Cybersafe Solutions Security Advisory Bulletin Jan 26, 2024

In this week's Security Advisory:

• Critical Vulnerability in Fortra's GoAnywhere MFT
• Zero-Day in Apple Products Could Allow for Arbitrary Code Execution
• Security Advisory Update: Critical Remote Code Execution Vulnerability in Confluence Data Center and Server
• Security Advisory Update: Vulnerabilities (CVE-2023-34048 and CVE-2023-34056) in VMware vCenter Server Could Lead to Remote Code Execution
• Microsoft Corporate Email Accounts Compromised by Russian Nation-State Actor
• Security Updates Released for Google Chrome Desktop Browser, Mozilla, and Oracle Products

Critical Vulnerability in Fortra's GoAnywhere MFT

Fortra released a patch to address a critical vulnerability in its GoAnywhere MFT, a secure file transfer tool.  The vulnerability is being tracked as CVE-2024-0204 and is an authentication bypass that could allow a remote attacker to create an administrative user via the administrative portal and ultimately take over the device.  Successful exploitation could lead to an attacker gaining access to sensitive information and installing malware onto the affected system.  CVE-2024-0204 received a CVSS score of 9.8 out of a possible 10.

The following versions are affected:

• Fortra GoAnywhere MFT 6.x from 6.0.1
• Fortra GoAnywhere MFT 7.x before 7.4.1

While this vulnerability has not been actively exploited in the wild, a proof-of-concept exploit is available, so it is recommended to apply the patch immediately.

More Reading / Information

• https://www.fortra.com/security/advisory/fi-2024-001
• https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical-goanywhere-mft-auth-bypass-patch-now/
• https://www.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/
• https://www.securityweek.com/poc-code-published-for-just-disclosed-fortra-goanywhere-vulnerability/
• https://nvd.nist.gov/vuln/detail/CVE-2024-0204

Zero-Day in Apple Products Could Allow for Arbitrary Code Execution

Apple released updates to address several vulnerabilities including a zero-day that is actively being exploited in the wild.  The zero-day, CVE-2024-23222, impacts iOS, macOS, iPadOS, Safari, and tvOS products and is an issue in the WebKit browser engine that could lead to arbitrary code execution when processing specially crafted web content.  At this time, CVE-2024-23222 has not received a CVSS score.

The following products are affected: 

• iOS and iPadOS prior to version 17.3 (iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPadPro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later)
• iOS and iPadOS prior to version 16.7.5 (iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation)
• iOS and iPadOS prior to version 15.8.1 (iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation))
• macOS Sonoma prior to version 14.3
• macOS Ventura prior to version 13.6.4
• macOS Monterey prior to version 12.7.3
• Safari prior to version 17.3
• watchOS prior to version 10.3
• tvOS prior to version 17.3

More Reading / Information

• https://support.apple.com/en-us/HT201222
• https://www.bleepingcomputer.com/news/apple/apple-fixes-first-zero-day-bug-exploited-in-attacks-this-year/
• https://www.scmagazine.com/news/apple-patches-zero-day-affecting-operating-systems-for-devices-macs
• https://nvd.nist.gov/vuln/detail/CVE-2024-23222

Security Advisory Update: Critical Remote Code Execution Vulnerability in Confluence Data Center and Server

New threat intel shows that threat actors are actively exploiting a critical vulnerability (CVE-2023-22527) affecting Confluence Data Center and Server.  It is recommended to apply the latest update to the affected versions immediately if you still need to do so.

Original Security Advisory - January 17th, 2024:

Atlassian released a patch to fix a critical vulnerability in its Confluence Data Center and Server.  The critical vulnerability is being tracked as CVE-2023-22527 and received a CVSS score of 10 out of 10, the highest score a vulnerability can receive.  CVE-2023-22527 is a template injection vulnerability that could allow an unauthenticated attacker to execute remote code.  This vulnerability affects out-of-date versions of Confluence Data Center and Server, specifically version 8.  Atlassian Cloud sites are not affected.

The following versions are affected:

• 8.0.x
• 8.1.x
• 8.2.x
• 8.3.x
• 8.4.x
• 8.5.0-8.5.3

More Reading / Information

• https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
• https://www.scmagazine.com/news/atlassian-confluence-vulnerability-enables-remote-code-execution
• https://www.darkreading.com/application-security/patch-max-critical-atlassian-bug-unauthenticated-rce
• https://nvd.nist.gov/vuln/detail/CVE-2023-22527
• https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-atlassian-confluence-rce-flaw/

Security Advisory Update: Vulnerabilities (CVE-2023-34048 and CVE-2023-34056) in VMware vCenter Server Could Lead to Remote Code Execution

New threat intel indicates that a critical vulnerability (CVE-2023-34048) impacting VMware vCenter Server is actively being exploited in the wild by UNC3886, a Chinese espionage group.  UNC3886 has been observed exploiting this vulnerability since late 2021 to install backdoors and execute remote code on affected servers.  CVE-2023-34048 was previously disclosed in October 2023 and has an existing patch.

