Programmer’s Digest #41
07/13/2023-07/19/2023 Vulnerabilities in SonicWall and Fortinet Network, Fake PoC for Linux Kernel Vulnerability on GitHub, Microsoft Word Vulnerabilities And More.
1. New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products
SonicWall urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2. The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.
The disclosure comes as Fortinet revealed a critical flaw affecting FortiOS and FortiProxy (CVE-2023-33308, CVSS score: 9.8) that could enable an adversary to achieve remote code execution under certain circumstances. It said the issue was resolved in a previous release, without an advisory.
Recommendation
For customers who cannot apply the updates immediately, Fortinet is recommending that they disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.
2. Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware
Cybersecurity researchers have detected a proof-of-concept (PoC) on GitHub containing a concealed backdoor using a clever persistence method. The PoC pretends to be a harmless learning tool but actually operates as a downloader, surreptitiously executing a Linux bash script while disguising its activities as a kernel-level process. Disguised as a PoC for a high-severity flaw in the Linux kernel (CVE-2023-35829), the repository was taken down after being forked 25 times. Additionally, a second GitHub profile harbored a fake PoC for CVE-2023-35829, still available and forked 19 times. The backdoor has extensive capabilities, enabling data theft and remote access via the addition of malicious SSH keys to the .ssh/authorized_keys file.
Recommendation
To mitigate risks, users who downloaded and executed these PoCs should remove unauthorized SSH keys, delete the kworker file, eliminate the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
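As an added example (not part of the digest), the following Python audit automates the checks in the recommendation: it flags kworker references in a user's .bashrc, authorized_keys entries whose key blob is not on a known-good allowlist, and the presence of the .iCE-unix.pid marker. The home directory, the tmp directory that stands in for /tmp, the allowlist and the sample files are all constructed for illustration; against a real host you pass the real paths.

```python
# Added example (not from the digest): audit a home directory for the
# persistence indicators listed in the recommendation above. Paths are
# parameters so the checks run against the constructed sample tree below.
import tempfile
from pathlib import Path

def rc_references_kworker(rc_path: Path) -> bool:
    """True if the shell rc file launches anything named kworker (a user-space
    binary named after a kernel thread is the disguise described above)."""
    return rc_path.is_file() and "kworker" in rc_path.read_text(errors="replace")

def unexpected_authorized_keys(keys_path: Path, allowed_keys: set) -> list:
    """Entries whose key blob is not allowlisted. The blob is matched anywhere on
    the line so entries with option prefixes (command=..., from=...) are handled."""
    if not keys_path.is_file():
        return []
    lines = keys_path.read_text(errors="replace").splitlines()
    return [ln for ln in lines
            if ln.strip() and not ln.lstrip().startswith("#")
            and not any(blob in ln for blob in allowed_keys)]

def audit_home(home: Path, tmp: Path, allowed_keys: set) -> list:
    """Run all three checks; returns human-readable findings (empty means clean)."""
    findings = []
    if rc_references_kworker(home / ".bashrc"):
        findings.append(f"{home / '.bashrc'} references a kworker path")
    for entry in unexpected_authorized_keys(home / ".ssh" / "authorized_keys", allowed_keys):
        findings.append(f"unexpected authorized_keys entry: {entry}")
    if (tmp / ".iCE-unix.pid").exists():  # tmp stands in for /tmp
        findings.append(f"{tmp / '.iCE-unix.pid'} is present")
    return findings

def build_sample_tree() -> tuple:
    """Constructed sample data: an infected home, a clean home and a tmp dir."""
    root = Path(tempfile.mkdtemp())
    bad, good, tmp = root / "bad", root / "good", root / "tmp"
    for d in (bad / ".ssh", good / ".ssh", tmp):
        d.mkdir(parents=True)
    (bad / ".ssh" / "authorized_keys").write_text(
        "ssh-ed25519 AAAAC3CONSTRUCTEDGOODKEY user@host\n"
        "ssh-rsa AAAAB3CONSTRUCTEDROGUEKEY\n")  # constructed rogue key
    (bad / ".bashrc").write_text("export PATH=$PATH\n~/.local/kworker &\n")
    (good / ".ssh" / "authorized_keys").write_text("ssh-ed25519 AAAAC3CONSTRUCTEDGOODKEY user@host\n")
    (good / ".bashrc").write_text("export PATH=$PATH\n")
    (tmp / ".iCE-unix.pid").touch()
    return bad, good, tmp

ALLOWED_KEY_BLOBS = {"AAAAC3CONSTRUCTEDGOODKEY"}  # constructed allowlist
```

Running `audit_home` on the constructed infected home returns three findings and on the clean home returns none; a non-empty list is the signal to follow the removal steps above.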
3. Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services
Multiple security vulnerabilities have been found in various services, including Honeywell Experion DCS and QuickBlox, that could lead to severe compromises. Dubbed Crit.IX, the nine flaws in Honeywell Experion DCS enable unauthorized remote code execution, allowing attackers to take over devices and alter DCS controller operations while concealing changes from the engineering workstation. The flaws stem from encryption and authentication issues in the Control Data Access (CDA) protocol. Similarly, QuickBlox, used in telemedicine and IoT, was found to have major vulnerabilities, allowing attackers to leak user databases and perform account takeover attacks.
Additional disclosed flaws affect Aerohive/Extreme Networks access points, the Ghostscript library, Owncast, EaseProbe, and Technicolor TG670 DSL gateway routers, exposing various attack vectors.
4. Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. The researchers who analyzed the campaign said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers and determine if it’s running in a virtualized environment.
An alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the “Auto_Open” and “Document_Open” functions.
The macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.
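As an added example (not part of the digest), a Python triage check for the two lure features described in both chains above: a relationship in the document's XML that points at an external target, which is how an OOXML package records a link to a remote resource, and the presence of a VBA project, which is where Auto_Open/Document_Open macros would live. The sample package built by `build_sample` and the example.invalid target are constructed; point `triage` at real file bytes to use it.

```python
# Added example (not from the digest): flag external relationship targets and
# macro containers in an OOXML (.docx) package. A minimal sample package is
# constructed in memory so the checks run offline.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_targets(docx_bytes: bytes) -> list:
    """(relationship kind, target) for every relationship under word/_rels whose
    TargetMode is External; a lure that pulls a remote HTML file needs one."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((kind, rel.get("Target", "")))
    return found

def has_vba_project(docx_bytes: bytes) -> bool:
    """True if the package carries a macro container (word/vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return "word/vbaProject.bin" in zf.namelist()

def triage(docx_bytes: bytes) -> list:
    """Human-readable findings; an empty list means neither feature is present."""
    findings = [f"external {kind} -> {target}" for kind, target in external_targets(docx_bytes)]
    if has_vba_project(docx_bytes):
        findings.append("contains vbaProject.bin (macros; inspect for Auto_Open/Document_Open)")
    return findings

def build_sample(external_target: str, with_macros: bool) -> bytes:
    """Constructed minimal package: only the parts the checks read are present."""
    rels = f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
    if external_target:  # constructed external oleObject relationship
        rels += f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="{external_target}" TargetMode="External"/>'
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0CONSTRUCTED")
    return buf.getvalue()
```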
5. Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild.
Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on “unmitigated appliances.” However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.
The development comes amid active exploitation of security flaws discovered in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).
6. Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation
A privilege escalation vulnerability, named Bad.Build, has been discovered in Google Cloud’s Build service, posing a supply chain attack risk. The flaw allows attackers to manipulate images in the Google Artifact Registry and inject malicious code, impacting applications built from those images. Google has released a partial fix but acknowledges that the privilege escalation vector remains, categorizing it as a low-severity issue. The vulnerability stems from excessive permissions granted to the default service account created by Cloud Build, which can facilitate lateral movement and privilege escalation. Attackers can impersonate the Cloud Build service account, exfiltrate and modify images, and execute code on Docker containers with root access. Users should monitor the service account’s behavior and apply the principle of least privilege to minimize potential risks.