Cybersafe Solutions Security Advisory Bulletin November 3, 2023

In this week's Security Advisory:

• Critical Vulnerability (CVE-2023-22518) in Confluence Data Center and Server
• Security Advisory Update: Two Vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in Citrix NetScaler ADC and NetScaler Gateway
• F5 Patches Critical Remote Code Execution Vulnerability (CVE-2023-46747) in BIG-IP
• Security Updates Released for Google Chrome Desktop Browser and Apple Products

Critical Vulnerability (CVE-2023-22518) in Confluence Data Center and Server

Atlassian released a patch to fix a critical vulnerability in its Confluence Data Center and Server. The critical vulnerability is being tracked as CVE-2023-22518 and is an improper authorization vulnerability that could lead to significant data loss if exploited.  CVE-2023-22518 received a CVSS score of 9.1 out of a possible 10.  This vulnerability affects on-premise instances of Confluence Data Center and Server.  Atlassian Cloud sites are not affected.

The following versions of Confluence Data Center and Server (on-premise) are affected:

• Confluence Data Center and Server prior to 7.19.16
• Confluence Data Center and Server prior to 8.3.4
• Confluence Data Center and Server prior to 8.4.4
• Confluence Data Center and Server prior to 8.5.3
• Confluence Data Center and Server prior to 8.6.1

Organizations that cannot apply the patch immediately should strict access to Confluence Server and Data Center from the internet or disable external access.

More Reading/Information:

• https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html
• https://www.helpnetsecurity.com/2023/10/31/cve-2023-22518/
• https://www.securityweek.com/atlassian-ciso-urges-quick-action-to-protect-confluence-instances-from-critical-vulnerability/
• https://nvd.nist.gov/vuln/detail/CVE-2023-22518 

Security Advisory Update: Two Vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in Citrix NetScaler ADC and NetScaler Gateway

New information suggests that the critical vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway is now under mass exploitation. This significant rise in exploitation is due to researchers releasing a proof-of-concept last week.  It is recommended to apply the latest patch released on October 10th to avoid potential compromise.

https://www.theregister.com/2023/10/31/mass_exploitation_citrix_bleed/

https://www.helpnetsecurity.com/2023/10/30/cve-2023-4966-exploited/

Updated Security Advisory - October 18th, 2023

New information suggests that a critical vulnerability (CVE-2023-4966) affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) has been actively exploited in the wild since late August 2023.  It is recommended to apply the latest patches to the affected systems immediately to avoid potential compromise.

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966

Original Security Advisory - October 11th, 2023

Two vulnerabilities were found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could allow for the disclosure of sensitive information.  The vulnerabilities are being tracked as CVE-2023-4966 and CVE-2023-4967 and have been given CVSS scores of 9.4 and 8.2 out of possible 10, respectively.  CVE-2023-4966 can lead to the disclosure of sensitive information while CVE-2023-4967 can cause a denial-of-service (DoS) on vulnerable devices. 

To exploit either vulnerability, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The following versions are affected:

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
• NetScaler ADC 13.1-FIPS before 13.1-37.164
• NetScaler ADC 12.1-FIPS before 12.1-55.300
• NetScaler ADC 12.1-NDcPP before 12.1-55.300

Of note, NetScaler ADC and NetScaler Gateway version 12.1 reached End-of-Life and is vulnerable. Citrix cloud-based management services have been updated.  Customers who use these cloud services do not need to take any further action.

More Reading/Information

• https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967   
• https://www.bleepingcomputer.com/news/security/new-critical-citrix-netscaler-flaw-exposes-sensitive-data/  
• https://www.securityweek.com/citrix-patches-critical-netscaler-adc-gateway-vulnerability/
• https://nvd.nist.gov/vuln/detail/CVE-2023-4966  
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4967
• https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
• https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966

F5 Patches Critical Remote Code Execution Vulnerability (CVE-2023-46747) in BIG-IP

F5 released a patch to fix a critical vulnerability in its BIG-IP that could lead to remote code execution. The critical vulnerability, CVE-2023-46747, is in the Traffic Management User Interface (TMUI), also known as the Configuration utility, and could allow an unauthenticated attacker with network access to the BIG-IP system to execute remote code. CVE-2023-46747 can only be exploited if the Traffic Management User Interface (TMUI) is exposed to the internet.  CVE-2023-46747 received a CVSS score of 9.8 out of a possible 10.

The following versions are affected:

• BIG-IP (all modules) versions 13.1.0-13.1.5
• BIG-IP (all modules) versions 14.1.0-14.1.5
• BIG-IP (all modules) versions 15.1.0-15.1.10
• BIG-IP (all modules) versions 16.1.0-16.1.4
• BIG-IP (all modules) versions 17.1.0

More Reading/Information

• https://my.f5.com/manage/s/article/K000137353
• https://www.securityweek.com/f5-warns-of-critical-remote-code-execution-vulnerability-in-big-ip/
• https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/
• https://nvd.nist.gov/vuln/detail/CVE-2023-46747

Security Updates Released for Google Chrome Desktop Browser and Apple Products

There were security updates released for Google Chrome Desktop Browser and Apple products.  The most severe could lead to arbitrary code execution.

Google Chrome addressed fifteen (15) vulnerabilities, with three (3) given a severity rating of "High".  These vulnerabilities affect Windows, Mac, and Linux.

Apple addressed at least sixty-five (65) vulnerabilities in several of its products. The following versions are affected:

• iOS and iPadOS version prior to 15.8 (iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation))
• iOS and iPadOS version prior to 16.7.2 (iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
• iOS and iPadOS versions prior to 17.1(iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
• macOS Ventura versions prior to 13.6.1
• macOS Sonoma versions prior to 14.1
• macOS Monterey versions prior to 12.7.1
• Safari versions prior to 17.1
• watchOS versions prior to 10.1
• tvOS versions prior to 17.1

More Reading/Information

• https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_31.html
• https://support.apple.com/en-us/HT201222
• https://www.securityweek.com/apple-ships-major-ios-macos-security-updates/

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.