Patch Tuesday October 2023

Patch Tuesday October 2023 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, watch the recorded October 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

In this issue, you will learn about patches for:

• ^ Microsoft vulnerabilities from Patch Tuesday:
  • ^ HTTP/2 Rapid Reset Attack (CVE-2023-44487)
  • ^ Skype for Business Elevation of Privilege Vulnerability (CVE-2023-41763)
  • ^ Microsoft WordPad Information Disclosure Vulnerability (CVE-2023-36563)
  • ^ Remote Code Execution Vulnerabilities in Layer 2 Tunneling Protocol (CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, CVE-2023-41768, CVE-2023-41767, CVE-2023-41765, and CVE-2023-38166)
  • ^ Microsoft Message Queuing Remote Code Execution Vulnerability (CVE-2023-35349)
• ^ Third-party application vulnerabilities:
  • • ^ Google Chrome
    • ^ Mozilla Firefox
    • ^ Apple
    • ^ Linux
    • ^ Atlassian
    • ^ Progress Software WS_FTP
    • ^ Jet Brains Team City
    • ^ Exim
    • ^ RSA
    • ^ Cisco
    • ^ Libre Office
    • ^ Nagios
    • ^ Kubernetes
    • ^ Supermicro IPMI
    • ^ Qualcomm Compute DSP
    • ^ NTFS GRUB2

Microsoft Vulnerabilities

Welcome to October 2023’s Patch Tuesday, a significant milestone as we celebrate the 20th anniversary of both Patch Tuesday and Cybersecurity Awareness Month. This month has witnessed a remarkable surge in vulnerabilities being addressed, not only by Microsoft but also by various third-party vendors. The sheer volume of vulnerabilities being patched is truly impressive, signaling a resurgence in security risks across the industry.

This Patch Tuesday, Microsoft has addressed 103 vulnerabilities, surpassing the number from September. Notably, there are 16 critical vulnerabilities fixed this month, a significant increase compared to the previous month. Furthermore, three zero-day vulnerabilities are addressed, with proof of concept available for two of them. Below are the details on the most interesting critical updates.

HTTP/2 Rapid Reset Attack

CVE-2023-44487, HTTP/2 Rapid Reset Attack, is a zero-day Denial of Service vulnerability. It is considered a critical issue affecting Microsoft Windows 10 and later, as well as Microsoft Windows Server 2016 and later. The vulnerability is associated with the HTTP protocol version 2, impacting all web servers running on Microsoft Windows. While it doesn’t have an assigned CVSS rating, it holds significant importance in Microsoft’s security landscape.

A workaround is available by disabling the HTTP/2 protocol on your web server through the registry editor. However, Microsoft strongly recommends applying the provided updates for this vulnerability as a more robust and lasting solution.

Microsoft has confirmed active exploitation of this attack in the wild, although there is currently no available proof of concept.

Skype for Business Elevation of Privilege Vulnerability

A zero-day vulnerability, CVE-2023-41763, has been identified in Skype for Business, impacting versions 2015 and 2019. This vulnerability is characterized by its network-based attack vector, low attack complexity, and requires no user privileges or interaction. Its Common Vulnerability Scoring System (CVSS) rating is 5.3, indicating a relatively low risk due to the non-critical nature of the exposed information.

An attacker could exploit this vulnerability by initiating a specially crafted network call to the targeted Skype for Business server. This action could lead to the parsing of an HTTP request sent to an arbitrary address, potentially revealing IP addresses and port numbers. While some sensitive information may be exposed, it’s important to note that the attacker cannot modify the exposed data or restrict access to the affected resource. In specific cases, the disclosed sensitive information may grant access to internal networks.

Microsoft has confirmed this vulnerability is exploited in the wild, and a proof of concept is available to demonstrate its exploitability.

Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-36563 is a zero-day vulnerability that pertains to Microsoft WordPad and is the final one addressed in this patch. It possesses a network-based attack vector with low complexity, requiring user interaction but not user privileges. The vulnerability is rated with a CVSS score of 6.5, indicating a moderate risk as it exposes NTLM hashes.

The vulnerability impacts Windows 10 and later, as well as Windows Server 2008 and later.

To exploit this vulnerability, an attacker must first gain access to the system. Subsequently, they would run a specially crafted application designed to take advantage of the vulnerability and seize control of the affected system. Alternatively, the attacker could persuade a local user to open a malicious file. This persuasion might involve enticing the user to click a link, often via email or instant message, and then convincing them to open the specially crafted file.

Once the attacker acquires NTLM hashes, they can attempt to crack them using methods such as rainbow tables, particularly with a higher chance of success if the password is shorter than ten characters.

Microsoft has acknowledged the exploitation of this vulnerability, and a proof of concept demonstrating its impact is available.

