In this week's Security Advisory:
- Multiple Zero-Days in Exim Could Allow for Remote Code Execution
- Microsoft Fixes Two Zero-Days (CVE-2023-4863 and CVE-2023-5217) in Edge, Teams, Skype, and Webp Image Extensions
- Multiple Vulnerabilities in Cisco Catalyst SD-WAN Manager
- Multiple Vulnerabilities Patched in Google Chrome, Android, and Qualcomm Products
Multiple Zero-Days in Exim Could Allow for Remote Code Execution
Six (6) zero-days were discovered in Exim mail servers; the most severe could lead to remote code execution. Exim is a widely used Mail Transfer Agent (MTA) that is responsible for transferring mail across the network on Linux systems. The most critical of the zero-days is being tracked as CVE-2023-42115 and is an out-of-bounds write issue in the SMTP service that could allow an unauthenticated attacker to gain remote code execution on the vulnerable server. CVE-2023-42115 received a CVSS score of 9.8 out of 10.
The following versions are affected:
- Exim version 4.96 and prior
At the time of writing, three of the six zero-days have been patched in the latest update. It is recommended to apply the latest updates as they become available.
More Reading/Information
- https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
- https://www.exim.org/static/doc/security/CVE-2023-zdi.txt
- https://www.scmagazine.com/news/six-zero-days-in-exim-mail-transfer-agent-could-impact-more-than-253000-servers?nbd=zoNf5X8B1_eZHpRdMqJG&nbd_source=mrkto&mkt_tok=MTg4LVVOWi02NjAAAAGOk_U1OsByP9ctke36GAHPRcls18Ec5I_2Z50DIARbrxAbvu_JYip6zYjWFKZfdS_2p2qeNixd5udC7nq3R_MrBjV48kY7s9LX6Vyb1muw1Lg
- https://www.bleepingcomputer.com/news/security/exim-patches-three-of-six-zero-day-bugs-disclosed-last-week/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42115
Microsoft Fixes Two Zero-Days (CVE-2023-4863 and CVE-2023-5217) in Edge, Teams, Skype, and Webp Image Extensions
Microsoft released emergency updates for Edge, Teams, Skype, and Webp Image Extensions to fix two (2) zero-days that are being actively exploited in the wild. The first zero-day, CVE-2023-4863, is a heap buffer overflow in the WebP image library (libwebp). The second zero-day, CVE-2023-5217, is a heap buffer overflow in the VP8 encoder of the libvpx video codec library. Successful exploitation of either vulnerability could allow a threat actor to execute arbitrary code on the victim's host, or could crash the user's browser, resulting in a denial of service. Both vulnerabilities received a CVSS score of 8.8 out of 10.
Each affected product should be automatically updated. If not, please see the 'Security Updates' section in the following link to manually apply the latest update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
Of note, the Microsoft Store will automatically update all affected Webp Image Extensions. However, if automatic updates are disabled for Microsoft Store, it is critical that you manually apply the updates.
More Reading/Information
- https://msrc.microsoft.com/blog/2023/10/microsofts-response-to-open-source-vulnerabilities-cve-2023-4863-and-cve-2023-5217/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fixes-for-zero-days-in-open-source-libraries/
- https://nvd.nist.gov/vuln/detail/CVE-2023-4863
- https://nvd.nist.gov/vuln/detail/CVE-2023-5217
Multiple Vulnerabilities in Cisco Catalyst SD-WAN Manager
Cisco disclosed five (5) vulnerabilities affecting its Catalyst SD-WAN Manager. Catalyst SD-WAN Manager is network management software that allows administrators to manage devices on wide area networks (WANs). The most severe, tracked as CVE-2023-20252, received a CVSS score of 9.8 out of 10.
For a full list of affected versions, please navigate to the Fixed Releases section in the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z
Of note, these vulnerabilities do not affect IOS XE Software, SD-WAN cEdge Routers, or SD-WAN vEdge Routers.
More Reading/Information
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z
- https://www.bleepingcomputer.com/news/security/cisco-catalyst-sd-wan-manager-flaw-allows-remote-server-access/
- https://nvd.nist.gov/vuln/detail/CVE-2023-20252
Multiple Vulnerabilities Patched in Google Chrome, Android, and Qualcomm Products
Security updates were released for Google Chrome, Android, and Qualcomm products. The most severe could lead to remote code execution.
Google fixed one (1) vulnerability in its Chrome desktop browser for Windows, Mac, and Linux. The vulnerability, CVE-2023-5346, is a high-severity type confusion weakness in the Chrome V8 JavaScript engine and has not yet received a CVSS score.
The Android bulletin addressed a total of fifty-four (54) vulnerabilities, two (2) of which are being actively exploited. These vulnerabilities affect Android OS security patch levels prior to 2023-10-06.
Qualcomm released patches for multiple vulnerabilities in its Adreno GPU and Compute DSP drivers. The following vulnerabilities (CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063) may be under limited, targeted exploitation. Qualcomm plans to disclose more details surrounding these vulnerabilities in its December 2023 security bulletin. However, patches are available for these vulnerabilities, and users are advised to apply the updates from original equipment manufacturers (OEMs) as soon as possible.
More Reading/Information
- https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5346
- https://source.android.com/docs/security/bulletin/2023-10-01
- https://www.bleepingcomputer.com/news/security/android-october-security-update-fixes-zero-days-exploited-in-attacks/
- https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html
- https://www.helpnetsecurity.com/2023/10/04/qualcomm-vulnerabilities-exploited/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is a security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps inform and support your patch and vulnerability management program.
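As an added example of the inventory review recommended above (this is not part of the advisory and not tooling from Exim, Google, or any other vendor named here), the following Python script checks a constructed software inventory against two thresholds stated in this issue: Exim version 4.96 and prior, and Android security patch levels prior to 2023-10-06. The inventory format, the hostnames, and the assumption that an Exim version string may look like the banner printed by `exim -bV` are all hypothetical.

```python
import re
from datetime import date

# Thresholds exactly as stated in the advisories above.
EXIM_LAST_AFFECTED = (4, 96)                   # "Exim version 4.96 and prior"
ANDROID_FIXED_PATCH_LEVEL = date(2023, 10, 6)  # patch levels before this date are affected

# Constructed inventory records (hostnames and versions are made up for the example).
# The mx1 entry mimics an "Exim version X.YY #N built ..." banner such as
# `exim -bV` prints; that banner format is an assumption, not taken from the advisory.
INVENTORY = [
    {"host": "mx1.example.test", "product": "exim", "version": "Exim version 4.96 #2 built 01-Aug-2022"},
    {"host": "mx2.example.test", "product": "exim", "version": "4.97"},
    {"host": "mx3.example.test", "product": "exim", "version": "4.94.2"},
    {"host": "tablet-a", "product": "android", "patch_level": "2023-09-05"},
    {"host": "tablet-b", "product": "android", "patch_level": "2023-10-06"},
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_exim_version(text: str) -> tuple:
    """Extract the first dotted version number from text and return it as an int tuple.

    Tuple comparison orders releases correctly, e.g. 4.94.2 < 4.96 < 4.96.1 < 4.97,
    which a plain string comparison would not.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_exim_affected(version_text: str) -> bool:
    """True when the version is 4.96 or earlier, per the advisory."""
    return parse_exim_version(version_text) <= EXIM_LAST_AFFECTED


def is_android_affected(patch_level: str) -> bool:
    """True when the YYYY-MM-DD security patch level predates 2023-10-06."""
    return date.fromisoformat(patch_level) < ANDROID_FIXED_PATCH_LEVEL


def review_inventory(records) -> list:
    """Return (host, reason) pairs for every record the advisories above cover."""
    findings = []
    for rec in records:
        if rec["product"] == "exim" and is_exim_affected(rec["version"]):
            findings.append((rec["host"], "Exim 4.96 or prior: CVE-2023-42115 and related zero-days"))
        elif rec["product"] == "android" and is_android_affected(rec["patch_level"]):
            findings.append((rec["host"], "Android security patch level prior to 2023-10-06"))
    return findings


if __name__ == "__main__":
    for host, reason in review_inventory(INVENTORY):
        print(f"{host}: {reason}")
```

Distribution packages frequently backport security fixes without changing the upstream version number, so treat a hit from a check like this as a prompt to verify the host against the vendor's fixed releases, not as proof that it is exposed.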