Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European overnmental entities and a think tank.
New Fortinet zero-day:
CVE-2024-21762 (9.6 critical) FortiOS - Out-of-bound Write in sslvpnd: A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
Note: This is potentially being exploited in the wild.
Fortinet vulnerabilities have historically been targeted by People’s Republic of China (PRC) state-sponsored cyber actors. On 19 January 2023, Mandiant reported the exploitation of FortiOS SSL VPN vulnerability CVE-2022-42475 as a zero-day by suspected Chinese threat actors. Mandiant published a subsequent blog post on 16 March 2023 detailing the exploitation of another FortiOS zero-day CVE-2022-41328 by the Chinese threat actor UNC3886. CISA, FBI and NSA assess that PRC state-sponsored cyber actors are seeking to position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA’s joint cybersecurity advisory on 07 February 2024 states that Chinese Advanced Persistent Threat (APT) Volt Typhoon likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. Fortinet also provided case studies of Volt Typhoon targeting of manufacturing, consulting, local government, and internet service provider sectors, and post-exploitation activity described as Living Off the Land (LotL) techniques.
Hot off the press! CISA adds CVE-2023-4762 (8.8 high Google Chrome Type Confusion in V8 JavaScript Engine) to the Known Exploited Vulnerabilities Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Horizon3 analyzed critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors being abused.
🔗 https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/
Volexity recently disclosed details related to exploitation of Ivanti Connect Secure VPN, revealing how the attacker chained two zero-day vulnerabilities to achieve remote code execution. When investigating the source of compromise, Volexity employed memory forensics, analyzing a memory sample collected from a suspected compromised VPN device, which allowed Volexity to zero in on the source of the compromise. "The lesson for analysts is to independently verify the integrity and trustworthiness of high-value targets using memory forensics, rather than only relying on tools that run on a potentially compromised device."
🔗 https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities/
watchTowr reports additional zero-days uncovered on a fully patched Ivanti appliance. No further information due to 90 day vulnerability disclosure policy.
In CISA's ICS advisory, they revealed that several Hitron Systems Security Camera DVR denial of service vulnerabilities were being actively exploited. These are Zero days reported by Akamai.
CVE-2024-22768 (7.4 high) improper input validation to Denial of Service
CVE-2024-22769 (7.4 high) improper input validation to Denial of Service
CVE-2024-22770 (7.4 high) improper input validation to Denial of Service
CVE-2024-22771 (7.4 high) improper input validation to Denial of Service
CVE-2024-22772 (7.4 high) improper input validation to Denial of Service
CVE-2024-23842 (7.4 high) improper input validation to Denial of Service
Horizon3 discusses factors that could significantly increase the criticality of Jenkins RCE CVE-2024-23897 (9.8 critical): "There are two dangerous Jenkins configuration options that allow unauthenticated attackers to effectively act like authenticated attackers. The “Allow users to sign up” option allows anyone with access to the Jenkins instance to self-register an account. And the “Allow anonymous read access” option gives everyone the Overall/Read permission." The impact matrix alone was worth taking a look at.
🔗 https://www.horizon3.ai/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/
Just your periodic update from Ivanti regarding their CVE-2023-46805 (8.2 high) and CVE-2024-21887 (9.1 critical) zero-days (both disclosed 10 January 2024 as exploited in the wild, has Proofs of Concept, mass exploitation):
"Update 26 January: The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases. We are now targeting next week to release a patch for Ivanti Connect Secure (versions 9.1R17x, 9.1R18x, 22.4R2x and 22.5R1.1), Ivanti Policy Secure (versions 9.1R17x, 9.1R18x and 22.5R1x) and ZTA version 22.6R1x.
Patches for supported versions will still be released on a staggered schedule. Instructions on how to upgrade to a supported version will also be provided. The timing of patch release is subject to change as we prioritize the security and quality of each release. Please ensure you are following this article to receive updates as they become available."
🔗 https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
Jenkins RCE CVE-2024-23897 (9.8 critical, proofs of concept publicly available) allegedly being exploited in the wild, reported 3 days ago by a graduate student researcher* of Sky Computing Lab, UC Berkeley.
Hot off the press: Apple zero day: CVE-2024-23222 affects Webkit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.
CISA issues Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities in response to CVE-2023-46805 (8.2 high, disclosed by Ivanti on 10 January 2024 as exploited zero-days) authentication bypass in Ivanti Connect Secure VPN Version 9.x and 22.x and CVE-2024-21887 (9.1 critical) command injection in Ivanti Connect Secure VPN Version 9.x and 22.x
VMware updated their advisory for CVE-2023-34048 (9.8 critical, disclosed 25 October 2023, VMware vCenter Server Out-of-Bounds Write Vulnerability, allows RCE) "VMware has confirmed that exploitation of CVE-2023-34048 has occurred in the wild."
🔗 https://www.vmware.com/security/advisories/VMSA-2023-0023.html
CISA and FBI released a joint Cybersecurity Advisory (CSA), Known Indicators of Compromise Associated with Androxgh0st Malware, to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware.
🔗 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a