CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.
The directive followed widespread exploitation of the two vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), by multiple threat actors. Chained together, the flaws let an unauthenticated attacker craft malicious requests and execute arbitrary commands on the appliance.
Ivanti acknowledged in an advisory that it had witnessed a "sharp increase in threat actor activity" starting on January 11, 2024, after the shortcomings were publicly disclosed.
Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek / CISA Known Exploited Vulnerabilities catalog
Link: https://thehackernews.com/2024/01/cisa-issues-emergency-directive-to.html
Link: https://www.securityweek.com/cisa-issues-emergency-directive-on-ivanti-zero-days/
Link: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
VMware confirms critical vCenter flaw now exploited in attacks
VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.
vCenter Server is a management platform for VMware vSphere environments that helps administrators manage ESX and ESXi servers and virtual machines (VMs).
"VMware has confirmed that exploitation of CVE-2023-34048 has occurred in the wild," the company said in an update added to the original advisory this week.
The vulnerability was reported by Trend Micro vulnerability researcher Grigory Dorodnov and is caused by an out-of-bounds write weakness in vCenter’s DCE/RPC protocol implementation.
Attackers can exploit it remotely in low-complexity attacks that require neither authentication nor user interaction, with high confidentiality, integrity, and availability impact. Because of its severity, VMware has also issued security patches for several end-of-life products that are no longer under active support.
Source: BleepingComputer / The Hacker News / SecurityWeek
Link: https://thehackernews.com/2024/01/citrix-vmware-and-atlassian-hit-with.html
Link: https://www.securityweek.com/vmware-vcenter-server-vulnerability-exploited-in-wild/
Citrix warns of new Netscaler zero-days exploited in attacks
Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities.
The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively.
However, to gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access. Also, the appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to DoS attacks.
The company says that only customer-managed NetScaler appliances are impacted by the zero-days, while Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.
Source: BleepingComputer / The Hacker News / Dark Reading / SecurityWeek / Citrix Knowledge Center
Link: https://thehackernews.com/2024/01/citrix-vmware-and-atlassian-hit-with.html
Link: https://www.securityweek.com/citrix-warns-netscaler-adc-customers-of-new-zero-day-exploitation/
Atlassian warns of critical RCE flaw in older Confluence versions
Atlassian Confluence Data Center and Confluence Server are vulnerable to a critical remote code execution (RCE) vulnerability that impacts versions released before December 5, 2023, including out-of-support releases.
The flaw is tracked as CVE-2023-22527, rated critical (CVSS v3: 10.0), and is a template injection vulnerability allowing unauthenticated attackers to perform remote code execution on impacted Confluence endpoints. "Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates," reads Atlassian's security bulletin.
Source: BleepingComputer / The Hacker News / SecurityWeek / Atlassian security advisory
Link: https://thehackernews.com/2024/01/citrix-vmware-and-atlassian-hit-with.html
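All four items above concern CVEs that are actively exploited and therefore land in the CISA Known Exploited Vulnerabilities (KEV) catalog linked in the first item, each with a remediation due date. The script below is an added example, not code from the page, CISA or any of the vendors: it parses a KEV-format JSON feed and triages a local asset inventory against it, flagging unpatched assets whose due date has passed. The feed sample and the inventory are constructed inline so the script runs offline; the field names match the real KEV JSON schema, but the due dates, product strings and hostnames are illustrative, not CISA's actual records.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates and product strings are illustrative placeholders, not CISA's real entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.01.19",
    "dateReleased": "2024-01-19T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
         "product": "Connect Secure and Policy Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-34048", "vendorProject": "VMware",
         "product": "vCenter Server",
         "dateAdded": "2024-01-22", "dueDate": "2024-02-12",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-6548", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2024-01-17", "dueDate": "2024-01-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-22527", "vendorProject": "Atlassian",
         "product": "Confluence Data Center and Server",
         "dateAdded": "2024-01-24", "dueDate": "2024-02-14",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory (hypothetical hosts). "patched" lists the CVEs
# already remediated on that host, as recorded by whatever tracks your patching.
INVENTORY = [
    {"host": "vpn-01",  "vendor": "Ivanti",    "product": "Connect Secure", "patched": []},
    {"host": "vcsa-01", "vendor": "VMware",    "product": "vCenter Server", "patched": ["CVE-2023-34048"]},
    {"host": "adc-01",  "vendor": "Citrix",    "product": "NetScaler ADC",  "patched": []},
    {"host": "wiki-01", "vendor": "Atlassian", "product": "Confluence",     "patched": []},
]


def parse_kev(feed_text):
    """Return {cveID: entry} from a KEV JSON document, with dates parsed up front
    so a malformed feed fails loudly here rather than during triage."""
    doc = json.loads(feed_text)
    catalog = {}
    for raw in doc["vulnerabilities"]:
        entry = dict(raw)
        entry["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"]] = entry
    return catalog


def affected_entries(catalog, vendor, product):
    """KEV entries for the given vendor whose product field mentions the asset's
    product name (case-insensitive substring match, since KEV product strings
    often cover several products, e.g. 'Connect Secure and Policy Secure')."""
    vendor, product = vendor.lower(), product.lower()
    return [e for e in catalog.values()
            if e["vendorProject"].lower() == vendor and product in e["product"].lower()]


def triage(catalog, inventory, today):
    """List every unpatched (host, CVE) pair that KEV covers, most overdue first."""
    findings = []
    for asset in inventory:
        for entry in affected_entries(catalog, asset["vendor"], asset["product"]):
            if entry["cveID"] in asset.get("patched", ()):
                continue  # already remediated on this host
            days_left = (entry["dueDate"] - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"].isoformat(),
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "due",
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


def run_example(today_iso="2024-01-26"):
    """Triage the constructed inventory against the constructed feed as of today_iso."""
    return triage(parse_kev(KEV_SAMPLE), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['status']:8} {f['host']:8} {f['cve']:15} due {f['due']} ({f['days_left']:+d} days)")
```

With the constructed dates and a triage date of 2024-01-26, vpn-01 shows both Ivanti CVEs overdue, adc-01 shows CVE-2023-6548 overdue, wiki-01 shows CVE-2023-22527 still within its window, and vcsa-01 is absent because its only matching CVE is recorded as patched. Swapping `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for your real asset list is the only change needed for production use; the substring product match is deliberately loose, so review matches rather than treating an empty result as proof of safety.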
Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous research into the driver-based browser hijacker RedDriver and HookSignTool — a signature timestamp forging tool.
With the existence of malicious drivers, there is a need for those who can analyze identified samples. This analysis requires specific knowledge of the Windows operating system, which can be difficult to acquire. Windows drivers and the kernel can be overwhelming to learn about, as these topics are vast and highly complex. The documentation available on these subjects is daunting and difficult to navigate for newcomers, even for those with programming experience. This initial hurdle and steep learning curve create a high barrier of entry into the subject. To many, the kernel space seems to be an arcane and hidden part of the operating system.
Source: Cisco Talos Intelligence Group