In this week's Security Advisory:
Twenty (20) vulnerabilities have been reported in Ivanti Avalanche, an enterprise mobile device management solution. Of the vulnerabilities found, thirteen (13) received a severity rating of "Critical." These vulnerabilities are present in the WLAvalancheService and WLInfoRailService components. An attacker could successfully exploit these vulnerabilities by sending a specially crafted packet to the Mobile Device Server, resulting in a denial-of-service attack or remote code execution. These vulnerabilities impact Ivanti Avalanche on-premises products.
The following versions are affected:
More Reading/Information:
ESET patched a vulnerability in its SSL/TLS protocol scanning feature that could allow the product to trust site certificates that it should not. The vulnerability, CVE-2023-5594, may allow a browser to trust a certificate signed with outdated or insecure algorithms (e.g., MD5 or SHA-1). CVE-2023-5594 received a CVSS score of 7.5 out of a possible 10.
The following ESET products are affected:
More Reading/Information:
Threat actors are exploiting a six-year-old vulnerability (CVE-2017-11882) in unpatched versions of Microsoft Office to deliver Agent Tesla malware. Successful exploitation could allow an attacker to execute arbitrary code in the context of the current user and potentially take over the affected system. Threat actors are leveraging this vulnerability via a phishing campaign that tricks users into opening a specially crafted file, which exploits a vulnerable version of Microsoft Office. Once the malware is downloaded, it will monitor keystrokes, take screenshots, steal credentials, and exfiltrate data.
CVE-2017-11882 was previously disclosed in November 2017 and has an existing patch. It is recommended to apply the patch to affected systems immediately if you have not already done so.
More Reading/Information:
Google and Mozilla released security updates to address several vulnerabilities in their products.
Google fixed a zero-day in Chrome that is being actively exploited in the wild. The zero-day is tracked as CVE-2023-7024 and is a heap-based buffer overflow weakness in the WebRTC framework. Successful exploitation of this vulnerability can allow a threat actor to execute arbitrary code on the victim's host or crash the user's browser, resulting in a denial of service.
Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. A total of forty (40) vulnerabilities affect Firefox, Firefox ESR, and Thunderbird, with twelve (12) receiving a severity rating of "High". The affected versions are Firefox prior to 121, Firefox ESR prior to 115.6, and Thunderbird prior to 115.6.
More Reading/Information:
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.