Cybersafe Solutions Security Advisory Bulletin Jan. 19, 2024

In this week's Security Advisory:

• Critical Remote Code Execution Vulnerability in Confluence Data Center and Server
• Two Actively Exploited Zero-Days in Citrix NetScaler ADC and NetScaler Gateway
• Zero-Day in Google Chrome Desktop Browser
• Security Advisory Update: Proof-of-Concept Exploit Released for Microsoft SharePoint Server Elevation of Privilege Vulnerability (CVE-2023-29357)
• Juniper Networks Patches Critical Vulnerability in SRX Series Firewalls and EX Series Switches
• Critical Vulnerability in GitLab Could Lead to Account Takeover
• Two Critical Vulnerabilities in Apache OFBiz
• Vulnerability in Cisco Unity Connection Could Lead to Arbitrary Code Execution

Critical Remote Code Execution Vulnerability in Confluence Data Center and Server

Atlassian released a patch to fix a critical vulnerability in its Confluence Data Center and Server. The critical vulnerability is being tracked as CVE-2023-22527 and received a CVSS score of 10 out of 10, the highest score a vulnerability can receive. CVE-2023-22527 is a template injection vulnerability that could allow an unauthenticated attacker to execute remote code. This vulnerability affects out-of-date versions of Confluence Data Center and Server, specifically version 8. Atlassian Cloud sites are not affected.

The following versions are affected:

• 8.0.x
• 8.1.x
• 8.2.x
• 8.3.x
• 8.4.x
• 8.5.0-8.5.3

More Reading / Information

• https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
• https://www.scmagazine.com/news/atlassian-confluence-vulnerability-enables-remote-code-execution
• https://www.darkreading.com/application-security/patch-max-critical-atlassian-bug-unauthenticated-rce
• https://nvd.nist.gov/vuln/detail/CVE-2023-22527

Two Actively Exploited Zero-Days in Citrix NetScaler ADC and NetScaler Gateway

Two (2) zero-days were discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are actively being exploited in the wild. CVE-2023-6548 could allow an authenticated, remote attacker to execute code on the management interface. The attacker is required to have access to either NSIP, CLIP, or SNIP and must have management interface access to successfully exploit this zero-day. CVE-2023-6549 could cause a denial-of-service (DoS) attack on vulnerable devices. CVE-2023-6549 could be exploited if the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The following versions are affected:

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
• NetScaler ADC 13.1-FIPS before 13.1-37.176
• NetScaler ADC 12.1-FIPS before 12.1-55.302
• NetScaler ADC 12.1-NDcPP before 12.1-55.302

Of note, NetScaler ADC and NetScaler Gateway version 12.1 reached End-of-Life and is vulnerable. Citrix cloud-based management services have been updated. Customers who use these cloud services do not need to take any further action.

More Reading / Information

• https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549
• https://www.bleepingcomputer.com/news/security/citrix-warns-of-new-netscaler-zero-days-exploited-in-attacks/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6548
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6549

Zero-Day in Google Chrome Desktop Browser

Google released patches for its Desktop Browser to address multiple vulnerabilities, including one zero-day that is actively being exploited in the wild. The zero-day, CVE-2024-0519, is due to an out-of-bounds memory access issue in the Chrome V8 JavaScript engine. Successful exploitation can lead to a threat actor gaining access to sensitive data or causing the user’s browser to crash. CVE-2024-0519 has not received a CVSS score. 

More Reading / Information

• https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html
• https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/
• https://nvd.nist.gov/vuln/detail/CVE-2024-0519

Security Advisory Update: Proof-of-Concept Exploit Released for Microsoft SharePoint Server Elevation of Privilege Vulnerability (CVE-2023-29357)

Threat actors are actively exploiting a critical vulnerability (CVE-2023-29357) in unpatched Microsoft SharePoint Servers. CVE-2023-29357 was previously disclosed in September 2023 and has an existing patch. It is recommended that the patch be applied to affected systems immediately if you still need to do so.

Original Security Advisory – September 27th, 2023:

A proof-of-concept exploit has been released for a critical vulnerability (CVE-2023-29357) affecting Microsoft SharePoint Server. CVE-2023-29357 was previously disclosed by Microsoft as part of their June 2023 Patch Tuesday rollout. This vulnerability could allow an unauthenticated attacker to gain administrator-level privileges. Researchers have also found a way to chain this with another remote code execution vulnerability to severely compromise the SharePoint server.

The following versions are affected:

• SharePoint Server 2019

While there is no evidence of active exploitation, it is likely that attackers will start targeting unpatched Microsoft SharePoint Servers. It is recommended that organizations apply the latest patch to mitigate this vulnerability if they have not already done so.

