In this week's Security Advisory:
Fortra released a patch to address a critical vulnerability in its GoAnywhere MFT, a managed file transfer tool. The vulnerability is being tracked as CVE-2024-0204 and is an authentication bypass that could allow a remote, unauthenticated attacker to create an administrative user through the administration portal and ultimately take over the system. Successful exploitation could lead to an attacker gaining access to sensitive information and installing malware on the affected system. CVE-2024-0204 received a CVSS score of 9.8 out of a possible 10.
The following versions are affected:
While there are no reports of this vulnerability being exploited in the wild, a public proof-of-concept exploit is available, so it is recommended to apply the patch immediately.
More Reading / Information
Apple released updates to address several vulnerabilities including a zero-day that is actively being exploited in the wild. The zero-day, CVE-2024-23222, impacts iOS, macOS, iPadOS, Safari, and tvOS products and is an issue in the WebKit browser engine that could lead to arbitrary code execution when processing specially crafted web content. At this time, CVE-2024-23222 has not received a CVSS score.
The following products are affected:
More Reading / Information
New threat intel shows that threat actors are actively exploiting a critical vulnerability (CVE-2023-22527) affecting Confluence Data Center and Server. It is recommended to apply the latest update to the affected versions immediately if you have not already done so.
Original Security Advisory - January 17th, 2024:
Atlassian released a patch to fix a critical vulnerability in its Confluence Data Center and Server. The critical vulnerability is being tracked as CVE-2023-22527 and received a CVSS score of 10 out of 10, the highest score a vulnerability can receive. CVE-2023-22527 is a template injection vulnerability that could allow an unauthenticated attacker to achieve remote code execution. This vulnerability affects out-of-date versions of Confluence Data Center and Server, specifically older 8.x releases. Atlassian Cloud sites are not affected.
The following versions are affected:
More Reading / Information
New threat intel indicates that a critical vulnerability (CVE-2023-34048) impacting VMware vCenter Server is actively being exploited in the wild by UNC3886, a Chinese espionage group. UNC3886 has been observed exploiting this vulnerability since late 2021 to install backdoors and execute remote code on affected servers. CVE-2023-34048 was previously disclosed in October 2023 and has an existing patch.
Due to the severity of the vulnerability, VMware has made patches available for vCenter Server 8.0U1, as well as for end-of-life products with no active support, including vCenter Server 6.7U3, 6.5U3, and VMware Cloud Foundation 3.x. It is strongly recommended to apply the patch to affected vCenter Servers immediately if you have not already done so.
Original Security Advisory - October 25th, 2023:
VMware released updates to address two (2) vulnerabilities in its vCenter Server that could lead to remote code execution. The first vulnerability, CVE-2023-34048, is an out-of-bounds write vulnerability in vCenter's DCE/RPC protocol implementation and could allow a remote, unauthenticated attacker with network access to execute code on the vulnerable server. CVE-2023-34048 received a CVSS score of 9.8 out of a possible 10. The second vulnerability, CVE-2023-34056, is a partial information disclosure vulnerability that could allow an attacker with non-administrative privileges on the vulnerable server to gain access to unauthorized data. CVE-2023-34056 received a CVSS score of 4.3 out of a possible 10.
The following versions are affected:
More Reading / Information
A Russian nation-state actor tracked as Midnight Blizzard, also known as Nobelium, Cozy Bear, and APT29, had access to Microsoft corporate email accounts for over two months. The threat actor used a password spray attack to access a legacy non-production test account. Once the attacker gained a foothold, they used the test account's permissions to pivot to other Microsoft corporate email accounts, gaining access to sensitive files and emails belonging to members of leadership and other Microsoft employees. It is important to note that there is no evidence that the attacker accessed customer data, source code, or production systems.
This compromise highlights the importance of following security best practices on all systems, including legacy and non-production systems. Organizations should use strong, unique passwords for every account and enforce multi-factor authentication (MFA) on all accounts wherever possible. Organizations should also monitor their cloud sign-in and audit logs for abnormal activity, such as many failed logins across different accounts from a single source, which is the signature of a password spray.
More Reading / Information
There were security updates released by several vendors including Google, Mozilla, and Oracle. The most severe could cause remote code execution.
Google Chrome had a total of seventeen (17) vulnerabilities, with three (3) vulnerabilities given a severity rating of "High." These vulnerabilities affect Windows, Mac, and Linux.
Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. A total of thirty-three (33) vulnerabilities were addressed across Firefox, Firefox ESR, and Thunderbird, with nine (9) receiving a severity rating of "High." These affect Firefox versions prior to 122, Firefox ESR versions prior to 115.7, and Thunderbird versions prior to 115.7.
Oracle released 389 patches in their quarterly update, which fixed vulnerabilities in several of their products. The most severe can lead to remote code execution, which allows the threat actor to install programs, view, change, or delete information, and potentially gain control of the affected system. It is recommended to update all affected products to their latest version. The full list of affected Oracle products can be found here: https://www.oracle.com/security-alerts/cpujan2024.html
More Reading / Information
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch will be issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which informs your patch and vulnerability management program and lets you confirm that every affected product has actually been updated.