Remote Code Execution Vulnerabilities in Layer 2 Tunneling Protocol

Nine vulnerabilities have come to light within the Layer 2 Tunneling Protocol, identified as CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, CVE-2023-41768, CVE-2023-41767, CVE-2023-41765, and CVE-2023-38166. Collectively, these vulnerabilities are characterized as Layer 2 Tunneling Protocol Remote Code Execution Vulnerabilities. They possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction. The Common Vulnerability Scoring System (CVSS) rates these vulnerabilities at 8.1, indicating their severity, although their exploitation is notably intricate.

These vulnerabilities impact Windows 10 and later versions, as well as Windows Server 2008 and its subsequent iterations.

Notably, Microsoft has reported that there is no evidence of active exploitation of these vulnerabilities in the wild, and no proof of concept has surfaced as of now.

To successfully exploit these vulnerabilities, an attacker must overcome a race condition. An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server, potentially leading to remote code execution (RCE) on the targeted RRAS server computer.

Microsoft Message Queuing Remote Code Execution Vulnerability

The most severe among critical vulnerabilities, labeled CVE-2023-35349, targets the Microsoft Message Queuing Service. This vulnerability possesses a network-based attack vector, a low level of attack complexity, requires no special privileges, and demands no user interaction. Notably, it carries a CVSS rating of 9.8, signifying its extreme severity, as the successful exploitation of this vulnerability could empower an unauthenticated attacker to remotely execute code on the vulnerable server. This threat extends its reach to Windows 10 and later versions, as well as Windows Server 2008 and beyond.

Microsoft has confirmed that there is no ongoing exploitation of this vulnerability in the wild, and no proof of concept has surfaced to date.

However, there exists a mitigation strategy for this vulnerability. Mitigation, in this context, refers to a default setting, common configuration, or general best practice that can be employed to reduce the vulnerability’s impact. Specifically, the Windows Message Queuing Service, a component of the Windows operating system, must be enabled for a system to be susceptible to this vulnerability. Users can manage this feature through the Control Panel. To verify if a service named “Message Queuing” is active and listening on TCP port 1801 on your computer, and if it is not needed for your business operations, it is advisable to disable this service.

Google Chrome

Google has rolled out an update for its Chrome browser, version 117.0.5938.132, addressing a zero-day vulnerability (CVE-2023-5217) found in the libvpx library. This particular vulnerability triggers a buffer overflow when utilizing P8 encoding functions. Unlike the recently uncovered WebP image decoder vulnerability, the issue with the VP8 encoder is classified as high severity, although it does not reach the critical level. This means that while it poses a substantial risk, it doesn’t grant attackers the ability to bypass all browser defenses, and its exploitation necessitates the presence of other vulnerabilities to execute code outside of the browser’s sandbox environment. This vulnerability came to light during the analysis of an existing, actively used exploit in the wild, employed by attackers in zero-day attacks.

Exploiting this vulnerability entails opening a specially crafted webpage that invokes VP8 encoding functions. It’s important to note that this issue affects libvpx and any applications reliant on this library, including the Chromium engine and the Electron platform. However, successful exploitation hinges on the ability to execute JavaScript code within the application, predominantly affecting web browsers. Additionally, it’s plausible (though not confirmed) that a similar vulnerability may exist in Firefox, which also employs the libvpx library for processing VP8 format.

In a separate critical vulnerability related to the libwebp library, exploitation can occur when processing a specially crafted image. This vulnerability impacts Chrome, Safari, Firefox, Thunderbird, and a multitude of products relying on libwebp, the Chromium engine, or the Electron platform. This extensive list encompasses Discord, GitHub Desktop, Mattermost, Signal, Edge, Brave, Opera, Slack, Twitch, Visual Studio Code, Android, 1Password, and Telegram. Take advantage of the Action1 report pinpointing software that has either been identified to have the WebP vulnerability or that the vendor has released a patch for.

To safeguard against potential XSS attacks capable of executing malicious code within victims’ browsers, it’s imperative that all users promptly update their browsers to patch version 117.0.5938.132. This update also addresses critical vulnerabilities, namely CVE-2023-5186 (Use after free in passwords) and CVE-2023-5187 (Use after free in extensions). Google refrains from disclosing detailed information about these non-zero-day vulnerabilities until the majority of browsers have been updated.

Mozilla Firefox

The release of Firefox 117.0.1 includes a patch that addresses a security vulnerability among other issues. While the specific details of the vulnerability report have not yet been disclosed, the code fixes within the release point to the resolution of a critical vulnerability ( CVE-2023-4863) within the libwebp library. This vulnerability had the potential to enable code execution when processing specially formatted images in the WebP format.

Mozilla has also announced Firefox 118, which incorporates fixes for a total of 16 vulnerabilities. Of these, thirteen vulnerabilities, including eight grouped under CVE-2023-5176, are classified as dangerous. They have the potential to trigger memory handling problems such as buffer overflows and access to memory areas that have previously been freed. These issues, if exploited, could lead to the execution of malicious code when opening specially crafted web pages.

