Patch Tuesday January 2024 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- Windows Kerberos Security Feature Bypass Vulnerability (CVE-2024-20674)
- Windows Hyper-V Remote Code Execution Vulnerability (CVE-2024-20700)
- Remote Desktop Client Remote Code Execution Vulnerability (CVE-2024-21307)
- Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-20698)
- Remote Code Execution Vulnerability in Microsoft Office (CVE-2024-20677)
- Third-party application vulnerabilities:
Microsoft Vulnerabilities
Welcome to the first 2024 edition of the Vulnerability Digest from Action1, highlighting the January Patch Tuesday release. As always, we provide an overview of the most critical vulnerabilities, ensuring your systems are consistently updated and shielded against potential threats.
This Patch Tuesday, Microsoft has resolved 48 vulnerabilities, a number higher than what we saw in December, and made revisions to 9 vulnerabilities previously addressed. Of particular note, there are only two critical vulnerabilities that have been fixed, marking a decrease from last month. Importantly, there are no zero-day vulnerabilities or vulnerabilities with proof of concept at this time. While Microsoft begins smoothly, keep an eye out for new third-party vulnerabilities. Detailed below are the most significant critical updates from this release.
Windows Kerberos Security Feature Bypass Vulnerability
The CVE-2024-20674 is a critical security vulnerability in the Windows Kerberos authentication protocol. This vulnerability is classified as a security feature bypass with a high severity level, carrying a CVSS score of 9.0 / 7.8. It poses a significant risk by potentially allowing unauthorized impersonation and exploitation of the authentication feature.
To exploit this vulnerability, an unauthenticated attacker would need to initiate a machine-in-the-middle (MITM) attack or employ a similar local network spoofing technique. By gaining control, the attacker can send a malicious Kerberos message to the target machine, posing as the Kerberos authentication server.
According to the CVSS metric, the attack vector for this vulnerability is categorized as “adjacent” (AV:A), indicating that the attacker must first gain access to a restricted network to launch the attack successfully.
Moreover, successful exploitation could result in a scope change (S:C). This indicates that the vulnerability’s impact extends beyond the security scope managed by the authority responsible for the affected component, affecting components managed by different security authorities.
Operating systems affected by this vulnerability include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022. As of the original publication date, there is no known exploit code available. The recommended course of action is to apply the official fix as a remediation measure.
The Windows Hyper-V Remote Code Execution Vulnerability
The CVE-2024-20700 pertains to a critical vulnerability within Windows Hyper-V, the virtualization feature of Windows. This vulnerability, capable of enabling remote code execution, carries a high severity rating with a CVSS score of 7.5 / 6.5. It presents a considerable risk to the confidentiality, integrity, and availability of the affected system.
Crucially, this vulnerability can be exploited without any special privileges or user interaction. The CVSS metric categorizes its attack vector as “adjacent” (AV:A), indicating that an attacker must first access the restricted network to initiate the attack.
The attack complexity of this vulnerability is high (AC:H), as per the CVSS metric. This suggests that successful exploitation requires winning a race condition, necessitating precise manipulation of event timing and sequence to execute malicious code.
The scope of the vulnerability is unchanged, with implications for the confidentiality, integrity, and availability of the system. An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. Exploitation could enable an attacker to run arbitrary code with the privileges of the Hyper-V host, potentially compromising the entire system. The operating systems affected include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.
As of the initial publication, there has been no public disclosure or confirmed instances of this vulnerability being exploited. The maturity of any exploit code remains unproven. The application of the official fix provided by Microsoft is the advised mitigation strategy. The reliability of this vulnerability report has been confirmed.
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2024-21307 is a remote code execution vulnerability in the Remote Desktop Client, commonly utilized for establishing remote desktop connections.
This vulnerability is classified as a Remote Code Execution with an ‘Important’ severity rating and a CVSS score of 7.5 / 6.5. Its successful exploitation poses a significant threat to the confidentiality, integrity, and availability of the system impacted.
The vulnerability can be exploited remotely over a network connection, as its attack vector is network-based. The CVSS metric assigns a high attack complexity (AC:H) to this vulnerability, suggesting that sophisticated methods, potentially involving a race condition, are required for successful exploitation.
No user interaction or special privileges are needed for exploitation. This implies that an unauthorized attacker could exploit this vulnerability by waiting for a user to connect to the compromised Remote Desktop Client, thereby enabling the execution of arbitrary code on the target system.
