Weekly Vulnerability Summary: 7 New Vulnerabilities for the week of November 5, 2023
Our weekly vulnerability summary covers all the latest findings for the week. Catch yourself up with our concise summaries and determine if your organization is at risk.
Atlassian Confluence Upgrades Vulnerability Severity
Our last weekly summary referenced a vulnerability in Confluence. Atlassian has since raised this vulnerability to a 10/10 critical rating because attackers are able to exploit it. CVE-2023-22518 is being actively targeted by Cerber ransomware, and customers are urged to patch Confluence Server and Data Center as soon as possible.
Android’s November Patch Release
You may have noticed updates for your Android phone this week. 37 vulnerabilities were patched in the latest release, including several critical and many high severity findings. These include denial-of-service, information disclosure, and remote code execution vulnerabilities, affecting many components, especially the Framework, System and Qualcomm components. To check your version, you can use this guide; be sure to look for the 2023-11-05 patch level.
Veeam RCE and Hash Theft Vulnerabilities
Veeam announced four vulnerabilities recently, including two critical and two medium severity findings. CVE-2023-38547 allows an unauthenticated attacker to obtain information about the SQL server connection, which can result in remote code execution on the SQL server hosting the Veeam ONE configuration database. CVE-2023-38548 allows an authenticated user without privileges on the Veeam ONE Web Client to acquire the NTLM hash of the service account used by Veeam ONE Reporting. Hotfixes are available for the affected Veeam versions: 12.0.1.2591, 11.0.1.1880 and 11.0.0.1379.
Lenovo Vulnerabilities Allow Arbitrary Code Execution
Lenovo reported several vulnerabilities in many of their products’ BIOS that could lead to arbitrary code execution. CVE-2023-5075 allows a local user to elevate their privileges and execute arbitrary code. CVE-2023-5078 could allow an attacker with physical access to the system to escalate their privileges and modify BIOS firmware. Desktop, Notebook, ThinkPad, Smart Edge and ThinkStation products all were reported with privilege escalation vulnerabilities in their BIOS. Lenovo is advising customers to upgrade their firmware as soon as they can.
QNAP Command Injection Vulnerabilities
QNAP released several advisories this week detailing remote code execution and command injection vulnerabilities. CVE-2023-23368 and CVE-2023-23369 both allow remote attackers to run commands on the device over the network. Administrators can update the firmware by logging in, navigating to Control Panel > System > Firmware Update, and clicking "Check for Update" under Live Update to download and install the latest version. Updates are also available as manual downloads from QNAP's website for systems that do not have internet access. It is important to patch these devices as soon as possible: they often store large amounts of data, and QNAP devices have been targeted before by ransomware using zero-day vulnerabilities.
EEG Software Vulnerability
Natus NeuroWorks EEG Software was discovered to use default Microsoft SQL (MSSQL) credentials that are easily accessible and cannot be changed without breaking proper operation of the software. Normally the severity of default credentials depends on the device, but because this device operates within healthcare/HIPAA environments, it presents a foothold for attackers. This is especially common as medical devices often run under local administrator accounts and lack anti-virus. This vulnerability reflects a common gap between how users and attackers think about a system: attackers will take advantage of any weakness and chain it with others to take over systems. The vendor has released a patch, introduced in version 8.4 GMA3, that allows administrators to change the default credentials while maintaining proper operation of the system.
Hashicorp Vault Denial-of-Service
Hashicorp announced a vulnerability in their Vault and Vault Enterprise ("Vault") products. Inbound client requests that trigger a policy check can lead to unbounded memory consumption, so an excessive number of these requests may result in denial-of-service. This issue, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, where each inbound client request creates a logger that is never removed from memory. It is fixed in Vault 1.15.2, 1.14.6, and 1.13.10.
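The failure mode here is a per-request resource that is registered but never released, so memory grows with request volume rather than with concurrency. The Go program below is an added illustration of that pattern and is not Vault's code; `Registry`, `LeakyPolicyCheck`, `FixedPolicyCheck` and the policy rule are all hypothetical names constructed for the example. It contrasts a check that leaves one named logger behind per request with one that releases the logger when the request finishes, and exposes the retained count as the kind of metric a defender would alert on.

```go
package main

import (
	"fmt"
	"sync"
)

// Logger stands in for a per-request log handle (constructed for this example).
type Logger struct{ Name string }

// Registry keeps loggers alive by name. Anything left in the map is never
// garbage-collected, so one entry per request is a memory leak.
type Registry struct {
	mu      sync.Mutex
	loggers map[string]*Logger
}

func NewRegistry() *Registry {
	return &Registry{loggers: make(map[string]*Logger)}
}

// Register creates (or returns) the logger for name.
func (r *Registry) Register(name string) *Logger {
	r.mu.Lock()
	defer r.mu.Unlock()
	if l, ok := r.loggers[name]; ok {
		return l
	}
	l := &Logger{Name: name}
	r.loggers[name] = l
	return l
}

// Remove drops the logger so it can be garbage-collected.
func (r *Registry) Remove(name string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	delete(r.loggers, name)
}

// Len reports how many loggers are currently retained. Exported as a metric,
// a value that climbs with request volume is the signal for this bug class.
func (r *Registry) Len() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.loggers)
}

// evaluatePolicy is a placeholder for the real policy check (constructed rule:
// deny one path, allow everything else).
func evaluatePolicy(l *Logger, path string) bool {
	_ = l // a real check would write its decision through l
	return path != "sys/raw"
}

// LeakyPolicyCheck mirrors the buggy pattern: a uniquely named logger per
// request that nothing ever removes.
func LeakyPolicyCheck(r *Registry, reqID int, path string) bool {
	l := r.Register(fmt.Sprintf("policy-check-%d", reqID))
	return evaluatePolicy(l, path)
}

// FixedPolicyCheck releases the logger when the request finishes, so the
// registry size is bounded by the number of in-flight requests.
func FixedPolicyCheck(r *Registry, reqID int, path string) bool {
	name := fmt.Sprintf("policy-check-%d", reqID)
	l := r.Register(name)
	defer r.Remove(name)
	return evaluatePolicy(l, path)
}

// Simulate sends n sequential requests through check and returns how many
// loggers remain registered afterwards.
func Simulate(n int, check func(*Registry, int, string) bool) int {
	r := NewRegistry()
	for i := 0; i < n; i++ {
		check(r, i, "secret/data/app")
	}
	return r.Len()
}

func main() {
	const n = 10000
	fmt.Printf("leaky: %d loggers retained after %d requests\n", Simulate(n, LeakyPolicyCheck), n)
	fmt.Printf("fixed: %d loggers retained after %d requests\n", Simulate(n, FixedPolicyCheck), n)
}
```

Running it prints 10000 retained loggers for the leaky variant and 0 for the fixed one. The useful operational takeaway is the shape of the signal rather than the fix itself: heap or object counts that track cumulative request count instead of concurrent requests indicate this class of bug, whichever component owns the leak.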
Glassportal can help you understand your risk from these vulnerabilities, so you can focus on those that matter most to your organization. Schedule a demo with us: demo@glassportal.io