More Reading / Information

• https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29357    
• https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ 
• https://www.bleepingcomputer.com/news/security/cisa-critical-microsoft-sharepoint-bug-now-actively-exploited/   
• https://www.scmagazine.com/news/cisa-flags-active-exploitation-of-critical-microsoft-sharepoint-bug 

Juniper Networks Patches Critical Vulnerability in SRX Series Firewalls and EX Series Switches

Juniper Networks released a patch to fix a critical vulnerability affecting the J-Web component of Junos OS on SRX Series Firewalls and EX Series Switches. The vulnerability, CVE-2024-21591, is an out-of-bounds write vulnerability that could allow an unauthenticated, network-based attacker to execute remote code on the affected system. CVE-2024-21591 received a CVSS score of 9.8 out of a possible 10.

The following versions are affected:

• Junos OS versions earlier than 20.4R3-S9
• Junos OS 21.2 versions earlier than 21.2R3-S7
• Junos OS 21.3 versions earlier than 21.3R3-S5
• Junos OS 21.4 versions earlier than 21.4R3-S5
• Junos OS 22.1 versions earlier than 22.1R3-S4
• Junos OS 22.2 versions earlier than 22.2R3-S3
• Junos OS 22.3 versions earlier than 22.3R3-S2
• Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3

More Reading / Information

• https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US
• https://www.helpnetsecurity.com/2024/01/15/cve-2024-21591/
• https://www.bleepingcomputer.com/news/security/juniper-warns-of-critical-rce-bug-in-its-firewalls-and-switches/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21591

Critical Vulnerability in GitLab Could Lead to Account Takeover

GitLab fixed a critical vulnerability in its Community and Enterprise Edition that could lead to an account takeover without user interaction. The vulnerability is being tracked as CVE-2023-7028 and received a CVSS score of 10 out of 10, the highest score a vulnerability could receive. CVE-2023-7028 is a flaw in the email verification process which allows password reset emails to be sent to an unverified email address. Accounts that have two-factor authentication (2FA) enabled are not vulnerable to account takeover, however, they are vulnerable to a password reset. It is important to apply the latest patch and to implement 2FA on GitLab accounts to remove this vector.

The following versions of GitLab are affected:

• GitLab versions 16.1 to 16.1.5
• GitLab versions 16.2 to 16.2.8
• GitLab versions 16.3 to 16.3.6
• GitLab versions 16.4 to 16.4.4
• GitLab versions 16.5 to 16.5.5
• GitLab versions 16.6 to 16.6.3
• GitLab versions 16.7 to 16.7.1

More Reading / Information

• https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
• https://www.helpnetsecurity.com/2024/01/12/cve-2023-7028/
• https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/
• https://nvd.nist.gov/vuln/detail/CVE-2023-7028

Two Critical Vulnerabilities in Apache OFBiz

Two (2) critical vulnerabilities in Apache OFBiz, an open-source enterprise resource planning system, are actively being exploited in the wild. The vulnerabilities are being tracked as CVE-2023-51467 and CVE-2023-49070, and both received a CVSS score of 9.8 out of a possible 10. CVE-2023-51467 and CVE-2023-49070 are authentication bypass vulnerabilities that could allow an attacker to execute remote code and gain access to sensitive data without having to authenticate. 

The following versions are affected:

• Apache OFBiz versions 18.12.10 and below

More Reading / Information

• https://thehackernews.com/2024/01/new-poc-exploit-for-apache-ofbiz.html
• https://www.theregister.com/2024/01/08/apache_ofbiz_zeroday/
• https://nvd.nist.gov/vuln/detail/CVE-2023-49070
• https://nvd.nist.gov/vuln/detail/CVE-2023-51467

Vulnerability in Cisco Unity Connection Could Lead to Arbitrary Code Execution

A vulnerability was discovered in Cisco Unity Connection, a unified messaging and voicemail solution, which could lead to arbitrary code execution. The vulnerability is being tracked as CVE-2024-20272 and received a CVSS score of 7.3 out of a possible 10. CVE-2024-20272 is an unauthenticated arbitrary file upload vulnerability in the web-based management interface. Successful exploitation could allow a remote, unauthenticated attacker to upload arbitrary files, execute code, and gain root privileges.

The following versions are affected:

• Cisco Unity Connection versions prior to 12.5.1.19017-4
• Cisco Unity Connection versions prior to 14.0.1.14006-5

More Reading / Information

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuc-unauth-afu-FROYsCsD
• https://www.helpnetsecurity.com/2024/01/11/cve-2024-20272/
• https://www.securityweek.com/cisco-patches-critical-vulnerability-in-unity-connection-product/
• https://nvd.nist.gov/vuln/detail/CVE-2024-20272

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.