Cybersafe Solutions Security Advisory Bulletin Dec. 15, 2023

In this week's Security Advisory:

• Apple Fixes Two Actively Exploited Zero-Days in Older Devices
• Security Advisory Update: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
• Security Advisory Update: Zero-Day Remote Code Execution Vulnerability in Sophos Firewall
• Critical Vulnerability in WordPress Plugin 'Backup Migration' Could Lead to Remote Code Execution
• Multiple Vulnerabilities in Microsoft, Google Chrome, and Adobe Products

Apple Fixes Two Actively Exploited Zero-Days in Older Devices

Apple released security updates to address vulnerabilities in several of its products, including two (2) actively exploited zero-days affecting older devices.  The zero-days (CVE-2023-42916 and CVE-2023-42917) were disclosed at the beginning of December and could lead to the disclosure of sensitive information or arbitrary code execution when processing specially crafted web content.  There are reports of these vulnerabilities actively being exploited against versions of iOS before iOS 16.7.1.

The following versions are affected:

• iOS and iPadOS prior to version 17.2 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
• iOS and iPadOS prior to version 16.7.3 (iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
• Safari prior to version 17.2
• macOS Sonoma prior to version 14.2
• macOS Ventura prior to version 13.6.3
• macOS Monterey prior to version 12.7.2
• tvOS prior to version 17.2
• watchOS prior to version 10.2

More Reading/Information:

• https://support.apple.com/en-us/HT201222
• https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-recent-zero-days-on-older-iphones/
• https://nvd.nist.gov/vuln/detail/CVE-2023-42916
• https://nvd.nist.gov/vuln/detail/CVE-2023-42917

Security Advisory Update: Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Threat actors are actively exploiting a critical vulnerability (CVE-2023-26360) in unpatched Adobe ColdFusion servers.  CVE-2023-26360 was previously disclosed in March 2023 and has an existing patch.  It is recommended to apply the patch to affected systems immediately if you have not already done so.

Original Security Advisory - March 13th, 2023:

Adobe released patches for several of its products, including a critical vulnerability in Adobe ColdFusion.  The vulnerability is being tracked as CVE-2023-26360 and could lead to arbitrary code execution, giving an attacker the ability to view, change or delete information on the affected system.  CVE-2023-26360 has been given a CVSS score of 8.6 out of a possible 10 and is actively being exploited in the wild.  Along with this vulnerability, there were a total of one hundred and six (106) vulnerabilities, and sixty-one (61) vulnerabilities receiving a severity rating of "critical".

The following products are affected:

• ColdFusion 2018 Update 15 and earlier versions
• ColdFusion 2021 Update 5 and earlier versions
• Adobe Commerce 2.4.4-p2 and earlier versions
• Adobe Commerce 2.4.4-p1 and earlier versions
• Magento Open Source 2.4.4-p2 and earlier versions
• Magento Open Source 2.4.4-p1 and earlier versions
• Adobe Experience Manager (AEM) AEM Cloud Service (CS)
• Adobe Experience Manger (AEM) 6.5.15.0 and earlier versions
• Illustrator 2023 27.2.0 and earlier versions for Windows and macOS
• Adobe Dimension 3.4.7 and earlier versions for Windows and macOS
• Creative Cloud Desktop Application 5.9.1 and earlier version for Windows
• Adobe Substance 3D Stager 2.0.0 and earlier versions for Windows and macOS
• PhotoShop 2022 23.5.3 and earlier versions for Windows and macOS
• PhotoShop 2023 24.1.1 and earlier versions for Windows and macOS

Adobe has released updated versions of all products above and should be applied immediately.  The security updates can be found at the following link: https://helpx.adobe.com/security.html

More Reading/Information:

