 fixed vulnerabilities, slightly fewer than in November. Among these, there are four critical vulnerabilities that have been addressed, marking a slight increase from the previous month. Notably, the only vulnerability with a Proof of Concept (PoC) this month is specifically related to AMD chipsets. While December brings a welcome pause from zero-day vulnerabilities, it’s crucial to remember that hackers often intensify their efforts during the holidays, so it’s essential to secure your systems and endpoints before the holiday season begins. This proactive approach will help you enjoy the holidays without concerns about cybersecurity. Let’s dive into the details of the most significant critical updates from this month’s release.

Windows MSHTML Platform Remote Code Execution Vulnerability

CVE-2023-35628 is a critical vulnerability identified in Microsoft Windows 10 and later versions, as well as in Microsoft Windows Server 2008 and subsequent versions. This vulnerability, primarily concerning remote code execution (RCE), has been assigned a CVSS rating of 8.1. Its classification as critical stems from its ability to facilitate RCE, as per Microsoft’s criteria. The attack vector associated with this vulnerability is network-based, characterized by high complexity and low privilege requirements, with no need for user interaction.

Exploiting this vulnerability involves an attacker sending a malicious link to the victim, possibly via email, or convincing the user to click on the link through deceptive means, such as a lure in an email or an instant messenger message. In a particularly severe email attack scenario, an attacker could send an email containing a specially crafted link that allows remote code execution on the victim’s computer, even before the email is opened or the link is clicked, including when the email is viewed in the preview pane. However, the complexity of this attack, which requires sophisticated memory manipulation techniques, is a contributing factor to its CVSS rating not reaching the maximum score of 10.

Microsoft acknowledges that while the exploitation of this vulnerability is more likely, there have been no confirmed instances of its real-world exploitation or a proof of concept. In light of this, Microsoft strongly advises users to apply the updates addressing this vulnerability as soon as possible to mitigate the risk.

Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

Two critical remote code execution vulnerabilities, CVE-2023-35641 and CVE-2023-35630, have been identified, each with a CVSS rating of 8.8. These vulnerabilities share similar characteristics, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed.

The scope of these attacks is confined to systems on the same network segment as the attacker, meaning they cannot be conducted across multiple networks, such as a WAN. The attacks are restricted to systems that are either on the same network switch or within the same virtual network. To exploit CVE-2023-35641, an attacker would need to send a maliciously crafted DHCP message to a server that is running the Internet Connection Sharing service. As for CVE-2023-35630, successful exploitation requires the attacker to alter the option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. These vulnerabilities impact Microsoft Windows 10 and later versions, as well as Microsoft Windows Server 2008 and subsequent versions.

Microsoft has indicated that the likelihood of exploitation for these vulnerabilities is more probable than not, yet there have been no confirmed real-world cases or proof of concept. Regardless, Microsoft strongly advises users to apply the available updates for these vulnerabilities as soon as possible.

Microsoft Power Platform Connector Spoofing Vulnerability

Today’s final critical vulnerability under discussion is CVE-2023-36019, a serious issue identified in the Microsoft Power Platform. This vulnerability, primarily involving spoofing, allows an attacker to deceive a user by masquerading a malicious link or file as a legitimate one. The vulnerability has a network-based attack vector, is low in attack complexity, and does not require system privileges, but it does require user interaction to be exploited. Its CVSS rating stands at 9.6, indicating a high level of severity.

This particular vulnerability is specific to the Microsoft Power Platform and Azure Logic Apps. Therefore, if you are not using these applications, your systems are not at risk.

The exploitation scenario involves an attacker crafting a malicious link, application, or file that appears legitimate to the victim. For instance, this vulnerability could be used in conjunction with malware that automatically downloads and installs itself once a user clicks on a deceptive link. While the vulnerability originates in the web server, the malicious scripts have the potential to execute in the browser on the victim’s machine.

