In this week's Security Advisory:
Two vulnerabilities were found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The vulnerabilities are being tracked as CVE-2023-4966 and CVE-2023-4967 and have been given CVSS scores of 9.4 and 8.2 out of a possible 10, respectively. CVE-2023-4966 allows an unauthenticated remote attacker to disclose sensitive information from the appliance, including active session tokens, while CVE-2023-4967 can cause a denial-of-service (DoS) on vulnerable devices.
To exploit either vulnerability, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
The following versions are affected:
Of note, NetScaler ADC and NetScaler Gateway version 12.1 has reached End-of-Life, is vulnerable, and will not receive a fix; customers on 12.1 must upgrade to a supported release. Because CVE-2023-4966 leaks session tokens, patching alone does not evict an attacker who already holds one: after upgrading, terminate all active and persistent sessions (ICA, RDP, PCoIP and AAA) as Citrix recommends. Citrix-managed cloud services have already been updated, and customers who use only these cloud services do not need to take any further action.
More Reading/Information
Apple released iOS 17.0.3 and iPadOS 17.0.3 to address two (2) zero-days. The first, CVE-2023-42824, is a kernel vulnerability that allows a local attacker to elevate their privileges; Apple reports it may have been actively exploited against versions of iOS before iOS 16.6. CVE-2023-42824 received a CVSS score of 7.8 out of a possible 10. The second, CVE-2023-5217, is a heap buffer overflow in the VP8 encoder of the libvpx video codec library; successful exploitation could lead to the threat actor executing arbitrary code on the victim's device. CVE-2023-5217 received a CVSS score of 8.8 out of a possible 10 and was already being exploited in the wild against Google Chrome before Apple shipped its fix.
The following products are affected:
More Reading/Information
Threat actors are exploiting a zero-day (CVE-2023-44487) in the HTTP/2 protocol to cause Distributed Denial-of-Service (DDoS) attacks against internet-exposed HTTP/2 endpoints. The technique, dubbed 'HTTP/2 Rapid Reset', has been used in the wild since August 2023. It abuses stream cancellation: the client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM. The reset is nearly free for the client and frees the stream's slot under the server's SETTINGS_MAX_CONCURRENT_STREAMS limit, but the server has usually already started processing the request, so a single connection can force far more work than the concurrency limit was meant to allow. Because the weakness is in the protocol's design rather than in one implementation, every HTTP/2 server, proxy and load balancer needs its own fix; Microsoft, Amazon Web Services, Cloudflare, Google and the major open-source web server projects have released updates or mitigations that cap the rate of resets per connection.
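As an added example (not code from the advisory or from any of the vendors named above), the following Python script shows the pattern a Rapid Reset detector looks for. It scans a per-frame event log for connections that open streams and cancel them at a rate no interactive client produces. The log format, the sample log and the thresholds are all assumptions constructed for this example; a real deployment would feed it the HTTP/2 frame events its proxy or server can export.

```python
"""Added example (not from the advisory or any vendor): a small HTTP/2
Rapid Reset detector run over a constructed per-frame event log."""
from collections import defaultdict, deque


def build_sample_frame_log() -> str:
    """Constructed sample, not captured traffic. Each line is
    '<time_ms> <conn_id> <frame_type> <stream_id>' for one client-sent frame,
    the kind of event a proxy or server could export for its HTTP/2 listener
    (the log format itself is an assumption made for this example)."""
    lines = ["# time_ms conn frame stream"]
    # c1: browser-like client opening 8 streams over 2 s and cancelling one
    for i in range(8):
        lines.append(f"{i * 250} c1 HEADERS {2 * i + 1}")
    lines.append("700 c1 RST_STREAM 3")
    # c2: Rapid Reset pattern, 40 streams opened and each cancelled 1 ms later,
    # all inside 200 ms, so the client never exceeds a small concurrency limit
    for i in range(40):
        lines.append(f"{i * 5} c2 HEADERS {2 * i + 1}")
        lines.append(f"{i * 5 + 1} c2 RST_STREAM {2 * i + 1}")
    return "\n".join(lines)


def parse_frames(text: str):
    """Yield (time_ms, conn_id, frame_type, stream_id) tuples, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, conn, ftype, sid = line.split()
        yield int(t), conn, ftype, int(sid)


def count_frames(frames):
    """Per-connection totals of HEADERS (streams opened) and RST_STREAM."""
    totals = defaultdict(lambda: {"HEADERS": 0, "RST_STREAM": 0})
    for _t, conn, ftype, _sid in frames:
        if ftype in ("HEADERS", "RST_STREAM"):
            totals[conn][ftype] += 1
    return dict(totals)


def detect_rapid_reset(frames, window_ms=1000, max_resets=10, min_ratio=0.5):
    """Flag a connection the first time that, within any window_ms, the client
    has sent at least max_resets RST_STREAM frames and cancelled at least
    min_ratio of the streams it opened. Thresholds are illustrative, chosen
    to separate the abusive client from a user who occasionally navigates away."""
    opened = defaultdict(deque)   # conn -> timestamps of HEADERS in the window
    resets = defaultdict(deque)   # conn -> timestamps of RST_STREAM in the window
    flagged = {}
    for t, conn, ftype, _sid in sorted(frames, key=lambda f: f[0]):
        if ftype == "HEADERS":
            opened[conn].append(t)
        elif ftype == "RST_STREAM":
            resets[conn].append(t)
        else:
            continue
        # slide the window: drop events older than window_ms
        for q in (opened[conn], resets[conn]):
            while q and q[0] < t - window_ms:
                q.popleft()
        n_reset, n_open = len(resets[conn]), len(opened[conn])
        if (conn not in flagged and n_reset >= max_resets
                and n_open and n_reset / n_open >= min_ratio):
            flagged[conn] = {"at_ms": t, "resets": n_reset, "opened": n_open}
    return flagged


if __name__ == "__main__":
    frames = list(parse_frames(build_sample_frame_log()))
    print(count_frames(frames))        # c1 cancels 1 of 8, c2 cancels 40 of 40
    print(detect_rapid_reset(frames))  # only c2 is flagged, at its 10th reset
```

The script only reports; vendor mitigations apply a comparable per-connection budget of resets and close the connection when it is exceeded. Patching the HTTP/2 implementation remains the actual fix, since the server still performs work for every cancelled request that reaches it.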
More Reading/Information
This month's Patch Tuesday includes fixes for three (3) actively exploited zero-days. The first, CVE-2023-44487, is the HTTP/2 Rapid Reset flaw and could allow an attacker to cause a distributed denial-of-service (DDoS); it is not specific to Windows and affects any internet-exposed HTTP/2 endpoint, including IIS and .NET Kestrel. The second, CVE-2023-41763, is an elevation of privilege vulnerability in Skype for Business. The third, CVE-2023-36563, is an information disclosure vulnerability in Microsoft WordPad: opening a specially crafted document can make WordPad authenticate to an attacker-controlled server, leaking the user's NTLM hash for offline cracking or relay. Where the WordPad patch cannot be applied immediately, Microsoft's mitigations are to block outbound TCP 445 (SMB) at the perimeter firewall, host firewall and VPN, and to add high-value accounts to the Protected Users security group.
More Reading/Information
There were security updates released for Google Chrome and Adobe products. The most severe could lead to arbitrary code execution.
Google Chrome addressed twenty (20) vulnerabilities, with one (1) given a severity rating of "Critical". These vulnerabilities affect Windows, Mac, and Linux.
Adobe fixed a total of thirteen (13) vulnerabilities, including eight (8) given a severity rating of "Critical". These vulnerabilities affect Adobe Bridge, Adobe Commerce, Magento Open Source, and Adobe Photoshop.
More Reading/Information
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The End-of-Life NetScaler 12.1 branch above highlights the security benefit of limiting deployed software to vendor-supported versions only: for a supported version, a newly disclosed vulnerability is far more likely to have a patch available. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which informs your patch and vulnerability management program and lets you confirm that every affected instance has actually been updated.