Apple

Apple has recently issued unscheduled patches to address three more actively exploited zero-day vulnerabilities, affecting both iPhone and Mac users. These vulnerabilities are suspected to have been exploited through spyware. Among them, two were discovered in the WebKit browser kernel, identified as CVE-2023-41993 and CVE-2023-41991. These vulnerabilities enable attackers to bypass signature verification via malicious applications and execute arbitrary code through malicious websites. The third vulnerability, CVE-2023-41992, was found in the kernel framework, which provides support for kernel extensions and resident device drivers. This particular vulnerability could be exploited by local attackers to gain elevated privileges.

The affected devices encompass a wide range of models, including iPhone 8 and later, iPad mini 5th generation and later, Macs running macOS Monterey and later, and Apple Watch Series 4 and later. Apple has released macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 updates, addressing these vulnerabilities by fixing certificate validation issues and enhancing security checks. Apple did acknowledge that these issues might have been active in earlier iOS versions before iOS 16.7, although no additional details were provided.

These attacks and newly discovered zero-day vulnerabilities were initially reported by researchers at Citizen Lab and Google TAG, raising concerns about potential involvement of commercial spyware. Notably, these zero-day vulnerabilities were exploited in a zero-click exploit chain called BLASTPASS, which targeted fully patched iPhones with NSO Group’s Pegasus commercial spyware.

In addition to these zero-day vulnerabilities, Apple issued emergency security updates to address another critical vulnerability, CVE-2023-42824, which has been used in exploit chains against iPhones and iPads running iOS versions prior to iOS 16.6. This vulnerability affects the XNU kernel and allows local attackers to escalate privileges on unpatched devices. Apple resolved this issue in iOS 17.0.3 and iPadOS 17.0.3 with enhanced security checks, though the identity of the discoverer remains undisclosed.

Furthermore, Apple addressed CVE-2023-5217, stemming from a heap buffer overflow issue in the VP8 encoding of the open-source libvpx video codec library, potentially leading to remote code execution if successfully exploited. Notably, this marks the 17th zero-day vulnerability patched by Apple since the start of the year, with many of them being exploited by spyware.

Additionally, the updated iOS 17.0.3 addresses an overheating issue previously seen in iOS 17.0.2 and earlier versions.

Researcher Adam Chester recently unearthed a vulnerability that allows malicious processes to hijack MacOS application permissions. Dubbed “DirtyNIB,” this exploit involves replacing NIB files within application packages without disrupting application permissions or gatekeeper validation. Chester had originally discovered this vulnerability, formerly known as CVE-2022-48505, and decided to revisit it after Apple’s attempts to fix it. Astonishingly, the vulnerability remained functional, despite certain caveats in later MacOS versions. Specifically, this vulnerability affects MacOS Sonoma and remains a zero-day issue as it awaits resolution from Apple.

Linux

A recently unearthed Linux vulnerability, coined as “Looney Tunables,” has come to light, allowing local attackers to gain root privileges by exploiting buffer overflow issues within the GNU C library’s ld.so dynamic loader. The GNU C library (glibc) is a fundamental component of the GNU system, extensively used in most Linux kernel-based systems, providing essential functions and system calls such as open, malloc, printf, exit, and more, essential for program execution. The dynamic loader within glibc plays a pivotal role in the preparation and execution of programs on Linux systems utilizing glibc.

This vulnerability, officially designated as CVE-2023-4911 and discovered by Qualys, was initially detected in April 2021 with the release of glibc 2.34. It was introduced as part of a commit addressing the SXID_ERASE behavior in programs employing setuid. The vulnerability is activated when processing the GLIBC_TUNABLES environment variable within standard installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38 (with Alpine Linux being an exception). Successful exploitation results in the acquisition of root privileges.

In the words of Red Hat, this issue permits a local attacker to exploit maliciously crafted GLIBC_TUNABLES environment variables when executing SUID-enabled binaries, thereby executing code with elevated privileges. Even low-privilege attackers could potentially exploit this grave vulnerability to carry out low-complexity attacks that do not necessitate user interaction.

Exploits targeting this vulnerability have already surfaced online. Since Qualys unveiled this vulnerability, several researchers have managed to submit Proof of Concept (PoC) exploits that function on select system configurations.

Due to the significant threat posed by this vulnerability, granting root access to systems running the latest versions of widely used Linux platforms like Fedora, Ubuntu, and Debian, administrators are urged to take immediate action.