As of now, there is no known evidence of this vulnerability being exploited in the wild, and no Proof of Concept (PoC) is available.

Microsoft Access

Acros Security developers have stepped up to address a significant issue in Microsoft Access.

On November 9, 2023, Check Point Research researchers revealed an information disclosure vulnerability in Microsoft Access. This flaw allows attackers to obtain a victim’s NTLM hash. It occurs when the victim opens a Microsoft Office document embedded with an Access database linked to a remote SQL Server database using “Windows NT authentication.” This forces authentication, thus leaking the NTLM hash each time Access updates a table with this link. Unlike typical forced authentication problems, this one uses SQL Server port 1433 instead of SMB and RPC, with the ability to use any port, including firewall-friendly ports 80 or 443. Haifei researchers proposed an AutoExec macro solution to automatically open a table and prompt an update, circumventing these issues.

Check Point initially reported this vulnerability to Microsoft in January 2023. However, by July, they had not received a definitive response, as the issue was deemed “low/no severity” by the MSRC. Although Access began showing a security dialog box when opening a Proof of Concept (PoC) file, closing this dialog still triggered AutoExec, sending credentials to the attacker’s server. The only solution to prevent this exploit is to forcibly terminate the msaccess.exe process. Over recent years, Microsoft has addressed some vulnerabilities but ignored others, such as DFSCoerce, PrinterBug/SpoolSample, and PetitPotam. RemotePotato0 and ShadowCoerce were initially ignored too but were discreetly patched 9 and 6 months after their discovery, respectively. In contrast, a similar WordPad vulnerability was openly patched by Microsoft just last month.

In conclusion, the researchers believe Microsoft has no plans to rectify this Access issue, a stance they find problematic given its similarity in impact to the WordPad vulnerability. While Microsoft’s response remains uncertain, 0patch has taken the initiative, releasing a micropatch for Microsoft Office to mitigate this security risk.

Google Chrome

Google is responding to a significant cybersecurity threat with an emergency update aimed at addressing the sixth zero-day vulnerability discovered in Chrome this year. This vulnerability, actively exploited in real-world attacks, is one of seven critical issues currently being patched.

The primary concern is CVE-2023-6345, an integer overflow issue in the Skia 2D graphics library, an open-source project. This flaw can lead to a range of problems, from Denial of Service (DoS) to Remote Code Execution (RCE). It allows remote attackers to bypass Chrome’s sandbox protections via a specially crafted HTML page, potentially after compromising the renderer process. This vulnerability was identified last Friday by Google TAG researchers, who focus on spyware and Advanced Persistent Threat (APT) activity.

Interestingly, this isn’t the first time Google has addressed a similar issue. In April 2023, they patched another integer overflow vulnerability (CVE-2023-2136) in Skia. Given that the previous flaw was also exploited as a zero-day, CVE-2023-6345 might represent a method to circumvent that earlier patch.

The other vulnerabilities addressed in this update include:

• CVE-2023-6348: A type confusion issue in Spellcheck, reported by Mark Brand of Google Project Zero on October 23, 2023.
• CVE-2023-6347: A use-after-free error in Mojo, reported by Leecraso and Guang Gong of the 360 Vulnerability Research Institute on October 21, 2023.
• CVE-2023-6346: A use-after-free error in WebAudio, reported by Huang Xilin of Ant Group Light-Year Security Lab on November 9, 2023.
• CVE-2023-6350: An out-of-bounds memory access in libavif, reported by Fudan University on November 13, 2023.
• CVE-2023-6351: Another use-after-free error in libavif, also reported by Fudan University.

Google has withheld detailed information on these vulnerabilities and their exploitation, pending the complete rollout of the updates. These updates are available for Windows (version 119.0.6045.199/.200) and Mac and Linux (version 119.0.6045.199).

