In this week's Security Advisory:
- Lace Tempest Exploits Critical Zero-Day (CVE-2023-47246) in SysAid
- Critical Vulnerability (CVE-2023-34060) in VMware Cloud Director Appliance
- Microsoft Patch Tuesday Fixes Several Zero-Days and Critical Vulnerability in Azure CLI
- Security Updates Released for Google Chrome Desktop Browser and Adobe Products
Lace Tempest Exploits Critical Zero-Day (CVE-2023-47246) in SysAid
A threat actor group called Lace Tempest is actively exploiting a critical zero-day in SysAid, an IT support and management software solution. The zero-day is being tracked as CVE-2023-47246 and is a path traversal vulnerability that could lead to arbitrary code execution within the SysAid on-premise software. Threat actors exploited this vulnerability and uploaded a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service. The web shell enabled the attacker to gain control of the affected system. This zero-day only affects on-premise server installations of SysAid.
The following versions are affected:
SysAid On-Premise Server Installations before version 23.3.36
Critical Vulnerability (CVE-2023-34060) in VMware Cloud Director Appliance
VMware disclosed a critical authentication bypass vulnerability in its Cloud Director Appliance. The vulnerability is being tracked as CVE-2023-34060 and can allow an attacker with network access to the appliance to bypass login restrictions when authenticating on either port 22 (SSH) or port 5480 (appliance management console). CVE-2023-34060 received a CVSS score of 9.8 out of a possible 10.
VMware states that this vulnerability only affects VMware Cloud Director Appliance deployments that have upgraded to 10.5 from an older release. This vulnerability does not impact Linux deployments or new deployments of 10.5.
While no patch has been released for CVE-2023-34060, VMware has released a workaround that could be implemented until a patch becomes available. Those instructions can be found here: https://kb.vmware.com/s/article/95534.
Microsoft Patch Tuesday Fixes Several Zero-Days and Critical Vulnerability in Azure CLI
This month's Patch Tuesday fixes several issues, including five (5) zero-days and a critical information disclosure vulnerability in Azure CLI.
The zero-days are being tracked as CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36038, and CVE-2023-36413. CVE-2023-36025 allows an attacker to bypass the Windows SmartScreen security feature by sending a specially crafted URL. CVE-2023-36033 and CVE-2023-36036 could allow a user to gain SYSTEM privileges. CVE-2023-36038 is a denial-of-service vulnerability in ASP.NET that could lead to loss of availability. CVE-2023-36413 enables an attacker to bypass the Office Protected View security feature, so that a file opens in editing mode rather than in protected mode.
The critical information disclosure vulnerability in Azure CLI is being tracked as CVE-2023-36052 and could expose sensitive information like credentials through GitHub Actions or Azure DevOps logs. CVE-2023-36052 received a CVSS score of 8.6 out of a possible 10.
Security Updates Released for Google Chrome Desktop Browser and Adobe Products
Security updates were released for the Google Chrome Desktop Browser and for Adobe products. The most severe of the fixed vulnerabilities could lead to arbitrary code execution.
Google Chrome addressed four (4) vulnerabilities, with two (2) given a severity rating of "High." These vulnerabilities affect Windows, Mac, and Linux.
Adobe fixed over seventy (70) vulnerabilities in several of its products, of which the most severe can lead to arbitrary code execution.
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch is issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which informs and supports your patch and vulnerability management program.
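As an added example (not part of this advisory or Cybersafe's own tooling) of how a software inventory supports the checks above, the script below flags inventory entries that match the SysAid and VMware Cloud Director conditions described in this issue: SysAid on-premise installations before 23.3.36, and Cloud Director Appliance deployments on 10.5 that were upgraded from an older release (fresh 10.5 installs and Linux deployments are excluded). The inventory, host names and field layout are constructed for illustration; versions are compared numerically, since plain string comparison would wrongly rank "23.3.4" above "23.3.36".

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version -> numeric tuple, so "23.3.4" < "23.3.36" as intended."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Asset:                       # hypothetical inventory record (constructed)
    host: str
    product: str
    version: str
    deployment: str = ""           # e.g. "on-premise", "cloud", "appliance", "linux"
    upgraded_from: Optional[str] = None   # prior version if upgraded in place


def sysaid_affected(a: Asset) -> bool:
    """CVE-2023-47246: SysAid on-premise server installations before 23.3.36."""
    return (a.product == "SysAid" and a.deployment == "on-premise"
            and parse_version(a.version) < parse_version("23.3.36"))


def vcd_affected(a: Asset) -> bool:
    """CVE-2023-34060: Cloud Director Appliance on 10.5 upgraded from an older release."""
    if a.product != "VMware Cloud Director" or a.deployment != "appliance":
        return False                            # Linux deployments are not impacted
    if parse_version(a.version)[:2] != (10, 5) or a.upgraded_from is None:
        return False                            # new 10.5 deployments are not impacted
    return parse_version(a.upgraded_from) < (10, 5)


def review(inventory: List[Asset]) -> List[Tuple[str, str, str]]:
    """Return (host, CVE, recommended action) for every matching inventory entry."""
    findings = []
    for a in inventory:
        if sysaid_affected(a):
            findings.append((a.host, "CVE-2023-47246", "upgrade to SysAid 23.3.36 or later"))
        if vcd_affected(a):
            findings.append((a.host, "CVE-2023-34060", "apply VMware workaround (KB 95534) until patched"))
    return findings


# Constructed sample inventory; host names and versions are not real systems.
INVENTORY = [
    Asset("sysaid-01", "SysAid", "23.3.34", "on-premise"),
    Asset("sysaid-02", "SysAid", "23.3.36", "on-premise"),
    Asset("sysaid-03", "SysAid", "23.3.4", "on-premise"),
    Asset("sysaid-cloud", "SysAid", "23.3.4", "cloud"),
    Asset("vcd-01", "VMware Cloud Director", "10.5.0", "appliance", upgraded_from="10.4.2"),
    Asset("vcd-02", "VMware Cloud Director", "10.5.0", "appliance"),
    Asset("vcd-03", "VMware Cloud Director", "10.5.0", "linux", upgraded_from="10.4.2"),
]

if __name__ == "__main__":
    for host, cve, action in review(INVENTORY):
        print(f"{host}: {cve} -> {action}")
```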