Top Five Most Exploited Vulnerabilities in January 2024
Below is an in-depth analysis of the most critical vulnerabilities targeted during January.
CVE-2023-46805 and CVE-2024-21887: CISA Warns Against Ivanti Zero-Day Vulnerabilities
On January 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding two critical zero-day vulnerabilities discovered in Ivanti products:
CVE-2023-46805 and CVE-2024-21887.
Assigned CVSS scores of 8.2 (High) and 9.1 (Critical), these vulnerabilities underscore a significant risk to cybersecurity, marked by their capability for arbitrary command execution. This prompted an emergency directive for immediate mitigation within federal agencies, highlighting the urgent need for action.
Ivanti's Connect Secure and Policy Secure, widely utilized for securing remote connections and managing network access, are the affected products. Revealed in a security advisory by Ivanti on January 10, 2024, CVE-2023-46805 is an authentication bypass issue, while CVE-2024-21887 is a command injection flaw. Both vulnerabilities can be exploited together to execute remote code on the compromised systems. In addition, the discovery of over 17,000 exposed Connect Secure and Policy Secure gateways online underscores the urgency of addressing these vulnerabilities.
CVE-2023-46805 exploits involve a path traversal flaw in the web component of Ivanti products, specifically through an unauthenticated endpoint, allowing attackers to bypass authentication mechanisms. CVE-2024-21887, on the other hand, leverages a command injection vulnerability, enabling attackers to inject and execute malicious payloads. The combination of these vulnerabilities provides a potent vector for attackers to gain unauthorized access and control over affected Ivanti systems, emphasizing the critical need for organizations to implement suggested mitigations promptly.
To gain a deeper understanding of these two zero-day vulnerabilities, please check out our blog, which showcases example PoCs.
CVE-2023-22527: Critical Atlassian Confluence Remote Code Execution Vulnerability
On January 16, 2024, Atlassian disclosed a critical security flaw, CVE-2023-22527, impacting legacy versions of Confluence Data Center and Confluence Server. This vulnerability, rated at the maximum severity of 9.8 on the CVSS 3.1 scale, stems from an Object-Graph Navigation Language (OGNL) injection flaw. Such vulnerabilities arise in Java-based applications, including Atlassian Confluence, due to insufficient sanitization of user inputs before processing in OGNL expressions. This lapse enables attackers to remotely execute arbitrary code by injecting harmful OGNL expressions, posing a significant security threat.
Security researchers observed active exploitation attempts as of January 26, 2024, targeting vulnerable Confluence instances across multiple countries, including China, Singapore, Brazil, the United States, and several others. This global scanning activity underscores the urgency for organizations to secure their instances against such attacks.
Further insights reveal that with a quick search for "services.modules.http.title: Confluence", it is possible to observe more than 4,000 internet-exposed Confluence instances. These instances have been predominantly detected in the United States, Germany, China, Russia, Japan, and the United Kingdom, significantly expanding the potential attack surface.
The vulnerability exploits a template injection issue within certain Confluence versions, specifically through the text-inline.vm velocity template, by manipulating the 'label' parameter, allowing remote execution of arbitrary code without authentication. Exploitation techniques include overcoming a 200-character limit imposed on OGNL expressions, a restriction bypassed by attackers to execute system commands remotely. This method was documented and demonstrated by security researchers, highlighting the vulnerability's technical nuances and the critical need for mitigation.
Given the critical nature of CVE-2023-22527 and its active exploitation, it's paramount for organizations running outdated Confluence versions to urgently update to the latest, secure releases recommended by Atlassian.
To take a look at the publicly available proof of concept (PoC), check our blog.
CVE-2024-20253: Remote Code Execution (RCE) Vulnerability in Cisco Unified Communications Products
Cisco disclosed a critical vulnerability, CVE-2024-20253, on January 24, 2024, affecting several Cisco Unified Communications Manager and Contact Center Solutions products. Rated with a CVSS score of 9.9 for its critical severity, this remote code execution issue significantly endangers the security of affected systems by allowing unauthenticated, remote attackers to execute arbitrary code. This vulnerability arises from the improper handling of user-supplied data that, when manipulated through a specially crafted message sent to a listening port on an affected device, could allow the attacker to execute commands with web services user privileges. Such exploitation could lead to gaining root access, thereby compromising the entire system.