Mozilla Firefox

Mozilla’s latest release, Firefox 119, not only brings new features and bug fixes but also includes 25 security updates. Of these, 17 vulnerabilities, primarily grouped under CVE-2023-5730 and CVE-2023-5731, are classified as dangerous due to memory-related issues. These include buffer overflows and accessing previously freed memory areas, which could potentially enable an attacker to execute code when specific, specially crafted web pages are accessed.

Additionally, a separate critical vulnerability, identified as CVE-2023-5721, poses a risk by allowing clickjacking. This vulnerability could be exploited to manipulate users into inadvertently confirming or canceling certain browser dialogues or warnings.

WordPress

A significant security concern has emerged for users of the WP Fastest Cache plugin, which is widely used on WordPress sites. This plugin, installed on over 1 million websites, is designed to enhance page load times, boost visitor interaction, and improve Google search rankings. However, a SQL vulnerability in the plugin puts more than 600,000 websites at risk, as revealed by the WPScan team at Automattic. This vulnerability, identified as CVE-2023-6063 and rated with a severity of 8.6, affects versions of the plugin dating back to 1.2.2. It stems from an issue in the is_user_admin function of the WpFastestCacheCreateCache class, where the $username input from cookies is improperly sanitized. This oversight allows unauthenticated attackers to manipulate the SQL query, gaining access to the site’s database, which often contains sensitive user data, passwords, and site configurations. With its potential for easy exploitation, the urgency for users to update to the latest plugin version, 1.2.2, cannot be overstated.

Additionally, WordPress’s release of update 6.4.2 addresses another critical vulnerability. Discovered by Wordfence, this vulnerability involves a property-oriented programming (POP) chain in the WP_HTML_Token class, introduced in WordPress 6.4. Under certain conditions, it could allow attackers to execute arbitrary PHP code on vulnerable sites. The POP chain vulnerability is particularly concerning because it enables attackers to hijack application flow and potentially take control of a site. However, exploiting this vulnerability requires control over all properties of a deserialized object, achievable via the PHP unserialize() function. Although this vulnerability is not critical on its own, it becomes significantly more dangerous when combined with a PHP object injection vulnerability in a plugin or theme add-on.

The exploit chain, already available on GitHub and added to the PHP Generic Gadget Chains (PHPGGC) project, heightens the risk. Patchstack advises users to manually check their websites and update to the latest WordPress version. They also recommend replacing any calls to the unserialize function with safer alternatives like json_encode and json_decode.

In summary, while both vulnerabilities pose critical risks under certain conditions, the recommended course of action is for administrators to promptly upgrade to the latest versions of both the WP Fastest Cache plugin and WordPress.

WordPress users have been alerted to a critical Remote Code Execution (RCE) vulnerability in the Backup Migration plugin, identified as CVE-2023-6553 and rated with a CVSS score of 9.8. This severe vulnerability permits unauthenticated attackers to hijack target websites by executing remote code through PHP injection. The specific point of exploit is found in the file /includes/backup-heart.php.

This critical bug was first identified by the Nex Team, who promptly reported their findings to Wordfence. Wordfence then quickly communicated the issue to the developers of the Backup Migration plugin. The vulnerability impacts all plugin versions up to and including Backup Migration 1.3.6 and can be exploited without any user interaction. Despite the swift release of a patch to address this issue, an estimated 50,000 WordPress sites using this plugin remain vulnerable.

As a precautionary measure, experts are urging users to immediately update the Backup Migration plugin. In addition to this, they recommend backing up site data and changing WordPress login credentials to further secure their websites against potential exploits.

Web Password Managers

Recent research conducted by experts at the Indian Institute of Technology in Hyderabad has uncovered a significant vulnerability in several widely-used Android password managers. This vulnerability, known as AutoSpill, poses a serious threat as it allows attackers to access user credentials. The vulnerability becomes exploitable when users employ the AutoFill password feature in conjunction with WebView.

In their investigation, the researchers tested AutoSpill against popular password managers like 1Password, LastPass, Keeper, and Enpass. They discovered that most of these applications were still vulnerable, even when JavaScript injection protection was active. Notably, all the password managers tested showed vulnerabilities when JavaScript was enabled, and the research was conducted on the latest versions of Android.

