In this week\u2019s urgent updates, Apple and VMware issued updates for zero-day flaws currently under attack, and researchers detected a rise in attacks on unpatched Apache and Atlassian Confluence servers. Meanwhile, the release of proof-of-concept code starts the countdown to attack on other critical vulnerabilities, including Cisco Enterprise Communication, Fortra GoAnywhere, and GitLab.<\/p>\n\n\n\n
Patch management<\/a> and vulnerability management<\/a> remain critical, but they assume that other fundamental requirements, such as asset management<\/a>, remain in place. \u201cThe most significant risk for enterprises isn\u2019t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,\u201d noted Brian Contos, CSO of Sevco Security<\/a>. \u201cThe simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory.\u201d<\/p>\n\n\n\n Continue reading below to learn more about this week\u2019s vulnerabilities, but don\u2019t forget to double-check IT asset inventories for accuracy.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Remote code execution (RCE) vulnerability.<\/p>\n\n\n\n The problem:<\/strong> Mandiant revealed<\/a> possible 2021 exploitation by Chinese espionage attackers for CVE-2023-34048, an out-of-bounds weakness in protocol implementation first publicly reported in October 2023<\/a>. Mandiant discovered that the VMware Directory Service crashes just prior to the attackers\u2019 backdoor installations enabled by RCE.<\/p>\n\n\n\n The flaw requires no user interaction and affects all versions of VMware\u2019s vSphere product except the very latest versions. Detection of backdoors installed by this attack may be present in log files, but unless an organization keeps extensive log files, there may be no way to rule out compromise.<\/p>\n\n\n\n The fix:<\/strong> Update to the latest version of vSphere as recommended by VMware<\/a>. There are no known workarounds.<\/p>\n\n\n\n Type of vulnerability:<\/strong> A type confusion issue enables arbitrary code execution (ACE) attacks.<\/p>\n\n\n\n The problem:<\/strong> Apple addressed multiple vulnerabilities, but zero-day vulnerability CVE-2024-23222<\/a> leads the list. Although added to the known exploited vulnerability catalog, experts believe attackers used the WebKit vulnerability primarily on specific targets.<\/p>\n\n\n\n The fix:<\/strong> Update to the latest version of the Apple operating system, which is also made available to some older iOS and iPadOS<\/a> versions.<\/p>\n\n\n\n Type of vulnerability:<\/strong> RCE vulnerability.<\/p>\n\n\n\n The problem:<\/strong> Trustwave reported<\/a> a surge in Godzilla Webshell attacks concealed within unknown binary format files. Unpatched ActiveMQ instances still vulnerable to CVE-2023-46604 (which enabled ransomware attacks last November<\/a>) will compile and execute the unknown binary and enable attackers to execute many different types of attacks.<\/p>\n\n\n\n The fix:<\/strong> Deploy the Apache security upgrades available since November 2023.<\/p>\n\n\n\n Type of vulnerability:<\/strong> RCE vulnerability.<\/p>\n\n\n\n The problem:<\/strong> Atlassian disclosed the critical-severity RCE vulnerability, CVE-2023-22527<\/a>, in Confluence Server and Data Center on January 16, 2024 and noted that only outdated versions would be affected. By January 22, the Shadowserver research team reported over 600 IP addresses<\/a> testing for unpatched vulnerabilities. Soon after, DFIR publicized<\/a> that following any success, some attackers will immediately attempt a cryptojacking exploit.<\/p>\n\n\n\n The fix:<\/strong> Update ASAP to the latest versions of Confluence Data Center or Confluence Data Center and Server.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Authentication bypass vulnerability can create new admin users on exposed admin portals.<\/p>\n\n\n\n The problem:<\/strong> Fortra disclosed CVE-2024-0204<\/a>, a critical vulnerability with a CVSS score rated 9.8\/10, to the public on January 23rd after issuing patches and notifying customers on December 7, 2023. Customers concerned about exploitation should analyze the admin user group for new or unknown users.<\/p>\n\n\n\n Tenable estimates that more than 96%<\/a> of GoAnywhere MFT instances remain unpatched after one month of patch availability. Unfortunately for those organizations, the Horizon3 research team released<\/a> a proof of concept and exploit code, which starts the clock for aggressive attack.