In addition to Looney Tunables, other recently discovered vulnerabilities in the Linux ecosystem include:

• CVE-2023-39191: A vulnerability within the eBPF subsystem, potentially allowing local users to escalate privileges and execute code at the kernel level. This vulnerability arises from improper validation of eBPF programs provided by the user, contingent on the ability to load their BPF program, especially when the kernel.unprivileged_bpf_disabled parameter is set to 0, as in the case of Ubuntu 20.04, for instance.
• CVE-2023-42753: A flaw in array indexing within the ipset implementation in the netfilter kernel subsystem, potentially leading to pointer manipulation and conditions for reading or writing memory outside allocated buffers. An exploit prototype for this vulnerability has already been detected in real-world incidents. The remedy for this issue is incorporated into kernel releases 5.4.257, 6.5.3, 6.4.16, 6.1.53, 5.10.195, and 5.15.132.
• CVE-2023-39192, CVE-2023-39193, CVE-2023-39193: Multiple vulnerabilities within the Linux kernel that result in kernel memory leaks due to the ability to read beyond allocated buffer boundaries in the netfilter subsystem’s match_flags and u32_match_it functions, as well as in the state filter processing code.
• CVE-2023-42755: A vulnerability allowing unprivileged local users to induce a kernel crash due to a flaw in pointer handling within the rsvp traffic classifier. This issue spans across LTS kernels 6.1, 5.15, 5.10, 5.4, 4.19, and 4.14. A prototype exploit has been prepared, although the fix is still pending inclusion into the kernel and is presently available as a patch.
• CVE-2023-42756: A race condition in the NetFilter kernel subsystem, potentially enabling local users to trigger a Panic state. A prototype exploit has been developed, functioning in at least 6.5.rc7, 6.1, and 5.10 kernels. Similar to the previous case, the fix is awaiting acceptance as part of the kernel and is accessible as a patch.
• CVE-2023-4527: A stack overflow issue within the glibc library occurring during the processing of DNS responses larger than 2048 bytes when using the no-aaa option in /etc/resolv.conf with Glibc versions newer than 2.36. This vulnerability could result in a stack leak or system crash.
• CVE-2023-40474, CVE-2023-40475: Vulnerabilities within the GStreamer multimedia framework, caused by integer overflows in MXF video file handlers, potentially leading to the execution of arbitrary code when processing specially formatted MXF files in applications employing GStreamer. These issues have been resolved in the gst-plugins-bad 1.22.6 package.
• CVE-2023-40476: A buffer overflow in GStreamer’s proposed H.265 video handler, allowing for arbitrary code execution when processing specially crafted video content. This vulnerability has been rectified in the gst-plugins-bad 1.22.6 package.
• CVE-2023-36664: An exploit targeting the CVE-2023-36664 vulnerability in the Ghostscript package, enabling the execution of arbitrary code when opening specially formatted PostScript documents. This problem arose due to incorrect handling of filenames beginning with the “|” character or the %pipe% prefix. The vulnerability has been resolved in Ghostscript 10.01.2.
• CVE-2023-3341, CVE-2023-4236: Vulnerabilities within the BIND 9 DNS server that could cause the named process to crash when processing specially formatted control messages under certain high loads in DNS-over-TLS mode. These vulnerabilities have been addressed in BIND 9.16.44, 9.18.19, and 9.19.17.
• CVE-2023-4504: A vulnerability in the CUPS print server and libppd library, potentially leading to a buffer overflow when parsing specially formatted Postscript documents. This vulnerability could be exploited to execute arbitrary code on the system. The issue has been rectified in CUPS 2.4.7 (patch) and libppd 2.0.0 (patch).

Atlassian

Atlassian has identified significant vulnerabilities in its solutions that could potentially be exploited for Denial of Service (DoS) and Remote Code Execution (RCE) attacks. The Australian software vendor has responded promptly by releasing patches for these vulnerabilities in the latest versions of Jira, Confluence, Bitbucket, and Bamboo.

Firstly, CVE-2023-22513 (CVSS: 8.5) is described as an RCE vulnerability found in Bitbucket. What makes this vulnerability particularly concerning is that an authenticated attacker can exploit it without any user interaction. This issue was identified in Bitbucket version 8.0.0 and affects most versions prior to 8.14.0.

The second vulnerability, CVE-2023-22512 (CVSS 7.5), pertains to a DoS problem affecting the Confluence Data Center and Server products. It has been observed in product versions starting from 5.6 and impacting releases up to and including 8.5.0. An unauthenticated attacker could exploit this vulnerability to obstruct access to resources and disrupt the service of a vulnerable host on the network, either temporarily or indefinitely.

CVE-2023-28709 (CVSS 7.5) is classified as a DoS bug occurring in the Apache Tomcat server, which affects Bamboo. This vulnerability exists because the previous fix for another vulnerability, CVE-2023-24998, was not entirely effective.

For Jira, updates have been provided to address CVE-2022-25647 (CVSS 7.5), which relates to a deserialization issue within Google’s Gson package and has an impact on Jira Service Management patching.

The most critical among these vulnerabilities is CVE-2023-22515, which involves privilege escalation and affects Confluence Data Center and Server versions 8.0.0 and later. This vulnerability allows for remote exploitation through low-complexity attacks that do not necessitate user interaction. Notably, Atlassian Cloud remains unaffected by this issue. To safeguard their systems, customers using vulnerable versions of Confluence Data Center and Server are strongly encouraged to upgrade to one of the fixed versions (8.3.3 or later, 8.4.3 or later, 8.5.2 or later) as soon as possible. Administrators can further enhance security by denying access to the /setup/* endpoints within Confluence instances and diligently checking all instances for any signs of compromise.

