Blog article

Weekly Digest Week 43 – 2023

Publication date

30.10.2023

VMware fixes critical code execution flaw in vCenter Server

VMware has issued security updates for a critical vCenter Server vulnerability that can be exploited for remote code execution on unpatched servers.


The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro’s Zero Day Initiative. It is an out-of-bounds write in vCenter’s DCE/RPC protocol implementation.


Unauthenticated attackers can exploit it remotely in low-complexity attacks that require no user interaction. VMware says it has no evidence that the CVE-2023-34048 RCE bug is currently being used in attacks.


Security patches addressing this issue are now available through the standard vCenter Server update mechanisms. Because of the severity of this bug, VMware has also released patches for several end-of-life products that are no longer under active support.

Analysis from our SOC team
This vulnerability emphasizes the risk of exposed enterprise infrastructure: an unauthenticated, low-complexity remote code execution path makes immediate patching essential.

In addition to patching, we want to emphasise that vCenter should never be reachable from untrusted networks. Prioritise network segmentation so that only administrative networks can reach the vCenter management interfaces, and monitor vCenter activity so that an exploitation attempt can be detected.


F5 warns of critical BIG-IP flaw allowing unauthenticated remote code execution

F5 has alerted customers to a critical security vulnerability in BIG-IP that could result in unauthenticated remote code execution.


The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.


« This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, » F5 said in an advisory released Thursday. « There is no data plane exposure; this is a control plane issue only. »

Analysis from our SOC team
With a CVSS score of 9.8, this control-plane-only issue still requires swift attention: the management port and self IPs are often reachable from far more of the network than intended. Upgrade to a fixed version and apply the matching engineering hotfix; where that is not yet possible, apply the mitigation from the F5 advisory and restrict access to the management port and self IPs to trusted administrative networks.

The following versions were found to be vulnerable. Note that the fix is the listed point release plus the engineering hotfix; the point release alone does not close the issue:
17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
16.1.0 – 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
15.1.0 – 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
14.1.0 – 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
13.1.0 – 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)
Mitigations are also provided in a MyF5 security advisory.
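As an added example (not code from this digest, from F5 or from the F5 advisory), the following Python takes the affected/fixed version table above and classifies a BIG-IP version and build as vulnerable, fixed or not listed. It assumes, as the table states, that a host only counts as fixed when it runs the listed point release together with the engineering hotfix build, and that the input looks like the Version and Build lines printed by `tmsh show sys version`; the sample tmsh output below is constructed, not captured from a real device.

```python
"""
Added example: classify a BIG-IP version/build pair against the
CVE-2023-46747 affected/fixed table from the advisory summary above.

Assumptions (ours, not F5's): a release is fixed only when both the point
release and the engineering hotfix build are present, and version/build
strings look like the `tmsh show sys version` output.
"""
import re

# (lowest affected branch, highest affected branch, fixed version, hotfix build),
# transcribed from the version list above.
AFFECTED = [
    ((17, 1, 0), (17, 1, 0), (17, 1, 0, 3), (0, 75, 4)),
    ((16, 1, 0), (16, 1, 4), (16, 1, 4, 1), (0, 50, 5)),
    ((15, 1, 0), (15, 1, 10), (15, 1, 10, 2), (0, 44, 2)),
    ((14, 1, 0), (14, 1, 5), (14, 1, 5, 6), (0, 10, 6)),
    ((13, 1, 0), (13, 1, 5), (13, 1, 5, 1), (0, 20, 2)),
]


def _parts(text, width):
    """Turn '16.1.4.1' into a zero-padded tuple of ints of the given width."""
    nums = tuple(int(p) for p in text.strip().split("."))
    if len(nums) > width:
        raise ValueError(f"too many components in {text!r}")
    return nums + (0,) * (width - len(nums))


def cve_2023_46747_status(version, build="0.0.0"):
    """
    Return 'fixed', 'vulnerable' or 'not listed' for a BIG-IP version.

    'fixed' means the version is at or past the fixed point release AND the
    build is at or past the engineering hotfix build. The point release on
    its own (e.g. 17.1.0.3 build 0.0.4) is still reported as vulnerable.
    """
    v = _parts(version, 4)
    b = _parts(build, 3)
    for low, high, fixed_v, fixed_b in AFFECTED:
        if low <= v[:3] <= high:
            # Tuple comparison: version first, then build within the same version.
            return "fixed" if (v, b) >= (fixed_v, fixed_b) else "vulnerable"
    return "not listed"  # e.g. 17.1.1 or 12.x: not in the advisory table above


_VERSION_RE = re.compile(r"^\s*Version\s+(\S+)", re.M)
_BUILD_RE = re.compile(r"^\s*Build\s+(\S+)", re.M)


def status_from_tmsh(output):
    """Parse the Version and Build lines of `tmsh show sys version` output."""
    version = _VERSION_RE.search(output)
    build = _BUILD_RE.search(output)
    if not version:
        raise ValueError("no Version line found in tmsh output")
    return cve_2023_46747_status(version.group(1), build.group(1) if build else "0.0.0")


# Constructed sample in the layout of `tmsh show sys version` (not real output):
# the point release is installed but the engineering hotfix is not.
SAMPLE_TMSH = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     17.1.0.3
  Build       0.0.4
  Edition     Point Release 3
"""

if __name__ == "__main__":
    for ver, bld in [("17.1.0.2", "0.0.1"), ("17.1.0.3", "0.0.4"),
                     ("17.1.0.3", "0.75.4"), ("16.1.4", "0.0.0"),
                     ("16.1.4.1", "0.50.5"), ("17.1.1", "0.0.0")]:
        print(f"{ver:10} build {bld:8} -> {cve_2023_46747_status(ver, bld)}")
    print("sample tmsh output ->", status_from_tmsh(SAMPLE_TMSH))
```

Versions outside the listed branches are reported as "not listed" rather than "fixed", because the table above says nothing about them; check the F5 advisory before treating such a device as safe.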


Proof-of-concept exploit released for the ‘Citrix Bleed’ NetScaler vulnerability

A proof-of-concept (PoC) exploit has been released for the ‘Citrix Bleed’ vulnerability, tracked as CVE-2023-4966, which allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.


Threat monitoring service Shadowserver reports spikes in exploitation attempts following the publication of Assetnote’s PoC, so malicious activity has already started.


As vulnerabilities of this type are commonly used in ransomware and data theft attacks, system administrators are strongly advised to deploy the patches immediately.

Analysis from our SOC team
The spike in exploitation attempts after the PoC publication is alarming. Given the potential for ransomware and data breaches, organizations should expedite patching of Citrix NetScaler devices and monitor for unusual activity. Keep in mind that a session token stolen before the update remains valid afterwards: terminate all active sessions once the appliance is patched, and review authentication logs for sessions reused from unexpected client addresses.


Okta support system breach used to target customers, including 1Password

Okta, a cloud-based, enterprise-grade identity and access management (IAM) service that connects enterprise users across applications and devices, is used by more than 17,000 customers globally.


Last week, it disclosed that a threat actor had used stolen credentials to access its customer support case management system. The attacker then used that access to target some of those customers through their recent customer support cases.


This is what happened to 1Password. On September 29, the password-management company observed suspicious activity in the Okta instance it uses to manage its employee-facing apps, according to a company statement. The activity was quickly terminated; while 1Password did not detail how far the intrusion into employee apps went, it said that no user or employee data or other sensitive systems were compromised.


News of more victims may yet come: Okta has said it has informed other potentially affected customers.

Analysis from our SOC team
Even security-focused platforms are not impenetrable. The attacker’s pivot from Okta’s support system to Okta customers such as 1Password demonstrates how interconnected the risks in the modern digital landscape are.

Businesses should re-evaluate their security posture and ensure robust monitoring, especially if they have engagements with Okta: review administrative and support-related events in their Okta tenant for the period in question, and treat any diagnostic data uploaded to a support case as credential-bearing material that must be sanitised before upload and revoked afterwards.


Critical vulnerabilities in SolarWinds Access Rights Manager

Trend Micro’s Zero Day Initiative has discovered several high and critical severity vulnerabilities in the SolarWinds Access Rights Manager (ARM) tool. Successful exploitation allows a remote unauthenticated attacker to execute arbitrary code with SYSTEM privileges.


SolarWinds ARM provides Microsoft Active Directory integration and role-based access control. It is designed to help IT and security administrators quickly provision, deprovision, manage and audit user access rights to systems, data and files, protecting their organisations from the risks of data loss and breaches.


Any organisation using SolarWinds ARM should forensically examine vulnerable systems to determine if they have been compromised and if there has been any data exfiltration.

Analysis from our SOC team
We want to emphasise the recommended actions described above.

Given ARM’s role in access control, and the fact that these flaws give an unauthenticated attacker SYSTEM-level code execution on a server integrated with Active Directory, a compromise could result in extensive access. Organizations should prioritize patching, conduct forensic investigations on exposed systems, and review access logs to detect and mitigate potential breaches.
