Most Exploited Vulnerabilities Review - Year 2023


MOVEit Transfer SQL Injection Vulnerability

The vulnerability tracked as CVE-2023-34362, with a CVSS score of 9.8, is a critical SQL injection flaw in MOVEit Transfer, the managed file transfer product from Progress Software. An unauthenticated attacker can reach the MOVEit Transfer database through the web application; depending on the database engine in use (MySQL, Microsoft SQL Server or Azure SQL), the attacker can infer the structure and contents of the database and execute SQL statements that alter or delete its elements. In the observed campaign the injection was chained into a web shell on the server and used to steal stored files rather than to tamper with the database. The Clop ransomware gang exploited the flaw as a zero-day in late May 2023, extracted large volumes of files from hundreds of exposed MOVEit Transfer instances, and extorted the victims without deploying any ransomware.
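The class of bug behind this entry, as an added example that is not code from the original page or from Progress: a lookup built by string interpolation next to the same lookup with a bound parameter, run against a constructed SQLite table (the schema and the two payloads are assumptions for the demo, not MOVEit Transfer's). The second payload shows the "infer the structure of the database" step by reading the schema catalogue through a UNION.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)",
                     [("alice", "token-a"), ("bob", "token-b")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string interpolation: whatever the caller sends
    becomes part of the SQL text and the database parses it as SQL."""
    query = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Binds the value as a parameter: the driver sends it as data, so quotes
    and keywords inside it can never change the statement."""
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads (assumed for the demo). The first dumps every row; the
# second appends a UNION that reads the schema catalogue.
DUMP_ALL = "x' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


def demo():
    """Run both payloads through both lookups and return the rows each produced."""
    conn = make_db()
    return {
        "vulnerable_dump": lookup_vulnerable(conn, DUMP_ALL),
        "vulnerable_schema": lookup_vulnerable(conn, READ_SCHEMA),
        "parameterized_dump": lookup_parameterized(conn, DUMP_ALL),
        "parameterized_schema": lookup_parameterized(conn, READ_SCHEMA),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized lookup returns nothing for both payloads because the whole string is compared as a username; the interpolated one returns every row for the first payload and the CREATE TABLE statement for the second, which is the reconnaissance an attacker performs before altering or extracting data.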

PaperCut NG/MF Multiple Security Vulnerabilities

The vulnerability tracked as CVE-2023-27350, with a CVSS score of 9.8, affects the widely deployed PaperCut NG and PaperCut MF print management servers and posed an urgent threat to many organizations' networks.

It stems from improper access control in the SetupCompleted class: an unauthenticated attacker can bypass authentication on the web management interface and reach functionality that executes arbitrary code in the context of the PaperCut service, which on Windows commonly runs as SYSTEM. Exploitation was observed in the wild before most customers had patched, and the access was used to deploy ransomware (the Bl00dy gang was among the groups reported) and remote management tooling. Because a print server often holds domain credentials and sits inside the internal network, patching and keeping the web management port off untrusted networks are the immediate priorities.


Citrix NetScaler ADC and NetScaler Gateway Information Disclosure (Citrix Bleed)

The vulnerability tracked as CVE-2023-4966, with a CVSS score of 9.4, is a sensitive information disclosure flaw in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. An unauthenticated attacker can cause the appliance to return a large amount of memory beyond the end of a buffer in its response, and that memory contains valid session tokens. A stolen token lets the attacker impersonate an already authenticated user and sidesteps multi-factor authentication, because the MFA check was satisfied when the legitimate session was created. Patching alone does not revoke tokens that have already leaked, so Citrix also instructed administrators to terminate all active and persistent sessions after upgrading; the flaw was exploited by ransomware affiliates, including LockBit.

Fortra GoAnywhere Managed File Transfer (MFT)

The vulnerability tracked as CVE-2023-0669, with a CVSS score of 7.2, affects Fortra's GoAnywhere Managed File Transfer (MFT), a platform that centralizes control over internal and external file transfers. It is a pre-authentication command injection flaw in the administrative console, caused by unsafe deserialization of an attacker-supplied object in the License Response Servlet. An attacker who can reach the administrative console over the network can execute arbitrary code on unpatched versions. The console is not meant to be internet-exposed, but many deployments were, and the Clop gang exploited the flaw as a zero-day in early 2023 to steal data from more than a hundred organizations for extortion.

Microsoft Outlook Elevation of Privilege Vulnerability

The vulnerability tracked as CVE-2023-23397, with a CVSS score of 9.8, is an elevation of privilege vulnerability in all supported versions of Microsoft Outlook for Windows. A specially crafted message carries an extended MAPI property (the reminder sound file path) that points to a UNC path on an attacker-controlled server; when Outlook processes the reminder it connects to that SMB share and authenticates, leaking the user's Net-NTLMv2 response. The attacker can relay that response to other services or crack it offline, impersonating the user without ever obtaining the password. The flaw was exploited as a zero-day by the Russian state-linked actor Forest Blizzard (APT28) against European government and defence targets.

The exploit requires no user interaction: the message is processed as soon as the Outlook client retrieves and synchronizes it, before it is opened or shown in the Preview Pane, so the Preview Pane offers no protection.


Windows SmartScreen Security Feature Bypass Vulnerability

The vulnerability tracked as CVE-2023-24880, with a CVSS score of 4.4 (medium), resides in Windows SmartScreen, the reputation check that warns users before they run downloaded content. Files downloaded from the internet carry the Mark of the Web (MotW), which triggers SmartScreen and opens Office documents in Protected View; a specially crafted file, in the observed attacks an MSI installer with a malformed Authenticode signature, passed the check without any warning. The Magniber ransomware crew used this bypass to distribute its payloads before the March 2023 patch. The low score understates the operational impact: a security feature bypass does nothing on its own, but it removes the warning that would otherwise stop the user from launching malware.

3CX Desktop Client Supply Chain Vulnerability

The vulnerability tracked as CVE-2023-29059, with a CVSS score of 7.8, is the identifier assigned to the trojanized 3CX desktop app, a VoIP client used by more than 600,000 customers worldwide. Rather than a flaw in the product's own code, this was a supply chain compromise: attackers attributed to a North Korea-linked group inserted malicious code into legitimate, signed builds of the 3CX desktop app, which were then distributed from the official website and through the application's update channel. Both the Windows (MSI) and macOS builds were affected. The implant fetched second-stage payloads and, on selected victims, harvested system information and stole credentials saved in browsers. The 3CX build environment had itself been infected through a trojanized installer of another vendor's software, making this a supply chain attack that grew out of an earlier one.

Windows Common Log File System Driver Elevation of Privilege Vulnerability

The vulnerability tracked as CVE-2023-28252, with a CVSS score of 7.8, is a high-severity elevation of privilege flaw in the Windows Common Log File System (CLFS) driver, a general-purpose logging subsystem introduced in Windows Server 2003 R2 and present in every Windows version since. A local attacker who can already run code on the machine can exploit it to gain SYSTEM privileges, the step that turns a foothold into full control of the host. It was exploited as a zero-day before the April 2023 patch by the Nokoyawa ransomware operators, one of several CLFS zero-days used for ransomware deployment in recent years.


Barracuda Email Security Gateway Vulnerability

The vulnerability tracked as CVE-2023-2868, with a CVSS score of 9.8, is a critical remote command injection flaw in the Barracuda Email Security Gateway (ESG) appliance. It sits in the logic that screens incoming e-mail attachments: when the appliance parses a TAR archive, the file names inside the archive are passed unsanitized into a Perl system-command invocation, so a crafted file name is executed as a shell command with the privileges of the ESG process. An attacker only needs to send an e-mail with a malicious attachment to a domain protected by the appliance.

The flaw had been exploited since at least October 2022 by a China-linked espionage group (tracked by Mandiant as UNC4841) that installed persistent backdoors on compromised appliances. Because the attackers had modified the devices at a level that patches could not reliably undo, Barracuda Networks urged customers not merely to patch but to completely replace affected appliances, an unusual step that highlights the severe risk posed to e-mail security infrastructure worldwide.
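The injection pattern behind this entry, as an added example that is not Barracuda's code or taken from the appliance: a TAR archive is constructed in memory, its member names are read from the headers, and the same names are fed to a vulnerable command-line builder (shell string, never executed here) and to a hardened one that validates against an allowlist and passes the name as a separate argv element. The scanner command name and the allowlist pattern are assumptions for the demo.

```python
import io
import re
import tarfile

# Allowlist for member names we are willing to hand to an external tool;
# the pattern is an assumption for the demo, not the appliance's own rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def build_tar(member_names):
    """Construct a TAR archive in memory with one empty member per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            info = tarfile.TarInfo(name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def member_names(tar_bytes):
    """Read member names straight from the archive headers, without extracting."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def scan_command_vulnerable(tar_bytes):
    """The vulnerable pattern: the attacker-controlled name is interpolated into
    a shell command line. The string is only built and returned here; handing
    it to a shell is what makes the real bug exploitable."""
    return [f"scanner --file '{name}'" for name in member_names(tar_bytes)]


def scan_argv_hardened(tar_bytes):
    """The hardened pattern: reject anything outside the allowlist and pass the
    name as its own argv element, so no shell ever parses it."""
    argv = []
    for name in member_names(tar_bytes):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected tar member name {name!r}")
        argv.append(["scanner", "--file", name])
    return argv


# Constructed samples: a benign archive and one whose member name closes the
# quoted argument and appends further shell commands.
BENIGN_TAR = build_tar(["report.pdf", "notes.txt"])
MALICIOUS_TAR = build_tar(["report.pdf'; id > /tmp/pwned; echo '"])

if __name__ == "__main__":
    print(scan_command_vulnerable(MALICIOUS_TAR)[0])
    print(scan_argv_hardened(BENIGN_TAR))
```

Single-quoting the interpolated value, as the vulnerable builder does, is not a defence: the member name simply contains a closing quote. Only an allowlist plus argv-style invocation removes the shell from the path.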

VMware Aria Operations for Networks Command Injection Vulnerability

The vulnerability tracked as CVE-2023-20887, with a CVSS score of 9.8, is a critical command injection flaw in VMware Aria Operations for Networks (formerly vRealize Network Insight). A malicious actor with network access to the appliance can perform a command injection attack without authentication, resulting in remote code execution and control of the affected system. Public exploit code appeared within days of the advisory, and VMware confirmed in-the-wild exploitation shortly afterwards.

SugarCRM Remote Code Execution Vulnerability

The vulnerability tracked as CVE-2023-22952, with a CVSS score of 9.8, is a critical authentication bypass and remote code execution flaw in SugarCRM that was exploited as a zero-day around the turn of 2023. Missing input validation in the EmailTemplates module lets an unauthenticated attacker upload a crafted image that carries PHP code and then execute it on the server, typically as a web shell. How much damage follows depends on how securely the host itself is configured.

SugarCRM deployments hold large volumes of sensitive customer data, and Unit 42 documented attackers using a compromised SugarCRM host as a foothold to pivot into the owner's AWS environment, abusing long-term access keys found on the host and permissive IAM configurations to broaden their access.


WinRAR Vulnerability

The vulnerability tracked as CVE-2023-38831, with a CVSS score of 7.8, affects RARLAB WinRAR before version 6.23 and allows an attacker to execute arbitrary code when a user attempts to open a benign-looking file inside a ZIP archive. The archive contains a benign file (such as an ordinary .JPG) and a folder with the same name; when the user double-clicks the benign file, WinRAR also processes the contents of the folder, and a script placed there (for example a .CMD file sharing the decoy's base name) is executed instead of, or alongside, the decoy. The flaw was exploited in the wild from April to October 2023, first by financially motivated actors targeting cryptocurrency and stock traders on trading forums, and later by several state-sponsored groups after the technique became public.
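A scanner for the archive layout described above, as an added example that is not WinRAR's code or code from the original page: it builds ZIP archives in memory, then flags any top-level file that shares its name with a folder holding a script-like member. The list of script extensions and the sample member names are assumptions for the demo; the comparison strips trailing whitespace so padded variants of the name are also caught.

```python
import io
import os
import zipfile

# File types that would be launched rather than viewed when "opened"; this list
# is an assumption for the demo, not taken from WinRAR.
SCRIPT_EXT = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}


def build_archive(entries):
    """Construct a ZIP in memory from a {member_name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_decoy_pairs(zip_bytes):
    """Return (decoy_file, script_member) pairs for the CVE-2023-38831 layout:
    a top-level file plus a folder whose name matches it (trailing whitespace
    ignored) that contains a script-like member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # Top-level regular files, keyed by name with trailing spaces stripped.
    top_files = {n.rstrip(): n for n in names if "/" not in n and not n.endswith("/")}
    hits = []
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue                      # not a member inside a folder
        folder, _, leaf = n.partition("/")
        decoy = top_files.get(folder.rstrip())
        if decoy is None:
            continue                      # folder does not shadow a top-level file
        if os.path.splitext(leaf.rstrip())[1].lower() in SCRIPT_EXT:
            hits.append((decoy, n))
    return hits


# Constructed samples (not real malware): a weaponized layout and a benign one.
MALICIOUS_ZIP = build_archive({
    "invoice.jpg": b"\xff\xd8\xff decoy image bytes",
    "invoice.jpg/invoice.jpg .cmd": b"@echo off\r\nstart calc.exe\r\n",
})
BENIGN_ZIP = build_archive({
    "invoice.jpg": b"\xff\xd8\xff image bytes",
    "docs/readme.txt": b"nothing to see",
})

if __name__ == "__main__":
    print(find_decoy_pairs(MALICIOUS_ZIP))
    print(find_decoy_pairs(BENIGN_ZIP))
```

A legitimate archive has no reason to contain a folder whose name exactly matches a file beside it, so a single hit is enough to quarantine the attachment at the mail gateway rather than relying on every endpoint having WinRAR 6.23 or later.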

Oracle WebLogic Vulnerability

The vulnerability tracked as CVE-2023-21839, with a CVSS score of 7.5, resides in the Core component of Oracle WebLogic Server, part of Oracle Fusion Middleware. Supported versions affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. The flaw is easily exploitable: an unauthenticated attacker with network access to the T3 or IIOP listener can compromise the server. Oracle's advisory describes the impact as unauthorized access to critical data or to all data accessible to the server, but the underlying issue lets the attacker trigger a JNDI lookup against an attacker-controlled server, which in practice yields remote code execution; CISA added the flaw to its Known Exploited Vulnerabilities catalog in May 2023. Disabling or firewalling T3 and IIOP where they are not required removes the exposure.

SLP Protocol Abused

The vulnerability tracked as CVE-2023-29552, with a CVSS score of 8.6, affects the Service Location Protocol (SLP, UDP port 427), a legacy service discovery protocol that lets devices find printers, file servers and similar services on a local network. SLP was never meant to be exposed to the internet, yet tens of thousands of reachable instances exist. An unauthenticated remote attacker can register arbitrary services with an SLP server, inflating the size of its replies, and then send requests with a spoofed source address so that the replies are directed at a victim. Researchers measured an amplification factor of up to roughly 2,200x, one of the largest reflective denial-of-service vectors known. The remedy is to disable SLP on any system reachable from untrusted networks or to filter UDP port 427 at the perimeter.


Atlassian Confluence

The vulnerability tracked as CVE-2023-22518, with a CVSS score of 9.8, is an improper authorization flaw in Confluence Data Center and Confluence Server (Confluence Cloud is not affected). It allows an unauthenticated attacker to invoke the instance restore functionality, wiping the existing data and creating a Confluence instance administrator account in the process. With that account the attacker can perform every administrative action available to a Confluence instance administrator, resulting in a full loss of confidentiality, integrity and availability. Atlassian raised the severity to 10.0 after observing active exploitation, including ransomware deployment, in early November 2023.
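A detection pass over web-server access logs for the restore flow this flaw abuses, as an added example that is not Atlassian's code or code from the original page. The endpoint paths are the setup-restore endpoints named in the public advisories for this CVE; the log lines are constructed for the demo and do not come from a real incident.

```python
import re
from collections import defaultdict

# Endpoints of the unauthenticated restore flow abused by CVE-2023-22518,
# as named in Atlassian's advisory and CISA's guidance.
RESTORE_ENDPOINTS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_restore_attempts(lines):
    """Return one record per request that hits a restore endpoint. Any hit from
    an unexpected source is suspicious; a POST answered with 200 means the
    restore most likely succeeded and the instance must be treated as compromised."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop the query string
        if path in RESTORE_ENDPOINTS:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": path, "status": int(rec["status"])})
    return hits


def summarize(hits):
    """Count hits per source IP for triage."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return dict(counts)


# Constructed sample access-log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2023:04:12:09 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2023:04:12:11 +0000] "GET /json/setup-restore.action HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.7 - - [03/Nov/2023:04:12:13 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 302 "-" "python-requests/2.31"
198.51.100.20 - - [03/Nov/2023:04:30:44 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 9831 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2023:04:12:20 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 118 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    found = find_restore_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(summarize(found))
```

Corroborate any hit by checking the Confluence audit log and user directory for administrator accounts that nobody created; a restore that completed also resets the instance, so backups taken before the first hit are the ones to keep.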

Apache ActiveMQ Remote Code Execution

The vulnerability tracked as CVE-2023-46604, with a CVSS score of 9.8, is a remote code execution flaw in the Java OpenWire protocol marshaller of Apache ActiveMQ. A remote attacker with network access to an OpenWire broker (TCP port 61616 by default) or to a Java OpenWire client can manipulate the serialized class types in an OpenWire message so that the receiving side instantiates an arbitrary class on its classpath with attacker-chosen arguments, which is sufficient to run arbitrary shell commands. Exploitation began within days of the late October 2023 disclosure and was used to deploy ransomware on exposed brokers.

F5 BIG-IP

The first vulnerability, tracked as CVE-2023-46747 with a CVSS score of 9.8, allows unauthenticated remote code execution on F5 BIG-IP products. It is a request smuggling bug in the Apache JServ Protocol (AJP) handling of the Configuration utility (the management web interface): an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses can smuggle a request that bypasses authentication and execute arbitrary system commands.

The second vulnerability, tracked as CVE-2023-46748 with a CVSS score of 8.8, is a SQL injection flaw in the Configuration utility and has been used in combination with CVE-2023-46747 in attacks. It allows an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; both are control plane issues, which is why the management interface must never be reachable from untrusted networks.


Cisco IOS XE Web UI

Two vulnerabilities in the web UI feature of Cisco IOS XE Software were chained in a campaign that implanted tens of thousands of internet-exposed devices in October 2023. The attacker used CVE-2023-20198, with a CVSS score of 10.0, to gain initial access: it allows an unauthenticated, remote attacker to issue a privilege 15 command and create a local user and password combination on the device, after which the attacker logged in with that account as a normal user.

The attacker then exploited CVE-2023-20273, with a CVSS score of 7.2, in another component of the web UI feature. This vulnerability is due to insufficient input validation and allows an authenticated, remote attacker to inject commands with the privileges of root by sending crafted input to the web UI. Leveraging the newly created local user, the attacker elevated privilege to root and wrote a Lua-based implant to the file system. Cisco's guidance is to disable the HTTP server feature on internet-facing systems (no ip http server and no ip http secure-server) and to check devices for unexpected local users and for the implant.