In addition to promptly applying updates and mitigation measures, Atlassian advises customers to consider disabling affected instances or isolating them from the Internet if an immediate patch cannot be implemented. Researchers anticipate that, given the high demand for these solutions in the cyber underground, attackers will soon scrutinize these patches to understand the vulnerabilities, with the intent to develop functional exploits.

Progress Software WS_FTP

Progress Software, known for its MOVEit transfer platform and regrettably infamous due to a series of associated incidents, has issued a critical warning to its customers regarding a high-severity vulnerability found in its WS_FTP Server software.

This software is widely employed in enterprise environments across the globe for secure file transfers. Among the patched vulnerabilities affecting WS_FTP, two are categorized as critical. Notably, one of them, identified as CVE-2023-40044, received the maximum severity score of 10/10. This particular vulnerability grants unauthenticated attackers the ability to execute remote commands. Equally critical is CVE-2023-42657, which constitutes a directory traversal flaw, enabling attackers to conduct file operations beyond the authorized path within WS_FTP, potentially compromising the base operating system. Both vulnerabilities are susceptible to exploitation through low-complexity attacks that do not necessitate user interaction.

Progress Software has expressed deep concern over the fact that Assetnote researchers have publicly disclosed technical details along with a Proof of Concept (PoC) for CVE-2023-40044. This vulnerability stemmed from a .NET deserialization issue within the Ad Hoc Transfer module, allowing unauthenticated attackers to remotely execute commands within the underlying operating system through a simple HTTP request. This issue persisted for an extended duration, rendering most versions of WS_FTP susceptible.

The WS_FTP Progress Team strongly advises customers to upgrade to the latest version, 8.8.2. The sole effective method of resolving this issue is by upgrading to the patched version using the full installer. Furthermore, the vendor has furnished instructions on disabling the vulnerable ad hoc transfer module of the WS_FTP server when it is not in active use.

As of the current date, there are approximately 2,000 Internet-hosted instances of WS_FTP (with an open Web server, crucial for exploitation). Most of these instances belong to prominent corporations, government agencies, and educational institutions.

Alarmingly, on the same day that the PoC exploit was made public, Rapid7 researchers detected signs of a concerted campaign aimed at the mass exploitation of vulnerable WS_FTP servers, occurring on the evening of September 30. Notably, all these incidents shared the same Burpsuite domain, suggesting the involvement of a single actor orchestrating these activities. Given the complexity of this situation, further compounded by the consequences of a prior incident involving another compromised MOVEit transfer solution, Progress Software’s management has expressed strong criticism of the researchers. They argue that the researchers’ actions inadvertently provided cybercriminals with a potent tool for targeting customers. Additionally, the developers expressed a hope that the security community would cease the practice of irresponsibly releasing PoCs immediately following the release of security updates. While this plea may be heard, it may not be enough to shield Progress Software from the potential repercussions of another incident akin to the MOVEit transfer breach.

Jet Brains Team City

Researchers at SonarSource have uncovered a critical vulnerability in TeamCity that poses a severe threat, potentially enabling attackers to execute arbitrary code and gain control of vulnerable servers. TeamCity, developed by JetBrains, is a widely adopted build management and continuous integration (CI/CD) platform available for on-premises installation and as a cloud service.

This vulnerability, identified as CVE-2023-42793, holds a CVSS rating of 9.8 and is characterized as an authentication bypass issue affecting all local TeamCity instances, including versions up to and including 2023.05.3. It’s important to note that TeamCity Cloud remains unaffected by this vulnerability. What makes this particularly concerning is that the vulnerability can be exploited remotely without the need for authentication. This allows attackers to execute arbitrary code and attain administrative control over a vulnerable server, enabling them to pilfer sources, secrets, private keys, and even inject malicious code into the build process. Such an attack jeopardizes the integrity of software releases and can potentially trigger a full-scale assault on the software supply chain.

The good news is that this vulnerability has been addressed in TeamCity version 2023.05.4. JetBrains has also taken additional steps by releasing a security patch plugin for TeamCity versions 8.0 and above, with no rollback option available.

Switzerland-based SonarSource, the entity behind this discovery, chose to publish full technical details of the vulnerability merely a week after JetBrains issued the fix on September 21 through TeamCity 2023.05.4.

The seriousness of this issue is underscored by the fact that there are 1,240 unpatched and vulnerable TeamCity servers accessible online, according to the Shadowserver Foundation’s data. Furthermore, TeamCity is employed by developers in over 30,000 organizations worldwide, including prominent names such as Citibank, Ubisoft, HP, Nike, and Ferrari.

