Securin’s Threat Intelligence: Apr 24, 2023 – Apr 28, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix your gaps now?

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

CISA Adds More Vulnerabilities to the KEV Catalog

CISA added the following 3 vulnerabilities on April 21, 2023: 

CVE-2023-28432 is a MinIO information disclosure vulnerability. The bug exposes payment-related information, first and last name, email address, payment address, payment card expiration date, etc., of subscribers.

CVE-2023-27350 is a PaperCut MF/NG improper access control vulnerability. It allows remote attackers to bypass authentication and run arbitrary code.

Update: A proof-of-concept is available for this vulnerability and two threat actor groups (Clop and Lockbit ransomware) are actively exploiting it in attacks with PowerShell commands that install Atera and Syncro remote management software.

CVE-2023-2136 is a Google Chrome Skia integer overflow vulnerability that allows threat actors to perform a sandbox escape via a crafted HTML page.

All federal entities are expected to patch these vulnerabilities by May 12, 2023.

Vulnerabilities to Watch Out For

CVE-2023-1389: TP-LINK WAN-Side Vulnerability

The CVE-2023-1389 vulnerability affects the TP-Link Archer AX21 Wi-Fi router. It is an unauthenticated command injection vulnerability in the local API available via the web management interface. This vulnerability was recently added to the arsenal of the Mirai Botnet threat actors, who are already actively exploiting it in the wild. Attackers can exploit this vulnerability by making  HTTP requests to the Mirai command and control (C2) servers to download and execute a series of binary payloads after gaining initial access. After this, they can launch Distributed-Denial-of-Service attacks and even imitate legitimate traffic, making it more difficult to separate DDoS traffic from legitimate network traffic.

TP-Link has released a patch for this CVE, and users are recommended to apply it immediately.

Multiple Vulnerabilities in UPS Software

The following three vulnerabilities affect APC Easy UPS Online Monitoring Software and Schneider Electric Easy UPS Online Monitoring Software. 

  1. CVE-2023-29411 is a missing authentication for critical functions. It allows an attacker to change admin credentials and execute arbitrary code on the Java RMI interface.
  2. CVE-2023-29412 is a vulnerability caused due to improper handling of case sensitivity. It allows an attacker to run arbitrary code when manipulating internal methods through the Java RMI interface.
  3. CVE-2023-29413 is a vulnerability caused due to the missing authentication for critical functions. It could enable an unauthenticated attacker to impose a denial-of-service (DoS) condition. 

Windows 10, 11, and Windows Server 2016, 2019, and 2022 are impacted by these vulnerabilities.

Users are recommended to upgrade their software versions to patch these vulnerabilities.

VMware’s Zero-Day Vulnerabilities

A security vulnerability tracked as CVE-2023-20869 has been identified in the Bluetooth device-sharing feature. This vulnerability enables local attackers to execute code as the virtual machine’s VMX process running on the host by exploiting a stack-based buffer-overflow issue.

An information disclosure vulnerability identified as CVE-2023-20870 also affects the Bluetooth device-sharing feature. This weakness allows malicious actors to read privileged information from a VM by exploiting the functionality for sharing host Bluetooth devices, which can be found in hypervisor memory.

A VMware Fusion Raw Disk vulnerability, tracked as CVE-2023-20871, has been identified as a local privilege escalation flaw. This vulnerability can be exploited by attackers with read/write access to the host operating system, allowing them to escalate privileges and obtain root access to the host OS. It has been categorized as a high-severity vulnerability.

CVE-2023-20872 is an out-of-bounds read/write vulnerability, affecting both Workstation and Fusion products. The vulnerability lies in the SCSI CD/DVD device emulation feature. This flaw can be exploited by local attackers with access to VMs configured to use a virtual SCSI controller and have a physical CD/DVD drive attached. By exploiting this vulnerability, attackers can gain code execution on the hypervisor from the VM. VMware has a temporary workaround for this.

VMware has addressed all these vulnerabilities in a security advisory.

CVE-2023-29552: SLP’s DDoS Bug

CVE-2023-29552 is a vulnerability in the Service Location Protocol (SLP), an old internet protocol, that affects devices used by over 2,000 organizations. The flaw exposes around 54,000 exploitable SLP instances, which the attackers can leverage to launch reflective DoS amplification attacks on targets. The exploitation of CVE-2023-29552 can lead to an increase in the UDP response size of a server. This can be achieved by registering new services until the response buffer reaches its limit.

In order to safeguard your company’s resources against potential misuse, it is recommended that SLP be turned off on systems that are accessible via the internet or untrusted networks. VMware has released a bulletin addressing this issue, indicating that it only affects outdated ESXi versions that are no longer supported and recommending that administrators avoid exposing them to untrusted networks.

CVE-2023-20060: Cisco XSS Zero-Day Flaw

CVE-2023-20060 is a vulnerability found in the web-based management interface of Cisco PCD 14. It can allow unauthenticated attackers to launch cross-site scripting attacks remotely. However, the exploitation requires user interaction.

CISCO patched this vulnerability and urged users to apply it and also not click any suspicious link.

Vulnerabilities in PrestaShop

PrestaShop addressed a few vulnerabilities that impact its software. They are:

CVE-2023-30839 is a critical vulnerability that allows users to perform unauthorized modifications on the online store’s database. An attacker can exploit this vulnerability to cause significant damage or even service outage to an impacted business. It can also allow injection of malicious code, backdoors and access to the SQL database.

CVE-2023-30535 is an arbitrary file read vulnerability that gives unauthorized users access to critical information.

CVE-2023-30838 is an XSS injection issue that can hijack every HTML element on the site and is triggered without interaction.

CVE-2023-27524: Apache Superset Vulnerabilities

At default configurations, Apache Superset can be susceptible to authentication bypass and remote code execution, potentially giving attackers access to modify data, harvest credentials, and execute commands. The vulnerability is tracked as CVE-2023-27524 and has been detected in about 2,000 internet-exposed servers, including those belonging to government organizations, corporations of various sizes, and universities. Attackers can use flask-unsign and generate their own cookies to gain administrator access, allowing them to execute arbitrary SQL statements on the application server or access connected databases.

Apache has addressed this vulnerability in a security advisory.

Unauthenticated RCE Vulnerability Exploitation in Avaya Aura Device Services

An incident involving the exploitation of an unauthenticated remote code execution (RCE) vulnerability in Avaya Aura Device Services, affecting versions preceding was discovered. Multiple web shells were found in the PhoneBackup directory and there were attempts to introduce the XMRig cryptocurrency miner over several months starting in February. It appears that the attackers are not targeting specific industries or organizations, but rather any vulnerable devices regardless of their industry or organization. There are over 1,000,000 internet-exposed devices under the Avaya name, with an estimated 10% of those being vulnerable Aura Device Services. 

Avaya released a security guidance for its users to safeguard against this unassigned vulnerability.

CVE-2023-21554: Microsoft Vulnerability

This is an unauthenticated remote code execution (RCE) vulnerability in the Message Queuing (MSMQ) service. By default, the vulnerable component is not found, but it is frequently installed on Windows servers. Microsoft fixed this vulnerability and released a patch for it. Here’s how you can check if you have MSMQ enabled in your system.

Follow our weekly blog and podcast to get proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!

Share This Post On