• https://helpx.adobe.com/security.html 
• https://www.securityweek.com/adobe-warns-of-very-limited-attacks-exploiting-coldfusion-zero-day/ 
• https://www.bleepingcomputer.com/news/security/hackers-breach-us-govt-agencies-using-adobe-coldfusion-exploit/ 
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a 
• https://nvd.nist.gov/vuln/detail/CVE-2023-26360
• https://www.scmagazine.com/news/unpatched-coldfusion-bug-led-to-double-breach-of-us-federal-agency 

Security Advisory Update: Zero-Day Remote Code Execution Vulnerability in Sophos Firewall

New threat intel indicates that threat actors are actively exploiting a critical vulnerability (CVE-2022-32360) in older, unsupported versions of Sophos Firewall.  CVE-2022-32360 was previously disclosed in September 2022 and has an existing patch.  However, to mitigate this threat against older, unsupported versions of Sophos Firewall, Sophos has released patches for devices running end-of-life firmware.  By default, automatic updates are enabled in Sophos Firewall, so there is no further action required for customers.  However, if this setting is disabled, users are required to upgrade their end-of-life devices and firmware to the latest version.

Original Security Advisory - September 28th, 2022:

Sophos released a patch for a code injection vulnerability found in the User Portal and Webadmin components of the Firewall that could allow for remote code execution.  This critical vulnerability (CVE-2022-3236) affects Sophos Firewall v19.0 MR1 (19.0.1) and older and has been given a CVSS score of 9.8 out of a possible 10.  If successfully exploited, an attacker can install programs, view, change, or delete information, and potentially gain control of the affected system.

By default, automatic updates are enabled in Sophos Firewall, so there is no further action required for customers.  However, if this setting is disabled, users are required to upgrade to the latest version to receive this patch.

More Reading/Information:

• https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
• https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/
• https://thehackernews.com/2022/09/hackers-actively-exploiting-new-sophos.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-3236
• https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
• https://www.bleepingcomputer.com/news/security/sophos-backports-rce-fix-after-attacks-on-unsupported-firewalls/ 

Critical Vulnerability in WordPress Plugin 'Backup Migration' Could Lead to Remote Code Execution

WordPress disclosed a critical vulnerability in the plugin, Backup Migration, which could lead to remote code execution.  The WordPress plugin has over 90,000 active installations and is vulnerable to CVE-2023-6553, a PHP code injection vulnerability.  This vulnerability allows an unauthenticated attacker to execute remote code and potentially gain control over the vulnerable website.  CVE-2023-6553 received a CVSS score of 9.8 out of a possible 10.

This vulnerability affects the following versions:

• Backup Migration prior to version 1.3.8

More Reading/Information:

• https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/
• https://www.darkreading.com/cloud-security/critical-wordpress-plugin-rce-bug-exposes-websites-takeover
• https://www.cve.org/CVERecord?id=CVE-2023-6553

Multiple Vulnerabilities in Microsoft, Google Chrome, and Adobe Products

There were security updates released for Microsoft, Google Chrome desktop browser, and Adobe products.  The most severe could lead to arbitrary code execution.  There are no reports of any of these vulnerabilities being exploited in the wild.

Microsoft addressed a total of thirty-four (34) vulnerabilities in its December 2023 Patch Tuesday release.  Of the vulnerabilities disclosed, there were four (4) vulnerabilities that received a severity rating of "Critical".  This release did not contain any vulnerabilities that have been actively exploited in the wild. 

Google Chrome had a total of nine (9) vulnerabilities, with five (5) vulnerabilities given a severity rating of "High".  These vulnerabilities affect Windows, Mac, and Linux.  At this time, only a patch for Mac and Linux has been released while a patch for Windows is expected to be released shortly. 

Adobe had over two hundred (200) vulnerabilities, with thirteen (13) vulnerabilities given a severity rating of "Critical".  These vulnerabilities affect Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects, and Substance3D Designer.

More Reading/Information:

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Dec
• https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202023/30480
• https://krebsonsecurity.com/2023/12/microsoft-patch-tuesday-december-2023-edition/
• https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop_12.html
• https://helpx.adobe.com/security/security-bulletin.html

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.