The scope and impact of this vulnerability remain unchanged, posing a high risk to the system’s confidentiality, integrity, and availability. Exploitation could lead to unauthorized access, data manipulation, and disruption of system operations. The affected operating systems include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.
As of the original publication, there have been no demonstrations of proof-of-concept or confirmed exploitations. The maturity of any exploit code is considered unproven. The application of Microsoft’s official fix is recommended for mitigation.
The Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-20698 is a security vulnerability in the Windows kernel that enables an attacker to elevate privileges, potentially leading to unauthorized access and control of affected systems. It is categorized as an elevation of privilege vulnerability, allowing attackers to obtain higher privileges than initially granted. This vulnerability is rated as ‘Important’ with a CVSS score of 7.8 / 6.8, and its successful exploitation significantly impacts the confidentiality, integrity, and availability of the system.
The vulnerability’s attack vector is local, requiring the attacker to have initial access to the target system. Its attack complexity is low (AC:L), as per the CVSS metric, meaning it does not necessitate sophisticated techniques for exploitation. However, it does require low privileges (PR:L), implying some level of system access is needed by the attacker.
No user interaction is required (UI:N) for exploitation, raising the possibility of unauthenticated remote attacks if the attacker has already compromised the target system.
The scope and impact of this vulnerability remain unchanged, presenting a high risk to the system’s confidentiality, integrity, and availability. Exploitation could grant an attacker SYSTEM privileges, leading to complete control over the affected system. The operating systems impacted include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.
As of the initial publication, there were no demonstrations of proof-of-concept or confirmed exploitations. The exploit code’s maturity is unproven. The application of Microsoft’s official fix is advised for mitigation.
Remote Code Execution Vulnerability in Microsoft Office
CVE-2024-20677 is a Remote Code Execution vulnerability in Microsoft Office applications, posing a significant risk to system confidentiality, integrity, and availability. Rated as ‘Important’ with a CVSS score of 7.8 / 6.8, it allows attackers to execute arbitrary code remotely on the targeted system.
The attack vector is local (AV:L), requiring initial system access for exploitation. However, the attack complexity is low (AC:L), meaning no sophisticated techniques are needed. The vulnerability can be exploited by any user, privileged or not (PR:N).
User interaction (UI:R) is necessary, indicating an attacker must entice a user to take action, like opening a crafted file or clicking a malicious link, highlighting the need for user vigilance.
As of the initial publication, there were no proof-of-concept demonstrations or confirmed exploits. The exploit code’s maturity is unproven. Applying Microsoft’s official fix is the advised remedy.
To mitigate this risk, Microsoft has disabled inserting FBX files in Word, Excel, PowerPoint, and Outlook on Windows and Mac, impacting Office 2019, 2021, LTSC for Mac 2021, and Microsoft 365. Existing 3D models from FBX files will function unless “Link to file” was used during pasting.
Note that the security update for Microsoft Office 2021 for Mac is pending and will be released promptly, with users notified upon availability. For more details on this vulnerability and disabling the Paste FBX file feature, refer to Microsoft’s support blog post.
Google Chrome
Google has swiftly issued emergency updates in response to an actively exploited critical vulnerability, marking the eighth zero-day flaw addressed in Chrome within a year. Detailed in their security advisory for CVE-2023-7024, the company acknowledges the existence of a functional exploit.
This high-severity issue, identified as CVE-2023-7024, stems from a heap buffer overflow within the WebRTC platform, a component also used in other browsers such as Mozilla Firefox, Safari, and Microsoft Edge. Researchers Clément Lesigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG) uncovered this flaw. The active exploitation of this vulnerability suggests potential involvement in advanced persistent threat (APT) activities or spyware campaigns.
While specific details of the attacks remain undisclosed, Google’s rapid response saw updates released just a day after the bug’s report. These updates are available for Windows (versions 120.0.6099.129/130) and for Mac and Linux (version 120.0.6099.129).
Google Web Toolkit
The Google Web Toolkit (GWT) Remote Code Execution (RCE) vulnerability has been a persistent security concern, unaddressed for over eight years, leaving numerous applications exposed to server-side risks. The Google Web Toolkit, an open-source tool used by around 2,000 software companies according to Enlyft, enables web developers to create and manage JavaScript interface applications in Java.
Despite its disclosure in 2015, the critical unauthenticated Java deserialization bug in the Google Web Toolkit platform remains unresolved. This oversight suggests that significant infrastructure modifications might be necessary for the future security of affected applications.