In a disconcerting development, just a few days later, GreyNoise and PRODAFT observed the initial attempts to exploit this critical authentication bypass vulnerability. PRODAFT has even speculated that several ransomware groups have already incorporated CVE-2023-42793 exploits into their arsenal, using them to compromise vulnerable TeamCity servers. This has unfortunately resulted in victims being impacted by these attacks. GreyNoise has documented that the onslaught on JetBrains’ TeamCity servers, accessible on the internet, is being launched from 56 distinct IP addresses as part of a single campaign. Notably, two days prior to this revelation, GreyNoise cautioned organizations that had not updated their servers by September 29, indicating that their systems were likely already compromised. The looming specter of follow-on attacks, often triggered after the compromise of software supply chains, is now an imminent concern.

Exim

The Exim mail transfer agent (MTA) software, in all its versions, is currently exposed to a critical zero-day vulnerability, which permits malicious actors to execute remote code on publicly accessible servers without the need for authentication. This vulnerability was discovered by an anonymous security researcher and subsequently disclosed through Trend Micro’s Zero Day Initiative (ZDI). It is assigned CVE-2023-42115 with a CVSS score of 9.8 and relates to an out-of-bounds recording vulnerability.

Traditionally, such vulnerabilities can result in software crashes or data corruption if successfully exploited. However, they can also serve as a means to execute arbitrary code or commands on vulnerable servers. In this specific instance, the vulnerability resides within the SMTP service, which, by default, listens on TCP port 25. The issue arises from the absence of proper validation of user-supplied data, which could potentially lead to out-of-buffer writing. A potential attacker could exploit this flaw for remote code execution within the context of a service account. Although the ZDI team has rated Exim at 9.8 out of 10 in terms of severity, the vendor argues that successful exploitation of CVE-2023-42115, the most critical among the six vulnerabilities disclosed recently, hinges on the use of external authentication against target servers. According to Shodan, such a condition significantly reduces the number of potentially vulnerable Exim mail servers, which stands at 3.5 million in total across the network.

ZDI initially reported this issue to the Exim team in June 2022 and resubmitted it to the vendor in May 2023. However, developers did not provide any updates. On September 27, ZDI published advisories outlining CVE-2023-42115 and disclosed five other lower-severity zero-days in Exim.

The Exim developers have since released patches for three of these zero-days, including one that enables unauthenticated attackers to achieve remote code execution (CVE-2023-42115). The fixes are readily available in a secure repository and are poised for distribution by maintainers.

Among the remaining zero-days yet to be patched are CVE-2023-42117 (remote code execution vulnerability, CVSS v3.0 8.1), CVE-2023-42118 (exim libspf2 remote integer overflow vulnerability, CVSS v3.0 7.5), and CVE-2023-42119 (out-of-bounds read disclosure vulnerability, CVSS v3.0 3.1). It’s important to note that these zero-days demand very specific environments for potential exploitation. Researchers advise users not to be overly concerned about potential exploitation but instead encourage prompt application of patches once they become available.

RSA

The “timing attack,” an old method of compromising RSA encryption, has resurfaced as a pertinent concern. This vulnerability, initially unearthed by Daniel Bleichenbacher in 1998, has proven to still be effective in decrypting RSA messages today, as revealed by Red Hat researcher Hubert Karyo.

The crux of this vulnerability lies in an attacker’s ability to observe the timing of a private key decryption operation, thereby gaining the capability to decrypt intercepted RSA messages. While this vulnerability had been addressed and patched over time, a new attack, referred to as the “Marvin attack” by the Czech researcher, has been introduced. This attack employs statistically rigorous methods and can successfully compromise various cryptographic implementations. Affected implementations include OpenSSL, GnuTLS, Mozilla’s NSS (which, despite a patch, remains susceptible according to Kario), pyca/cryptography (only partially patched), M2Crypto, and OpenSSL-ibmca.

Karyo has diligently worked on this issue for several years and highlighted that while patches have been released, they do not provide a comprehensive solution. Bleichenbacher-style attacks on RSA decryption remain feasible, and these vulnerable implementations continue to be widely used. Karyo demonstrated successful attacks on multiple implementations solely by measuring decryption operation times and asserted that numerous others are also at risk. The researcher has even shared scripts to test implementations for vulnerabilities, adding that system logs may offer clues indicating whether an attack has been launched against a system. The primary recommendation is to discontinue the use of RSA PKCS#1 v1.5 encryption, even if it appears necessary for compatibility reasons.

Cisco

Cisco has recently unveiled a series of patches aimed at addressing various vulnerabilities, among them a moderately severe vulnerability found in IOS and IOS XE software that has exhibited signs of exploitation.

Designated as CVE-2023-20109, this vulnerability pertains to the Group Encrypted Transport VPN (GET VPN) feature within IOS and IOS XE and carries the potential for Remote Code Execution (RCE). To successfully exploit this vulnerability, an attacker necessitates valid credentials and administrative control over a group member or key server. The root issue stems from inadequate attribute validation within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols utilized in the GET VPN function.

