Patch Tuesday September 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, watch the recorded September 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761)
- Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802)
- Internet Connection Sharing (ICS) Remote Code Execution Vulnerability (CVE-2023-38148)
- Visual Studio Remote Code Execution Vulnerabilities (CVE-2023-36796, CVE-2023-36793, and CVE-2023-36792)
- Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability (CVE-2023-29332)
- Third-party application vulnerabilities:
Microsoft Vulnerabilities
Welcome to the September Patch Tuesday release.
This Patch Tuesday addresses 61 fixed vulnerabilities from Microsoft, which is fewer than in August. There are only 5 fixed critical vulnerabilities, a decrease from the previous month. Additionally, this month addresses two fixed zero-day vulnerabilities, one of them with a proof of concept (PoC). Below are the details on the most interesting critical updates.
Microsoft Word Information Disclosure Vulnerability
CVE-2023-36761, a zero-day vulnerability in Microsoft Word, carries a local attack vector, has a low complexity of attack, and requires no elevated privileges or user interaction. The scale of affected companies is substantial, as all organizations that use the Microsoft Word application on a daily basis are vulnerable, numbering in the millions.
While its CVSS rating stands at 6.2, which is not exceptionally high, it holds the potential for disclosing NTLM hashes, thereby opening the door for attackers to potentially employ rainbow tables for brute-forcing user passwords. It’s essential to note that this vulnerability affects all versions of Microsoft Office dating back to 2013.
Microsoft has confirmed active exploitation of this vulnerability in the wild and has provided a proof of concept. This particular exploit targets the preview pane, enabling attackers to extract NTLM hashes, provided they have access to the targeted system. This access can be facilitated through the use of Trojan malware. No details on exploitation are available, but we can suggest it is likely to occur through phishing.
Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
Another zero-day, CVE-2023-36802, exposes a critical vulnerability within Microsoft Streaming Service Proxy. Companies that use Microsoft Streaming Service Proxy are exposed to this vulnerability, as it is a kernel-level driver installed in every Windows 10-11 OS, as well as Windows Server 2019-2022.
This security flaw is characterized by a local attack vector, featuring low attack complexity, minimal privilege prerequisites, and zero user interaction. It holds a CVSS (Common Vulnerability Scoring System) rating of 7.8, signifying its potential criticality. However, its impact is somewhat mitigated by the local attack vector.
The affected platforms include Windows Server 2019 and 2022, along with Windows 10 and 11.
Successful exploitation of this vulnerability could grant an attacker SYSTEM-level privileges, enabling them to execute arbitrary code on the compromised system.
To safeguard against this threat, Microsoft strongly advises promptly applying the provided security updates. It is important to note that Microsoft has confirmed incidents of this vulnerability being exploited, though as of now, no proof of concept has been made available.
Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-38148 highlights a critical vulnerability within Internet Connection Sharing (ICS). This security flaw is characterized by an adjacent attack vector specific to a particular protocol. It exhibits low attack complexity, requires no privileges, and entails no user interaction. With a CVSS rating of 8.8, it is deemed critical, although it falls short of a perfect 10 due to its reliance on an adjacent attack vector, necessitating the presence of an active Internet Connection Sharing (ICS) configuration. Fortunately, disabling ICS ensures safety from this vulnerability.
This vulnerability impacts Windows Server 2022, Windows 10, and Windows 11.
It’s important to note that this attack is confined to systems within the same network segment as the attacker. Crossing network boundaries, such as a WAN, is not possible; it remains limited to systems connected to the same network switch or virtual network. To exploit this Internet Connection Sharing (ICS) vulnerability, an unauthorized attacker would send a specially crafted network packet to the ICS service, subsequently allowing for the execution of arbitrary code on the targeted system.
While Microsoft has not yet confirmed active exploitation of this vulnerability, they consider it highly likely. Therefore, applying the provided security updates promptly is strongly recommended to mitigate potential risks.
