
February 02, 2024   •   5 minute read

Cybersafe Solutions Security Advisory Bulletin Feb. 2, 2024

In this week's Security Advisory:

  • Juniper Networks Patches Vulnerabilities in SRX Series Firewalls and EX Series Switches
  • Critical Remote Code Execution Vulnerability in Several Cisco Unified Communications and Contact Center Solutions Products
  • Vulnerability in GNU C Library Affects Multiple Linux Distributions
  • Security Updates Released for Google Chrome Desktop Browser

Juniper Networks Patches Vulnerabilities in SRX Series Firewalls and EX Series Switches

Juniper Networks released an out-of-band patch to fix four (4) vulnerabilities affecting the J-Web component of Junos OS on SRX Series Firewalls and EX Series Switches. The vulnerabilities are being tracked as CVE-2024-21619, CVE-2023-36846, CVE-2024-21620, and CVE-2023-36851, and received CVSS scores of 5.3, 5.3, 8.8, and 5.3 out of a possible 10, respectively. CVE-2023-36846 and CVE-2023-36851 were disclosed in August 2023 and could allow an unauthenticated, network-based attacker to modify files on the affected system. CVE-2024-21619 allows an unauthenticated, network-based attacker to access sensitive data. CVE-2024-21620 is a cross-site scripting vulnerability that could be exploited if a victim visits a maliciously crafted website. Successful exploitation could lead to an attacker obtaining access to sensitive data or executing arbitrary commands on the affected system.

These vulnerabilities affect all versions of Junos OS on SRX Series Firewalls and EX Series Switches.

Critical Remote Code Execution Vulnerability in Several Cisco Unified Communications and Contact Center Solutions Products

Cisco released patches for several Unified Communications and Contact Center Solutions products to fix a critical remote code execution vulnerability. The vulnerability is being tracked as CVE-2024-20253 and is due to improper processing of user-supplied data. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted message to a listening port on an affected device and gain remote code execution. CVE-2024-20253 received a CVSS score of 9.9 out of a possible 10.

The following versions are affected:

  • Unified Communications Manager versions 11.5, 12.5(1), and 14
  • Unified Communications Manager IM & Presence Service versions 11.5(1), 12.5(1), and 14
  • Unified Communications Manager Session Management Edition versions 11.5, 12.5(1), and 14
  • Unified Contact Center Express versions 12.0 and earlier and 12.5(1)
  • Unity Connection versions 11.5(1), 12.5(1), and 14
  • Virtualized Voice Browser versions 12.0 and earlier, 12.5(1), and 12.5(2)

Vulnerability in GNU C Library Affects Multiple Linux Distributions

Four (4) vulnerabilities were discovered in the GNU C Library (glibc), affecting multiple Linux distributions. glibc is a fundamental part of most Linux distributions and provides low-level functionality to the operating system and other applications. Of the vulnerabilities found, the most severe, CVE-2023-6246, is a heap-based buffer overflow that could allow a user to elevate their privileges to root. CVE-2023-6246 received a CVSS score of 8.4 out of a possible 10.

As of now, the following distributions are vulnerable to CVE-2023-6246:

  • Debian 12 and 13
  • Ubuntu 23.04 and 23.10
  • Fedora 37 to 39

Security Updates Released for Google Chrome Desktop Browser

The latest Google Chrome stable channel update addresses four (4) vulnerabilities, three (3) of which are rated "High" severity. The most severe can lead to arbitrary code execution and affects Chrome on Windows, Mac, and Linux. There are no reports of these vulnerabilities being exploited in the wild.

More Reading / Information

https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html


Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which both informs and helps verify your patch and vulnerability management program.
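As an added illustration of the inventory-driven check recommended above (example code written for this bulletin, not Cybersafe's, Cisco's or any vendor's tooling), the script below turns the affected-version lists stated in this advisory for CVE-2024-20253 and CVE-2023-6246 into matching rules and runs them over a constructed software inventory. The inventory records, host names and version strings are sample data; the matching semantics are assumptions made here: a listed version such as "14" or "11.5" covers that whole release train, "12.5(1)" matches only that release, "12.0 and earlier" is an upper bound, and a trailing service-update suffix such as "SU3" is ignored. Treat the output as a triage list to confirm against the vendor advisories, not as proof that a host is or is not patched.

```python
"""Match a software inventory against the affected-version lists in this advisory.

Added example, not vendor code. The inventory below is constructed sample data.
"""
import re
from dataclasses import dataclass

CISCO_CVE = "CVE-2024-20253"
GLIBC_CVE = "CVE-2023-6246"

# Affected Cisco products/versions as stated in the advisory.
# Each rule is (listed version, "exact" = that release/train, "and_earlier" = upper bound).
CISCO_AFFECTED = {
    "Unified Communications Manager": [("11.5", "exact"), ("12.5(1)", "exact"), ("14", "exact")],
    "Unified Communications Manager IM & Presence Service": [("11.5(1)", "exact"), ("12.5(1)", "exact"), ("14", "exact")],
    "Unified Communications Manager Session Management Edition": [("11.5", "exact"), ("12.5(1)", "exact"), ("14", "exact")],
    "Unified Contact Center Express": [("12.0", "and_earlier"), ("12.5(1)", "exact")],
    "Unity Connection": [("11.5(1)", "exact"), ("12.5(1)", "exact"), ("14", "exact")],
    "Virtualized Voice Browser": [("12.0", "and_earlier"), ("12.5(1)", "exact"), ("12.5(2)", "exact")],
}

# Distributions the advisory lists as vulnerable to CVE-2023-6246: (distro, lowest, highest release).
GLIBC_AFFECTED = [
    ("debian", (12,), (13,)),
    ("ubuntu", (23, 4), (23, 10)),
    ("fedora", (37,), (39,)),
]


def parse_version(v: str) -> tuple:
    """Turn '12.5(1)', '11.5', '14' or '23.10' into a tuple of integer components.

    Assumption: an optional trailing service-update suffix ('SU3') is ignored for matching.
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\((\d+)\))?(?:SU\d+)?", v.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognized version string: {v!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def cisco_version_matches(installed: str, listed: str, kind: str) -> bool:
    """Compare only the components the advisory lists, so '14' covers the whole 14 train."""
    inst, ref = parse_version(installed), parse_version(listed)
    head = inst[: len(ref)]
    if kind == "exact":
        return head == ref
    if kind == "and_earlier":
        return head <= ref
    raise ValueError(f"unknown rule kind: {kind!r}")


@dataclass(frozen=True)
class Asset:
    host: str
    kind: str      # "cisco" or "linux"
    product: str   # Cisco product name, or distribution name for Linux hosts
    version: str


def findings(inventory) -> list:
    """Return (host, CVE) pairs for assets whose product/version the advisory lists as affected."""
    out = []
    for a in inventory:
        if a.kind == "cisco":
            rules = CISCO_AFFECTED.get(a.product, [])
            if any(cisco_version_matches(a.version, v, k) for v, k in rules):
                out.append((a.host, CISCO_CVE))
        elif a.kind == "linux":
            rel = parse_version(a.version)
            for distro, lo, hi in GLIBC_AFFECTED:
                if a.product.lower() == distro and lo <= rel <= hi:
                    out.append((a.host, GLIBC_CVE))
    return out


# Constructed sample inventory; host names and versions are invented for the example.
SAMPLE_INVENTORY = [
    Asset("cucm-01", "cisco", "Unified Communications Manager", "12.5(1)SU3"),
    Asset("cucm-02", "cisco", "Unified Communications Manager", "15.0(1)"),
    Asset("uccx-01", "cisco", "Unified Contact Center Express", "11.6(2)"),
    Asset("uccx-02", "cisco", "Unified Contact Center Express", "12.5(2)"),
    Asset("vvb-01", "cisco", "Virtualized Voice Browser", "12.5(2)"),
    Asset("web-01", "linux", "Debian", "12.4"),
    Asset("web-02", "linux", "Debian", "11.8"),
    Asset("ci-01", "linux", "Ubuntu", "23.10"),
    Asset("ci-02", "linux", "Ubuntu", "22.04"),
    Asset("dev-01", "linux", "Fedora", "39"),
]

if __name__ == "__main__":
    for host, cve in findings(SAMPLE_INVENTORY):
        print(f"{host}: review for {cve}")
```

Feeding the real inventory export into `findings()` in place of `SAMPLE_INVENTORY` gives the review list; anything the advisory's lists do not mention (for example the Juniper J-Web issues, which the bulletin says affect all versions) still needs a manual check against the vendor's own advisory.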