The severity of this finding cannot be overstated, given that password managers are expected to be among the most secure applications. The developers of these password managers have been informed about the issues and are currently working on fixes. However, in light of these findings, the researchers advise users to exercise caution. As a temporary measure, it is recommended to avoid using these password management applications until the vulnerabilities are fully addressed.

Atlassian

Atlassian has announced the release of patches for four critical vulnerabilities in its software suite, addressing flaws that could potentially lead to Remote Code Execution (RCE) if exploited.

The vulnerabilities are as follows:

• CVE-2022-1471 (CVSS score: 9.8): This is a deserialization vulnerability found in the SnakeYAML library, affecting multiple Atlassian products. It poses a high risk of remote code execution.
• CVE-2023-22522 (CVSS score: 9.0): This vulnerability affects all versions of Confluence Data Center and Confluence Server, including 4.0.0 and later. Atlassian has identified it as a pattern injection vulnerability, which allows even an anonymous attacker to execute code by manipulating insecure user input on a Confluence page.
• CVE-2023-22523 (CVSS score: 9.8): Found in Assets Discovery for Jira Service Management Cloud, Server, and Data Center, this vulnerability affects all versions up to and including 3.2.0-Cloud/6.2.0-Data Center. It enables attackers to perform privileged remote code execution on systems with the Asset Discovery agent installed.
• CVE-2023-22524 (CVSS rating: 9.6): This vulnerability is present in the Atlassian Companion application for MacOS, affecting all versions up to and including 2.0.0. It could allow attackers to execute code by leveraging WebSockets to circumvent Atlassian Companion blacklisting and macOS gatekeeper protection.

Given the increasing use of Atlassian solutions as attack vectors, users are strongly advised to update their installations to the patched versions immediately to mitigate these security risks.

Cisco

Cisco has recently addressed a significant vulnerability in its Firepower VPN, identified as CVE-2023-20275. This bug impacts the AnyConnect SSL VPN in both the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerability posed a risk that allowed an authenticated remote attacker to send packets appearing to originate from the IP address of another VPN user. However, it’s important to note that the attacker would not be able to receive any return packets.

In response, Cisco has released software updates to rectify this issue and emphasized that there are no alternative workarounds for this vulnerability. While there have been no observed instances of exploitation in the wild, the details of this vulnerability are already being examined within the cyber underground community.

The situation is further compounded by the ongoing exploitation of recent Cisco IOS XE vulnerabilities, specifically CVE-2023-20198 (rated CVSS 10) and CVE-2023-20273 (rated CVSS 7.2), as warned by the Shadowserver Foundation. These vulnerabilities have been actively targeted by hackers, leading to a significant number of compromised devices.

Initially, attackers exploited these vulnerabilities to create high-privilege accounts and install a Lua-based backdoor, resulting in the takeover of vulnerable devices. At one point, up to 50,000 switches and routers were compromised, with approximately 40,000 still infected even after the attackers updated their implant.

Recent data indicates that over 23,000 Cisco IOS XE devices are still infected with the BadCandy backdoor. While the number of infections had been steadily decreasing throughout November, a recent surge, particularly in Mexico and Chile, suggests a new wave of attacks, potentially leading to an increase in compromised devices.

Bluetooth

Mark Newlin, a researcher at Skysafe, has uncovered a critical Bluetooth vulnerability that poses a threat to various operating systems, including Android, Linux, MacOS, and iOS. Identified as CVE-2023-45866, this vulnerability is present in multiple Bluetooth stacks and allows for an authentication bypass. This security flaw enables attackers to connect to a discoverable host without requiring user confirmation, intercept connections, and inject keystrokes. The mechanism of the attack involves deceiving the target device into believing it is paired with a Bluetooth keyboard, exploiting the unauthenticated pairing process outlined in the Bluetooth specification. If exploited successfully, an attacker within close proximity could connect to the vulnerable device to install malicious applications or execute arbitrary commands.