Visual Studio Remote Code Execution Vulnerabilities
CVE-2023-36796, CVE-2023-36793, and CVE-2023-36792 collectively represent a critical vulnerability in Visual Studio. This critical vulnerability exhibits a local attack vector, has low attack complexity, and it does not demand elevated privileges. However, it necessitates user interaction to be successfully exploited. With a CVSS rating of 7.8, it’s considered a significant threat, and its potential severity could be even higher. Nonetheless, exploiting this vulnerability requires an attacker to convincingly persuade a user to open a specially crafted package file within Visual Studio.
These vulnerabilities have an impact on all versions of the .NET Framework from 3.5 onward, as well as .NET 6.0 and 7.0, along with Microsoft Visual Studio versions starting from 2017 and beyond.
It’s noteworthy that Microsoft has reported no instances of this attack being utilized in real-world scenarios, and no proof of concept has surfaced.
The term “remote” in the title pertains to the attacker’s location, but it’s important to clarify that the actual exploit is conducted locally. This implies that both the attacker and the victim must execute code from the same local machine to exploit the vulnerability.
This type of attack is specifically targeted at developers who have Visual Studio installed, aiming to execute arbitrary code through their Visual Studio client on their local workstation.
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
The final critical vulnerability on our radar is CVE-2023-29332, which targets the Microsoft Azure Kubernetes service. This vulnerability has a network-based attack vector, demonstrating low attack complexity and requiring no specific privileges or user interaction. With a CVSS rating of 7.5, it may appear relatively moderate in severity, primarily because it is confined to Microsoft cloud services and not applicable to Windows servers.
The impact of this vulnerability is localized to the Azure Kubernetes service, which is exclusively accessible in the cloud. It’s essential to note that Microsoft should have already provided patches for this service.
According to Microsoft, there have been no reports of active exploitation in the wild, and no proof of concept has been observed.
Successful exploitation of this vulnerability would grant an attacker cluster administrator privileges. The attack vector is categorized as “Network” because it can be remotely exploited over the Internet. The “Low” attack complexity classification indicates that attackers do not require extensive prior knowledge of the cluster or system, making it highly repeatable.
In summary, this vulnerability poses a significant threat, particularly for organizations relying on this service for their business operations, underscoring the urgency of applying the provided fix.
Android
Google’s September security update for Android has tackled a total of 32 vulnerabilities, among which, one stands out as a highly severe bug that has been actively exploited. This Android zero-day vulnerability, known as CVE-2023-35674, pertains to privilege escalation within the Android Framework component. Notably, Google has reported that exploiting this bug does not necessitate any additional execution or user interaction privileges. Furthermore, the company has uncovered evidence of limited targeted exploitation of CVE-2023-35674, though specific attack details remain undisclosed. These targeted attacks are likely associated with spyware, similar to previous instances of patched Android zero-days.
In addition to CVE-2023-35674, five more high-severity vulnerabilities within the Framework component have been remedied. Three of these vulnerabilities lead to privilege escalation, while the other two result in information disclosure.
All six of these issues have been addressed in the Android security update released on September 1, 2023. This comprehensive update also incorporates fixes for 14 vulnerabilities in system components. Of these, four are classified as critical bugs (CVE-2023-35658, CVE-2023-35658, CVE-2023-35673, CVE-2023-35681) that can potentially lead to Remote Code Execution (RCE) without requiring additional privileges or user interaction. The remaining vulnerabilities consist of six that lead to privilege escalation, four that lead to information disclosure, and one that leads to Denial of Service (DoS).
Google has also announced the resolution of two other issues in Project Mainline components, with updates discreetly delivered through Google Play in the background.
The second part of the Android updates for this month will be distributed to devices in the form of a security patch dated September 5, 2023, addressing an additional 12 vulnerabilities in Qualcomm components.
The latest patch level incorporates all security fixes from the initial patch set and includes supplementary patches for third-party closed-source and kernel components, although these may not be applicable to all Android devices.
Google Chrome
Google has recently made two significant security announcements regarding an update to its Chrome browser, specifically version 116 – 116.0.5845.110 and 116.0.5845.179.
The 116.0.5845.110 update targets five identified vulnerabilities, with four classified as critical and one as medium severity. These vulnerabilities encompass a range of types, including use-after-free and out-of-bounds memory access, affecting various components of Google Chrome, including Vulkan, Loader, CSS, the V8 engine, and fonts.
