Threat Bulletin | January 26

Sources: 

• https://thehackernews.com/2024/01/apple-issues-patch-for-critical-zero.html 
• https://nvd.nist.gov/vuln/detail/CVE-2024-23222   

Entities:  

• Apple, iOS, iPadOS, macOS, tvOS, Safari, Threat actors  

Attack Vectors:  

• Type confusion bug exploited through maliciously crafted web content, leading to arbitrary code execution. 

Impact:  

• Potential for unauthorized code execution and compromise of affected devices. 

Detailed Description: 

• Apple issues security updates addressing a critical zero-day vulnerability (CVE-2024-23222) actively exploited in iPhones, Macs, and other devices.  
• The type confusion bug allows threat actors to execute arbitrary code through malicious web content.  
• Apple acknowledges the reported exploitation but provides minimal details.  
• Users are urged to update their devices promptly to mitigate the risk of unauthorized code execution and potential compromise. 

Recommendation: 

• Users should apply the security updates immediately to all affected devices, including iOS, iPadOS, macOS, tvOS, and Safari.  
• Please reference the recent Security Releases from Apple. 

Sources: 

• https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html 

Entities:  

• Apache ActiveMQ 

Attack Vectors:  

• Exploitation of Apache ActiveMQ vulnerability enabling remote code execution 

Impact:  

• Severe (CVSS score: 10.0); Active deployment of ransomware, rootkits, cryptocurrency miners, and DDoS botnets. 

Detailed Description: 

• A significant increase in threat actor activity exploiting a now-patched flaw in Apache ActiveMQ. 
• CVE-2023-46604, a severe vulnerability in Apache ActiveMQ disclosed in late October 2023, is actively exploited.  
• Threat actors deploy JSP-based web shells, targeting vulnerable instances within the “admin” folder of ActiveMQ installations.  
• Named Godzilla, the web shell is a sophisticated backdoor capable of parsing HTTP POST requests, executing content, and returning results. 

Recommendation: 

• Immediately update Apache ActiveMQ to the latest version to mitigate the identified vulnerability. 

Sources: 

• https://thehackernews.com/2024/01/alert-ivanti-releases-patch-for.html  

Entities:  

• Ivanti Endpoint Manager (EPM) Solution 

Attack Vectors:  

• Unspecified SQL injection leading to remote code execution (RCE) 

Impact:  

• High, potential for unauthorized execution of arbitrary SQL queries and RCE on susceptible servers 

Detailed Description: 

• Ivanti’s Endpoint Manager Solution is affected by a critical vulnerability (CVE-2023-39336) that could result in remote code execution.  
• Rated 9.6 out of 10 on the CVSS scoring system, the flaw impacts EPM 2021 and EPM 2022 prior to SU5. 
• The flaw arises from an unspecified SQL injection, allowing an attacker with internal network access to execute arbitrary SQL queries without authentication.  
• This could grant the attacker control over machines with the EPM agent, with the potential for RCE on the core server if configured to use SQL express. Ivanti has provided security updates to address this vulnerability. 

Recommendation: 

• Immediately apply the provided security updates for Ivanti Endpoint Manager (EPM) Solution to remediate the critical vulnerability. 
• Please refer to the Ivanti security release that addresses this CVE and others associated with the release of version 6.4.2. 

Sources: 

• https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/ 

Entities:  

• VMware vCenter Server, ESX servers, ESXi servers, Virtual Machines (VMs) 

Attack Vectors:  

• Remote exploitation through DCE/RPC protocol implementation 

Impact:  

• High impact on confidentiality, integrity, and availability; Active exploitation reported 

Detailed Description: 

• VMware confirms active exploitation of a critical vCenter Server vulnerability (CVE-2023-34048) patched in October. 
• vCenter Server, managing VMware vSphere environments, is vulnerable to remote code execution. 
• Attackers can exploit it remotely with low-complexity attacks, impacting confidentiality, integrity, and availability without authentication. 
• VMware issued security patches, including for end-of-life products, emphasizing the critical nature of the vulnerability. 
• Ransomware groups, such as Royal, Black Basta, and LockBit, target VMware ESXi servers for file theft and encryption. 
• Shodan data reveals over 2,000 exposed VMware Center servers, posing breach risks to corporate networks. 
• VMware advises strict network access control for vSphere management components in the absence of a workaround. 
• Specific network ports (2012/tcp, 2014/tcp, 2020/tcp) are linked to potential exploitation. 

Recommendation: 

• Please review the following security advisory from VMware from October that addresses this vulnerability. 
• To remediate this CVE, apply the updates listed in the ‘Fixed Version’ column of the Response Matrix within the advisory. 

