While the number of reported vulnerabilities sometimes decrease over the Christmas and New Year\u2019s holidays, active and potential exploits are no less threatening. During the past couple weeks, Google has seen multiple vulnerabilities, including a zero-day in Chrome. SonicWall researchers discovered that an Apache patch was incomplete, still permitting authentication bypass in open-source ERP software Apache OfBiz. And issues with Barracuda’s Email Secure Gateway persist, with an FBI safety warning about an older vulnerability still outstanding.<\/p>\n\n\n\n
Your IT and security teams should stay alert and aware during holidays, consistently patching known vulnerabilities and updating systems to the most recent versions of software. We’ve developed a list of recent vulnerabilities so your team can make any needed updates, including potential product removals.<\/p>\n\n\n
Type of attack:<\/strong> Zero-day remote code execution<\/p>\n\n\n\n The problem:<\/strong> Researchers on Google’s threat analysis team found a zero-day vulnerability in Chrome’s instance of open-source web software WebRTC. The vulnerability is a severe heap buffer overflow issue that can lead to remote code execution. Google has already seen this vulnerability exploited in the wild.<\/p>\n\n\n\n The fix:<\/strong> Access to fix data is currently limited. Google announced an update<\/a> to the desktop stable channel to 120.0.6099.129 on December 20, 2023, which was expected to roll out over the coming days and weeks.<\/p>\n\n\n\n Type of attack:<\/strong> Arbitrary code execution<\/p>\n\n\n\n The problem:<\/strong> We’ve mentioned Barracuda’s Email Secure Gateway vulnerabilities<\/a> before, but now a new one is plaguing customers. Chinese-based threat actor group UNC4841 is suspected to be responsible for exploits of Spreadsheet::ParseExcel, a third-party open source Perl module. The threat actors used this software to deploy an Excel email attachment and attack ESG appliances.<\/p>\n\n\n\n The fix:<\/strong> Barracuda deployed a patch on December 22, 2023, to fix the exploited ESG appliances. On December 24, when Barracuda released the security notice, there was no remediation or patch available for CVE-2023-7101<\/a>, the Spreadsheet::ParseExcel vulnerability, within the open-source library.<\/p>\n\n\n\n Previous vulnerabilities have affected Barracuda ESG. In August 2023, the FBI recommended<\/a> that customers remove their Barracuda ESG appliances altogether after Barracuda discovered a zero-day remote command injection vulnerability in the ESG appliances. While Barracuda automatically rolled out the patch BNSF-36456 to all exploited appliances back in August, according to the FBI, the fix didn’t work \u2014 even patched appliances could still be exploited. If your team doesn’t already know, find out whether your appliances were compromised by CVE-2023-2868.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Authentication bypass<\/p>\n\n\n\n The problem:<\/strong> SonicWall Capture Labs’ threat research team discovered an authentication bypass vulnerability<\/a>, tracked as CVE-2023-51467<\/a>, in Apache OfBiz software. Apache OfBiz is an open-source enterprise resource planning product that’s part of the software supply chain and appears in multiple other products, such as Atlassian JIRA.<\/p>\n\n\n\n Previously, Apache had released a patch for CVE-2023-49070<\/a>, a remote code execution vulnerability. But SonicWall’s researchers realized that the authentication bypass still existed in the patched version of OfBiz. According to SonicWall, an attacker could expose sensitive data or execute code arbitrarily if they exploit the authentication bypass.<\/p>\n\n\n\n The fix:<\/strong> SonicWall recommends that all Apache OfBiz users update their software to version 18.12.11. SonicWall also developed the IPS signature IPS:15949, which is designed to detect exploitation of the OfBiz vulnerability.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Privilege escalation<\/p>\n\n\n\n The problem:<\/strong> According to Google, an attacker could escalate their privileges in a Google Kubernetes cluster by compromising a Fluent Bit logging container and combining that with Anthos Service Mesh privileges. An exploit of Anthos Service Mesh privileges would only be relevant for Kubernetes clusters that have ASM enabled. Google released the initial vulnerability notice<\/a> on December 14. While Google isn’t yet aware of any active exploitation, the vulnerability should be patched immediately.<\/p>\n\n\n\n The fix:<\/strong> Google recommends manually upgrading your instance of Google Kubernetes Engine to one of the following or later:<\/p>\n\n\n\n Also, for in-cluster Anthos Service Mesh, Google recommends a manual upgrade to one of the following versions:<\/p>\n\n\n\n Type of vulnerability:<\/strong> Bypassing privilege access requirements to exploit executables<\/p>\n\n\n\n The problem:<\/strong> Researchers from Security Joes discovered a malicious code execution vulnerability<\/a> in Windows 10 and 11. According to the researchers, these executables are found in the normally trusted WinSxS folder.<\/p>\n\n\n\n The technique that threat actors can use is Dynamic Link Library (DLL) search order hijacking. By bypassing the high privilege requirements, Security Joes said, a threat actor can exploit the executables to execute code in WinSxS and other Windows applications.<\/p>\n\n\n\n The fix:<\/strong> Security Joes recommends studying the relationships between parent-child binaries, particularly focusing on trusted binaries, to find strange processes that involve the WinSxS folder’s binaries. Additionally, Security Joes suggests examining legitimate binaries within the WinSxS folder that create strange or unexpected child processes.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Secure Shell vulnerability that can lead to prefix truncation attacks<\/p>\n\n\n\n The problem:<\/strong> Security researchers from Ruhr University Bochum in Germany found a Secure Shell (SSH) vulnerability that allows attackers to adjust sequence numbers during a handshake process and subtly remove client or server messages. This is a prefix truncation attack known as Terrapin<\/a>. It downgrades communication security, potentially resulting in decreasingly secure client authentication.<\/p>\n\n\n\n The fix:<\/strong> The researchers recommend updating clients and servers so those systems are less vulnerable to prefix truncation attacks. The researchers also provided their contact information in the report.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nDecember 24, 2023<\/h2>\n\n\n\n
Problems Continue for Barracuda’s Email Gateways<\/h3>\n\n\n\n
December 26, 2023<\/h2>\n\n\n\n
SonicWall Discovers Apache OfBiz Patch Was Incomplete<\/h3>\n\n\n\n
December 29, 2023<\/h2>\n\n\n\n
Google Kubernetes Engine Vulnerability Allows Attackers to Escalate Privileges<\/h3>\n\n\n\n
\n
\n
January 1, 2024<\/h2>\n\n\n\n
Windows Vulnerability Allows DLL Exploitation<\/h3>\n\n\n\n
Terrapin Attack Discovered by German Researchers<\/h3>\n\n\n\n