Notably, executing this attack does not require specialized hardware and can be carried out using a standard Bluetooth adapter on a Linux computer.

The vulnerability impacts Android devices running version 4.2.2.2 (released in November 2012) and later, as well as Linux, iOS, and macOS devices. It is particularly concerning for macOS and iOS devices, as it remains exploitable even when Bluetooth is enabled and the Magic Keyboard is paired, and even if Apple’s lockdown mode is active. Google’s recent advisory highlights the severity of CVE-2023-45866, noting its potential for remote privilege escalation without additional execution privileges. As of now, only the Android team has addressed this vulnerability with a patch. More technical details about this vulnerability are expected to be released in the future.

VMware

VMware has recently identified and patched a critical authentication bypass vulnerability in its Cloud Director software, which is essential for managing cloud services within Virtual Data Centers (VDC). This particular vulnerability, tracked as CVE-2023-34060 and referenced in VMSA-2023-0026, specifically impacts instances of VCD Appliance 10.5 that have undergone an upgrade from an earlier version.

It’s important to note that this vulnerability does not affect new installations of VCD Appliance 10.5, nor does it impact Linux deployments or other devices. The vulnerability allows unauthenticated attackers with network access to the appliance to remotely exploit the flaw. These attacks are of low complexity and do not require user interaction, leading to bypassing login restrictions when accessing ports 22 (ssh) and 5480 (device management console).

VMware responded promptly to this security issue, releasing a patch just a few weeks after its discovery on November 14. Notably, fresh installations of VMware Cloud Director Appliance 10.5 are not subject to this vulnerability.

For those who may need additional time to implement the patches, VMware has not only provided a patch but also issued advisories for VMSA-2023-0026 and a workaround. This workaround is specifically designed for affected versions of VCD Appliance 10.5.0 and involves executing a special script to mitigate the vulnerability temporarily.

Zyxel

Zyxel has recently taken steps to address multiple vulnerabilities in its NAS devices, including three critical issues that pose a significant threat. These vulnerabilities enable unauthenticated attackers to execute operating system commands on certain Zyxel NAS models, specifically the NAS326 running version 5.21(AAZF.14)C0 and the NAS542 running version 5.21(ABAG.11)C0, as well as earlier versions of both models. These NAS devices, known for their centralized storage capabilities, are widely used for data backup, media streaming, remote access, and collaboration, making them popular among small and medium-sized businesses, as well as professionals in IT, video, and design.
The vulnerabilities patched by Zyxel include:

• CVE-2023-4473 (Score 9.8): A command injection flaw in the web server of Zyxel NAS devices, allowing unauthenticated attackers to execute operating system commands via a specially crafted URL.
• CVE-2023-4474 (Score 9.8): A vulnerability in the WSGI server of these devices that permits unauthenticated attackers to execute OS commands through a crafted URL.
• CVE-2023-35137 (Score 7.5): A misauthentication issue in the authentication module, potentially allowing unauthenticated attackers to access system information via a crafted URL.
• CVE-2023-35138 (Score 9.8): A command injection bug in the show_zysync_server_contents function, enabling unauthenticated attackers to execute operating system commands via a crafted HTTP POST request.
• CVE-2023-37927 (Score 8.8): A vulnerability in a CGI program that allows authenticated attackers to execute OS commands through a crafted URL.
• CVE-2023-37928 (Score 8.8): A post-authentication command injection issue in the WSGI server, allowing authenticated attackers to execute OS commands via a crafted URL.

These vulnerabilities, if exploited, could allow attackers to gain unauthorized access, execute operating system commands, obtain sensitive system information, or even take full control of the affected Zyxel NAS devices. Therefore, Zyxel strongly advises NAS users to update their devices with the latest patches, emphasizing that there are no known workarounds or mitigations for these vulnerabilities.

