In this week's Security Advisory:
- Critical Vulnerability in Ivanti's Endpoint Manager (EPM)
- High-Severity Vulnerability in FortiOS and FortiProxy
- RE#TURGENCE Attack Targets Misconfigured Microsoft SQL Servers to Deploy MIMIC Ransomware
- Security Updates Released for Microsoft, QNAP, Google Chrome Desktop Browser, and Adobe Products
Critical Vulnerability in Ivanti's Endpoint Manager (EPM)
Ivanti fixed a critical vulnerability in its Endpoint Manager (EPM) that could allow an unauthenticated threat actor with access to the internal network to execute code remotely. The vulnerability is tracked as CVE-2023-39336 and received a CVSS score of 9.6 out of a possible 10. CVE-2023-39336 is a SQL injection vulnerability that lets the attacker execute arbitrary SQL queries against the EPM database and retrieve the output without authenticating. If successfully exploited, an attacker could take control of every machine that runs an EPM agent. Ivanti further reports that the core server itself may be exposed to remote code execution when it is configured to use Microsoft SQL Express.
This vulnerability affects the following versions:
- Ivanti EPM 2021 and EPM 2022 before Service Update 5
More Reading/Information:
- https://www.ivanti.com/blog/security-update-for-ivanti-epm
- https://forums.ivanti.com/s/article/SA-2023-12-19-CVE-2023-39336?language=en_US
- https://www.scmagazine.com/news/ivanti-patches-critical-flaw-in-its-epm-software
- https://nvd.nist.gov/vuln/detail/CVE-2023-39336
High-Severity Vulnerability in FortiOS and FortiProxy
Fortinet fixed a high-severity vulnerability in FortiOS and FortiProxy that could allow an authenticated attacker to perform elevated actions. The vulnerability is tracked as CVE-2023-44250 and received a CVSS score of 8.3 out of a possible 10. CVE-2023-44250 is an improper privilege management vulnerability (CWE-269) in FortiOS and FortiProxy high-availability (HA) clusters: an attacker who already holds a valid account can send crafted HTTP or HTTPS requests to carry out actions beyond the privileges assigned to that account. Per Fortinet's advisory, the issue applies to devices operating in an HA cluster.
The following versions are affected:
- FortiOS versions 7.4.0 through 7.4.1
- FortiOS version 7.2.5
- FortiProxy versions 7.4.0 through 7.4.1
More Reading/Information:
- https://www.fortiguard.com/psirt/FG-IR-23-315
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44250
RE#TURGENCE Attack Targets Misconfigured Microsoft SQL Servers to Deploy MIMIC Ransomware
Threat actors are abusing a built-in feature of misconfigured, internet-exposed Microsoft SQL (MSSQL) servers to deploy MIMIC ransomware in a campaign tracked as "RE#TURGENCE." Initial access is gained by brute-forcing the password of an administrative SQL login (typically sa) on MSSQL servers that are reachable from the internet. Once logged in with sysadmin rights, the attackers enable and run xp_cmdshell, an extended stored procedure that ships with MSSQL and executes operating-system commands on the database host in the context of the SQL Server service account. xp_cmdshell is disabled by default for exactly this reason, but any sysadmin login can turn it back on through sp_configure. From that foothold the attackers harvest further credentials, move laterally, and ultimately compromise the domain and deploy the ransomware. The combination to look for is therefore an MSSQL instance exposed to the internet, a weak or reused administrative password, and xp_cmdshell enabled.
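As an added example (not from the Securonix report or from this advisory), the following Python script shows what the two indicators described above look like in a SQL Server ERRORLOG and how to flag them: a burst of failed logins from one client address followed by a successful login from the same address, and the configuration change that enables xp_cmdshell. The log excerpt is constructed for this example using the real ERRORLOG message formats; the client addresses are RFC 5737 documentation addresses, and the threshold and time window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (example data, not from the campaign
# report). Line layout follows the real ERRORLOG format; in a real log every
# "Login failed" line is preceded by an "Error: 18456" line, shown once here.
# Client addresses are RFC 5737 documentation addresses.
SAMPLE_ERRORLOG = """\
2024-01-08 10:15:32.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-08 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:34.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:36.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:37.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:39.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:41.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-01-08 10:16:05.77 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 10:16:05.91 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 11:02:10.00 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_errorlog(text):
    """Return a list of (timestamp, source, message) tuples, one per log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: max_failures_in_window} for clients that produced at
    least `threshold` failed logins inside any sliding window of length `window`.
    Threshold and window are assumptions; tune them to your login volume."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    hits = {}
    for ts, _src, msg in events:
        m = FAILED_RE.search(msg)
        if not m:
            continue
        client = m.group(2)
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[client] = max(hits.get(client, 0), len(q))
    return hits


def find_success_after_bruteforce(events, bruteforce_hits):
    """Successful logins from clients already flagged for brute forcing: the
    point at which password guessing turned into access. Returns
    (timestamp, user, client) tuples."""
    found = []
    for ts, _src, msg in events:
        m = SUCCESS_RE.search(msg)
        if m and m.group(2) in bruteforce_hits:
            found.append((ts, m.group(1), m.group(2)))
    return found


def find_xp_cmdshell_enabled(events):
    """Timestamps at which xp_cmdshell was switched from 0 to 1 via sp_configure.
    The 'show advanced options' change that precedes it is deliberately ignored."""
    found = []
    for ts, _src, msg in events:
        m = CONFIG_RE.search(msg)
        if m and m.group(1) == "xp_cmdshell" and m.group(3) == "1":
            found.append(ts)
    return found


def analyze(text):
    """Run all three checks over an ERRORLOG text and return the findings."""
    events = parse_errorlog(text)
    bf = find_bruteforce(events)
    return {
        "bruteforce": bf,
        "success_after_bruteforce": find_success_after_bruteforce(events, bf),
        "xp_cmdshell_enabled": find_xp_cmdshell_enabled(events),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_ERRORLOG).items():
        print(f"{name}: {value}")
```

In production, feed the script the rotated ERRORLOG files (or the equivalent records from the Windows Application log, where the xp_cmdshell configuration change also appears) rather than the embedded sample, and treat a successful login from a client flagged for brute forcing, or any enablement of xp_cmdshell on an internet-facing instance, as an incident to investigate rather than a low-priority alert.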
More Reading/Information:
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/
- https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-sql-servers-in-mimic-ransomware-attacks/
- https://www.csoonline.com/article/1289668/turkish-ransomware-campaign-hacks-into-weak-mssql-servers-report.html
Security Updates Released for Microsoft, QNAP, Google Chrome Desktop Browser, and Adobe Products
Microsoft addressed forty-eight (48) vulnerabilities in its January 2024 Patch Tuesday release. Of the vulnerabilities disclosed, two (2) vulnerabilities received a severity rating of "Critical." This release did not contain any vulnerabilities actively exploited in the wild.
QNAP released fixes for twelve (12) vulnerabilities affecting QTS and QuTS hero, QuMagie, Netatalk and Video Station. The most severe could lead to remote code execution.
Google released a security update to fix one (1) high-severity vulnerability in its Chrome Desktop Browser for Windows, Mac, and Linux.
Adobe had six (6) vulnerabilities, the most severe of which could cause arbitrary code execution. These vulnerabilities affect Windows and macOS versions of Adobe Substance 3D Stager.
More Reading/Information:
- https://msrc.microsoft.com/update-guide/releaseNote/2024-Jan
- https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/
- https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_9.html
- https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html
Recommendations
Please review your environment to ensure the issues above are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above also highlight the benefit of limiting deployed software to vendor-supported versions only, which greatly increases the likelihood that a patch is issued when a new vulnerability is found. For MSSQL in particular, confirm that no instance is reachable from the internet, that xp_cmdshell is disabled unless there is a documented need for it, and that administrative SQL logins use strong, unique passwords. Likewise, Cybersafe strongly encourages maintaining an inventory of the software in your environment, which informs your patch and vulnerability management program.