One notable vulnerability, CVE-2023-4430 (Use-after-free in Vulkan), carries a $10,000 bounty and was discovered by Cassidy Kim. While specific details remain undisclosed, use-after-free vulnerabilities typically involve improper handling of dynamic memory, potentially exploited by malicious actors.
Another crucial flaw, CVE-2023-4429 (Use-after-free in Loader), affects the loader function and necessitated adjustments to the ExtensionLocalizationThrottle::WillProcessResponse. It results from a synchronous call in Blink, potentially leading to a use-after-free issue.
CVE-2023-4428, a critical vulnerability, involves out-of-bounds memory access in the CSS component, reported by Francisco Alonso. This bug affects the CSS function and can lead to out-of-bounds memory access.
CVE-2023-4427, another significant vulnerability, concerns out-of-bounds memory access in the V8 component, identified by Sergei Glazunov. Additionally, a moderate severity vulnerability (CVE-2023-4431) involving out-of-bounds memory access in Fonts was reported by a Microsoft Security Researcher.
Chrome 116 – version 116.0.5845.179 addresses four critical vulnerabilities, encompassing use-after-free, out-of-bounds memory access, type confusion, and incorrect security OU issues, affecting V8, FedCM, Network, and BFCache components. The bounties for these vulnerabilities have not been disclosed, and specific details are limited until most users have updated.
It’s crucial not to underestimate the seriousness of these vulnerabilities, and users are strongly advised to update their Chrome browsers promptly.
Regarding the last vulnerability, the incorrect security UI vulnerability in BFCache relates to a flaw in how the browser handles security-related user interface elements when restoring a page from the cache. This can result in the incorrect display or manipulation of security indicators, potentially deceiving users into thinking they are on a secure site when interacting with a malicious one, leading to security compromises.
Mozilla Firefox
Mozilla has issued an urgent security update to address a critical zero-day vulnerability found in its Firefox browser and Thunderbird email client. This vulnerability, identified as CVE-2023-4863, stems from a heap buffer overflow in the WebP code library (libwebp) and has the potential to lead to various adverse consequences, including Remote Code Execution (RCE). Though specific details about the exploitation of this WebP vulnerability in attacks have not been disclosed publicly, there are indications it may be linked to spyware. In the interim, users are strongly advised to promptly update their Firefox and Thunderbird installations.
Ivanti
Tenable researchers have uncovered critical vulnerabilities in Ivanti, further adding to the challenges faced by the company due to previous security incidents. These vulnerabilities were identified in Avalanche Enterprise MDM, an enterprise mobile device management solution adopted by over 30,000 organizations.
The most severe vulnerability, CVE-2023-32563 (CVSS rating 9.8), is a directory traversal flaw that could enable remote execution of arbitrary code. This issue is associated with the updateSkin MDM solution and can be exploited without authentication, arising from inadequate validation of user-supplied paths used in file operations.
Multiple stack-based buffer overflow vulnerabilities collectively labeled CVE-2023-32560 (CVSS rating 8.8) impact Wavelink Avalanche Manager. These vulnerabilities occur when processing specific data types, potentially allowing an unauthenticated remote attacker to trigger denial of service or code execution by sending a specially crafted message to the service.
In the latest Avalanche release, two high-severity remote code execution vulnerabilities, CVE-2023-32562 and CVE-2023-32564, were patched. Both were discovered via ZDI and stem from improper validation of user-supplied data, permitting attackers to download arbitrary files and potentially execute code with system privileges.
Additionally, three authentication bypass flaws (CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566) were identified in various components of the MDM solution.
Ivanti addressed all seven vulnerabilities in version 6.4.1.207, clarifying that none of these issues have been exploited in actual attacks.
Notably, the previously reported 0-day attack on EPMM had broader implications beyond the 12 Norwegian government agencies initially affected. Hackers also compromised the personal data of over 2,800 police officers in Bern, Switzerland, in mid-July, likely using the same 0-day vulnerability in the Ivanti EPMM server. Although the local NCSC alerted Bern cantonal police to the MobileIron vulnerability on July 21 and it was swiftly fixed, the data had already been exposed. The stolen information included comprehensive credentials and phone numbers of police officers. To date, the culprits remain unknown, and it’s unclear if the data has been disseminated online.