Apple

Apple has swiftly responded with emergency updates to address two zero-day vulnerabilities, CVE-2023-42916 and CVE-2023-42917, that are currently being actively exploited in attacks against owners of iPhones, iPads, and Macs.

The list of vulnerable Apple devices is extensive, including the iPhone XS, various models of iPad Pro (12.9-inch 2nd generation, 10.5-inch, 11-inch 1st generation), iPad Air 3rd generation, iPad 6th generation, iPad mini 5th generation, as well as Mac computers running Monterey, Ventura, and Sonoma. The vulnerabilities reside in the WebKit browser engine and pose serious risks, allowing attackers to perform out-of-bounds reads and execute remote code (RCE) via memory corruption when users visit malicious web pages. To combat these issues, Apple has released updates for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2, focusing on improved input validation and enhanced blocking mechanisms.

Furthermore, Apple has extended these critical updates to older iPhone models, some Apple Watch and Apple TV models, addressing potential exploits in iOS versions prior to iOS 16.7.1. The company has remedied the situation by releasing iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2, and watchOS 10.2. These updates, which also concentrate on input validation and blocking, are now available for a broad spectrum of devices, including iPhone 8 onwards, all iPad Pro models, iPad Air 3rd generation, iPad 5th generation, new iPad mini 5th generation, all models of Apple TV HD and Apple TV 4K, and Apple Watch Series 4 and later.

The discovery and disclosure of these new zero-days are credited to Clément Lesigne of Google TAG. Given Lesigne’s previous investigations, there is speculation that these vulnerabilities may be linked to spyware or an Advanced Persistent Threat (APT). However, as is typical, Apple has not publicly disclosed this information.

Qlik Sense

Arctic Wolf researchers have recently released a report detailing the first documented instance of CACTUS ransomware being used in an attack targeting Qlik Sense, a cloud-based analytics and business intelligence platform. This campaign is notable for its exploitation of vulnerabilities in the platform.

The experts have identified three key vulnerabilities that were likely exploited in these attacks:

• CVE-2023-41265 (CVSS: 9.9): This vulnerability allows a remote attacker to escalate privileges and send executable requests to the server.
• CVE-2023-41266 (CVSS: 6.5): It enables attackers to send HTTP requests to unauthorized endpoints.
• CVE-2023-48365 (CVSS: 9.9): Linked to improper HTTP header validation, this flaw leads to privilege escalation for remote attackers.

It’s important to note that CVE-2023-48365 emerged as a result of an incomplete patch for CVE-2023-41265. Both CVE-2023-41265 and CVE-2023-41266 were initially disclosed by Praetorian in late August 2023, with the patch for CVE-2023-48365 being released later, on November 20.

During these attacks, the perpetrators manipulated the Qlik Sense scheduler service to execute processes that download additional tools. These tools facilitate resilience monitoring and enable remote management configuration. The tools include ManageEngine Unified Endpoint Management and Security (UEMS), AnyDesk, and Plink. The attackers also took measures such as uninstalling Sophos software, changing administrator account passwords, and creating an RDP tunnel through Plink. The attack ultimately leads to the deployment of ransomware, with the attackers additionally using rclone to extract data.

ownCloud

Critical vulnerabilities have been identified in ownCloud, an open-source file sharing and collaboration software, which pose risks of sensitive information disclosure and authentication bypass. This software is extensively used, with more than 200,000 installations, 600 enterprise customers, and 200 million users worldwide.

The most critical of these vulnerabilities, receiving a maximum CVSS score of 10/10, impacts the Graphapi feature. This issue involves a third-party library used by Graphapi, which generates a URL that, when accessed, reveals detailed PHP environment configuration (phpinfo). This vulnerability affects versions 0.2.0 through 0.3.0 of Graphapi and exposes critical information such as the ownCloud admin password, mail server credentials, license key, and other sensitive data. Notably, deactivating the Graphapi application does not resolve this vulnerability. As a precaution, administrators are advised to change their ownCloud admin password, object store/S3 access key, and mail server and database credentials.

