In this week's Security Advisory:
- Multiple Critical Remote Code Execution Vulnerabilities in Ivanti Avalanche
- ESET Fixes Vulnerability in Secure Traffic Scanning Feature
- Threat Actors Exploit 6 Year-Old Microsoft Vulnerability to Deliver Agent Tesla Malware
- Security Vulnerabilities in Google Chrome Desktop Browser and Mozilla Products
Multiple Critical Remote Code Execution Vulnerabilities in Ivanti Avalanche
Twenty (20) vulnerabilities have been reported in Ivanti Avalanche, an enterprise mobile device management solution. Of the vulnerabilities found, thirteen (13) received a severity rating of "Critical." These vulnerabilities are present in the WLAvalancheService and WLInfoRailService components of the Mobile Device Server. An attacker with network access to the Mobile Device Server could exploit them without authentication by sending specially crafted packets, resulting in a denial-of-service condition or remote code execution on the server. These vulnerabilities impact Ivanti Avalanche on-premise deployments; Ivanti addressed them in Avalanche 6.4.2. Until the upgrade is applied, restrict network access to the Mobile Device Server to the managed devices and administrative networks that actually need it.
The following versions are affected:
- Ivanti Avalanche (on-premise) versions prior to 6.4.2
More Reading/Information:
- https://forums.ivanti.com/s/article/Avalanche-6-4-2-Security-Hardening-and-CVEs-addressed?language=en_US
- https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities
- https://www.bleepingcomputer.com/news/security/ivanti-releases-patches-for-13-critical-avalanche-rce-flaws/
ESET Fixes Vulnerability in Secure Traffic Scanning Feature
ESET patched a vulnerability in the SSL/TLS protocol scanning feature of its products that could cause the product to trust site certificates it should not. The feature intercepts HTTPS connections and re-signs the site's certificate with ESET's locally installed root, so the browser always sees a valid chain and cannot catch the problem itself; validation of the original chain is entirely the product's responsibility. The vulnerability, CVE-2023-5594, may allow a browser to trust a site whose certificate chain is signed with an outdated or insecure algorithm (e.g. MD5 or SHA-1). CVE-2023-5594 received a CVSS score of 7.5 out of a possible 10. The fix is delivered through ESET's automatic module updates rather than a product upgrade, so confirm that endpoints are actually receiving module updates (see the auto-updates link below).
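The check a TLS-scanning proxy has to perform on the original chain, as an added example (standard-library Python written for this advisory, not ESET's code): walk each certificate's DER structure, read the signatureAlgorithm OID, and refuse the chain if any certificate whose signature is actually verified uses MD5 or SHA-1. The sample chain is constructed in memory with a minimal DER encoder, so the certificates are skeletons, not real ones; real DER certificates (for example from ssl.SSLSocket.getpeercert(binary_form=True)) work with the same functions. The self-signed trust anchor is deliberately skipped, because a root is trusted by identity, not by its own signature.

```python
"""Reject certificate chains whose signatures use MD5 or SHA-1.

Added example, not ESET's code, standard library only. A small DER reader
pulls the signatureAlgorithm OID out of each X.509 certificate
(Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }).
The sample chain is built with a matching minimal encoder so this runs offline.
"""

# Signature-algorithm OIDs that must not be accepted on any certificate whose
# signature is actually verified (leaf and intermediates).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03


def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OID content bytes (base-128 arcs) into dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the outer signatureAlgorithm OID of a DER X.509 Certificate."""
    tag, cert, _ = _read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert)             # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg)
    if tag != SEQUENCE or oid_tag != OID:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)


def weak_signatures(chain_der, includes_root=True):
    """Return [(index, oid, name)] for chain members signed with a weak algorithm.

    A self-signed trust anchor is trusted by identity, not by its signature,
    so it is skipped when the chain includes it. Any finding means the chain
    must be rejected, whatever the re-signed leaf looks like to the browser.
    """
    to_check = chain_der[:-1] if includes_root else chain_der
    findings = []
    for i, der in enumerate(to_check):
        oid = signature_algorithm_oid(der)
        if oid in WEAK_SIG_OIDS:
            findings.append((i, oid, WEAK_SIG_OIDS[oid]))
    return findings


# ---- constructed sample data: certificate-shaped DER, not real certificates --

def _encode_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _encode_tlv(OID, bytes(out))


def make_skeleton_cert(sig_oid):
    """Minimal Certificate with an empty tbsCertificate and a dummy signature."""
    tbs = _encode_tlv(SEQUENCE, b"")
    alg = _encode_tlv(SEQUENCE, _encode_oid(sig_oid) + b"\x05\x00")  # NULL params
    sig = _encode_tlv(BIT_STRING, b"\x00" + b"\xAA" * 8)
    return _encode_tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    # leaf: SHA-256; intermediate: SHA-1 (must reject); root: SHA-1 (ignored)
    chain = [make_skeleton_cert("1.2.840.113549.1.1.11"),
             make_skeleton_cert("1.2.840.113549.1.1.5"),
             make_skeleton_cert("1.2.840.113549.1.1.5")]
    for idx, oid, name in weak_signatures(chain):
        print(f"reject chain: cert[{idx}] signed with {name} ({oid})")
```

Run as a script it reports the SHA-1 intermediate and stays silent about the SHA-1 root. If your interception proxy or gateway passes a chain like this through with a clean re-signed leaf, it has the same class of defect this advisory describes.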
The following ESET products are affected:
- ESET NOD32 Antivirus
- ESET Internet Security
- ESET Smart Security Premium
- ESET Security Ultimate
- ESET Endpoint Antivirus for Windows and ESET Endpoint Security for Windows
- ESET Endpoint Antivirus for Linux 10.0 and above
- ESET Server Security for Windows Server (File Security for Microsoft Windows Server)
- ESET Mail Security for Microsoft Exchange Server
- ESET Mail Security for IBM Domino
- ESET Security for Microsoft SharePoint Server
- ESET File Security for Microsoft Azure
- ESET Server Security for Linux 10.1 and above
More Reading/Information:
- https://support.eset.com/en/ca8562-eset-customer-advisory-improper-following-of-a-certificates-chain-of-trust-in-eset-security-products-fixed
- https://www.securityweek.com/eset-patches-high-severity-vulnerability-in-secure-traffic-scanning-feature/
- https://help.eset.com/protect_admin/90/en-US/auto_updates.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-5594
Threat Actors Exploit 6 Year-Old Microsoft Vulnerability to Deliver Agent Tesla Malware
Threat actors are exploiting a 6 year-old vulnerability (CVE-2017-11882) in unpatched versions of Microsoft Office to deliver Agent Tesla malware. CVE-2017-11882 is a stack-based buffer overflow in the Equation Editor component (EQNEDT32.EXE), which Office launches when it loads an embedded Equation object. Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user and potentially take over the affected system. Threat actors are leveraging this vulnerability via a phishing campaign that tricks users into opening a specially crafted Excel attachment on a vulnerable version of Microsoft Office; the exploit relies on no macros, so the "Enable Content" prompt offers no protection. Once the malware is downloaded, it will monitor keystrokes, take screenshots, steal credentials, and exfiltrate data.
CVE-2017-11882 was disclosed and patched in November 2017, and Microsoft removed the Equation Editor component from Office entirely in the January 2018 updates. Apply the patch to affected systems immediately if you have not already done so. On a fully updated installation EQNEDT32.EXE should no longer be present under the Microsoft Shared\EQUATION directory; where it must remain, Microsoft's published workaround is to disable the Equation Editor COM class ({0002CE02-0000-0000-C000-000000000046}) through the Office COM Compatibility registry key.
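A mail-gateway or triage check for the lure files used in this campaign, added here as an example (standard-library Python written for this advisory, not Zscaler's or Microsoft's tooling). It looks for the Equation Editor 3.0 OLE class, CLSID {0002CE02-0000-0000-C000-000000000046} and ProgID Equation.3, in raw OLE2 files, inside OOXML zip containers, and in the hex-encoded \objdata of RTF files. The sample documents are constructed in memory, contain no exploit payload, and exist only to exercise the scanner; a match means "this document embeds Equation Editor", which ordinary business attachments almost never do and which is worth quarantining on any inbound mail flow.

```python
"""Flag Office documents that embed the Equation Editor OLE object.

Added example; standard library only. Handles three container shapes:
raw OLE2 bytes (.doc/.xls or an extracted embedding stream), OOXML zips
(.docx/.xlsx, embeddings under */embeddings/*.bin) and RTF, where the
object is carried as hex text in an \\objdata group. Sample files below
are constructed in memory and carry no exploit payload.
"""
import io
import re
import zipfile

# CLSID {0002CE02-0000-0000-C000-000000000046} of Microsoft Equation 3.0, the
# class hosted by EQNEDT32.EXE (the same ID Microsoft's COM-disable workaround
# targets). Stored little-endian inside OLE structures.
EQNEDT_CLSID_LE = bytes.fromhex("02CE02000000000000C000000000000046")
# ProgIDs written as ASCII in OLE class-name fields and in RTF \objclass.
EQNEDT_PROGIDS = (b"Equation.3", b"Equation.2")

_HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")


def _indicators_in_bytes(blob):
    """Return the set of indicator names present in a raw byte buffer."""
    hits = set()
    if EQNEDT_CLSID_LE in blob:
        hits.add("clsid-0002CE02")
    for progid in EQNEDT_PROGIDS:
        if progid in blob:
            hits.add(progid.decode())
    return hits


def _scan_rtf(data):
    """RTF: the embedded object is hex text, so decode hex runs and rescan."""
    hits = _indicators_in_bytes(data)          # \objclass Equation.3 is plain text
    for m in _HEX_RUN.finditer(data):
        compact = re.sub(rb"\s+", b"", m.group(0))
        for start in (0, 1):                   # try both nibble alignments
            chunk = compact[start:]
            chunk = chunk[:len(chunk) - len(chunk) % 2]
            hits |= _indicators_in_bytes(bytes.fromhex(chunk.decode()))
    return hits


def _scan_ooxml(data):
    """OOXML: walk every zip member; embeddings are OLE2 .bin files."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            hits |= {f"{name}:{h}" for h in _indicators_in_bytes(zf.read(name))}
    return hits


def scan_document(data):
    """Return a sorted list of Equation Editor indicators found in a document."""
    if data.startswith(b"{\\rt"):
        return sorted(_scan_rtf(data))
    if data.startswith(b"PK\x03\x04"):
        return sorted(_scan_ooxml(data))
    return sorted(_indicators_in_bytes(data))   # OLE2 (D0 CF 11 E0) or unknown


# ---- constructed samples (benign, no exploit payload) ------------------------

def sample_rtf():
    ole_hex = (b"Equation.3" + EQNEDT_CLSID_LE).hex().encode()
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole_hex + b"}}}")


def sample_xlsx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + EQNEDT_CLSID_LE)
    return buf.getvalue()


def sample_clean_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("rtf", sample_rtf()), ("xlsx", sample_xlsx()),
                       ("clean docx", sample_clean_docx())):
        print(label, "->", scan_document(doc) or "no Equation Editor object")
```

The RTF branch decodes hex runs at both nibble alignments because attackers pad and split \objdata freely; the OOXML branch reports the member name so an analyst can pull exactly the embedding that matched. Pair this gateway check with the host-side verification above (EQNEDT32.EXE absent, or its COM class disabled), since the scanner only catches the delivery vehicle, not the vulnerable component.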
More Reading/Information:
- https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
- https://www.darkreading.com/cloud-security/attackers-exploit-microsoft-office-bug-spyware
- https://www.scmagazine.com/news/threat-actors-use-six-year-old-flaw-to-spread-agent-tesla-via-vulnerable-excel-files
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882
- https://nvd.nist.gov/vuln/detail/cve-2017-11882
Security Vulnerabilities in Google Chrome Desktop Browser and Mozilla Products
Google and Mozilla released security updates addressing several vulnerabilities in their products.
Google Chrome fixed a zero-day that is actively being exploited in the wild. The zero-day is tracked as CVE-2023-7024 and is a heap-based buffer overflow in the WebRTC component. Successful exploitation could let a threat actor execute arbitrary code in the context of the browser process handling the call (normally the sandboxed renderer, so full host compromise requires chaining a sandbox escape) or crash the browser, resulting in a denial of service. The fix shipped in Chrome 120.0.6099.129/130 for desktop; other Chromium-based browsers such as Microsoft Edge and Brave bundle the same WebRTC code and need their own vendor updates.
Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There were a total of forty (40) vulnerabilities affecting Firefox, Firefox ESR, and Thunderbird, with twelve (12) receiving a severity rating of "High". These affect Firefox prior to 121, Firefox ESR prior to 115.6, and Thunderbird prior to 115.6.
More Reading/Information:
- https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_20.html
- https://thehackernews.com/2023/12/urgent-new-chrome-zero-day.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7024
- https://www.mozilla.org/en-US/security/advisories/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.