
November 10, 2023

Cybersafe Solutions Security Advisory Bulletin Nov. 10, 2023

In this week's Security Advisory:

  • Critical Vulnerabilities (CVE-2023-38547 and CVE-2023-38548) in Veeam ONE
  • QNAP Fixes Two Critical Vulnerabilities (CVE-2023-23368 and CVE-2023-23369)
  • 7-Zip Patched Remote Code Execution Vulnerability (CVE-2023-31102)
  • Multiple Vulnerabilities in Android Products

Critical Vulnerabilities (CVE-2023-38547 and CVE-2023-38548) in Veeam ONE

Multiple vulnerabilities were patched in Veeam ONE, an IT infrastructure monitoring and analytics platform, including two (2) critical vulnerabilities that could lead to remote code execution. The first vulnerability, CVE-2023-38547, could allow an unauthenticated attacker to execute remote code on the SQL Server that Veeam ONE uses to access its configuration database. CVE-2023-38547 received a CVSS score of 9.9 out of a possible 10. The second vulnerability, CVE-2023-38548, could allow an attacker with access to the Veeam ONE Web Client to steal the NTLM hash of the account used by the Veeam ONE Reporting Service. CVE-2023-38548 received a CVSS score of 9.8 out of a possible 10.

The following versions are affected:

  • Veeam ONE versions 11, 11a, 12

QNAP Fixes Two Critical Vulnerabilities (CVE-2023-23368 and CVE-2023-23369)

QNAP released updates to fix two (2) critical vulnerabilities affecting several QNAP operating system versions and applications on its NAS devices, including QTS, QuTS hero, QuTScloud, Multimedia Console, and Media Streaming add-on. The vulnerabilities are being tracked as CVE-2023-23368 and CVE-2023-23369 and are OS command injection flaws that could allow an attacker to execute remote code on the affected system.  CVE-2023-23368 and CVE-2023-23369 received CVSS scores of 9.8 and 9.0 out of a possible 10, respectively.

The following versions are affected:

  • QTS versions 5.1.x, 5.0.x, 4.5.x, 4.3.6, 4.3.4, 4.3.3, 4.2.x
  • QuTS hero versions h5.0.x and h4.5.x
  • QuTScloud version c5.0.1
  • Multimedia Console versions 2.1.x, 1.4.x
  • Media Streaming add-on versions 500.1.x, 500.0.x

7-Zip Patched Remote Code Execution Vulnerability (CVE-2023-31102)

7-Zip patched a remote code execution vulnerability affecting its Linux versions.  The vulnerability, CVE-2023-31102, exists within the parsing of 7Z files and is caused by a lack of proper input sanitization.  If exploited, an attacker could cause an integer underflow and gain the ability to execute remote code in the context of the current process.  To exploit this vulnerability, a user is required to visit a maliciously crafted website or open a maliciously crafted file.  CVE-2023-31102 received a CVSS score of 7.8 out of a possible 10.

The following versions are affected:

  • 7-Zip versions prior to 23.00 on Linux

Multiple Vulnerabilities in Android Products

Android released updates to address thirty-nine (39) vulnerabilities, with five (5) given a severity rating of "Critical."  The most severe of these vulnerabilities could lead to privilege escalation.  These vulnerabilities affect Android OS security patch levels prior to 2023-11-05.  There are no reports of these vulnerabilities being exploited in the wild.

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
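As an added illustration of the "review your environment" step (this is an example written for this bulletin, not Cybersafe's or any vendor's tooling), the script below checks a constructed software inventory against the affected-version lists published above. It assumes the vendor version strings are dotted and that "x" in a list entry means "any value"; because the bulletin lists affected branches rather than fixed build numbers, a hit means "compare against the vendor's fixed build", not "confirmed vulnerable".

```python
import re

# Affected versions as listed in this bulletin. "x" matches any component;
# "<23.00" means every version prior to 23.00 (the 7-Zip entry).
AFFECTED = {
    "Veeam ONE": ["11", "11a", "12"],
    "QTS": ["5.1.x", "5.0.x", "4.5.x", "4.3.6", "4.3.4", "4.3.3", "4.2.x"],
    "QuTS hero": ["h5.0.x", "h4.5.x"],
    "QuTScloud": ["c5.0.1"],
    "7-Zip (Linux)": ["<23.00"],
}

def _parts(version):
    """Split '4.3.6', 'h5.0.1' or '23.00' on dots; letter prefixes stay as-is."""
    return re.split(r"\.", version.strip())

def _numeric(version):
    """Purely numeric components, used only for 'prior to' comparisons."""
    return [int(p) for p in _parts(version)]

def matches(installed, pattern):
    """True when an installed version string falls under an affected-version pattern."""
    if pattern.startswith("<"):
        bound, have = _numeric(pattern[1:]), _numeric(installed)
        width = max(len(bound), len(have))
        bound += [0] * (width - len(bound))   # pad so '23' compares equal to '23.00'
        have += [0] * (width - len(have))
        return have < bound                    # lexicographic list comparison
    have, want = _parts(installed), _parts(pattern)
    if len(have) < len(want):
        return False
    # Compare only the components the pattern names; later build digits are ignored.
    return all(w == "x" or w == h for h, w in zip(have, want))

def affected_entries(inventory):
    """Return (host, product, version, pattern) for every inventory row still in an affected branch."""
    hits = []
    for host, product, version in inventory:
        for pattern in AFFECTED.get(product, []):
            if matches(version, pattern):
                hits.append((host, product, version, pattern))
                break
    return hits

# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.1.2.1234"),
    ("nas-02", "QuTS hero", "h5.1.0.1234"),
    ("mon-01", "Veeam ONE", "12.0.1.1234"),
    ("build-07", "7-Zip (Linux)", "22.01"),
    ("build-08", "7-Zip (Linux)", "23.01"),
]

if __name__ == "__main__":
    for hit in affected_entries(SAMPLE_INVENTORY):
        print("CHECK: host=%s product=%s version=%s (matches %s)" % hit)
```

Feed it your real inventory export in the same (host, product, version) shape and treat each hit as a ticket to verify against the vendor's published fixed build.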