In response, ownCloud has taken measures to disable phpinfo in Docker containers and plans to implement additional security enhancements in future major releases to prevent similar vulnerabilities.

The second vulnerability, rated 9.8/10 in severity, involves an authentication bypass in the WebDAV API through pre-signed URLs. This flaw affects ownCloud base versions from 10.6.0 to 10.13.0 and enables unauthorized access, modification, or deletion of any file if the victim’s username is known and no signature key is configured (the default setting). The recommended fix is to prohibit the use of pre-signed URLs when no signing key is set for the file owner.

A third bug, with a CVSS rating of 9/10, affects the oauth2 application in versions prior to 0.6.1, allowing for subdomain validation bypass. In the oauth2 application, an attacker can use a specially crafted redirect URL to circumvent the validation code, redirecting callbacks to a domain under the attacker’s control. The suggested solution is to strengthen the validation code in the Oauth2 application, with a temporary workaround being to disable the “allow subdomains” option.

Soon after the public disclosure of these vulnerabilities on November 21, including CVE-2023-49104 and CVE-2023-49105, exploitation attempts were reported, specifically targeting CVE-2023-49103. The Shadowserver Foundation discovered around 11,000 online OwnCloud instances potentially at risk, with Germany, the United States, and France having the highest number of vulnerable instances.

In light of the recent exploitation of file sharing platform vulnerabilities, as evidenced in the CLOP ransomware case, it is critical for ownCloud administrators to promptly apply the recommended fixes and update their software libraries to safeguard against these threats.

CrushFTP

A critical zero-day vulnerability, identified as CVE-2023-43177, has been discovered in CrushFTP, a widely used file transfer server, posing a significant threat to thousands of organizations. First identified in August 2023, this vulnerability is particularly concerning due to CrushFTP’s popularity for secure file transfers across various devices and platforms in the business sector.

The flaw enables an unauthenticated attacker to gain unrestricted access to all files on CrushFTP, execute arbitrary programs on the host server, and obtain passwords in clear text. The root cause of this vulnerability lies in the improper handling of AS2 headers within CrushFTP. By exploiting these headers, an attacker can manipulate Java properties user information, which in turn allows them to set arbitrary permissions. This can lead to reading and deleting files, ultimately resulting in root-level system compromise and remote code execution (RCE).

In response to the discovery of this vulnerability, the CrushFTP development team acted swiftly, releasing a patch in CrushFTP 10.5.2. Despite this prompt action, the risk of exploitation remains a concern, especially since a Proof of Concept (PoC) for the vulnerability has been developed and is currently available.

Given the seriousness of this security issue, organizations using CrushFTP are strongly advised to apply the patch immediately and take additional measures to secure their systems. The developers have highlighted that AS2 is a specialized feature, so any unusual activity related to AS2 on servers should be treated with high suspicion, as it could indicate a potential attack.

FortiSIEM

Fortinet has issued a warning regarding a critical command injection vulnerability in the FortiSIEM server, a security concern that unauthenticated remote attackers could exploit to execute commands via API requests.

This vulnerability, designated as CVE-2023-36553, has been given a severity rating of 9.3 by Fortinet, while NIST has assessed it at a higher score of 9.8. Researchers have identified CVE-2023-36553 as a derivative of another critical issue, CVE-2023-34992. This related vulnerability, involving improper input sanitization, was patched earlier in October. CVE-2023-36553 manifests when the program improperly handles API requests containing wildcards or controls, passing them to the operating system as executable commands. This flaw could lead to several dangerous outcomes, such as unauthorized data access.

Impacting FortiSIEM versions 4.7 through 5.4, Fortinet is urging users to upgrade to one of the safer versions – 6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, or 7.1.0 and later.