Due to the severity of the vulnerability, VMware has made patches available for vCenter Server 8.0U1, as well as end-of-life products with no active support, including vCenter Server 6.7U3, 6.5U3, and VMware Cloud Foundation 3.x.  It is strongly recommended to apply the patch to affected vCenter Servers immediately if you still need to do so.

Original Security Advisory - October 25th, 2023:

VMware released updates to address two (2) vulnerabilities in its vCenter Server that could lead to remote code execution.  The first vulnerability, CVE-2023-34048, is an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation and could allow a remote, unauthenticated attacker with network access to execute remote code on the vulnerable server.  CVE-2023-34048 has received a CVSS score of 9.8 out of a possible 10.  The second vulnerability, CVE-2023-34056, is a partial information disclosure vulnerability that could allow an attacker with non-administrative privileges to the vulnerable server to gain access to unauthorized data.  CVE-2023-3405 received a CVSS score of 4.3 out of a possible 10.

The following versions are affected:

• VMware vCenter Server prior to version 8.0 (8.0U1d or 8.0U2)
• VMware vCenter Server prior to version 7.0 (7.0U3o)
• VMware Cloud Foundation prior to versions 5.x and 4.x

More Reading / Information

• https://www.vmware.com/security/advisories/VMSA-2023-0023.html
• https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-code-execution-flaw-in-vcenter-server/
• https://www.helpnetsecurity.com/2023/10/25/cve-2023-34048/
• https://nvd.nist.gov/vuln/detail/CVE-2023-34056
• https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/
• https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021
• https://nvd.nist.gov/vuln/detail/CVE-2023-34048

Microsoft Corporate Email Accounts Compromised by Russian Nation-State Actor

A Russian nation-state actor called Midnight Blizzard, commonly referred to as Nobelium, Cozy Bear, and APT29, compromised Microsoft corporate email accounts for over two months.  The threat actor used a password spray attack to access a legacy non-production test account.  Once the attacker gained a foothold, they used the test account's permissions to pivot to other Microsoft corporate email accounts, gaining access to sensitive files and emails from members of leadership and Microsoft employees.  It is important to note that there is no evidence that the attacker accessed customer data, source code, or production systems.

This compromise highlights the importance of following security best practices on all systems, including legacy systems.  Organizations should use strong, unique passwords for every account and implement multi-factor authentication (MFA) to all accounts wherever possible.  Organizations should also monitor their cloud logs to ensure no abnormal activity occurs.

More Reading / Information

• https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ 
• https://www.scmagazine.com/news/microsoft-reveals-in-sec-filing-that-executive-emails-breached-by-russian-apt
• https://www.techtarget.com/searchsecurity/news/366567157/Microsoft-breached-by-Russian-APT-behind-SolarWinds-attack 

Security Updates Released for Google Chrome Desktop Browser, Mozilla, and Oracle Products

There were security updates released by several vendors including Google, Mozilla, and Oracle. The most severe could cause remote code execution. 

Google Chrome had a total of seventeen (17) vulnerabilities, with three (3) vulnerabilities given a severity rating of "High." These vulnerabilities affect Windows, Mac, and Linux.

Mozilla released security updates to address vulnerabilities in several of its products that could lead to arbitrary code execution. There was a total of thirty-three (33) vulnerabilities affecting Firefox, Firefox ESR, and Thunderbird, with nine (9) receiving a severity rating of "High." These affect Firefox versions prior to 122, Firefox ESR versions prior to 115.7, and Thunderbird versions prior to 115.7.

Oracle released 389 patches in their quarterly update, which fixed vulnerabilities in several of their products. The most severe can lead to remote code execution, which allows the threat actor to install programs, view, change, or delete information, and potentially gain control of the affected system. It is recommended to update all affected products to their latest version. The full list of affected Oracle products can be found here: https://www.oracle.com/security-alerts/cpujan2024.html

More Reading / Information

• https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html
• https://www.mozilla.org/en-US/security/advisories/
• https://www.oracle.com/security-alerts/cpujan2024.html

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner.  It is security best practice to regularly update and/or patch software to the latest versions.  The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only.  This dramatically increases the likelihood that new vulnerabilities have a patch issued for them.  Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.