Sources: 

• https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/  
• https://usa.kaspersky.com/blog/logofail-uefi-vulnerabilities/29588/ 

Entities:  

• Windows, Linux, UEFI (Unified Extensible Firmware Interface), Various hardware manufacturers (e.g., Lenovo, Dell, HP), Intel, AMD, ARM  

Attack Vectors:  

• Logo image replacement, Image parser vulnerabilities in UEFI, Remote and physical attacks 

Impact:  

• Execution of malicious firmware, Bypassing security defenses (Secure Boot, Intel’s Secure Boot, etc.), Full control over memory and disk, Persistent infections, Undetectable by traditional security measures 

Detailed Description: 

• LogoFAIL is a firmware attack leveraging two dozen vulnerabilities in the UEFI, affecting a wide range of Windows and Linux devices.  
• These vulnerabilities allow for the remote or physical replacement of logo images during the boot process, enabling the execution of malicious code at a critical stage, bypassing various security defenses.  
• This poses a significant threat to platform security, allowing attackers to gain control over the device’s memory and disk.  
• The attack is fileless, making detection challenging, and persists even after operating system reinstallation. 
• LogoFAIL vulnerabilities are tracked under the following designations. However, the list is currently incomplete. 
  • CVE-2023-5058 
  • CVE-2023-39538 
  • CVE-2023-39539 
  • CVE-2023-40238  

Recommendation: 

• Users are advised to apply UEFI security updates promptly, provided by device manufacturers or motherboard suppliers.  
• Configuration of additional defenses, such as Secure Boot, Intel Boot Guard, and Intel BIOS Guard, is recommended where available. 

Sources: 

• https://thehackernews.com/2024/01/microsofts-january-2024-windows-update.html 
• https://msrc.microsoft.com/update-guide/releaseNote/2024-Jan 

Entities:  

• Microsoft Windows, Chromium-based Edge browser 

Attack Vectors:  

• Various vectors including network spoofing, privilege escalation, and security bypass. 

Impact:  

• Critical vulnerabilities allow for security feature bypass, remote code execution, and decryption of TLS traffic. Successful exploitation could result in machine-in-the-middle attacks and remote code execution. 

Detailed Description: 

• Microsoft’s latest update covers 48 security flaws, including critical issues like Krberos Security Feature Bypass and Hyper-V Remote Code Execution. 
• While some vulnerabilities demand authenticated access to restricted networks, others, like CVE-2024-20700, enable remote code execution without user interaction. 
• Notably, CVE-2024-0056 is a security bypass affecting System.Data.SqlClient and Microsoft.Data.SqlClient that exposes TLS traffic to potential decryption and modification. 
• Microsoft is disabling FBX file insertion in various applications due to a flaw (CVE-2024-20677) that might lead to remote code execution. 

Recommendation: 

• Promptly apply Microsoft’s January 2024 updates, prioritize critical patches, and monitor for further advisories from affected vendors. 
• Avoid FBX file insertion in Office applications and consider using GLB file formats instead. 

Sources: 

• https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/  
• https://nvd.nist.gov/vuln/detail/CVE-2024-0519  
• https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html 

Entities:  

• Google Chrome 

Attack Vectors:  

• Out-of-bounds memory access 

Impact:  

• Actively exploited vulnerability, Unauthorized access, Potential code execution, Data compromise 

Detailed Description: 

• The actively exploited zero-day (CVE-2024-0519) in Google Chrome involves a high-severity vulnerability in the Chrome V8 JavaScript engine.  
• Attackers can exploit out-of-bounds memory access, potentially leading to unauthorized access to sensitive data or system crashes.  
• The vulnerability may also be used to bypass protection mechanisms.  
• Google has swiftly addressed the issue with patches for Windows, Mac, and Linux users.  
• While details about the exploits are limited for security reasons, users are urged to update their browsers immediately to mitigate the risk of exploitation.  
• Google also patched additional V8 engine vulnerabilities (CVE-2024-0517 and CVE-2024-0518) that could allow arbitrary code execution on compromised devices. 

Recommendation: 

• Users are strongly advised to update their Google Chrome browsers. Information on this update and related security fixes can be found at the following link. 

Sources: 

• https://www.bleepingcomputer.com/news/security/cisco-says-critical-unity-connection-bug-lets-attackers-get-root/ 
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD 

Entities:  

• Cisco Unity Connection 

Attack Vectors:  

• Remote unauthenticated attackers exploiting web-based management interface. 

Impact:  

• Successful exploitation allows attackers to execute arbitrary commands with root privileges, compromising the targeted system. 

Detailed Description: 

• The critical vulnerability in Cisco Unity Connection (CVE-2024-20272) allows remote, unauthenticated attackers to gain root privileges by exploiting a flaw in the software’s web-based management interface.  
• Successful exploitation may lead to the execution of arbitrary commands on the underlying operating system and elevation of privileges to root. 
• Cisco has addressed the issue in the affected versions and recommends prompt updates to mitigate the risk. 
• Cisco has also patched medium-severity vulnerabilities, including one in the web-based management interface of the WAP371 Wireless Access Point (CVE-2024-20287).  
• While proof-of-concept exploit code exists, exploitation requires administrative credentials. 
• Cisco will not release firmware updates for CVE-2024-20287 due to end-of-life status and advises migration to the Cisco Business 240AC Access Point. 