Switzerland has been experiencing a surge in cyberattacks, with various entities, including the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Protection, falling victim to successful attacks and data breaches.
Given the prevalence of these vulnerabilities in attacks, it’s imperative to promptly update Ivanti systems.
SCADA
A zero-day SCADA vulnerability, discovered as part of the Zeroday initiative, continues to remain unpatched even after a 90-day deadline and the disclosure of vulnerability details. Chinese researcher Y4er recently published an analysis of CVE-2023-39476 (CVSS 9.8), an Remote Code Execution (RCE) vulnerability found in Inductive Automation Ignition. It’s important to highlight that the Ignition platform serves as a central control and automation hub for SCADA equipment in various manufacturing facilities.
This specific vulnerability impacts the JavaSerializationCodec class and stems from inadequate validation of user-supplied data, potentially leading to the deserialization of unreliable data. Notably, no authentication is required for exploiting this vulnerability, granting remote attackers the capability to execute arbitrary code on vulnerable Inductive Automation Ignition installations. Despite being publicly disclosed in August, the vulnerability remains unpatched.
The vendor acknowledges the issue and states that it is in development; however, an exact timeline for a fix is currently unavailable.
Citrix
A critical Remote Code Execution (RCE) vulnerability, CVE-2023-3519, has resulted in the compromise of nearly 2,000 Citrix NetScaler servers as part of an extensive malware campaign. Of these, over 1,200 servers fell victim before the patches, released on July 18, were applied, leaving them vulnerable due to a lack of scanning for signs of exploitation.
This large-scale malware campaign came to light through the efforts of researchers at Fox-IT (a division of the NCC) and the Dutch DIVD Institute. Prior to this discovery, the Shadowserver Foundation had already alerted more than 640 Citrix NetScaler servers to their infection.
Over the past two months, Fox-IT has actively responded to multiple incidents involving CVE-2023-3519 exploitation, uncovering servers with multiple web shells. Armed with this backdoor information, Fox-IT and DIVD conducted scans across the internet, leading to the identification of 1,952 compromised NetScaler servers. This suggests the utilization of an automated approach to exploit the vulnerability on a significant scale. In total, hackers managed to infect over 6% of the 31,127 vulnerable Citrix NetScaler instances. The majority of impacted servers were located in Germany, France, and Switzerland.
Notably, the researchers observed thousands of vulnerable NetScaler servers in Canada, Russia, and the United States as of July 21, with minimal signs of attack. They caution that even fully patched NetScaler servers may harbor a backdoor and recommend administrators to perform system scans using a Python script and the Dissect toolkit.
Mandiant has also released a scanner designed to detect signs of compromise related to CVE-2023-3519.
Adobe
Adobe has released updates to counteract a zero-day vulnerability in Acrobat and Reader, which is currently being actively exploited in real-world attacks. Although additional information about these attacks remains undisclosed, it is established that this zero-day affects both Windows and macOS systems, with the attacks having a limited scope.
The CVE-2023-26369 vulnerability enables attackers to achieve RCE through low-complexity attacks that do not necessitate special privileges. However, it is only exploitable by attackers with localized access and requires user interaction.
Consequently, Adobe strongly recommends that customers apply this update as swiftly as possible, ideally within a 72-hour timeframe. Additionally, Adobe has addressed other vulnerabilities in Connect (CVE-2023-29305 and CVE-2023-29306) and Experience Manager (CVE-2023-38214 and CVE-2023-38215), which could potentially be leveraged for Cross-Site Scripting (XSS) attacks.
Splunk
Splunk has taken action to address multiple significant vulnerabilities impacting Splunk Enterprise and IT Service Intelligence, including issues associated with third-party packages.
The most critical of these vulnerabilities, CVE-2023-40595 (CVSS rating 8.8), is characterized as a remote code execution flaw that can be exploited through specially crafted requests. To execute this exploit, the attacker utilizes the Collect SPL command, which writes a file to a Splunk Enterprise installation. Subsequently, the attacker can leverage this file to dispatch a serialized payload, potentially resulting in Remote Code Execution (RCE) within the payload.
