Weekly Vulnerability Summary: 7 New Vulnerabilities for the week of October 29, 2023
A continuation of our weekly series summarizing all the latest vulnerabilities that were discovered, we have 7 more vulnerabilities you should know about.
Improper Authorization Vulnerability In Confluence
Atlassian Confluence fell victim to a zero day vulnerability, CVE-20230-22518, that was reported by customers to have been actively exploited. Atlassian urged all customers to take immediate action to patch their Confluence Server/Data Center instances. The fixed versions are: 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1. Beyond this, if patching is not possible, Atlassian released a guide on temporary mitigations. Proof of concept scanners have been released on GitHub to check if your version is vulnerable, beyond just checking the version numbers.
The vulnerability is only limited to data loss and a denial of service, no data leakage appears to be possible at the moment. If the instance is exploited, it could result in the complete loss of data on Confluence.
UPDATE: This vulnerability has had its severity increased and Atlassian is urging customers to update as soon as possible, as instances are being targeted by ransomware.
Apache ActiveMQ Remote Code Execution Ransomware
A new Apache remote code execution (RCE) vulnerability was discovered in ActiveMQ, which was actively being targeted by ransomware campaigns. The vulnerability allows for a remote attacker with network access to run arbitrary commands. It is recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this vulnerability. CVE-2023-46604 is an insecure deserialization vulnerability that seems to have been targeted by HelloKitty Ransomware. Currently there are numerous publicly available proof of concept exploits on GitHub.
If you use ActiveMQ and suspect you may have been attacked, you can view our blog post on the indicators of compromise. If you’ve never heard of Deserialization Vulnerabilities, we have an “Explain It Like I’m 5” post on that as well. For more information, Bleeping Computer has a great, in-depth write-up.
Chrome 119 patches 15 Vulnerabilities
Google released an update advisory that addresses 15 vulnerabilities, most of which were reported by external researchers. Three of the findings were rated as high severity, with the rest being medium or low. Many of these are use-after-free (UAF) vulnerabilities. Google has not published any proof-of-concept code or significant details yet, as expected, as they usually wait for most users to upgrade to the patched versions first. Currently the latest version is 119.0.6045.105 for Linux and macOS, and 119.0.6045.105/.106 for Windows.
Cisco’s Vulnerable Security Products
Cisco’s security products Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) received patches this week. Cumulatively the patches address 27 vulnerabilities. Many of the high and critical vulnerabilities result in a denial of service or command injection exploits. The most severe of which is CVE-2023-20048, a vulnerability in the web services interface of Cisco Firepower Management Center (FMC) may allow an authenticated, remote attacker to execute commands on a Firepower Threat Defense (FTD).
While all of this is great news, at least one vulnerability had been identified in mid-2022 and took over a year to patch. Luckily, despite publicly available proof of concept exploits being available, there was no evidence it was taken advantage of in the wild. This delay highlights the need for vendors to not release vulnerability details until a patch is available, which is counter to the potential EU legislation that is asking for it to be disclosed on discovery, not patch availability.
NGINX Ingress Controller for Kubernetes Vulnerabilities
Our earlier post on NGINX Ingress Controller for Kubernetes’ vulnerabilities covers this finding on three new findings that allow for authenticated attackers to steal secrets through privilege escalation flaws and the ability to redirect API data flows. The default Ingress Controller configuration is both public facing and allows for it to access API secrets, so when combined with these vulnerabilities, it can be dangerous. Be sure to upgrade to the latest version (version > 1.9.0).
Microsoft Edge Remote Code Execution Flaw
Microsoft released a set of patches for remote code execution and spoofing vulnerabilities in Edge. The two remote code execution vulnerabilities, CVE-2023-36022 & CVE-2023-36034, allow for an unauthenticated, remote attacker to execute arbitrary commands by getting the user to run a malicious file. This tends to be quite common for browser exploits, but do not underestimate its effectiveness, getting a user to run a malicious file can be surprisingly easy via social engineering and phishing, especially with AI.
The spoofing vulnerability (CVE-2023-36029) requires the attacker to be on the network, though they can be unauthenticated. Like the above vulnerabilities, it too requires user interaction to exploit. As of now, no publicly available exploits exist, but Microsoft is asking for Edge users to update their software.
Kubernetes Privilege Escalation Vulnerability
A vulnerability was discovered in Kubernetes clusters that include Windows nodes. If there are no Windows nodes in the cluster, it is secure. The vulnerability, CVE-2023-3676, allows for users that can create pods on Windows nodes to gain admin privileges on those nodes. This privilege escalation vulnerability has patches released for it, so be sure to update your clusters containing Windows nodes as soon as possible. If you aren’t sure what kinds of nodes they contain, you can run the following command:
kubectl get nodes -l kubernetes.io/os=windowsIf you discover you have Windows nodes, looking for artifacts like: pod-create events, embedded PowerShell commands in config maps or secrets mounted to pods, or just embedded PowerShell commands you don’t recognize; can all be a sign of compromise.
If you are feeling a little overwhelmed managing your vulnerabilities and risk, get a demo of Glassportal today: demo@glassportal.io
