Cybersafe Solutions Security Advisory Bulletin May 10, 2024

In this week's Security Advisory:

• High-Severity Vulnerability in Citrix  NetScaler ADC and NetScaler Gateway
• Critical Vulnerability in Tinyproxy Could Lead to Remote Code Execution
• Multiple Vulnerabilities in Aruba Products Could Lead to Remote Code Execution
• Security Advisory Update: Critical Vulnerability in GitLab Could Lead to Account Takeover
• Security Updates Released for Google Chrome Desktop Browser and Android Products

High-Severity Vulnerability in Citrix NetScaler ADC and NetScaler Gateway

A high-severity vulnerability was found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could allow for the disclosure of sensitive information. The vulnerability has not been assigned a CVE ID; however, it is an unauthenticated out-of-bounds read issue that allows an attacker to obtain sensitive information such as HTTP requests which could include credentials submitted by the user.

To exploit this vulnerability, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The following versions are affected:

NetScaler ADC and NetScaler Gateway version 13.1-50.23

Citrix has patched this vulnerability in version 13.1-51.15. Organizations should ensure that their NetScaler ADC and NetScaler Gateway appliances are running version 13.1-51.15 or later.

More Reading/Information

• https://bishopfox.com/blog/netscaler-adc-and-gateway-advisory
• https://www.darkreading.com/cyber-risk/citrix-addresses-high-severity-flaw-in-netscaler-adc-and-gateway
• https://www.csoonline.com/article/2098805/citrix-quietly-fixes-a-new-critical-vulnerability-similar-to-citrix-bleed.html

Critical Vulnerability in Tinyproxy Could Lead to Remote Code Execution

A critical vulnerability was found in Tinyproxy, a lightweight HTTP/HTTPS proxy daemon for POSIX operating systems, that could allow an attacker to execute remote code. The critical vulnerability is being tracked as CVE-2023-49606 and received a CVSS score of 9.8 out of a possible 10.  CVE-2023-49606 is due to an improper memory handling within the HTTP request parsing mechanism that could allow an unauthenticated attacker to send specially crafted HTTP requests to the affected server and cause a denial-of-service attack and potentially execute remote code.

The following versions are affected:

• Tinyproxy version 1.10.0
• Tinyproxy version 1.11.1

More Reading/Information

• https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
• https://www.scmagazine.com/brief/widespread-rce-compromise-likely-with-critical-tinyproxy-bug    
• https://www.bleepingcomputer.com/news/security/over-50-000-tinyproxy-servers-vulnerable-to-critical-rce-flaw/
• https://nvd.nist.gov/vuln/detail/CVE-2023-49606

Multiple Vulnerabilities in Aruba Products Could Lead to Remote Code Execution

Ten (10) vulnerabilities were found in ArubaOS, of which four (4) were deemed critical and could lead to remote code execution. These vulnerabilities affect Aruba Mobility Conductor, Aruba Mobility Controller, and WLAN Gateways and SD-WAN Gateways managed by Aruba Central. All four (4) critical vulnerabilities are caused by a buffer overflow in the underlying components of ArubaOS and could be exploited by an authenticated attacker to achieve remote code execution.

The following versions are affected:

• ArubaOS versions 10.5.1.0 and below
• ArubaOS versions 10.4.1.0 and below
• ArubaOS versions 8.11.2.1 and below
• ArubaOS versions 8.10.0.10 and below

Of note, the following versions are impacted by these vulnerabilities, however they will not receive patches due to them being End of Life: ArubaOS 10.3.x.x, ArubaOS 8.9.x.x, ArubaOS 8.8.x.x, ArubaOS 8.7.x.x, ArubaOS 8.6.x.x, ArubaOS 6.5.4.x, SD-WAN 8.7.0.0-2.3.0.x, SD-WAN 8.6.0.4-2.2.x.x.

More Reading/Information

• https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
• https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-four-critical-rce-flaws-in-arubaos/
• https://www.theregister.com/2024/05/02/hpe_aruba_patches/

Security Advisory Update: Critical Vulnerability in GitLab Could Lead to Account Takeover

New threat intel indicates that the vulnerability (CVE-2023-7028) impacting GitLab is now actively being exploited in the wild. It is recommended to update GitLab Community and Enterprise Editions to the latest version immediately.

Original Security Advisory - January 17th, 2024:

GitLab fixed a critical vulnerability in its Community and Enterprise Edition that could lead to an account takeover without user interaction. The vulnerability is being tracked as CVE-2023-7028 and received a CVSS score of 10 out of 10, the highest score a vulnerability could receive. CVE-2023-7028 is a flaw in the email verification process which allows password reset emails to be sent to an unverified email address. Accounts that have two-factor authentication (2FA) enabled are not vulnerable to account takeover, however, they are vulnerable to a password reset. It is important to apply the latest patch and to implement 2FA on GitLab accounts to remove this vector.

The following versions of GitLab are affected:

• GitLab versions 16.1 to 16.1.5
• GitLab versions 16.2 to 16.2.8
• GitLab versions 16.3 to 16.3.6
• GitLab versions 16.4 to 16.4.4
• GitLab versions 16.5 to 16.5.5
• GitLab versions 16.6 to 16.6.3
• GitLab versions 16.7 to 16.7.1

More Reading/Information

• https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
• https://www.helpnetsecurity.com/2024/01/12/cve-2023-7028/
• https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/
• https://nvd.nist.gov/vuln/detail/CVE-2023-7028
• https://www.bleepingcomputer.com/news/security/cisa-says-gitlab-account-takeover-bug-is-actively-exploited-in-attacks/
• https://docs.gitlab.com/ee/security/responding_to_security_incidents.html#suspected-compromised-user-account

Security Updates Released for Google Chrome Desktop Browser and Android Products

There were security updates released for vulnerabilities found in Google Chrome and Android.

Google Chrome had a total of two (2) vulnerabilities, both receiving a severity rating of "High." They affect Windows, Mac, and Linux operating systems.

Android released updates to address twenty-nine (29) vulnerabilities, with one (1) given a severity rating of "Critical." The most severe is being tracked as CVE-2024-23706 and is a vulnerability in the System component that could lead to privilege escalation. These vulnerabilities affect Android OS security patch levels prior to 2024-05-05.

More Reading/Information

• https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html
• https://source.android.com/docs/security/bulletin/2024-05-01

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.