Another vulnerability, CVE-2023-40598, involves command injection and affects an outdated internal function, which can be exploited for RCE. This vulnerability is tied to the runshellscript functionality, used by scripted alert actions. By manipulating this command in conjunction with external command searching, an attacker can inject and execute commands within a privileged context from a Splunk platform instance.
Recent releases of Splunk Enterprise also tackle additional vulnerabilities, including Cross-Site Scripting (XSS) (CVE-2023-40592), an absolute path traversal issue leading to RCE (CVE-2023-40597), and a privilege escalation flaw stemming from an insecure path reference in a Dynamic Link Library (DLL) (CVE-2023-40596).
These vulnerabilities have all been effectively addressed through the release of Splunk Enterprise versions 8.2.12, 9.0.6, and 9.1.1. This update also resolves two moderate Denial of Service (DoS) vulnerabilities. Furthermore, Splunk has introduced a patch for an unauthenticated log injection vulnerability (CVE-2023-4571, CVSS rating 8.6) found in IT Service Intelligence. This issue enables attackers to inject ANSI escape codes into log files, potentially leading to RCE when these manipulated log files are read in a vulnerable terminal application. While the vulnerability doesn’t have a direct impact on IT Service Intelligence, the potential for exploitation arises from the permissions of the terminal application and the user’s interaction with the compromised log files.
Splunk has promptly patched this IT Service Intelligence vulnerability in versions 4.13.3 and 4.15.3. Notably, there is no mention of any of these vulnerabilities being actively exploited in real-world attacks by the software developer.
Notepad++
Notepad++ has been found to harbor four critical vulnerabilities, with one of them carrying a CVSS rating of 7.8. All of these vulnerabilities are rooted in buffer overflows within the program.
For instance, CVE-2023-40031 triggers a buffer overflow in the UTF encoding conversion function, while CVE-2023-40166 leads to a buffer overflow when determining the language of the opened file. CVE-2023-40164 represents a buffer overflow in the uchardet library. The least critical among them, CVE-2023-40036, scores a 5.5 and obstructs the buffer during character parsing.
These zero-day vulnerabilities could be leveraged by attackers to execute arbitrary code on PCs.
Juniper
Researchers have released a Proof-of-Concept (PoC) exploit for vulnerabilities identified in Juniper SRX firewalls, enabling Remote Code Execution (RCE) within JunOS.
In mid-August, Juniper took measures to address medium-severity vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) affecting the J-Web component of Juniper Networks Junos OS on the SRX and EX series, with a CVSS score of 5.3. Alongside the patches, the company recommended mitigations such as disabling J-Web or limiting access to trusted hosts. However, when these vulnerabilities are combined, an unauthenticated network attacker gains the ability to execute code remotely within JunOS on vulnerable devices.
Researchers leveraged the pre-authentication download vulnerability (CVE-2023-36846) to introduce an arbitrary PHP file into a restricted directory with a random filename. Subsequently, they employed the same vulnerability to load a PHP configuration file that references the previously introduced file, employing the auto_prepend_file directive. Since HTTP requests can manipulate all environment variables, CVE-2023-36845 was utilized to overwrite the environment variable PHPRC, thereby downloading the PHP configuration file and initiating the execution of the initially downloaded PHP file.
Furthermore, the researchers provided a meticulous, step-by-step explanation of how to reproduce, combine, and exploit these vulnerabilities.
With PoCs now publicly accessible and the vulnerabilities easily exploitable, coupled with the privileged network position of JunOS devices, researchers caution that widespread exploitation of these issues is virtually inevitable.
Apple
Citizen Lab has uncovered an actively exploited “zero-click” vulnerability during an examination of an iPhone belonging to a public organization employee in the United States.
This exploit enables attackers to utilize the NSO Group’s Pegasus spyware to compromise iPhones running the latest iOS version (16.6) without requiring any action from the victim. Apple’s description reveals that many of these vulnerabilities allowed malicious code to execute with kernel privileges. The breach led to the development of an exploit known as Blastpass, repeatedly and successfully employed to compromise devices ranging from the iPhone 8 to the latest iPads and Macs.