A comprehensive study by Bishop Fox delves into the specifics of the GWT vulnerability. The report not only details the vulnerability but also demonstrates its practical application in software and discusses possible countermeasures. The researchers draw parallels between the GWT issue and the Spring4Shell vulnerability identified in 2022, pointing out the negligence of code developers in addressing these vulnerabilities, including a lack of manual updates to the framework.
Bishop Fox highlights the complexity of mitigating the risks associated with vulnerable web applications. Given the fundamental nature of the bug, safeguarding applications developed using the framework might necessitate substantial changes either to the applications themselves or to the framework’s architecture.
However, the study does offer some interim measures for mitigation, providing a starting point for addressing this longstanding security flaw.
Mozilla Firefox
Mozilla has addressed 27 security vulnerabilities in Firefox version 121, enhancing the browser’s security. Among these, 13 vulnerabilities, notably dangerous, have been identified. Eleven of these are collectively categorized under CVE-2023-6864 and CVE-2023-6873. These vulnerabilities stem from memory-related issues, such as buffer overflows and accessing previously freed memory areas. Such flaws could potentially enable the execution of malicious code when a user visits specially crafted web pages.
Additionally, a critical vulnerability, designated as CVE-2023-6135, concerns the susceptibility of the NSS library to the “Minerva” attack. This specific attack method involves the recovery of a private key by analyzing data through indirect channels, posing a significant security risk.
Apache Open Office
The latest version of the Apache OpenOffice suite, 4.1.15, addresses four vulnerabilities, which were not initially mentioned in the changelog and disclosed only a few days post-release.
The first vulnerability, CVE-2023-1183, poses a risk by allowing data to be written to any file on the system, subject to access permissions. This can occur when OBD (Office Binder Document) files, formatted in a specific way, are opened in OpenOffice Base. The exploit involves using the SCRIPT command in a “database/script” file within the document, enabling the attacker to specify a file path where the content gets written.
Another vulnerability, CVE-2012-5639, concerns the automatic downloading and opening of internal or external resources without user notification. Initially identified in LibreOffice in 2012 and mistakenly marked as a non-issue, it was later resolved in LibreOffice 4.2 in 2014. However, this vulnerability remained unaddressed in OpenOffice until now.
CVE-2022-43680 represents a potential threat where a remote attacker could execute code through specially crafted documents, particularly in low-memory situations. This vulnerability stems from a use-after-free memory access error in the libexpat library, which is used for XML data parsing. The issue has been rectified in libexpat version 2.4.9.
The final vulnerability, CVE-2023-47804, introduces a new attack vector related to the previously patched CVE-2022-47502 in OpenOffice 4.1.14. It allows an attacker to embed a link in a document that triggers the execution of a macro with arbitrary arguments. This script execution can occur upon user interaction with the link or automatically through document-associated events, without requiring user confirmation.
Apache OFBiz
A critical Remote Code Execution (RCE) vulnerability in Apache OFBiz is currently being exploited, with publicly available Proof of Concepts (PoCs) aiding the attacks.
Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, is widely used by various companies for e-commerce, human resources, and accounting management. It is a crucial part of the supply chain, impacting software like Atlassian’s JIRA, which over 120,000 companies globally rely on.
This vulnerability, identified as CVE-2023-49070, was initially patched in the OFBiz version 18.12.10, released on December 5, 2023. The bug allows unauthorized privilege escalation, arbitrary code execution, and access to sensitive data. However, SonicWall researchers discovered that the root cause of CVE-2023-49070 remains unaddressed in the patched version, leaving it susceptible to exploitation.
SonicWall’s report outlines methods to circumvent Apache’s patch for CVE-2023-49070, exploiting specific credential combinations. The vulnerability originates from a flaw in handling empty or special parameters. After SonicWall communicated their findings, Apache quickly addressed the issue, categorizing it as a Server Side Request Forgery (SSRF) problem.
This newly identified bypass issue was assigned CVE-2023-51467 and was fixed in OFBiz version 18.12.11, released on December 26, 2023. Despite the availability of this update, many users have not yet upgraded, and the widespread availability of PoC exploits for pre-authenticated RCEs makes this vulnerability highly appealing to attackers. The Shadowserver Foundation has observed extensive scanning activities using these PoCs, targeting vulnerabilities like CVE-2023-49070, and anticipates similar patterns for CVE-2023-51467. The primary target of these attacks is the vulnerable Confluence software.
