The new year brought few new vulnerabilities, and only Ivanti Endpoint Manager (EPM) and Kyber, the quantum resistant encryption algorithm, publicized new vulnerabilities or fixes. Unfortunately, most news derived from the active attacks on multiple older vulnerabilities, which threaten to expose organizations slow to patch.<\/p>\n\n\n\n
Speed remains critical to security, but more importantly, patching teams need to make progress with patch<\/a> and vulnerability management<\/a>. No organization should remain vulnerable six months after vendors issue patches! Struggling teams should engage a managed IT service provider<\/a> (MSP) to provide temporary or ongoing support to prevent expensive breaches.<\/p>\n\n\n\n Here’s a roundup of the week’s major vulnerabilities that security teams should mitigate or patch.<\/p>\n\n\n\n Type of attack:<\/strong> Secure Shell (SSH) vulnerability enables prefix truncation attacks.<\/p>\n\n\n\n The problem:<\/strong> As announced last week<\/a>, attackers able to intercept handshake processes can adjust sequence numbers to downgrade communication security and disable defenses against keystroke timing attacks.<\/p>\n\n\n\n The ShadowServer threat monitoring platform subsequently scanned the internet<\/a> for vulnerable servers and detected nearly 11 million unique IP addresses worldwide comprising 52% of all scanned IPv4 and IPv6 addresses. The countries with the top vulnerabilities include the USA (3.3 million), China (1.3 million), and Germany (1 million).<\/p>\n\n\n\n The fix:<\/strong> Update clients and servers. Researchers also provide a vulnerability scanner<\/a> on GitHub written in Go that can detect vulnerable servers.<\/p>\n\n\n\n Type of attack:<\/strong> Arbitrary (ACE) and remote code execution (RCE) attacks that exploit data import\/export operations in Excel-related functions in web applications and denial of service (DOS) crashes or ACE\/RCE related to heap buffer overflows in Chrome.<\/p>\n\n\n\n The problem:<\/strong> The US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. Government agencies have until January 23 to mitigate the issues or stop using affected products.<\/p>\n\n\n\n Versions 0.65 and older of the Perl Spreadsheet::ParseExcel library (CVE-2023-7101<\/a>) contain a RCE vulnerability exploited by Chinese hackers, as noted on December 24th<\/a>. Chrome web browsers experience heap buffer overflow (CVE-2023-7024<\/a>) in the WebRTC real-time communication coding that can crash chrome or allow for code execution.<\/p>\n\n\n\n The fix:<\/strong> For CVE-2023-7101, update applications using Spreadsheet::ParseExcel to version 0.66<\/a> and check for products issuing updates related to the issue such as Barracuda\u2019s Email Security Gateway Appliance<\/a>. For CVE-2023-7024, update to the latest version of Chrome.<\/p>\n\n\n\n Type of attack:<\/strong> SQL injection<\/a> (SQLi) vulnerability permits an RCE attack allows the hijack of enrolled devices or even the core server. This attack requires network access, and the complexity of exploitation leads to a 3.0 rating.<\/p>\n\n\n\n The problem:<\/strong> Ivanti announced CVE-2023-39336<\/a> that affects all versions of EPM prior to and including 2022 SU4. Attackers with internal network access can execute SQLi to retrieve information without verification that can enable control over machines running the EPM agent or on a server configured to use Microsoft SQL Express and running Ivanti EPM.<\/p>\n\n\n\n The fix:<\/strong> Update to 2022 Service Update 5.<\/p>\n\n\n\n Type of attack:<\/strong> Critical RCE vulnerability in unpatched or partially patched RocketMQ services.<\/p>\n\n\n\n The problem:<\/strong> The ShadowServer Foundation logs show hundreds<\/a> of hosts scanning for exposed RocketMQ systems still vulnerable to the original critical RCE vulnerability, CVE-2023-33246, patched earlier<\/a> in 2023. However, the patch didn\u2019t fully solve<\/a> the vulnerability, leading to a second announced vulnerability, CVE-2023-37582<\/a>, rated 9.8\/10.0 for severity.<\/p>\n\n\n\n Apache released patches for both of these vulnerabilities in July 2023, yet over six months later, attackers still search for potential victims. This should lend some urgency to patch systems affected by this flaw or the incomplete OfBiz Patch covered last week<\/a>.<\/p>\n\n\n\n The fix:<\/strong> Update<\/a> to Apache NameServer version 5.1.2 or later, RocketMQ 5.x or 4.9.7 or above.<\/p>\n\n\n\n Type of attack:<\/strong> Timing-based attack on Kyber Encryption implementations can expose encryption<\/a> keys.<\/p>\n\n\n\n The problem:<\/strong> Researchers at Cryspen<\/a> discovered that some services allow multiple operation requests toward the same encryption key pair. The Kyber key decapsulation process uses division operations, and timing-based attacks \u2014 dubbed KyberSlash<\/a> \u2014 can allow the encryption key to be determined in as many as two out of three attacks.<\/p>\n\n\n\n Researchers reported the first vulnerability, KyberSlash1, to Kyber\u2019s developers in November 2023 and discovered KyberSlash2 in December. The Kyber development team patched both vulnerabilities promptly, but not all projects and tools incorporating patches patched as quickly.<\/p>\n\n\n\n The fix:<\/strong> First, check the list of projects impacted<\/a> by the issue and their current status. The vulnerability does not impact some libraries and tools, and some libraries fully patched for all known vulnerabilities. For unpatched libraries and tools that could leak a secret key, consider altering implementations to suspend multiple operation requests or switch tools and libraries to fully patched options.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nJanuary 3, 2024<\/h2>\n\n\n\n
52% of Exposed SSH Servers Vulnerable to Terrapin Attack<\/h3>\n\n\n\n
CISA Adds Chrome & Perl Library Bugs to Active Exploitation List<\/h3>\n\n\n\n
January 4, 2024<\/h2>\n\n\n\n
Ivaniti Endpoint Manager (EPM) Vulnerability Could Expose Data<\/h3>\n\n\n\n
January 5, 2024<\/h2>\n\n\n\n
Attackers Target Unpatched Apache RocketMQ NameServers<\/h3>\n\n\n\n
January 7, 2024<\/h2>\n\n\n\n
Some Quantum Encryption Vulnerable to KyberSlash Attacks<\/h3>\n\n\n\n
\n