Specifically, two zero-day vulnerabilities were employed as part of the iMessage zero-click BLASTPASS exploit chain to deploy NSO Group’s Pegasus on fully patched devices through PassKit attachments. These vulnerabilities impact the Image I/O and Wallet platforms and are tracked as CVE-2023-41064 (discovered by security researcher Citizen Lab) and CVE-2023-41061 (discovered by Apple).
The first vulnerability, CVE-2023-41064, is a buffer overflow triggered by malicious image manipulation, potentially leading to Remote Code Execution (RCE) on unpatched devices.
The second, CVE-2023-41061, involves a validation issue exploitable through a malicious attachment, resulting in RCE on targeted devices.
In an urgent response, Apple has issued patches for macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 to enhance logic and memory handling. Since the beginning of the year, the company has closed a total of 13 actively exploited vulnerabilities, and the situation may not be limited to these cases.
Skype
A vulnerability in Skype has been unearthed, enabling an attacker to easily access a user’s IP address by sending a link via the service’s mobile application. The researcher who identified this flaw asserts that Skype inherently exposes IP information to all chat participants as a default behavior. The vulnerability is rooted in fundamental architectural shortcomings and necessitates Microsoft to introduce supplementary technical measures centered on safeguarding the privacy of chat participants.
In response to this issue, Microsoft’s stance was, as expected, consistent with previous instances. The company asserted that “IP address disclosure is not considered a security vulnerability and does not compromise the integrity, availability, or confidentiality of any Microsoft application.”
WinRAR
The developers of WinRAR have addressed a significant vulnerability that could permit attackers to execute Remote Code Execution (RCE) upon opening a specifically crafted RAR file.
CVE-2023-40477, identified by the researcher goodbyeselene from the Zero Day Initiative and reported to RARLAB on June 8, 2023, relates to the processing of recovery volumes and arises from inadequate validation of user data. This oversight can lead to memory accesses beyond an allocated buffer, resulting in an allocated buffer overflow. While the vulnerability carries a CVSS severity score of 7.8, it’s worth noting that potential attackers must persuade the victim to open the manipulated archive. Nevertheless, given the extensive user base of WinRAR, the feasibility of successful exploitation remains a concern from a practical perspective.
RARLAB has responded by releasing WinRAR version 6.23, which addresses CVE-2023-40477. Additionally, this update resolves a separate high-severity vulnerability related to incorrectly launched files from specially crafted archives. Considering past instances of WinRAR vulnerabilities being exploited, such as Checkpoint’s report of a malware campaign in 2019 targeting a vulnerability in the UNACEV2.DLL library, users are strongly advised to promptly apply the update.
Group-IB researchers have also unveiled details of a zero-day WinRAR campaign that has been targeting merchants since April 2023. The extent of infected devices and potential financial damages remains uncertain, with up to 130 devices still believed to be compromised.
On July 10, 2023, during an investigation into DarkMe malware incidents, Group-IB researchers uncovered a previously undisclosed vulnerability in WinRAR’s handling of ZIP files. Exploiting this vulnerability allowed attackers to use ZIP archives as carriers for various malware families, including DarkMe, GuLoader, and Remcos RAT. These malicious archives were distributed on coaching forums, allowing the attackers to disguise the launch of a malicious script within an archive masquerading as various file formats (e.g., jpg, txt). Once extracted and executed, the malware enabled attackers to withdraw money from brokerage accounts, and the same tool used in the DarkCasino campaign reported by NSFOCUS was delivered using this zero-day.
MITRE subsequently assigned the vulnerability identifier CVE-2023-38831 on August 15.
The beta version of the patch was initially released on July 20, 2023, with the latest updated version of WinRAR (version 6.23) becoming available on August 2. Users with WinRAR are strongly urged to promptly apply this essential patch.
Intel
Intel processors are susceptible to a serious vulnerability that exposes sensitive data to potential theft.
This issue, named “Downfall” and reported by Daniel Moghimi, a senior researcher at Google, enables the unauthorized reading of data from various programs and memory segments. This flaw poses a significant risk, allowing attackers, including malicious applications obtained from sources like the App Store, to pilfer sensitive information such as passwords, encryption keys, and personal details like bank information and emails.