Apache OFBiz users are strongly encouraged to update to version 18.12.11 promptly to reduce their risk of exploitation.
Apache Struts
Shadowserver has reported the exploitation of a critical path traversal vulnerability in Apache Struts, identified as CVE-2023-50164. This Remote Code Execution (RCE) vulnerability impacts multiple versions of Struts, including 2.0.0 – 2.3.37, 2.5.0 – 2.5.32, and 6.0.0 – 6.3.0. Apache has issued patches for this vulnerability in versions 6.3.0.2 and 2.5.33 on December 7. Successful exploitation of this vulnerability can lead to unauthorized server access, sensitive data theft, disruption of critical services, and lateral movement within compromised networks.
As of now, only a limited number of IP addresses have been observed engaging in exploitation attempts. However, a more significant wave of attacks is anticipated. This expectation stems from the fact that on December 10, technical details about the vulnerability were leaked, along with the release of a publicly available Proof of Concept (PoC) exploit. The availability of this information is likely to increase the vulnerability’s exploitation by malicious actors.
Barracuda ESG
Barracuda and Mandiant have reported the active exploitation of two zero-day vulnerabilities by a Chinese APT group, UNC4841, with the primary vulnerability remaining unpatched.
The key vulnerability is designated as CVE-2023-7101, involving an arbitrary code execution issue in the third-party library Spreadsheet::ParseExcel, a Perl module for parsing Excel files. The flaw arises from the handling of unverified input data from a file by the ‘eval’ function as a string. Specifically, this vulnerability is linked to the processing of numeric format strings in Excel’s parsing logic.
The second vulnerability, labeled CVE-2023-7102, is found in a library used in the firmware of Barracuda’s ESG appliances and is considered a separate bug.
Upon successful exploitation of these vulnerabilities, UNC4841 managed to deploy new variants of the SEASPY and SALTWATER malware on a limited number of ESG appliances. In response, Barracuda released a patch on December 22, 2023, to address the compromised ESG devices showing indicators of the identified malware variants. While Barracuda has restricted the functionality of the vulnerable library in its ESG appliance, the primary issue, CVE-2023-7101, in the open-source library remains unpatched.
Organizations utilizing the Spreadsheet::ParseExcel library are advised to assess the impact of CVE-2023-7101 and implement immediate remediation measures. Experts believe that the APT group, UNC4841, may still possess additional undisclosed zero-day vulnerabilities, which could be strategically employed in targeted attacks against significant entities.
Apple
The narrative of last year’s most infamous cyberattack is reaching its conclusion, revealing that vulnerabilities and exploits to bypass iPhone hardware security mechanisms were due to undocumented features in Apple chips, from A12 to A16 Bionic. The comprehensive reverse-engineering of the attack chain led to the patching of most firmware vulnerabilities. Many of these vulnerabilities were exploited due to features left in the firmware for testing, debugging, or accidentally during manufacturing.
Labelled as Operation Triangulation, this campaign is considered one of the most sophisticated attack chains in history. Kaspersky Lab researchers spent a year dissecting the attack, striving to unravel all aspects of this cyber espionage campaign first discovered in early 2023.
In their investigation, researchers also analyzed previously known zero-days and unveiled a notable iOS device feature, assigned CVE-2023-38606, patched on July 24 with iOS/iPadOS 16.6 release. Attackers exploited undocumented functionalities in Apple processors, which, while unused in iOS code, enabled them to bypass hardware protections and seize complete device control. Specifically, CVE-2023-38606 exploits unknown MMIO registers in Apple’s A12-A16 Bionic chips, likely linked to the graphic coprocessor. This vulnerability allows manipulation of hardware functions and control over direct memory access. Researchers speculate that this undocumented feature’s inclusion in iPhones was either an oversight or intended for Apple engineers’ debugging and testing.
Yet, many questions about CVE-2023-38606 remain unanswered, including how attackers discovered this feature and its original intent, and whether Apple or a third party developed it. This case underscores that systems relying on “security by obscurity” cannot guarantee absolute security.
In response to these findings, Apple has released security updates for iOS, iPadOS, macOS, tvOS, watchOS, and Safari, addressing multiple new vulnerabilities, including critical ones. The iOS and iPadOS updates fix 12 vulnerabilities, with the most severe being a memory corruption issue in ImageIO. macOS Sonoma 14.2 patches 39 bugs, including a critical Bluetooth vulnerability (CVE-2023-45866) allowing network-based keystroke injection.
