Programmer’s Digest #54
10/18/2023-10/25/2023 Critical Citrix NetScaler Flaw, Vulnerability in Synology’s DiskStation Manager, vRealize RCE flaw And More.
1. Critical Citrix NetScaler Flaw Exploited to Target Government, Tech Firms
Citrix is warning of a critical security flaw (CVE-2023-4966, CVSS 9.4) in NetScaler ADC and Gateway appliances. Exploitation has been observed, and Google-owned Mandiant detected zero-day exploitation starting in late August 2023. The flaw impacts specific versions and requires the device to be configured as a Gateway or authorization and accounting virtual server. While patches were released on October 10, 2023, Citrix reports active abuse of unmitigated appliances. Successful exploitation can hijack authenticated sessions, bypassing multi-factor authentication and potentially leading to further access. The threat actor responsible remains unidentified but has targeted professional services, technology, and government organizations. To mitigate these threats, users must promptly update their instances and terminate all active sessions, even though this isn’t a remote code execution vulnerability.
2. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager
A medium-severity flaw (CVE-2023-2729) in Synology’s DiskStation Manager (DSM) could potentially reveal an administrator’s password, leading to a remote account hijack. The issue was addressed in June 2023. The vulnerability stems from the use of a weak random number generator that relies on the JavaScript Math.random() method to construct the admin password. This “insecure randomness” can allow an attacker to predict the password. However, successful exploitation depends on the attacker extracting certain GUIDs generated during the setup process to reconstruct the seed for the pseudorandom number generator. While the attack requires multiple steps, users should promptly apply the update to mitigate the risk, especially considering the potential account takeover.
3. Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection
A backdoor on Cisco devices, created through two zero-day flaws in IOS XE software, has been altered by the threat actor to evade detection. The modified backdoor only responds if the correct Authorization HTTP header is set, making it harder to detect. The attacker uses CVE-2023-20198 and CVE-2023-20273 to compromise devices, create privileged accounts, and install a Lua-based implant. Cisco is releasing security updates to address the vulnerabilities. The threat actor remains unidentified, but the attack has affected thousands of devices. Although the number of compromised devices decreased significantly, hidden changes to the implant explain this drop, as more than 37,000 devices still contain the backdoor. Cisco confirmed the change in behavior and provided a method to check for the implant’s presence.
4. Cross-site Scripting and how to fix it
Cross-site scripting (XSS) is a severe vulnerability that lets attackers inject malicious code into web applications. It is a major security concern for any website that does not control user input. Various XSS exploits, such as injecting scripts via HTML forms or email, can compromise websites and servers. To prevent XSS, sanitize input and never output data directly to the browser without checking it for malicious content. XSS filtering is a security feature that blocks malicious content, preventing server-side code execution and thwarting remote attacks. It removes risky elements such as the <script> tag, JavaScript commands, CSS styles, and hazardous HTML markup, typically through server-side code or a vetted library. If you are using Java, a good place to start is the OWASP Java Encoder Project. For PHP, there is a comprehensive library called HTML Purifier, which boasts strict standards compliance and better features than other filters. Restrict the type of input a user can submit in your form through validation. For instance, if you have an input field for an email address, only accept input in email format. This way, you minimize the chances of an attacker submitting bad data. You can also use the validator package for this, on the backend as well:
const { check } = require('express-validator'); // check() is provided by express-validator, which wraps the validator package
check('username', 'Username must be an email address').isEmail()
The above code requires that the username the user submits is an email address; otherwise it reports the error message (“Username must be an email address”). Secure your cookies by setting the httpOnly and secure flags. These settings are crucial for preventing session hijacking and unauthorized access.
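The three mitigations this item lists (input validation, output encoding, cookie flags) in one plain Node.js file, as an added example that is not part of the digest and uses no framework: isEmail() is a deliberately simple stand-in for the validator package's check, and the rendering helpers and sample payload are constructed for illustration.

```javascript
// Added example (not from the digest): validation, output encoding and cookie
// flags side by side, with a 'before' renderer that shows why encoding matters.

// Output encoding: neutralise the characters that let data break out of an
// HTML text node or quoted attribute.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Input validation: a conservative email check (assumed here, not the
// validator package's own rules) that also refuses HTML metacharacters.
function isEmail(input) {
  return /^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/.test(String(input));
}

// 'Before': the username is interpolated straight into the page, so a
// script tag survives untouched.
function renderUnsafe(username) {
  return `<p>Welcome back, ${username}</p>`;
}

// 'After': reject anything that is not an email address, then encode the
// value before it reaches the browser.
function renderSafe(username) {
  if (!isEmail(username)) {
    return { ok: false, error: 'Username must be an email address' };
  }
  return { ok: true, html: `<p>Welcome back, ${escapeHtml(username)}</p>` };
}

// Cookie hardening: HttpOnly keeps the session id out of document.cookie,
// Secure keeps it off plaintext HTTP; SameSite is an extra the digest
// does not mention.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample input: a classic script-tag payload.
const samplePayload = '<script>alert(1)</script>';
console.log(renderUnsafe(samplePayload));            // tag reaches the browser intact
console.log(renderSafe(samplePayload));              // rejected by validation
console.log(renderSafe('alice@example.com').html);   // encoded, harmless output
console.log(sessionCookie('sid', 'constructed-session-id'));
```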
5. VMware warns admins of public exploit for vRealize RCE flaw
VMware has issued a warning regarding a PoC exploit for an authentication bypass vulnerability (CVE-2023-34051) in vRealize Log Insight, now known as VMware Aria Operations for Logs. This flaw enables unauthenticated attackers to remotely execute code with root permissions if specific conditions are met. To exploit it, the attacker must compromise a host in the targeted environment and have permissions to add an extra interface or static IP address. Horizon3 security researchers, who discovered the bug, released a PoC exploit and indicators of compromise (IOCs) to detect exploitation attempts. This vulnerability also acts as a bypass for a chain of critical flaws patched by VMware in January, allowing attackers to gain remote code execution. While it requires some infrastructure setup, it poses a significant threat to previously compromised networks.