The vulnerability is identified as CVE-2022-40982, named for the year Intel was informed about it, namely, August 24, 2022. However, the disclosure was withheld until now to grant Intel the opportunity to develop microcode updates for resolving the vulnerability.
While the most recent firmware updates do address the vulnerability, they come at the cost of performance. The researcher provided a comprehensive explanation of the vulnerability, including examples across various Intel microarchitectures from Skylake to Ice Lake. This issue affects billions of Intel processors utilized in personal computers and cloud servers. Intel recommends that users of affected processors update their firmware to the latest version, though this may result in a performance decrease of up to 50 percent.
Notably, this vulnerability affects any PC or laptop equipped with Intel Core processors, spanning from the 6th generation “Skylake” to the 11th generation “Tiger Lake.” This indicates that the bug has persisted since at least 2015 when Skylake was introduced. Additionally, Intel Xeon processors are also at risk, given their prevalence in the server processor domain, potentially impacting a wide range of internet users.
AMD
Researchers have unveiled details of a new side-channel attack named Inception, targeting AMD processors, with the potential to expose sensitive data like passwords and encryption keys from anywhere in memory on an AMD Zen processor-based system.
Inception operates as a timed execution attack employing Transient Execution Learning (TTE) and leverages Phantom Speculation (CVE-2022-23825). Tracked as CVE-2023-20569, Inception combines these concepts, tricking the CPU into misinterpreting an XOR (simple binary operation) instruction as a recursive call instruction. This triggers an overflow in the return stack buffer at an attacker-controlled address, enabling the unauthorized access of data from unprivileged processes across all AMD Zen processors. Inception’s data leakage rate is approximately 39 bytes per second, meaning it could pilfer a 16-character password in half a second and an RSA key in 6.5 seconds. Researchers have published separate articles detailing Inception and Phantom attacks, an Inception PoC, and a video illustrating the exploit.
AMD acknowledges the findings in its bulletin and highlights the potential for Inception to lead to data exposure. The chipmaker has released microcode patches and other mitigations, in addition to recommending customers follow security best practices. AMD draws parallels between this attack and previous branch prediction-based attacks like Spectrev2 and Branch Type Confusion (BTC)/RetBleed. As with similar attacks, speculation is confined to the current address space, necessitating knowledge of and control over an adequate number of registers during RET (return from procedure) speculation for successful exploitation.
AMD emphasizes that the vulnerability is likely exploitable only locally, potentially through malware, and as of now, there is no record of malicious exploitation.
Siemens
During August’s Patch Tuesday, Siemens released 13 bulletins addressing over 30 vulnerabilities across their product portfolio.
Among these bulletins, three were dedicated to addressing critical vulnerabilities in Ruggedcom products. One bulletin specifically targets five vulnerabilities, comprising four critical and one high-severity issue, all found within Ruggedcom’s Crossbow server application. These vulnerabilities can potentially lead to Denial of Service (DoS) attacks, privilege escalation, execution of arbitrary SQL database queries, and unauthorized writing of files on the targeted system. All of these vulnerabilities were discovered and reported by the UK NCSC.
Siemens has also alerted its customers to a critical mirror port isolation vulnerability present in Ruggedcom ROS devices. These affected products fail to adequately block data transfers through the port to the mirror network. This vulnerability could be exploited by attackers to transmit malicious packets to systems on the mirror network, potentially disrupting their configuration and runtime behavior.
ROS devices also face a high-severity DoS vulnerability, as reported in a separate bulletin by Siemens. This industrial giant has identified high-severity vulnerabilities that can be exploited through specially crafted files. The impacted products include Sicam Toolbox II, Parasolid, Teamcenter Visualization, JT2Go, JT Open, JT Utilities, Solid Edge, and Siemens Software Center (SSC).
Additionally, two bulletins detail the impact of two OpenSSL vulnerabilities, ranging from moderate to high severity, on Simatic products.
In contrast to its competitors, Schneider Electric issued only one new advisory. This advisory addresses a medium-severity memory corruption issue affecting its Pro-face GP-Pro EX HMI screen editor and logic programming software.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