<\/p>\n\n\n\n The fix:<\/strong> Apply the patches released in December 2023 ASAP. Additionally, Fortra recommends a four step remediation process:<\/p>\n\n\n\n Type of vulnerability:<\/strong> Account takeover from password-reset emails sent to unverified email addresses. <\/p>\n\n\n\n The problem:<\/strong> Gitlab issued a critical advisory<\/a> and patch on January 11, 2024 to publicize the fix and CVE-2023-7028, which earns the most dangerous 10\/10 CVSS score. As of January 24th, Shadowserver researchers still detected 5,300<\/a> older and internet-exposed GitLab accounts.<\/p>\n\n\n\n The fix:<\/strong> GitLab recommends immediate patching that will also fix three other vulnerabilities. However, the flaw does not bypass two-factor authentication (2FA), so implementation of MFA can provide initial remediation.<\/p>\n\n\n\n To check for potential exploitation, Gilab recommends checking internal files:<\/p>\n\n\n\n Type of vulnerability:<\/strong> Arbitrary file read vulnerability that can allow RCE.<\/p>\n\n\n\n The problem:<\/strong> The research team at Sonar announced CVE-2024-23897<\/a>, a critical vulnerability in the Jenkins continuous integration\/continuous delivery (CI\/CD) automation software that automatically replaces \u201c@\u201d characters followed by a file path with the contents of the file at that path. Attackers can use this feature to read arbitrary files, delete items from Jenkins, or execute code remotely.<\/p>\n\n\n\n Sonar also discovered a similar high severity cross-site WebSocket hijacking vulnerability that also uses the command line to execute ACE attacks if a victim clicks a link. Researchers published proof of concept code on GitHub on January 28, 2024 so attacks should begin shortly.<\/p>\n\n\n\n The fix:<\/strong> Update to Jenkins 2.442 (or LTS 2.426.3) that disables the \u201c@\u201d character feature. As a workaround, older versions of Jenkins can disable access to the command line interface.<\/p>\n\n\n\n Type of vulnerability:<\/strong> RCE attacks that possibly establish root access.<\/p>\n\n\n\n The problem:<\/strong> Cisco announced CVE-2024-20253<\/a>, with a CVSS score of 9.9\/10, within the Unified Communications and Contact Center Solutions (UC\/CC) that provide integrated voice, video, and messaging services.<\/p>\n\n\n\n The fix:<\/strong> Cisco primarily recommends application of the free software updates for potentially vulnerable products. While no workarounds exist, access control lists may be established on intermediary devices to restrict access to the specific ports for deployed services and mitigate attacks on vulnerable systems.<\/p>\n\n\n\n Type of vulnerability:<\/strong> Sophos researchers discovered<\/a> three vulnerabilities: pool memory corruption, out-of-bounds-read, and arbitrary read.<\/p>\n\n\n\n The problem:<\/strong> WatchGuard confirmed these three vulnerabilities in WatchGuard Endpoint Protection, Detection, and Response (EPDR), Panda Dome, and Panda Adaptive Defense 360. The pool memory corruption vulnerability, CVE-2023-6330<\/a> (CVE 6.4), does not authenticate registry information, which could lead to kernel memory pool overflow, denial of service conditions, and possibly ACE with system-level privileges.<\/p>\n\n\n\n Similarly, out-of-bounds vulnerability CVE-2023-6331<\/a> (CVSS 6.4) can create a denial of service condition and allow ACE with system-level privileges. The lower risk arbitrary read vulnerability CVE-2023-6332<\/a> (CVSS 4.1) could allow users with admin privileges to leak data from kernel memory, <\/p>\n\n\n\n The fix:<\/strong> Although not high severity, attackers will find potential denial of service attacks attractive because they could disable local endpoint protection. WatchGuard recommends updating to the most recent versions of the products to eliminate the vulnerabilities.<\/p>\n\n\n\n Read next:<\/strong><\/p>\n\n\n\nJanuary 19, 2024<\/h2>\n\n\n\n
Critical VMware vCenter Server Zero-Day Under Attack Since 2021<\/h3>\n\n\n\n
January 22, 2024<\/h2>\n\n\n\n
Apple Fixes 16 Vulnerabilities, Including Exploited Zero Days<\/h3>\n\n\n\n
Critical Apache ActiveMQ Vulnerability Under Active Attack<\/h3>\n\n\n\n
Attackers Prey Upon Outdated Atlassian Confluence Servers<\/h3>\n\n\n\n
January 23, 2024<\/h2>\n\n\n\n
POC Released, 96% of Fortra GoAnywhere MFT Still Vulnerable<\/h3>\n\n\n\n
\n
January 24, 2024<\/h2>\n\n\n\n
5,300 Internet Exposed GitLab Accounts Remain Vulnerable to Takeover<\/h3>\n\n\n\n
\n
Jenkins Command Line Vulnerability Permits RCE<\/h3>\n\n\n\n
January 25, 2024<\/h2>\n\n\n\n
Cisco Enterprise Communication Software Critical RCE Vulnerability<\/h3>\n\n\n\n
WatchGuard EPDR, Panda Dome, & Panda AD360 Driver Vulnerabilities<\/h3>\n\n\n\n