Cybersafe Solutions Security Advisory Bulletin Sept 29, 2023

In this week's Security Advisory:

• Three Zero-Days (CVE-2023-41993, CVE-2023-41992 & CVE-2023-41991) in Apple Products Could Allow for Arbitrary Code Execution
• Zero-Day (CVE-2023-4863) Previously Disclosed by Google Assigned New CVE ID (CVE-2023-5129)
• Proof-of-Concept Exploit Released for Microsoft SharePoint Server Elevation of Privilege Vulnerability (CVE-2023-29357)
• Okta Provides Customers With Additional Security Measures to Protect Against Social Engineering Campaigns

Three Zero-Days (CVE-2023-41993, CVE-2023-41992 & CVE-2023-41991) in Apple Products Could Allow for Arbitrary Code Execution

Apple released updates to address three (3) zero-days being actively exploited in Apple devices. The first zero-day, CVE-2023-41993, allows an attacker to execute arbitrary code when processing specially crafted web content. CVE-2023-41992 received a CVSS score of 9.8 out of a possible 10. The second zero-day, CVE-2023-41992, allows a local attacker to elevate their privileges. CVE-2023-41992 received a CVSS score of 7.8 out of a possible 10. The third zero-day, CVE-2023-41991, allows a malicious app to bypass signature validation and gain arbitrary code execution. CVE-2023-41991 received a CVSS score of 5.5 out of a possible 10. There are reports of these vulnerabilities being actively exploited against versions of iOS before iOS 16.7.

The following products are affected:

• iOS and iPadOS prior to 16.7 (iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
• iOS 17.0.1 and iPadOS prior to 17.0.1 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
• watchOS prior to 9.6.3
• macOS Ventura prior to 13.6
• macOS Monterey prior to 12.7
• macOS Sonoma prior to 14
• Safari prior to 16.6.1 (available for macOS Big Sur and Monterey)
• Safari prior to 17 (available for macOS Monterey and macOS Ventura)

More Reading/Information

• https://support.apple.com/en-us/HT201222
• https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-3-new-zero-days-exploited-in-attacks/
• https://www.helpnetsecurity.com/2023/09/22/cve-2023-41992-cve-2023-41991-cve-2023-41993/
• https://nvd.nist.gov/vuln/detail/CVE-2023-41991
• https://nvd.nist.gov/vuln/detail/CVE-2023-41992
• https://nvd.nist.gov/vuln/detail/CVE-2023-41993

Zero-Day (CVE-2023-4863) Previously Disclosed by Google Assigned New CVE ID (CVE-2023-5129)

On September 12, 2023, Google disclosed a critical zero-day (CVE-2023-4863) affecting the WebP code library (libwebp) that could allow for arbitrary code execution or a denial-of-service attack. However, new information indicates that this vulnerability is not just in Google products but in libwebp, which is in many applications. The zero-day is now being tracked as CVE-2023-5129 and received a new CVSS score of 10 out of 10, the highest score a vulnerability can receive.

The following versions are affected:

• libwebp versions 0.5.0 to 1.3.1

More Reading/Information

• https://www.helpnetsecurity.com/2023/09/27/cve-2023-5129/
• https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
• https://nvd.nist.gov/vuln/detail/CVE-2023-5129

Proof-of-Concept Exploit Released for Microsoft SharePoint Server Elevation of Privilege Vulnerability (CVE-2023-29357)

A proof-of-concept exploit has been released for a critical vulnerability (CVE-2023-29357) affecting Microsoft SharePoint Server. CVE-2023-29357 was previously disclosed by Microsoft as part of their June 2023 Patch Tuesday rollout. This vulnerability could allow an unauthenticated attacker to gain administrator-level privileges. Researchers have also found a way to chain this with another remote code execution vulnerability to severely compromise the SharePoint server.

The following versions are affected:

• SharePoint Server 2019

More Reading/Information

• https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29357
• https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/

Okta Provides Customers With Additional Security Measures to Protect Against Social Engineering Campaigns

Cybersafe wants to ensure organizations that utilize Okta are aware of their recent release of additional security measures that customers should review to protect their environment against social engineering campaigns. Okta customers have experienced an uptick in social engineering attacks against their IT service desk personnel, which has led to attackers gaining access to highly privileged Okta Super Administrator accounts. This access has allowed attackers to impersonate users and compromise the entire organization. Okta has outlined several security measures to protect against these attacks and has asked customers to implement as they see fit. To review the list of recommendations, navigate to the following link: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

More Reading/Information

• https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe Solutions strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.