This vulnerability affects all Cisco products operating on vulnerable versions of IOS or IOS XE with the GDOI or G-IKEv2 protocol enabled. Unfortunately, there exists no viable workaround for this vulnerability, thus prompting Cisco to strongly recommend that customers apply updates. This is especially crucial considering documented attempts to exploit this vulnerability uncovered in an internal investigation.

Additionally, Cisco has rolled out patches for various vulnerabilities in the Catalyst SD-WAN Manager product, including a critical vulnerability (CVE-2023-20252) within the SAML APIs. This vulnerability carries a CVSS rating of 9.8 and could potentially enable an unauthenticated attacker to gain unauthorized access to the application on behalf of an arbitrary user. This vulnerability was addressed alongside four other high-severity issues, each posing unique threats, such as bypassing authorization and rollback of controller configurations, accessing the Elasticsearch system database, reaching another tenant managed on the same instance, or causing a Denial of Service (DoS) situation.

Cisco has also taken measures to rectify other significant issues, spanning RCE, DoS, unauthorized data access, and file theft, through software updates for IOS, IOS XE, and Cisco DNA Center. Additionally, the company has addressed several moderately severe issues impacting its products.

It’s noteworthy that, aside from CVE-2023-20109, Cisco currently possesses no knowledge of these vulnerabilities being actively exploited in any attacks.

Libre Office

The Document Foundation organization has officially announced the release of unscheduled maintenance updates for LibreOffice versions 7.6.2 and 7.5.7, an office suite that has been impacted by a critical vulnerability (CVE-2023-4863, CVE-2023-5129) residing in the libwebp library.

LibreOffice is equipped to facilitate the insertion of images in WebP format and leverages code from the libwebp library, which has proven to be susceptible to this vulnerability. The flaw permits an attacker’s code to be executed when LibreOffice undertakes the processing of specially formatted WebP data, thereby rendering the office suite vulnerable when dealing with this particular format.

It’s imperative to note that this vulnerability isn’t exclusive to LibreOffice; it extends its reach to impact a host of other applications, including Chrome, Safari, Firefox, Thunderbird, and numerous products that rely on libwebp, the Chromium engine, or the Electron platform. Prominent examples of indirectly affected products encompass Discord, GitHub Desktop, Mattermost, Signal, Edge, Brave, Opera, Slack, Twitch, Visual Studio Code, Android, 1Password, and Telegram. The presence of a publicly available prototype exploit further underscores the urgency of addressing this vulnerability. Take advantage of the Action1 report pinpointing software that has either been identified to have the WebP vulnerability or that the vendor has released a patch for.

Nagios

Multiple security vulnerabilities have been unearthed in the Nagios XI network monitoring software, raising concerns about potential privilege escalation and information disclosure.

These vulnerabilities, identified as CVE-2023-40931 through CVE-2023-40934, have been found to affect Nagios XI 5.11.1 and earlier versions. They were initially disclosed on August 4 and subsequently addressed with the release of version 5.11.2 on September 11. Research conducted by Outpost24 has determined that three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934) open the door for users with varying privilege levels to access database fields via SQL injection. Exploiting these weaknesses can lead to escalated privileges within the product and the acquisition of sensitive user information, including password hashes and API tokens. In contrast, CVE-2023-40932 is an XSS (Cross-Site Scripting) vulnerability impacting a custom logo component. This vulnerability can be exploited to read sensitive data, including plaintext passwords, from the login page. Successful exploitation of the three SQL injection vulnerabilities could enable authenticated attackers to execute arbitrary SQL commands, while the XSS flaw could be leveraged to inject arbitrary JavaScript code, affording access to read and manipulate page data.

It’s crucial to note that these recent Nagios XI issues, while distinct from those uncovered in 2021 by researchers Skylight Cyber and Claroty, are still considered critical and necessitate prompt updates to the product.

Kubernetes

Three critical vulnerabilities have been uncovered in Kubernetes, posing a significant threat of Remote Code Execution (RCE) with elevated privileges on Windows endpoints within the same cluster.

These vulnerabilities are closely related and are currently tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, all carrying a CVSS rating of 8.8. Notably, these vulnerabilities impact all Kubernetes environments utilizing Windows hosts, and their exploitation requires the deployment of a malicious YAML file within the cluster.

CVE-2023-3676 enables an attacker with “apply” privileges to interact with the Kubernetes API, facilitating the injection of arbitrary code that can be executed on remote Windows machines, granting SYSTEM-level privileges. This vulnerability, much like CVE-2023-3955, arises from inadequate input sanitization, allowing a specifically crafted path string to be parsed as a PowerShell command parameter, ultimately leading to command execution.

CVE-2023-3893, on the other hand, is a privilege escalation issue located in the Container Storage Interface (CSI) proxy. This flaw could potentially enable an attacker to attain administrative access to a host.

