In this week's Security Advisory:
- Two Zero-Days Found in Apple Products
- Security Advisory Update: Microsoft Patch Tuesday Fixes Two Zero-Days
- Security Advisory Update: Critical Vulnerability (CVE-2023-34060) in VMware Cloud Director Appliance
- Android Malware Downloaded 12 Million Times on Google Play Store
- Multiple Vulnerabilities in Android Products and Google Chrome
Two Zero-Days Found in Apple Products
Apple released updates to address two (2) zero-days in its products that are actively being exploited in the wild. The first zero-day, CVE-2023-42916, could allow for the disclosure of sensitive information when processing specially crafted web content. The second zero-day, CVE-2023-42917, could allow for arbitrary code execution when processing specially crafted web content. Both zero-days affect Safari, iPadOS, and macOS. There are reports of these vulnerabilities actively being exploited against versions of iOS before iOS 16.7.1.
The following products are affected:
- iOS and iPadOS versions prior to 17.1.2 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
- Safari versions prior to 17.1.2
- macOS Sonoma versions prior to 14.1.2
More Reading/Information
- https://support.apple.com/en-us/HT201222
- https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-in-emergency-updates/
- https://www.csoonline.com/article/1250374/apple-patches-info-stealing-zero-day-bugs-in-ipads-and-macs.html
- https://www.helpnetsecurity.com/2023/12/01/cve-2023-42916-cve-2023-42917/
- https://nvd.nist.gov/vuln/detail/CVE-2023-42916
- https://nvd.nist.gov/vuln/detail/CVE-2023-42917
Security Advisory Update: Microsoft Patch Tuesday Fixes Two Zero-Days
New threat intel indicates that the vulnerability (CVE-2023-23397) impacting Microsoft Outlook is actively being exploited in the wild by the APT28 hacking group. APT28 is exploiting this vulnerability to hijack Microsoft Exchange accounts and steal sensitive information. CVE-2023-23397 was previously disclosed in March 2023 by Microsoft and has an existing patch. It is recommended to apply the existing updates released in March 2023 to mitigate this vulnerability if you have not already done so.
Original Security Advisory - March 15th, 2023:
This month's Patch Tuesday includes fixes for two (2) zero-days that are actively being exploited in the wild. The two (2) zero-days are being tracked as CVE-2023-23397 and CVE-2023-24880 and have received a CVSS scores of 9.8 and 5.4 out of a possible 10, respectively.
The first zero-day, CVE-2023-23397, is a critical elevation of privilege vulnerability in Microsoft Outlook that is triggered automatically when the victim's Outlook client receives and processes a specially crafted email sent by the attacker. This attack requires no user interaction and can affect a user before the email is viewed in the Preview Pane. This vulnerability allows an attacker to steal NTLM hashes via NTLM negotiation requests, essentially allowing the threat actor to authenticate as the victim, as well as laterally move throughout the network and modify Outlook mailbox folder permissions.
This vulnerability affects Microsoft Outlook for Windows. However, this vulnerability does not affect Outlook for Android, iOS, or macOS versions, Outlook on the Web, and Microsoft 365 services.
The second zero-day, CVE-2023-24880, is a vulnerability that allows attackers to bypass the Windows SmartScreen security feature by sending a specially crafted MSI file. When this file is opened by the victim, it will bypass Mark-of-the-Web security warnings and will effectively prevent Windows SmartScreen and Microsoft Office Protected View from triggering. Windows SmartScreen and Microsoft Office Protected Preview rely on Mark-of-the-Web security feature which displays a warning when a file is downloaded from an untrusted or unknown source. If this bypassed, an attacker can execute malicious code and potentially gain control of the affected system.
More Reading/Information
- https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar
- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
- https://www.helpnetsecurity.com/2023/03/14/cve-2023-23397-cve-2023-24880/
- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224
- https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880
- https://www.bleepingcomputer.com/news/microsoft/russian-hackers-exploiting-outlook-bug-to-hijack-exchange-accounts/
Security Advisory Update: Critical Vulnerability (CVE-2023-34060) in VMware Cloud Director Appliance
VMware has released a patch for a critical authentication bypass vulnerability affecting its Cloud Director Appliance that was previously disclosed on November 14th, 2023. Organizations should update Cloud Director Appliance to the latest version (version 10.5.1) to mitigate this vulnerability. If organizations cannot apply the current patch, it is recommended to implement the workaround provided by VMware. The workaround can be found here: https://kb.vmware.com/s/article/95534
Original Security Advisory - November 15th, 2023:
VMware disclosed a critical authentication bypass vulnerability in its Cloud Director Appliance. The vulnerability is being tracked as CVE-2023-34060 and can allow an attacker with network access to the appliance to bypass login restrictions when authenticating on either port 22 (SSH) or port 5480 (appliance management console). CVE-2023-34060 received a CVSS score of 9.8 out of a possible 10.
VMware states that this vulnerability only affects VMware Cloud Director Appliance deployments that have upgraded to 10.5 from an older release. This vulnerability does not impact Linux deployments or new deployments of 10.5.
While no patch has been released for CVE-2023-34060, VMware has released a workaround that could be implemented until a patch becomes available. Those instructions can be found here: https://kb.vmware.com/s/article/95534.
More Reading/Information
- https://www.vmware.com/security/advisories/VMSA-2023-0026.html
- https://www.bleepingcomputer.com/news/security/vmware-discloses-critical-vcd-appliance-auth-bypass-with-no-patch/
- https://kb.vmware.com/s/article/95534
- https://nvd.nist.gov/vuln/detail/CVE-2023-34060
- https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-director-auth-bypass-unpatched-for-2-weeks/
Android Malware Downloaded 12 Million Times on Google Play Store
A new Android malware called SpyLoan is disguising itself as legitimate apps on the Google Play Store and is reported to have over 12 million downloads. The malicious apps claim to offer financial services that provide personal loans. Once downloaded, the malware steals personal data from the device such as contacts, location data, text messages, device info, call logs, installed apps, network information, etc., and the threat actor uses this data to blackmail the victim. Google has removed several apps containing this malware from the Google Play Store.
More Reading/Information
- https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-downloaded-12-million-times/#google_vignette
- https://www.darkreading.com/cyber-risk/spyloan-malicious-app-downloaded-over-12m-times-in-googleplay
- https://www.infosecurity-magazine.com/news/spyloan-scams-target-android/
Multiple Vulnerabilities in Android Products and Google Chrome
Android released updates to address eight-five (85) vulnerabilities, five (5) given a severity rating of "Critical." The most severe is being tracked as CVE-2023-40088 and is a vulnerability in the System component that could lead to an attacker executing remote code on the affected system without requiring user interaction. These vulnerabilities affect Android OS security patch levels prior to 2023-12-05.
Google Chrome addressed ten (10) vulnerabilities, with two (2) given a severity rating of "High." The most severe could lead to arbitrary code execution. These vulnerabilities affect Windows, Mac, and Linux.
More Reading/Information
- https://source.android.com/docs/security/bulletin/2023-12-01
- https://www.bleepingcomputer.com/news/security/december-android-updates-fix-critical-zero-click-rce-flaw/
- https://nvd.nist.gov/vuln/detail/CVE-2023-40088
- https://chromereleases.googleblog.com/2023/12/stable-channel-update-for-desktop.html
- https://www.securityweek.com/chrome-120-patches-10-vulnerabilities/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
