Cybersafe Solutions Security Advisory Bulletin Sept 15, 2023

In this week's Security Advisory:

• Zero-Day (CVE-2023-20269) in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
• Two Zero-Days (CVE-2023-41064 & CVE-2023-41061) in Apple Products Could Allow for Arbitrary Code Execution
• Microsoft Patch Tuesday Fixes Two Zero-Days (CVE-2023-36802 & CVE-2023-36761)
• Multiple Vulnerabilities in Adobe, Google Chrome, Mozilla, and Notepad++

Zero Day (CVE-2023-20269) in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

There is a zero-day in the VPN feature of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software which could allow an attacker to gain access to the vulnerable device. According to Cisco, the zero-day, CVE-2023-20269, is "due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features." To exploit this vulnerability, an attacker needs to obtain valid credentials through a brute-force attack. Once authenticated, a remote attacker could establish a clientless SSL VPN session with an unauthorized user.

Of note, the following Cisco products are not affected by this zero-day: Firepower Management Center (FMC) Software, FXOS Software, IOS Software, IOS XE Software, IOS XR Software, and NX-OS Software.

Cisco has not released a patch for this zero-day. However, there is a workaround that users can apply until the patch is released. Navigate to the following link to learn more: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

More Reading/Information

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
• https://www.helpnetsecurity.com/2023/09/08/cve-2023-20269/
• https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/
• https://nvd.nist.gov/vuln/detail/CVE-2023-20269

Two Zero-Days (CVE-2023-41064 & CVE-2023-41061) in Apple Products Could Allow for Arbitrary Code Execution

Apple released updates to address two (2) zero-days being actively exploited in iPhone and Mac devices. The first zero-day, CVE-2023-41064, is a buffer overflow vulnerability that could lead to arbitrary code execution when processing specially crafted images. CVE-2023-41064 received a CVSS score of 7.8 out of a possible 10. The second zero-day, CVE-2023-41061, is a validation issue in Apple's Wallet which could lead to arbitrary code execution when processing specially crafted attachments. CVE-2023-41061 received a CVSS score of 7.8 out of a possible 10. It is believed that the zero-days were actively used in a zero-click exploit chain dubbed BLASTPASS which deployed NSO Group's Pegasus mercenary spyware onto iOS devices.

The following products are affected:

• iOS and iPadOS prior to version 16.6.1 (iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
• iOS and iPadOS prior to version 15.7.9 (iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation))
• macOS Monterey prior to version 12.6.9
• macOS Big Sur prior to version 11.7.10
• macOS Ventura prior to version 13.5.2
• watchOS prior to version 9.6.2

• https://support.apple.com/en-us/HT201222
• https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
• https://www.helpnetsecurity.com/2023/09/08/cve-2023-41064-cve-2023-41061/
• https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/
• https://nvd.nist.gov/vuln/detail/CVE-2023-41064
• https://nvd.nist.gov/vuln/detail/CVE-2023-41061

Microsoft Patch Tuesday Fixes Two Zero-Days (CVE-2023-36802 & CVE-2023-36761)

This month's Patch Tuesday includes fixes for two (2) zero-days. The two (2) zero-days are being tracked as CVE-2023-36802, is a local privilege elevation vulnerability in the Microsoft Streaming Service Proxy that could allow an attacker to gain SYSTEM level privilege if exploited. The second zero-day, CVE-2023-36761, is an information disclosure vulnerability in Microsoft Word and could allow an attacker to steal NTLM hashes. This attack can be triggered when a user opens a document or views a document in the Preview Pane.

More Reading/Information

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Sep
• https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761
  

Multiple Vulnerabilities in Adobe, Google Chrome, Mozilla, and Notepad++

There were security updates released for multiple vendors including Adobe, Google Chrome, and Mozilla. The most severe could lead to arbitrary code execution.

Adobe fixed a total of five (5) vulnerabilities, including a zero-day in Adobe Acrobat and Reader that is being actively exploited in the wild. This zero-day is being tracked as CVE-2023-26369 and is an out-of-bounds write issue that could be exploited to gain arbitrary code execution.

Google Chrome Desktop Browser addressed sixteen (16) vulnerabilities, with one (1) given a severity rating of "Critical". These vulnerabilities affect Windows, Mac, and Linux.

Mozilla fixed a critical zero-day that is being actively exploited in the wild. The zero-day is being tracked as CVE-2023-4863 and is a heap buffer overflow in the WebP code library (libwebp). Successful exploitation of this vulnerability can lead to the threat actor executing arbitrary code on the victim's host or the user's browser crashing leading to a denial-of-service attack. This zero-day affects Firefox, Firefox ESR, and Thunderbird.

Notepad++ released updates to address four (4) vulnerabilities. The most severe, CVE-2023-40031, is a high severity heap buffer overflow vulnerability and has received a CVSS score of 7.8 out of a possible 10. CVE-2023-40031 could be exploited to achieve arbitrary code execution. CVE-2023-40031 affects versions prior to 8.5.7.

More Reading/Information

• https://helpx.adobe.com/security.html 
• https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html 
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/ 
• https://www.bleepingcomputer.com/news/security/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks/ 
• https://nvd.nist.gov/vuln/detail/CVE-2023-4863 
• https://www.bleepingcomputer.com/news/security/notepad-plus-plus-857-released-with-fixes-for-four-security-vulnerabilities/
• https://nvd.nist.gov/vuln/detail/CVE-2023-40031

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe Solutions strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.