Additionally, Safari 17.2 addresses two WebKit bugs leading to potential RCE and DoS attacks. These updates cover devices running macOS Monterey and Ventura. iOS 17.2 and iPadOS 17.2 not only fix a Siri vulnerability but also introduce a new contact key verification feature in iMessage, enhancing privacy and countering server infrastructure abuse by spyware and APT vendors.
Linux
In December, a local vulnerability in the Linux kernel, exploitable through nftables, was addressed. This vulnerability, identified as CVE-2023-6817, was found in the netfilter subsystem and could allow a local user to escalate privileges on the system. The issue originates from a use-after-free memory access in the nf_tables module, responsible for the nftables packet filter.
The vulnerability is present in Linux kernel versions starting from 5.6. A resolution for this issue was proposed in the 6.7-rc5 testing release of the Linux kernel and has since been integrated into the current stable branches, including versions 5.10.204, 5.15.143, 6.1.68, and 6.6.7.
Specifically, the vulnerability stems from a flaw in the nft_pipapo_walk function. This function, involved in the Pile Packet Policies (PIPAPO) item lookup process, fails to properly check for duplicates, leading to the erroneous release of memory. To exploit this vulnerability, an attacker requires access to nftables, achievable with CAP_NET_ADMIN privileges in any user or network namespace, such as those found in isolated containers.
For testing purposes, a prototype exploit has been developed and released, allowing client systems to assess their vulnerability to this security flaw.
ESET
A serious vulnerability in the secure traffic scanning feature of ESET’s endpoint security products has been disclosed by an anonymous researcher.
This vulnerability, designated as CVE-2023-5594 and rated 7.5 on the CVSS scale, affects the way ESET’s products monitor SSL/TLS protocol scans. Specifically, it leads to browsers trusting sites with certificates signed by outdated algorithms that are considered untrustworthy.
The root cause of this issue is the improper validation of the server certificate chain. ESET’s system erroneously regarded an intermediate certificate signed using MD5 or SHA1 as trustworthy. As a result, a browser on a system with ESET Secure Traffic Scanning enabled could erroneously trust a site secured with such a certificate.
The range of affected products is extensive, including NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus, Endpoint Security, Server Security, Mail Security, Security for Microsoft SharePoint Server, and File Security for Microsoft Azure.
ESET has addressed this vulnerability and is deploying patches as part of an automatic update, beginning November 21. Users do not need to take any action to install this patch.
As per ESET’s statement, there have been no observed attacks exploiting this vulnerability.
Ivanti
Ivanti customers are facing yet another update requirement following a series of recent incidents. Adding a somewhat ironic twist, exactly thirteen new critical Remote Code Execution (RCE) vulnerabilities have been identified, a number that might unsettle the superstitious.
These vulnerabilities impact Ivanti’s Avalanche mobile device management (MDM) solution. As detailed by Ivanti, these security issues were identified by Tenable researchers as part of the Zero Day Initiative. They involve the WLAvalancheService stack and a heap-based buffer overflow.
All supported versions of the product, specifically Avalanche version 6.3.1 and later, are affected. These vulnerabilities can be exploited by unauthenticated attackers in low-complexity attacks, which do not require user interaction. Such attacks could lead to remote code execution or trigger a Denial of Service (DoS) condition on systems that have not been patched. Additionally, Ivanti has patched eight other vulnerabilities ranging from moderate to high severity, which could be exploited for DoS, remote code execution, and server-side request forgery (SSRF).
Ivanti has addressed all discovered vulnerabilities in Avalanche v6.4.2.313. Customers are strongly advised to download the Avalanche installer and upgrade to this latest version.
However, given the sheer number of issues, there’s a significant concern that advanced attackers might have already exploited these vulnerabilities. This raises the specter of a potential new major security breach, reminiscent of the “Norwegian” case, looming on the horizon.
OpenSSH
Researchers at Ruhr-Universität Bochum have unveiled a new prefix truncation attack named Terrapin, compromising the integrity of OpenSSH connections under specific encryption modes.
Terrapin exploits vulnerabilities in the SSH transport layer protocol, leveraging cryptographic algorithms and encryption modes introduced by OpenSSH over a decade ago. This attack allows modification of messages in the channel, leading to less secure client authentication algorithms and disabling protection against keystroke timing attacks in OpenSSH 9.5.
The bugs related to this attack are identified as CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446. Attackers need to be in a Man-in-the-Middle (MiTM) position at the network layer to intercept and manipulate the handshake exchange. The connection must be secured using either ChaCha20-Poly1305 or CBC with encryption, then MAC. The content of messages exchanged post-handshake influences the attack’s severity.