Contrary to the initial summary, Cisco's advisory does indeed acknowledge that while there are no direct workarounds to completely resolve the vulnerability, a mitigation strategy is recommended. This involves implementing access control lists (ACLs) on intermediary devices to regulate access to the ports of deployed services, effectively narrowing the potential avenues for exploitation. This mitigation technique is aimed at reducing the attack surface by controlling network traffic to and from the vulnerable systems, although it is not a replacement for applying the necessary security updates.
The affected Cisco products include various versions of the Unified Communications Manager, Unified Communications Manager IM & Presence Service, Unified Communications Manager Session Management Edition, Unified Contact Center Express, Unity Connection, and the Virtualized Voice Browser.
Cisco has released free software updates to address this vulnerability , and organizations are strongly advised to install these updates as soon as possible to mitigate the risk posed by CVE-2024-20253. Implementing the recommended mitigation measures can help protect systems until the updates are applied, but they should not be considered a long-term solution to the underlying security issue.
CVE-2023-34048: vCenter Server Vulnerability Exploited in the Wild
UNC3886, a sophisticated espionage group with links to China, has been exploiting a vulnerability in VMware's vCenter systems identified as CVE-2023-34048 since late 2021, well before it was publicly reported and subsequently patched in October 2023. This group is adept at exploiting zero-day vulnerabilities in technologies lacking Endpoint Detection and Response (EDR) tools.
The attack process employed by UNC3886 is detailed as follows:
The CVE-2023-34048 vulnerability was exploited to implant a backdoor into the vCenter System.
The attacker then retrieved clear text credentials for ESXi hosts connected to the vCenter, listing all ESXi hosts and their respective guest VMs.
Using these credentials, the attacker connected to ESXi hosts from the vCenter server.
Two backdoors, VIRTUALPITA and VIRTUALPIE, were installed through malicious VIB installations on the ESXi hosts.
This allowed the attacker to connect directly to the ESXi hosts or VMs via the backdoors.
Another vulnerability, CVE-2023-20867, was exploited on the ESXi hosts for unauthenticated command execution and file transfers on guest VMs.
The attacker carried out unauthenticated, privileged commands and transferred files to and from the guest VMs.
The evidence of these intrusions was partly found in the VMware service crash logs, where entries indicated the "vmdird" service crashing moments before the backdoors were deployed. The exploitation of CVE-2023-34048, an out-of-bounds write vCenter vulnerability, was associated with these crashes and allowed for unauthenticated remote command execution.
The core dumps from these crashes, which are typically preserved indefinitely in VMware's default configurations, were often missing, suggesting intentional deletion by the attackers to conceal their presence. To protect against this kind of exploitation, users are advised to upgrade to the latest supported version of vCenter.
CVE-2023-6548 and CVE-2023-6549: Citrix NetScaler Vulnerabilities Actively Exploited
On January 16, 2024, Citrix announced an advisory regarding two zero-day vulnerabilities identified as CVE-2023-6548 and CVE-2023-6549, found within its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances.
CVE-2023-6548, an authenticated remote code execution (RCE) vulnerability, poses a medium severity threat that allows attackers with low-level privileges to execute arbitrary code if they have access to the NetScaler IP (NSIP), Subnet IP (SNIP), or Cluster Management IP (CLIP) with access to the appliance's management interface. On the other hand, CVE-2023-6549, a high-severity denial of service (DoS) vulnerability, affects appliances configured as a Gateway or AAA virtual server, potentially allowing attackers to disrupt service operations.
These vulnerabilities are particularly concerning as they have been exploited in the wild, underscoring the urgency for affected organizations to apply the necessary patches. Following the disclosure of a critical flaw named "CitrixBleed" (CVE-2023-4966) in October, which was widely exploited, these new vulnerabilities mark the second and third zero-day vulnerabilities in Citrix NetScaler appliances disclosed in the last four months.
Citrix has responded by releasing patches for the affected products and versions, advising customers to update their appliances to the fixed versions as soon as possible. To mitigate the risk of exploitation, Citrix also strongly recommends isolating network traffic to the appliance’s management interface and ensuring that the management interface is not exposed to the internet, alongside upgrading appliances from the now End Of Life (EOL) version 12.1 to a supported version that addresses these vulnerabilities.
Comments
Post a Comment