Technical Expertise, Security Vulnerability Advisory

October 20, 2023

Cybersafe Solutions Security Advisory Bulletin Oct 20, 2023

In this week's Security Advisory:

  • Updated Advisory: Zero-Day (CVE-2023-20198) in Cisco IOS XE Software Web UI
  • Updated Advisory: Two Vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in Citrix NetScaler ADC and NetScaler Gateway
  • Updated Advisory: Critical Vulnerabilities (CVE-2023-40044 & CVE-2023-42657) in WS_FTP Server
  • Be Aware of Recent Phishing Campaign Seen Targeting Customers

Updated Advisory: Zero-Day (CVE-2023-20198) in Cisco IOS XE Software Web UI

New information suggests that attackers have infected over 10,000 Cisco IOS XE devices with malicious code. Threat actors are not only exploiting CVE-2023-20198 to create local user accounts but are also leveraging an older, patched vulnerability (CVE-2021-1435) to assist in infecting target hosts. The implanted code allows an attacker to execute arbitrary code on affected systems.

While no patch or workaround has been released for CVE-2023-20198, organizations should strongly consider disabling the HTTP server feature on internet-facing systems, or at a minimum restricting it to a trusted set of known authorized IP addresses.

Source: https://www.bleepingcomputer.com/news/security/over-10-000-cisco-devices-hacked-in-ios-xe-zero-day-attacks/

Original Security Advisory – October 16th, 2023

Cisco disclosed a zero-day in the web User Interface (Web UI) feature of IOS XE Software that is being actively exploited in the wild. The zero-day, CVE-2023-20198, allows a remote, unauthenticated attacker to create a highly privileged account on the device, effectively granting the unauthorized user full control of the affected system. Cisco has given the zero-day a CVSS score of 10 out of 10, the highest score a vulnerability can receive.

This zero-day affects Cisco IOS XE Software if the web UI feature is enabled.

Cisco has not released a patch for this zero-day. However, they recommend that customers disable the HTTP server feature on internet-facing systems until a patch becomes available.

Navigate to the following link for instructions on how to disable this feature: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
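The mitigation above comes down to one question per device: is the HTTP/HTTPS server that exposes the web UI on, and if so, is it restricted by an access-class? The following script is an added example (not Cisco's tooling and not part of the original bulletin) that audits saved running-config text against that guidance. The three configs are constructed samples; the `ip http server`, `ip http secure-server` and `ip http access-class` commands are the standard IOS/IOS XE commands, and the hostnames, addresses and ACL name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample running-config excerpts (not real device output).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

RESTRICTED_CONFIG = """\
hostname core-rtr-2
!
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""

HARDENED_CONFIG = """\
hostname branch-rtr-3
!
no ip http server
no ip http secure-server
!
"""


@dataclass
class WebUiStatus:
    hostname: str
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]  # ACL applied with "ip http access-class", if any


def audit_web_ui(config: str) -> WebUiStatus:
    """Walk a running-config and record the state of the HTTP and HTTPS server
    (which is what exposes the IOS XE web UI) plus any access-class applied to it."""
    hostname = "unknown"
    http = https = False
    access_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line == "ip http server":
            http = True
        elif line == "no ip http server":
            http = False
        elif line == "ip http secure-server":
            https = True
        elif line == "no ip http secure-server":
            https = False
        else:
            # Classic IOS: "ip http access-class <1-99>"; newer IOS XE: "ip http access-class ipv4 <name>"
            m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", line)
            if m:
                access_class = m.group(1)
    return WebUiStatus(hostname, http, https, access_class)


def severity(status: WebUiStatus) -> str:
    """Map the audit result onto the advisory's guidance: disable the web UI on
    internet-facing devices, or at minimum restrict it to trusted addresses."""
    if not (status.http_enabled or status.https_enabled):
        return "OK"          # web UI unreachable: HTTP and HTTPS server both off
    if status.access_class:
        return "WARN"        # web UI on but limited by an ACL; verify the ACL is tight
    return "CRITICAL"        # web UI on and reachable from anywhere it is routed


def audit_all(configs: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, severity) for each config so the result can be triaged."""
    return [(s.hostname, severity(s)) for s in map(audit_web_ui, configs)]


if __name__ == "__main__":
    for host, sev in audit_all([EXPOSED_CONFIG, RESTRICTED_CONFIG, HARDENED_CONFIG]):
        print(f"{host:15s} {sev}")
```

The audit assumes the config states the HTTP server lines explicitly, as `show running-config` does; a "WARN" result still needs a human to confirm that the referenced ACL permits only management addresses, because the script does not evaluate ACL contents.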

More Reading/Information


Updated Advisory: Two Vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in Citrix NetScaler ADC and NetScaler Gateway

New information suggests that a critical vulnerability (CVE-2023-4966) affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) has been actively exploited in the wild since late August 2023. It is recommended to apply the latest patches to the affected systems immediately to avoid potential compromise.

Sources

Original Security Advisory – October 11th, 2023

Two vulnerabilities were found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). They are being tracked as CVE-2023-4966 and CVE-2023-4967 and have been given CVSS scores of 9.4 and 8.2 out of a possible 10, respectively. CVE-2023-4966 can lead to the disclosure of sensitive information, while CVE-2023-4967 can cause a denial-of-service (DoS) on vulnerable devices.

To exploit either vulnerability, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The following versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Of note, NetScaler ADC and NetScaler Gateway version 12.1 has reached End-of-Life and is vulnerable. Citrix cloud-based management services have been updated; customers who use these cloud services do not need to take any further action.
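Matching an inventory against the version list above by hand is error-prone because each branch (14.1, 13.1, 13.0, and the FIPS/NDcPP variants) has its own fixed build and 12.1 has none. The script below is an added example, not Citrix's tooling and not part of the original advisory: it parses the `major.minor-build.sub` version string, compares the build against the fixed build for that branch and variant, and uses the Gateway/AAA prerequisite from the advisory to rank urgency. The fixed builds are copied from the list above; the inventory entries are constructed, and the status and priority labels are assumptions.

```python
import re
from typing import Dict, List, Tuple

# First fixed build per (branch, variant), taken from the affected-version list above.
FIXED_BUILDS: Dict[Tuple[str, str], str] = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}
# Plain 12.1 is End-of-Life: there is no fixed build, so every build is treated as affected.
EOL_BRANCHES = {("12.1", "")}

VERSION_RE = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """'13.1-49.15' -> ('13.1', (49, 15)); raise on anything that is not a NetScaler build string."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}", (int(build), int(sub))


def patch_status(version: str, variant: str = "") -> str:
    """One of: 'fixed', 'affected', 'eol-affected', 'unknown-branch'."""
    branch, build = parse_build(version)
    key = (branch, variant)
    if key in EOL_BRANCHES:
        return "eol-affected"
    if key not in FIXED_BUILDS:
        return "unknown-branch"   # branch not covered by the advisory; check the vendor bulletin
    _, fixed = parse_build(FIXED_BUILDS[key])
    # Builds compare as (build, sub) integer tuples, so 49.15 correctly sorts above 48.47.
    return "affected" if build < fixed else "fixed"


def priority(version: str, variant: str = "", gateway_or_aaa: bool = True) -> str:
    """Rank the work: exploitation requires a Gateway or AAA virtual server, so an
    affected appliance in that role is 'urgent'; one without it still needs 'patch'."""
    status = patch_status(version, variant)
    if status == "fixed":
        return "none"
    if status == "unknown-branch":
        return "review"
    return "urgent" if gateway_or_aaa else "patch"


def triage(inventory: List[Tuple[str, str, str, bool]]) -> List[Tuple[str, str, str]]:
    """inventory rows: (name, version, variant, configured as Gateway/AAA)."""
    return [(name, patch_status(ver, var), priority(ver, var, gw)) for name, ver, var, gw in inventory]


if __name__ == "__main__":
    # Constructed inventory; hostnames and roles are assumptions.
    sample = [
        ("ns-gw-1", "13.1-48.47", "", True),
        ("ns-adc-2", "14.1-8.50", "", True),
        ("ns-fips-3", "13.1-37.150", "FIPS", False),
        ("ns-old-4", "12.1-65.35", "", True),
    ]
    for row in triage(sample):
        print(row)
```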

More Reading/Information


Updated Advisory: Critical Vulnerabilities (CVE-2023-40044 & CVE-2023-42657) in WS_FTP Server

New information suggests that a critical vulnerability (CVE-2023-40044) affecting WS_FTP Server is being actively exploited in the wild to deploy ransomware. It is recommended to apply the latest patches to the affected systems immediately to avoid potential compromise.

Source: https://www.bleepingcomputer.com/news/security/ransomware-attacks-now-target-unpatched-ws-ftp-servers/

Original Security Advisory – October 2nd, 2023

Due to credible reports that these vulnerabilities are being actively exploited in the wild, Cybersafe would like to notify you of the following:

Progress Software released an update to fix two (2) critical vulnerabilities in its WS_FTP Server, a file transfer software product.

The first critical vulnerability is being tracked as CVE-2023-40044 and received a CVSS score of 10 out of 10, the highest score a vulnerability can receive. CVE-2023-40044 is a .NET deserialization vulnerability in the Ad Hoc Transfer module that allows an unauthenticated attacker to execute code on the underlying operating system. An attacker can exploit this vulnerability by sending a specially crafted POST request to a vulnerable system and gain remote code execution. All versions of the WS_FTP Server Ad Hoc Transfer module are affected.

The second vulnerability is being tracked as CVE-2023-42657 and received a CVSS score of 9.9 out of 10. CVE-2023-42657 is a directory traversal vulnerability that allows an unauthorized user to access and modify files and folders outside of the authorized WS_FTP folder path, including on the underlying operating system.

The following versions are affected:

  • WS_FTP Server versions before 8.7.4 and 8.8.2

Customers who cannot apply the latest update and are using WS_FTP with the Ad Hoc Transfer module installed should remove or disable the module.

More information can be found here: https://community.progress.com/s/article/Removing-or-Disabling-the-WS-FTP-Server-Ad-hoc-Transfer-Module

More Reading/Information


Be Aware of Recent Phishing Campaign Seen Targeting Customers

Cybersafe wants to make you aware of an active phishing campaign urging customers to settle their debts immediately. In this campaign, the threat actors are spoofing email addresses so that the recipient appears to have sent the email to themselves. The following subject line has also been observed: “Subject: There is an overdue payment under your name. Please, settle your debts ASAP.”

Cybersafe’s SOC is currently seeing this campaign target customers across a range of industries, geographies, and company sizes. This campaign is likely to persist, so it is important to stay vigilant and take the necessary steps to reduce the likelihood of falling victim to it.
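The two traits the campaign description gives, a sender address spoofed to match the recipient and the overdue-payment subject line, are enough to build a simple mail-filter rule. The script below is an added example (not Cybersafe's SOC tooling and not part of the original bulletin) that parses message headers with Python's standard `email` module and scores each of those signals, plus an optional third one: an SPF/DKIM/DMARC failure recorded in the standard `Authentication-Results` header. The three messages are constructed samples; the addresses, domains and message IDs are assumptions, and the two-signal threshold is a design choice, not a figure from the bulletin.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample messages (headers plus a one-line body); not real mail.
SELF_ADDRESSED_LURE = """\
From: jane.doe@example.com
To: jane.doe@example.com
Subject: There is an overdue payment under your name. Please, settle your debts ASAP.
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
Message-ID: <1@constructed.invalid>

Your account is overdue. Open the attached statement today.
"""

LEGIT_INVOICE = """\
From: billing@vendor.example.net
To: jane.doe@example.com
Subject: Invoice 4471 for October services
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example.net
Message-ID: <2@constructed.invalid>

Please find this month's invoice attached.
"""

NOTE_TO_SELF = """\
From: jane.doe@example.com
To: jane.doe@example.com
Subject: Reminder: renew parking permit
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
Message-ID: <3@constructed.invalid>

Don't forget.
"""

# Subject lure seen in the campaign; matched loosely so small wording changes still hit.
LURE_SUBJECT = re.compile(r"overdue payment.*settle your debts", re.IGNORECASE)
# Any failing sender-authentication result in the Authentication-Results header (RFC 8601).
AUTH_FAIL = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail|permerror)\b", re.IGNORECASE)


def signals(raw: str) -> List[str]:
    """Return the list of campaign indicators present in one message."""
    msg = message_from_string(raw)
    # parseaddr strips display names; for a multi-recipient To: it takes the first address.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    found = []
    if sender and sender == recipient:
        found.append("self-addressed")          # spoofed From: equal to the recipient
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        found.append("overdue-payment-lure")    # the campaign's subject line
    if AUTH_FAIL.search(msg.get("Authentication-Results", "")):
        found.append("sender-auth-failure")     # the spoof failed SPF/DKIM/DMARC
    return found


def is_suspicious(raw: str) -> bool:
    """Require two independent signals so a genuine note-to-self is not quarantined."""
    return len(signals(raw)) >= 2


if __name__ == "__main__":
    for name, raw in [("lure", SELF_ADDRESSED_LURE), ("invoice", LEGIT_INVOICE), ("note", NOTE_TO_SELF)]:
        print(f"{name:8s} suspicious={is_suspicious(raw)} signals={signals(raw)}")
```

The self-addressed check alone would flag every reminder a user mails to themselves, which is why the rule waits for a second corroborating signal; in a production gateway the same logic would typically be expressed as a transport rule or SIEM correlation rather than a standalone script.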


Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.