Given that Fortinet’s solutions are widely utilized in critical sectors such as healthcare, financial services, retail, e-commerce, and government facilities, unpatched systems pose a significant risk. In the past, unprotected instances of Fortinet products have frequently been targeted in ART (Advanced Reconnaissance and Targeting) attacks, aiming to breach an organization’s network.

AMD

A collaborative team of researchers from the Helmholtz IS Center CISPA in Germany, Graz University of Technology in Austria, and Youheng Lu has unveiled a new vulnerability in AMD processors, dubbed CacheWarp. This discovery represents a significant software bug injection attack targeting AMD SEV-ES and SEV-SNP. CacheWarp enables the architectural reversion of modified guest virtual machine cache lines to their original state, thereby compromising virtual machines through memory writes, privilege escalation, and remote code executions (RCEs). This vulnerability specifically affects AMD’s Secure Encrypted Virtualization (SEV) CPU extension, which plays a crucial role in protecting against malicious hypervisors and reducing the attack surface of virtual machines in cloud environments by encrypting data.

The researchers highlight that CacheWarp could permit hackers to gain control over and breach encrypted virtual machines, thereby escalating privileges. For example, attackers could exploit CacheWarp to revert authentication variables to an earlier state, hijacking a previously authenticated session. Furthermore, CacheWarp can be used to manipulate return addresses in the stack, altering the control flow of a program. This attack is attributed to a hardware problem in processors, with the root cause being an architectural flaw.

CacheWarp poses a threat to any system running on AMD processors that support SEV. However, the risk is specifically significant for users deploying secure virtual machines using SEV. The underlying vulnerability, tracked as CVE-2023-20592, affects various AMD systems with SEV-enabled processors, including 1st and 2nd generation EPYC (SEV and SEV-ES), and 3rd generation EPYC (SEV, SEV-ES, SEV-SNP), but does not impact the 4th generation AMD EPYC Genoa (Zen 4).

The researchers have provided comprehensive documentation of their findings, launched a dedicated website to summarize the attack, and released a video demonstrating CacheWarp gaining root privileges and bypassing OpenSSH authentication to escalate to root via sudo.

AMD has responded with a security advisory. While no mitigations are available for 1st or 2nd generation EPYC processors, the company has released a microcode fix for 3rd generation AMD EPYC processors with SEV-SNP enabled, ensuring no performance degradation as a result of the fix.

Intel

Intel has recently addressed a significant vulnerability present in its range of CPUs, including the newest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures, which span desktop, server, mobile, and embedded platforms.

This vulnerability, cataloged as CVE-2023-23583, is identified as a redundant prefix issue. It has the potential to be exploited in several ways, such as escalating privileges, accessing sensitive information, or triggering a Denial of Service (DoS) condition, which could lead to substantial losses, especially for cloud providers. Intel’s investigation revealed that under certain conditions, the execution of the REP MOVSB instruction, if encoded with a redundant REX prefix, might cause unpredictable system behavior. This could lead to a system crash or freeze and, in limited scenarios, enable an elevation of privilege (EoP) from CPL3 to CPL0. Intel assesses that the likelihood of this problem occurring in any software is low, as redundant REX prefixes are generally not present in code and are not generated by compilers. Nevertheless, the potential for malicious exploitation exists, requiring the execution of arbitrary code.

This issue, also independently identified by several Google research groups and termed ‘Reptar,’ involves the interpretation of redundant prefixes by CPUs. According to Phil Venables, VP and IS Director at Google Cloud, successful exploitation can bypass the security boundaries of the CPU, leading to unusual and problematic behavior. Systems equipped with vulnerable CPUs, including those based on Alder Lake, Raptor Lake, and Sapphire Rapids architectures, have already been updated with new microcode. Notably, these updates did not impact system performance.

Intel has released microcode updates for other affected processors and strongly advises users to update their BIOS, operating systems, and drivers to safeguard against this vulnerability.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: December 2023 Vulnerability Digest from Action1