Recommendation: 

• Immediately apply the provided patches for Cisco Unity Connection as per the release schedule: 
  • 12.5 and earlier: Update to 12.5.1.19017-4 
  • Version 14: Update to 14.0.1.14006-5 

Sources: 

• https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/ 

Entities:  

• Ivanti Connect Secure, Ivanti Policy Secure 

Attack Vectors:  

• Remote attackers exploiting authentication bypass and command injection vulnerabilities in gateways’ web components. 

Impact:  

• Successful exploitation allows arbitrary command execution, compromising targeted gateways. Chaining the two zero-days enables attackers to run arbitrary commands on all supported product versions. 

Detailed Description: 

• Ivanti has disclosed two zero-days (CVE-2023-46805 and CVE-2024-21887) in Connect Secure (ICS) and Policy Secure, allowing remote attackers to execute arbitrary commands.  
• The first flaw enables authentication bypass in the web component, granting access to restricted resources.  
• The second flaw is a command injection vulnerability, allowing authenticated admins to execute arbitrary commands by sending crafted requests. 
• When both zero-days are chained, exploitation does not require authentication, posing a severe risk.  
• Patches are in development, and a mitigation file is available for immediate application. 
• The vulnerabilities have been exploited in the wild, with evidence suggesting a Chinese state-backed threat actor. 

Recommendation: 

• Immediately apply the provided mitigation file (mitigation.release.20240107.1.xml) available through Ivanti’s download portal. 
• Run Ivanti’s external Integrity Checker Tool (ICT) as a precautionary measure. 

Sources: 

• https://hitechglitz.com/exploit-for-under-siege-sharepoint-vulnerability-reportedly-in-hands-of-ransomware-crew-the-register 

Entities:  

• Microsoft SharePoint, Ransomware Crew, CISA. 

Attack Vectors:  

• Remote Code Execution (RCE) through SharePoint vulnerabilities. 

Impact:  

• Cybercriminals have a working exploit for a critical vulnerability in Microsoft SharePoint, potentially leading to remote code execution. The vulnerability is actively exploited by ransomware crews. 

Detailed Description: 

• A functional exploit for a nearly year-old critical vulnerability (CVE-2023-29357) in Microsoft SharePoint is reportedly in the hands of a ransomware crew. 
• The vulnerability, initially identified by Nguyễn Tiến Giang during the Pwn2Own competition, allows unauthenticated RCE on a SharePoint server. 
• CISA has added the vulnerability to its list of known exploited vulnerabilities (KEV), indicating active exploitation by cybercriminals. 
• The delay in exploitation may be attributed to the complexity of chaining CVE-2023-29357 to CVE-2023-24955, requiring meticulous effort and research. 

Recommendation:  

• Immediately apply manual, SharePoint-specific patches for CVE-2023-29357 and CVE-2023-24955 to mitigate the risk of exploitation. 
• Please use the following Security Update documentation on this CVE. 

Sources: 

• https://thehackernews.com/2024/01/citrix-vmware-and-atlassian-hit-with.html 

Entities:  

• Citrix (NetScaler ADC, NetScaler Gateway), VMware (Aria Automation, Cloud Foundation), Atlassian (Confluence Data Center, Confluence Server) 

Attack Vectors:  

• Remote code execution, Denial-of-service, Missing access control, Template injection vulnerability 

Impact:  

• Active exploitation, Unauthorized access, Web shell deployment, Authenticated session hijacking, Remote code execution 

Detailed Description: 

• Several critical vulnerabilities have been identified in Citrix, VMware, and Atlassian products, posing significant risks to organizations. Citrix has reported two zero-day security vulnerabilities (CVE-2023-6548 and CVE-2023-6549) actively exploited in the wild affecting NetScaler ADC and NetScaler Gateway. These vulnerabilities can lead to authenticated remote code execution and denial-of-service.  
• VMware has disclosed a critical access control flaw (CVE-2023-34063) in Aria Automation, impacting versions 8.11.x to 8.14.x and VMware Cloud Foundation 4.x and 5.x. An authenticated attacker could gain unauthorized access to remote organizations and workflows.  
• Atlassian has addressed a critical remote code execution vulnerability (CVE-2023-22527) in Confluence Data Center and Confluence Server. The flaw, a template injection vulnerability, allows unauthenticated attackers to achieve remote code execution on affected versions. 

Recommendation: 

• Organizations using Citrix, VMware, and Atlassian products should prioritize applying the provided security patches immediately.  
• Citrix: Please review the following Citrix Security Bulletin for information regarding affected products and mitigation 
• VMware: Upgrading to patch 8.16 is the only mitigation for this vulnerability. Please review the following VMware Security Advisory for relevant patching information. 
• Atlassian: Review the following link for Atlassian Support detailing affected versions and patch immediately to the latest version.