The disclosure of these vulnerabilities came from Akamai researchers on July 13, 2023, and patches were made available on August 23. Leading cloud service providers such as Amazon Web Services, Google Cloud, and Microsoft Azure have issued advisories to address these vulnerabilities, impacting Kubelet versionsearlier than v1.28.1, v1.27.5, v1.26.8, v1.25.13, and v1.24.17.

Supermicro IPMI

Binarly experts have identified seven vulnerabilities within Supermicro’s older BMC motherboard management controllers, which could potentially grant remote attackers root access. These vulnerabilities are exclusively present in the Intelligent Platform Management Interface (IPMI) firmware, impacting various motherboard models including X11, H11, B11, CMM, M11, and H12.

The primary vulnerability, CVE-2023-40289, empowers an attacker to execute malicious code on BMCs. However, this particular exploit necessitates administrator privileges within the web interface. These administrator privileges can be acquired by exploiting the other six vulnerabilities, primarily facilitating XSS (Cross-Site Scripting) attacks. Binarly experts have classified these vulnerabilities as critical, assigning them a CVSS rating of 9.6. It is important to note that successful exploitation presumes the attacker has knowledge of the BMC web server’s IP address and the administrator’s email address, which is utilized for phishing emails. Binarly’s investigation primarily centered on the web server since it represents the most accessible and likely avenue of attack.

Remarkably, Binarly discovered over 70,000 instances where Supermicro IPMI web interfaces were publicly accessible on the internet. Notably, all these vulnerabilities pertain to the IPMI firmware, which is developed by a third-party vendor, ATEN. Although ATEN addressed CVE-2023-40289 six months ago, this patch has not yet been incorporated into the firmware. It’s worth mentioning that Supermicro assigned vulnerability ratings ranging from 7.2 to 8.3 out of 10, while Binarly assessed them as ranging from 8.3 to 9.6 out of 10.

Qualcomm Compute DSP

Qualcomm has taken action to address more than two dozen vulnerabilities, including three zero-day vulnerabilities in its GPU and Compute DSP drivers that have been actively exploited by spyware vendors.

Google’s Threat Analysis Group (TAG) and Project Zero researchers detected limited, targeted exploitation of CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063. Qualcomm received notification of these vulnerabilities and promptly addressed them. CVE-2022-22071, discovered in May 2022, is a post-release exploit that affects popular chips like SD855, SD865 5G, and SD888 5G. While Qualcomm did not provide specific details about the other vulnerabilities, they have committed to disclosing more information in their December 2023 bulletin.

Additionally, three remotely exploitable critical vulnerabilities were resolved:

• CVE-2023-24855: Memory corruption in a modem component during the processing of security-related configurations (CVSS v3.1: 9.8).
• CVE-2023-28540: Cryptographic issue in the data modem component due to incorrect authentication during TLS communication establishment (CVSS v3.1: 9.1).
• CVE-2023-33028: Memory corruption in WLAN firmware as a result of copying pmk cache memory without performing size verification (CVSS v3.1: 9.8).

Furthermore, Qualcomm addressed 13 significant bugs and three additional critical vulnerabilities identified by its own engineers. These issues primarily impact modems, WLAN firmware, and automotive products, with descriptions involving memory corruption and information disclosure problems. Memory-related vulnerabilities often have the potential to lead to remote code execution (RCE) or denial of service (DoS) attacks. Qualcomm has issued security updates containing fixes for these vulnerabilities and has notified affected OEMs, who should have disseminated these updates to end users through OEM channels.

NTFS GRUB2

A vulnerability identified as CVE-2023-4692 has been detected in the NTFS file system handling driver within the GRUB2 boot loader. This flaw enables the orchestration of its code at the loader level when accessing a specially crafted file system image. What’s concerning is that this vulnerability can potentially bypass the UEFI Secure Boot verified boot mechanism.

The root cause of this vulnerability lies in the NTFS attribute parsing code, specifically within the $ATTRIBUTE_LIST section (grub-core/fs/ntfs.c). It can be exploited to write user-controlled data to a memory location that extends beyond the allocated buffer. When dealing with a meticulously crafted NTFS image, an overflow occurs, leading to the overwriting of a portion of GRUB memory. Under specific conditions, this could result in the corruption of the UEFI firmware memory space. Consequently, there’s a potential avenue for the execution of arbitrary code at the bootloader or firmware level.

Additionally, another vulnerability (CVE-2023-4693) has been uncovered in the GRUB2 NTFS driver. This flaw allows for the extraction of data from an arbitrary memory location by parsing the $DATA attribute within a specially crafted NTFS image. This vulnerability opens up the possibility of retrieving cached sensitive data from memory or determining the values of EFI variables.

It’s important to note that these issues have been addressed solely through a patch. To rectify the problems in GRUB2, a mere package update is insufficient. It’s necessary to generate new internal digital signatures and update various components, including installers, loaders, kernel packages, fwupd firmware, and the shim layer. The status of these fixes within different distributions can be checked on the following pages: Debian, Ubuntu, SUSE, RHEL, and Fedora.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: October 2023 Vulnerability Digest from Action1