October 13, 2023

Cybersafe Solutions Security Advisory Bulletin Oct 13, 2023

In this week's Security Advisory:

  • Two Vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in Citrix NetScaler ADC and NetScaler Gateway
  • Two Zero-Days (CVE-2023-42824 & CVE-2023-5217) in Apple Products
  • 'HTTP/2 Rapid Reset' Zero-Day Exploited in Largest Distributed Denial-of-Service Attack
  • Microsoft Patch Tuesday Fixes Three Zero-Days (CVE-2023-44487, CVE-2023-41763, and CVE-2023-36563)
  • Security Updates Released for Google Chrome and Adobe Products

Two Vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in Citrix NetScaler ADC and NetScaler Gateway

Two vulnerabilities were found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).  They are tracked as CVE-2023-4966 and CVE-2023-4967 and have been given CVSS scores of 9.4 and 8.2 out of a possible 10, respectively.  CVE-2023-4966 can lead to the disclosure of sensitive information, while CVE-2023-4967 can cause a denial-of-service (DoS) on vulnerable devices.

Either vulnerability can be exploited only if the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The following versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Of note, NetScaler ADC and NetScaler Gateway version 12.1 reached End-of-Life and is vulnerable.  Citrix cloud-based management services have been updated.  Customers who use these cloud services do not need to take any further action.
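An added example (not part of the original bulletin and not Citrix code) that checks an appliance inventory against the fixed builds listed above.  The inventory entries, the "standard"/"fips"/"ndcpp" edition labels, the status strings and the `gateway_or_aaa` flag are assumptions made for illustration; builds are written in the same `train-build` form the advisory uses.

```python
import re

# First fixed build per (release train, edition), from the advisory's list.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}
# The advisory notes that 12.1 is End-of-Life and vulnerable.
EOL = {("12.1", "standard")}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(version, edition="standard", gateway_or_aaa=True):
    """Classify one appliance; gateway_or_aaa is the exploit precondition."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    key = (m.group(1), edition.lower())
    if key in EOL:
        return "eol-vulnerable"
    fixed = FIXED.get(key)
    if fixed is None:
        return "unknown"  # train not covered by this advisory
    # Compare as integer tuples; as text, "5.20" would sort after "49.15".
    if (int(m.group(2)), int(m.group(3))) >= fixed:
        return "patched"
    return "vulnerable" if gateway_or_aaa else "vulnerable-precondition-unmet"


# Constructed inventory: hostnames, builds and roles are made up.
INVENTORY = [
    ("gw-edge-01", "13.1-49.15", "standard", True),
    ("gw-edge-02", "13.1-5.20", "standard", True),
    ("lb-int-01", "13.0-91.13", "standard", False),
    ("gw-fips-01", "13.1-37.159", "fips", True),
    ("gw-old-01", "12.1-65.25", "standard", True),
]


def triage(inventory):
    """Map each host to its status so unpatched gateways surface first."""
    return {host: assess(ver, ed, gw) for host, ver, ed, gw in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `vulnerable-precondition-unmet` still run an affected build and should be patched; the status only helps order the work.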


Two Zero-Days (CVE-2023-42824 & CVE-2023-5217) in Apple Products

Apple released updates to address two (2) zero-days in iOS and iPadOS.  The first zero-day, CVE-2023-42824, allows a local attacker to elevate their privileges.  CVE-2023-42824 received a CVSS score of 7.8 out of a possible 10.  The second zero-day, CVE-2023-5217, is a heap buffer overflow in the VP8 encoding of the libvpx video codec library.  Successful exploitation of this vulnerability could lead to the threat actor executing arbitrary code on the victim's host.  CVE-2023-5217 received a CVSS score of 8.8 out of a possible 10.  There are reports of these vulnerabilities being actively exploited against versions of iOS before iOS 16.6.

The following products are affected:

  • iOS and iPadOS versions prior to 16.7.1 (iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
  • iOS and iPadOS versions prior to 17.0.3 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)


'HTTP/2 Rapid Reset' Zero-Day Exploited in Largest Distributed Denial-of-Service Attack

Threat actors are exploiting a zero-day (CVE-2023-44487) in the HTTP/2 protocol to launch Distributed Denial-of-Service (DDoS) attacks against internet-exposed HTTP/2 endpoints.  The flaw has been exploited in the wild since August 2023, and the attack has been dubbed 'HTTP/2 Rapid Reset'.  CVE-2023-44487 allows an attacker to continuously send and cancel requests, ultimately overwhelming the target server and forcing it into a denial-of-service state.  Security vendors like Microsoft, Amazon Web Services, Cloudflare, and Google have released updates to protect against this attack.
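An added detection sketch (not part of the original bulletin and not any vendor's mitigation): it flags connections whose client-sent stream cancellations (HTTP/2 `RST_STREAM` frames) track their new requests (`HEADERS` frames) at a high rate.  The event tuple format, the thresholds and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0    # assumed sliding window, in seconds
MAX_RESETS = 20   # assumed ceiling on client RST_STREAM frames per window
MIN_RATIO = 0.8   # assumed share of opened streams that were cancelled


def detect_rapid_reset(events, window=WINDOW_S, max_resets=MAX_RESETS,
                       min_ratio=MIN_RATIO):
    """events: time-ordered (ts, conn_id, frame_type, stream_id) tuples for
    client-to-server frames. Returns the set of flagged connection ids."""
    opened = defaultdict(deque)   # conn -> timestamps of HEADERS in window
    resets = defaultdict(deque)   # conn -> timestamps of RST_STREAM in window
    flagged = set()
    for ts, conn, ftype, _sid in events:
        if ftype == "HEADERS":
            opened[conn].append(ts)
        elif ftype == "RST_STREAM":
            resets[conn].append(ts)
        else:
            continue
        # Expire entries that have fallen out of the sliding window.
        for q in (opened[conn], resets[conn]):
            while q and ts - q[0] > window:
                q.popleft()
        n_open, n_rst = len(opened[conn]), len(resets[conn])
        # Many cancellations AND nearly every request cancelled: a busy but
        # legitimate client has many streams and few resets.
        if n_rst > max_resets and n_rst / max(n_open, 1) >= min_ratio:
            flagged.add(conn)
    return flagged


def sample_events():
    """Constructed traffic: A browses normally, B cancels every request
    immediately, C is a busy client that never cancels."""
    ev = [(i * 0.1, "A", "HEADERS", 2 * i + 1) for i in range(10)]
    ev.append((0.55, "A", "RST_STREAM", 11))
    for i in range(100):
        ev.append((i * 0.005, "B", "HEADERS", 2 * i + 1))
        ev.append((i * 0.005 + 0.001, "B", "RST_STREAM", 2 * i + 1))
    ev += [(i * 0.01, "C", "HEADERS", 2 * i + 1) for i in range(50)]
    return sorted(ev)


if __name__ == "__main__":
    print(detect_rapid_reset(sample_events()))
```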


Microsoft Patch Tuesday Fixes Three Zero-Days (CVE-2023-44487, CVE-2023-41763, and CVE-2023-36563)

This month's Patch Tuesday includes fixes for three (3) actively exploited zero-days.  The first zero-day, CVE-2023-44487, abuses the HTTP/2 protocol and could allow an attacker to launch a distributed denial-of-service (DDoS) attack.  CVE-2023-44487 is not specific to Windows but affects any internet-exposed HTTP/2 endpoint.  The second zero-day, CVE-2023-41763, is an elevation of privilege vulnerability in Skype for Business.  The third zero-day, CVE-2023-36563, is an information disclosure vulnerability in Microsoft WordPad that could allow an attacker to steal NTLM hashes when a user opens a specially crafted document in WordPad.


Security Updates Released for Google Chrome and Adobe Products

Security updates were released for Google Chrome and Adobe products.  The most severe of the vulnerabilities they address could lead to arbitrary code execution.

Google Chrome addressed twenty (20) vulnerabilities, with one (1) given a severity rating of "Critical".  These vulnerabilities affect Windows, Mac, and Linux.

Adobe fixed a total of thirteen (13) vulnerabilities, including eight (8) given a severity rating of "Critical".  These vulnerabilities affect Adobe Bridge, Adobe Commerce, Magento Open Source, and Adobe Photoshop.


Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is a security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.