Despite specific conditions required for Terrapin, the prevalent use of these encryption modes (77% as per scans) makes the attack a realistic threat. Vendors are progressively addressing this issue, with one solution being the implementation of strict key exchange, which prevents packet injection during the handshake. However, this countermeasure is only effective when implemented on both the client and server side.
The research team has made available a vulnerability scanner named Terrapin on GitHub, enabling administrators to assess if their SSH client or server is susceptible to this attack. Addressing Terrapin is not a straightforward software update; both clients and servers require updates to safeguard against prefix truncation attacks.
Currently, the necessity for a MiTM position to execute Terrapin lessens its immediate threat, which may lead to CVE-2023-48795 not being a top priority for patching in some instances. Detailed information on the Terrapin attack is available in the technical report.
To remedy the Terrapin vulnerability and other issues, OpenSSH 9.6 has been released. This update addresses three security concerns:
-
- CVE-2023-48795 (the “Terrapin” attack): This vulnerability in the SSH protocol allows a MITM attack to downgrade the connection to use less secure authentication algorithms and disables protection against third-party input reconstruction attacks.
- A vulnerability in the ssh utility: This issue allows for the substitution of arbitrary shell commands by manipulating login and host values with special characters. It can be exploited under certain conditions, such as systems using Git submodules.
- A bug in ssh-agent: This issue affects the application of restrictions, only applying them to the first key returned by a PKCS#11 token when adding PKCS#11 private keys. This does not impact regular private keys or FIDO tokens and keys set without restrictions.
Perforce Helix Core Server
Microsoft has identified a critical Remote Code Execution (RCE) vulnerability in Perforce Helix Core Server, a source code management platform extensively utilized in the gaming, government, military, and technology sectors. Alongside this, three other vulnerabilities related to Denial of Service (DoS) have been detected.
To address these issues, Microsoft advises users to upgrade to version 2023.1/2513900 of Perforce Helix Core Server, released on November 7, 2023.
The most severe of these vulnerabilities is CVE-2023-45849, which has been assigned a CVSS score of 10. This vulnerability poses a significant threat, as it could enable an unauthenticated attacker to execute arbitrary code with LocalSystem privileges. Such access would allow the attacker to reach local resources and system files, alter registry settings, and potentially cause further system compromises.
For enhanced protection, Microsoft recommends implementing additional security measures. These include restricting access to the Perforce Server through the use of VPNs or IP whitelisting, employing TLS proxy certificates for user authentication, meticulously logging all accesses to the Perforce Server, and applying network segmentation strategies to contain and control any potential breaches. These proactive steps aim to fortify the security posture against such vulnerabilities.
Dell
Dell has addressed eight vulnerabilities in its PowerProtect DD solutions, several of which are rated as high severity. These vulnerabilities impact a range of products, including PowerProtect Data Domain (DD) Series appliances, APEX Protect Storage, PowerProtect DD Management Center, PowerProtect DP Series appliances, and PowerProtect Data Manager.
The most critical vulnerability, assigned a CVSS score of 8.8, is CVE-2023-44286. This is a DOM-based cross-site scripting vulnerability, which enables a remote, unauthorized attacker to inject malicious HTML or JavaScript code into a victim’s browser DOM environment. Successful exploitation of this vulnerability could lead to client-side request forgery, session theft, and information disclosure.
In addition to CVE-2023-44286, there are several other high-severity vulnerabilities related to operating system command injection and access control flaws. The command injection flaws present a risk of arbitrary command execution on the underlying operating system with the privileges of the vulnerable application, potentially allowing an attacker to take control of the target system. While exploitation typically requires local access and either low or elevated privileges, an attacker could potentially leverage a vulnerability like CVE-2023-44286 to meet authentication requirements.
Furthermore, three moderate vulnerabilities were identified in PowerProtect products. These could be exploited by an authenticated attacker to circumvent security restrictions and gain control of the system, obtain read and write access to operating system files, and execute arbitrary SQL commands on the application’s server database, resulting in read access.
Dell Technologies urges customers to review the DSA-2023-412 advisory and apply the necessary updates. While there has been no observed exploitation of these vulnerabilities, solutions from the vendor have been targeted by Lazarus APTs in the past year. Hence, it’s crucial for users to stay vigilant and ensure their systems are up to date with the latest security patches.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
