Blog article

Weekly Digest Week 43 – 2023

Publication date

30.10.2023

Featured Story

VMware fixes critical code execution flaw in vCenter Server

VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution on vulnerable servers.

The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro’s Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter’s DCE/RPC protocol implementation.

Unauthenticated attackers can exploit it remotely in low-complexity attacks that don’t require user interaction. The company says it has no evidence that the CVE-2023-34048 RCE bug is currently used in attacks.

Security patches addressing this issue are now accessible through the standard vCenter Server update mechanisms. Due to the critical nature of this bug, VMware has also issued patches for multiple end-of-life products that are no longer under active support.

SOC Analysis:
This vulnerability emphasizes the risks of exposed enterprise infrastructure. Because it can be exploited remotely without authentication, immediate patching is crucial.

In addition to patching, we want to emphasise the importance of prioritising network segmentation and monitoring vCenter activity to detect potential exploits.


Other Stories

F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands,” F5 said. “There is no data plane exposure; this is a control plane issue only.”

SOC Analysis:
With a high CVSS score of 9.8, this control plane-only issue requires swift attention. Users should apply provided mitigations cautiously.

The following versions were found to be vulnerable:
– 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
– 16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
– 15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
– 14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
– 13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
Mitigations are also provided in a MyF5 security advisory.
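To turn the version list above into something an inventory script can apply, here is an added example (not F5's or Approach's code) that classifies an installed BIG-IP version against the branches and fixed releases quoted in this digest. It assumes the usual dotted numeric version format and treats anything below the fixed release in a listed branch as vulnerable; note that the fix is the point release plus the engineering hotfix, which a version string alone cannot prove is installed.

```python
from typing import List, Tuple

# Vulnerable branches and fixes exactly as quoted in the digest for CVE-2023-46747:
# (first vulnerable, last vulnerable, fixed release, required engineering hotfix)
ADVISORY: List[Tuple[str, str, str, str]] = [
    ("17.1.0", "17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.1.0", "16.1.4", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.1.0", "15.1.10", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.1.0", "14.1.5", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.1.0", "13.1.5", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """'16.1.4.1' -> (16, 1, 4, 1); '16.1.4' -> (16, 1, 4, 0).

    Padding to a fixed width makes '16.1.4' equal to '16.1.4.0' and keeps
    '17.1.0.1' inside the 17.1.0.x family instead of sorting above '17.1.0'.
    """
    parts = [int(p) for p in v.strip().split(".")]
    if not 2 <= len(parts) <= width:
        raise ValueError(f"unexpected BIG-IP version format: {v!r}")
    return tuple(parts + [0] * (width - len(parts)))


def assess(installed: str) -> Tuple[str, str]:
    """Return (status, detail) for one installed BIG-IP version.

    status is one of:
      'vulnerable'          - in a listed branch and below its fixed release
      'patched-if-hotfixed' - at or above the fixed release; hotfix still required
      'not-listed'          - branch not in the digest's table; consult MyF5
    """
    v = parse_version(installed)
    for first, _last, fixed, hotfix in ADVISORY:
        if v[:2] != parse_version(first)[:2]:
            continue  # different major.minor branch
        if v >= parse_version(fixed):
            return ("patched-if-hotfixed",
                    f"{installed} is at or above {fixed}; confirm {hotfix} is installed")
        # Safe reading: every release in the branch below the fix is vulnerable.
        return ("vulnerable",
                f"{installed} is below {fixed}; upgrade to {fixed} and apply {hotfix}")
    return ("not-listed",
            f"{installed} is not in the listed branches; check the MyF5 advisory")
```

Feed it the output of an inventory query and act on every 'vulnerable' result first; 'patched-if-hotfixed' hosts still need the hotfix confirmed separately.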


Citrix Bleed exploit lets hackers hijack NetScaler accounts

A proof-of-concept (PoC) exploit has been released for the ‘Citrix Bleed’ vulnerability, tracked as CVE-2023-4966, which allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.

Threat monitoring service Shadowserver reports spikes of exploitation attempts following the publication of Assetnote’s PoC, so the malicious activity has already started.

As these types of vulnerabilities are commonly used for ransomware and data theft attacks, it is strongly advised that system administrators immediately deploy patches to resolve the flaw.

SOC Analysis:
The spike in exploitation attempts following the PoC publication is alarming. Given the potential for ransomware and data breaches, organizations should expedite patching Citrix NetScaler devices and monitor for unusual activity.

1Password Becomes Latest Victim of Okta Customer Service Breach

Okta, a cloud-based, enterprise-grade identity and access management (IAM) service used by more than 17,000 customers globally, disclosed that a threat actor had used stolen credentials to access its customer support case management system.

The attacker then leveraged its access to penetrate some of those customers, including 1Password. On Sept. 29, 1Password observed suspicious activity within its Okta instance, which was quickly terminated. No user, employee data, or sensitive systems were compromised.

Okta has informed other potentially affected customers, and more incidents may be reported.

SOC Analysis:
Even security-focused platforms aren’t impenetrable. The attacker’s pivot from Okta’s support system to its customers, such as 1Password, demonstrates the interconnected risks in the modern digital landscape.

Businesses should re-evaluate their security posture and ensure robust monitoring, especially if they have engagements with Okta.


Warning: Multiple Critical vulnerabilities affect the SolarWinds Access Rights Manager tool

Trend Micro’s Zero Day Initiative has discovered several high and critical severity vulnerabilities in the SolarWinds Access Rights Manager (ARM) tool. Exploitation allows a remote unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

ARM provides Active Directory integration and role-based access control to help IT and security administrators manage user access rights.

Organizations using ARM should forensically examine vulnerable systems to determine if they have been compromised and if any data exfiltration has occurred.

SOC Analysis:
The recommended actions described in the article are what we would like to emphasize.

Given ARM’s role in access control, any compromise could result in extensive access. Organizations should prioritize patching, conduct forensic investigations on vulnerable systems, and assess access logs to detect and mitigate potential breaches.


Want to enhance your organization’s cyber awareness or compliance strategy? Contact the Approach Cyber SOC team for tailored support and training programs.
