We’ve got some news about Greenbone Community Edition. Is it exciting news? Well, if you are interested in IT security and open-source cybersecurity tooling, you may be excited to hear that Greenbone has implemented one of the most significant changes to its distributed service architecture in a long time. Let’s dig into the details!

Introducing OpenVASD (openvasd)

Greenbone’s software engineering team is hard at work optimizing its distributed process architecture. Our goals in 2024 include both performance and feature enhancements. Without saying too much, there will be several announcements later in 2024! For now, let’s introduce the newest component in Greenbone Vulnerability Management Solution, openvasd! The benefits of openvasd include better coverage and improved usability when interacting directly with openvas-scanner for high-performance vulnerability scanning.

Openvasd removes the need for a message broker service to interact with the new Rust-based Notus Scanner, and eventually will replace the ospd-openvas API service and OSP (Open Scanner Protocol), the legacy XML-based protocol, with a new RESTful HTTP API.

Notus Wasn’t Rusty, But The New Notus Is!

The original Notus Scanner was implemented in Python, but a new Rust-based version is here! The Notus Scanner, first announced in late 2021, and initially released on July 18, 2022, was implemented to optimize scan performance for local security checks (LSC). Notus Scanner removes the need for multiple processes when assessing a target’s internal host attack surface. Instead of scanning for each potentially vulnerable software component individually, data is collected from the target host with a single remote command and the results are assessed offline, drastically reducing the time required to conduct authenticated scans and compliance assessments.

Instead of acting as a standalone component in Greenbone’s distributed service architecture, the new Rusty version of Notus Scanner is built into openvas-scanner. Thus, Notus no longer depends on the Mosquitto MQTT message broker to exchange and queue tasks.

Sunsetting The OSP API

The Open-Scanner Protocol (OSP) has been at the heart of the Greenbone distributed service architecture from the start. OSP is an XML-based API protocol that serves to bind the Greenbone Vulnerability Manager Daemon (gvmd) to the OpenVAS Scanner via the ospd-openvas service. As mentioned above, openvasd will eventually replace ospd-openvas, but that’s not the only change taking place. The XML-based OSP API will also be replaced with an HTTP RESTful API. The new HTTP API is documented online in an OpenAPI Specification (OAS) swagger. The hope is that the new HTTP RESTful API will be easier for users to use than the previous XML-based OSP protocol.

The plan is to integrate this scanner into Greenbone Community Edition first in order to get direct feedback from users in a timely manner. For Greenbone Enterprise Appliances the delivery is planned with the next major version.

Summary

Greenbone Community Edition has introduced significant upgrades with the launch of openvasd, a new multi-purposed core service for Greenbone Vulnerability Manager (GVM) that improves scan performance and usability. Openvasd integrates a new Rust-based Notus Scanner into openvas-scanner and will eventually replace the ospd-openvas API service, transitioning from an XML-based protocol to a RESTful HTTP API. The new HTTP API aims to be more user-friendly, with detailed documentation available via the industry standard API swagger. As these changes roll out, they will be tested in the Community Edition so please feel free to check out the source code, evaluate the performance, and join the conversation in the Greenbone community forum.

In February 2024, Microsoft issued a security alert for a total of 73 security vulnerabilities. The batch included 6 critical severity vulnerabilities, 52 rated as high severity, and 15 as medium severity vulnerabilities. 30 of them are remote code execution vulnerabilities [T1210] and 16 are privilege escalation [TA0004] exploits. From that group, three stand out as being actively exploited: CVE-2024-21410 (CVSS 9.8 Critical), CVE-2024-21412 (CVSS 8.1 High), and CVE-2024-21351 (CVSS 7.6 High).

15 of the 73 CVEs affected Microsoft WDAC OLE DB provider for SQL, 8 were reported in Microsoft Dynamics, a business productivity cloud service that integrates with Microsoft 365, and the Windows kernel had 6 CVEs reported and patched. The full list of vulnerabilities can be found on the official Microsoft advisory report for February 2024.

CVE-2024-21410 in Microsoft Exchange Actively Exploited

The CVE-2024-21410 (CVSS 9.8 Critical) security flaw is an authentication replay attack [CWE-294] on Microsoft Exchange Servers that use the Net-NTLMv2 protocol. The vulnerability allows attackers with the ability to capture a victim’s Net-NTLMv2 credentials to escalate privileges on the system for unauthenticated access. Since CVE-2024-21410 is a pass-the-hash [CWE-836] vulnerability it is considered low complexity to exploit by any attacker with stolen credentials. As such, CVE-2024-21410 represents a high risk to the confidentiality and integrity of an organization’s internal email communication and other data contained in an Exchange Server instance such as contact lists, shared resources or schedules.

CVE-2024-21410 is reported as actively exploited by CISA’s known exploited vulnerabilities (KEV) database. Although no formal attribution has been assigned to the recent attacks, some insiders have noted that the Russian-backed threat actor APT28 is active in exploiting NTLM and is known for attack techniques including Access Token Manipulation [T1134] and Token Impersonation/Theft [T1134.001] for unauthorized access against email servers.

28,500 Microsoft Exchange servers have been identified as vulnerable, while a report from security research firm Shadowserver aggressively estimates that up to 97,000 IPs are potentially affected. Greenbone provides both a local security check (LSC) and remote version checks for identifying Microsoft Exchange servers impacted by CVE-2024-21410.

Here is a description of CVE-2024-21410 and how it is being exploited:

  • CVE-2024-21410 (CVSS 9.8 Critical): An attacker could target a Net-NTLMv2 client such as Outlook from within a compromised endpoint with a credential-leak exploit, via a compromised network position using a tool such as Responder, or via an Adversary in The Middle (AiTM) position by capturing unencrypted network traffic. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim and to perform operations on the Exchange server on the victim’s behalf. Notably, CVE-2024-21410 does not require the captured Net-NTLMv2 hash to be cracked since it can be replayed directly for exploitation.

What Is NTLM Authentication Protocol?

NTLM (NT LAN Manager) authentication protocol is a proprietary protocol developed by Microsoft dating back to the Windows NT operating system, which was released in 1993. NTLM was replaced as the default authentication protocol in Windows 2000 by Kerberos. The Net-NTLMv1 and Net-NTLMv2 protocols employ the user’s base password, stored as a hash (called the NTHash), in a challenge-response authentication handshake to verify an authorized user. A detailed description of the algorithms used in Net-NTLMv1 and Net-NTLMv2 can be found on the Medium platform.

Net-NTLMv2 (NT LAN Manager version 2) is an improvement over the older NTLM protocol, offering better protection against certain types of attack. Net-NTLMv2 is still supported by various Microsoft products and services within Windows-based networks. However, because stolen credentials can be replayed in simple relay attacks [CWE-294], NTLM itself has been assigned a CVE (CVE-2021-31958), and its use presents a serious risk of unauthorized access. Also, considering that Microsoft officially acknowledged the security risks of NTLM in 2021, it should broadly be considered a vulnerable protocol and should be replaced with more secure public-key based authentication wherever it is in use.

Some of the key products that still support the use of Net-NTLMv2 include all Windows operating systems, Active Directory (AD), Microsoft Exchange Server, Microsoft SQL Server, Internet Information Services (IIS), the SMB protocol, Remote Desktop Services, and other third-party applications.

Mitigating CVE-2024-21410

The 2024 H1 Cumulative Update 14 (CU14) for Exchange Server 2019 has been released by Microsoft, allowing operators of the affected versions to patch their vulnerable product. The CU14 update enables Extended Protection for Authentication (EPA) by default, which had otherwise required manual setup.

If installing CU14 is not feasible or for administrators of Exchange Server 2016, the Exchange Extended Protection documentation and ExchangeExtendedProtectionManagement.ps1 script can be used to enable EPA for Exchange Servers. Microsoft also points to its own workaround techniques for mitigating pass-the-hash attacks in reference to mitigating the risk of CVE-2024-21410.

Pivoting From CVE-2024-21410 to CVE-2024-21378

It’s also probable that attackers who gain unauthorized access to a vulnerable Microsoft Exchange server could continue their exploit chain by leveraging another vulnerability disclosed in the February 2024 batch, CVE-2024-21378 (CVSS 8.0 High), to cause high impact on endpoints running the Microsoft Outlook 2016 client or Microsoft Office 365 (2016 Click-to-Run). CVE-2024-21378 is a remote code execution vulnerability that requires user interaction. A prerequisite for exploiting CVE-2024-21378 is authenticated access to a Microsoft Exchange server or another Microsoft LAN service, which allows an attacker to compromise users on the same domain controller via delivery of a malicious file. Furthermore, CVE-2024-21378 can be exploited simply by previewing the malicious file.

Greenbone can identify systems affected by CVE-2024-21378 with local security checks for Microsoft Outlook 2016 and Microsoft Office 365 (2016 Click-to-Run).

CVE-2024-21351 Windows SmartScreen Security Bypass

CVE-2024-21351 (CVSS 7.6 High) is a remote code execution (RCE) vulnerability in the Windows SmartScreen security feature. Exploiting CVE-2024-21351 could expose sensitive data and compromise file integrity and availability. This requires human interaction. The victim must click to open a malicious file delivered by the attacker. CVE-2024-21351 was added to CISA’s catalog of known exploited vulnerabilities (KEV) on February 13, 2024 along with CVE-2024-21412.

CVE-2024-21412 Internet Shortcut Files Security Bypass

CVE-2024-21412 (CVSS 8.1 High) is a vulnerability in the security feature of Internet Shortcut Files that allows an unauthenticated attacker to distribute a specially crafted file intended to circumvent visible security measures. While the attacker cannot compel a user to access content under their control, they must persuade the user to actively click on the file link to initiate the exploit.

Mitigating CVE-2024-21351 and CVE-2024-21412

CVE-2024-21351 and CVE-2024-21412 can be patched by installing Microsoft’s February 2024 cumulative patch. Microsoft issues cumulative patches on the second Tuesday of each month, known as “Patch Tuesday”. Since Windows 7 is past end-of-life support from Microsoft, patches will not be issued to remediate these vulnerabilities on that platform. Affected versions of Microsoft Windows that will receive patches include:

  • Microsoft Windows Server 2022 & 2019
  • Microsoft Windows 11 version 21H2, 22H2 & 23H2 for x64-based Systems
  • Microsoft Windows 10 Versions 1809, 21H2 & 22H2 for 32-bit and x64-based Systems

We believe that everyone should be able to understand cyber security – so we are happy to present to you our new community video on demystifying Greenbone!

In this one, Joseph touches on everything from our name to how our software architecture operates. Filling you in with some of our history this video is only as technical as it needs to be while still giving an overview of our product to get you started or deepen your understanding.

Do you have questions or comments? Please let us know at the Greenbone Community Forum or on the Fediverse/Mastodon at greenbone.social.


Two security vulnerabilities in SharePoint, both from last year, are currently causing trouble for SharePoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vulnerability in MS SharePoint

Remote Privilege Execution

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights on a company’s SharePoint server. Details of the attack were published back in September 2023 at the Pwn2Own 2023 conference in Vancouver and can be found on the Singapore StarLabs blog, for example.

Massive attacks have now led to CISA recently issuing a warning about these vulnerabilities and including CVE-2023-29357 in its catalog of known exploited vulnerabilities. However, Greenbone has already had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months – in authenticated and unauthenticated scan mode.

Microsoft advises its customers on its website to update to the SharePoint Server 2019 version of June 13, 2023 (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should enable the Antimalware Scan Interface (AMSI) integration and activate Microsoft Defender on the SharePoint server. Otherwise, attackers could bypass authentication with fake authentication tokens and gain administrator rights.

Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of work here and ensure security – as a hardware- or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.


CVE-2023-46604 Intelligence Summary

Enterprise | CVSS 9.8

Apache ActiveMQ is vulnerable to a CVSS 9.8 high-severity remote code execution (RCE) vulnerability tracked as CVE-2023-46604 that leverages deserialization of untrusted data [CWE-502] in the OpenWire protocol. The Apache ActiveMQ message broker can be exploited remotely [T1210] for execution of arbitrary shell commands at the privilege level of the ActiveMQ process [T1068]. CISA added CVE-2023-46604 to its actively exploited catalog on November 2nd, and its exploitation is considered trivial complexity. Attacks leveraging CVE-2023-46604 have included ransomware deployment consistent with the HelloKitty and TellYouThePass ransomware variants and Kinsing cryptomining malware. Greenbone added detection for CVE-2023-46604 to the Enterprise vulnerability feed on November 7th, 2023.

The Apache ActiveMQ broker service uses the OpenWire protocol for language-agnostic communication between software components or systems, on port 61616 by default. The exploit works by manipulating serialized class types to cause the broker to instantiate any class on the classpath. Serialization (or marshalling) is the process of converting data objects (such as functions, classes, or arrays) into an encoded format for transmission over a network or to be stored for later use. Deserialization (or unmarshalling) is the reverse process whereby the serialized data is reconstructed into the format used by a programming language – in this case the Java programming language.

ActiveMQ is built on the Spring Java Framework. CVE-2023-46604 is exploited by specifying the `ClassPathXmlApplicationContext` class for the type of data to be unmarshalled. The `ClassPathXmlApplicationContext` class will fetch a remote XML file, allowing the attacker to specify their own malicious XML hosted anywhere on the Internet to be imported. The malicious XML file can include system commands to be called via the `java.lang.ProcessBuilder.start` function. Rapid7 has posted the most detailed technical analysis on how CVE-2023-46604 can be exploited for RCE.

Mitigating CVE-2023-46604

Several proof-of-concept (PoC) exploits for CVE-2023-46604 [1][2][3] are publicly available, as well as a Metasploit module, which makes the exploitation of an estimated 3,000 vulnerable Apache ActiveMQ servers highly probable and increases the urgency for remediation.

Several versions of Apache ActiveMQ, ActiveMQ Artemis, and Apache ActiveMQ Legacy OpenWire Module are affected. Users are strongly urged to upgrade affected brokers and clients to fixed versions 5.15.16, 5.16.7, 5.17.6, 5.18.3, or later. Patched versions were released in late October, 2023 and ActiveMQ version 6.0.0 was released on November 17th.

Although there is no alternative workaround for preventing exploitation of CVE-2023-46604 available for ActiveMQ itself, firewall rules may be used to whitelist trusted brokers and clients to prevent access by untrusted IP addresses.
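The fixed releases above are branch-specific (5.18.2 is vulnerable, while the older 5.15.16 is not), so a version check cannot use a single "less than" comparison. The following is an added example, not Greenbone's own vulnerability test: it parses an ActiveMQ Classic version string or jar file name (the jar-name pattern and sample paths are constructed) and decides against the fixed release of the matching maintenance branch.

```python
"""Version check for CVE-2023-46604 in Apache ActiveMQ Classic.

Added example, not Greenbone's own vulnerability test. The detected version is
compared against the fixed release of its own maintenance branch (5.15.16,
5.16.7, 5.17.6, 5.18.3); branches older than 5.15 never received a fix and
6.0.0 and later were released after it.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per maintenance branch, as published with the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED_BRANCH = (5, 15)  # branches below this were never patched

# Accepts "5.18.2", "v5.18.2" and build suffixes such as "5.18.2-SNAPSHOT".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+.][0-9A-Za-z.+-]*)?\s*$")
# Assumed jar naming an LSC might collect from disk (activemq-client-5.18.2.jar etc.).
_JAR_RE = re.compile(r"activemq-(?:all|broker|client|openwire-legacy)-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: Optional[str]) -> Optional[Version]:
    """Return (major, minor, patch) or None if the string is not a version."""
    if not text:
        return None
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_from_jar_name(path: str) -> Optional[str]:
    """Extract the version from an ActiveMQ jar file name, or None if it is not one."""
    m = _JAR_RE.search(path)
    return m.group(1) if m else None


def is_vulnerable(version_text: Optional[str]) -> Optional[bool]:
    """True if the version lacks the fix, False if fixed, None if unparseable.

    Only Apache ActiveMQ Classic version numbers are handled; ActiveMQ Artemis
    uses its own 2.x version line and needs a separate check.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True   # e.g. 5.14.x: end of life, never patched
    return False      # 6.0.0 and later shipped with the fix


if __name__ == "__main__":
    # Constructed sample inventory, as a local security check might gather it.
    for jar in ["/opt/activemq/lib/activemq-client-5.18.2.jar",
                "/opt/activemq/lib/activemq-broker-5.15.16.jar",
                "/opt/activemq/lib/activemq-client-6.0.0.jar"]:
        v = version_from_jar_name(jar)
        print(f"{jar}: version={v} vulnerable={is_vulnerable(v)}")
```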

What Is A “Message Broker” Anyway?

Message Brokers (also known as Message Queue broker or “MQ”) are software services that facilitate exchange of messages between different processes on the same system or between different systems. These message queues allow “senders” and “receivers” to operate asynchronously and thus independently and also enable the creation of interconnected software systems across a distributed IT architecture. There are many popular MQs available.

Greenbone OpenVAS Democratizes Cybersecurity In Galicia

The global cyber threat landscape is increasingly challenging organizations around the world to be proactive about cybersecurity. According to Bitkom the total sum of all IT-related crime will cost Germany 206 billion euros ($224 billion) in 2023. Globally, the costs of a single data breach are equally staggering. An adequate response requires more cybersecurity talent and more efficient use of existing cybersecurity talent. Here is a story of how Greenbone’s open-source approach impacts the interplay of these factors by democratizing cybersecurity, distributing the burden of cybersecurity solution development, and improving the value proposition for organizations seeking to defend their operations from cyber attacks.

Investing in Small and Medium-sized Enterprises (SMEs) that deliver cybersecurity products – especially those that deliver open-source solutions – is a multifaceted value proposition that smashes the glass ceiling for organizations of all sizes caught in the crosshairs of cybersecurity risk.

Galicia Adopts Greenbone’s OpenVAS For Its Value Proposition

Innovation has a perfect ally in technology and in the companies that develop it. Hence the importance of projects like OpenVAS developed here at Greenbone AG.

Considering the need for cyber R&D, talent growth, and investment, it’s no surprise that Galicia’s Núñez Feijóo has invested in the new Research and Innovation Strategies for Smart Specialisations (RIS3), and has chosen Greenbone’s foundational OpenVAS vulnerability management solution. The GaiásTech Center of the Agency for Technological Modernization of Galicia (Amtega) champions this proposal that democratizes cybersecurity and has recently published the new OpenVAS cloud application on its web platform GaiásTech Cloud, for businesses and users to evaluate the cybersecurity posture of publicly accessible IT infrastructure.

Galicia’s investment makes essential tools available for burgeoning EU businesses, enabling more sustainable growth across diverse industries. Furthermore, this investment cultivates exportable cybersecurity capabilities, enriching the national economy and bolstering national security, while underscoring the imperative of innovation in combating the ongoing cybersecurity crisis.

OpenVAS is first and foremost a vulnerability scanning engine that executes vulnerability tests against targeted IT infrastructure to detect security weaknesses that a cyber attacker could exploit to gain unauthorized access. Vulnerability scanning with OpenVAS represents a proactive approach to security. The results of a vulnerability scan give all stakeholders an attestation that software updates and security patches have been applied and that existing system configurations are hardened against attack.

Aligning these investments with the Research and Innovation Strategies for Smart Specialization (RIS3) framework is prudent, recognizing the global need, including within the EU, to synchronize cybersecurity capabilities with the risks posed by rapid technological advancement, digitization, and the increasing technologization of critical infrastructure. RIS3 represents a structured model for strategic investment, enabling nations and regions to harness their unique strengths in advancing cybersecurity readiness and resilience.

How Does OpenVAS Democratize Cybersecurity?

In a broad sense, “democratizing” something, such as cybersecurity, means making it more accessible, inclusive, and equitable to a larger and more diverse group of people or organizations. It involves breaking down barriers and providing opportunities for broader participation, understanding, and empowerment in that particular domain.

The most obvious contribution that the Open Vulnerability Assessment System (aka OpenVAS) makes to democratizing cybersecurity is signalled by the word “Open” in its name, referring to the project’s open-source development model. The concept of open-source software has been around since the 1980s, when MIT’s Richard Stallman launched the GNU Project to develop a complete Unix-like operating system composed entirely of free and open-source software, which users could use, modify, and distribute freely. However, the term “open source software” and the practical advantages of the open-source development model didn’t emerge until 1998 through the works of Eric S. Raymond and Bruce Perens. Greenbone’s OpenVAS and related tools are released under various open-source licenses, including the GNU General Public License (GPL) version 2 and the Open Database License (ODbL) version 1.

Here we can seek to understand the particular nuanced ways that open-source software supports the democratization of cybersecurity:

  • Increased Accessibility To Cybersecurity Tools: Open source solutions ensure that cybersecurity resources, tools, and knowledge are readily available and accessible to a wide range of users, regardless of their technical expertise, financial resources, or geographic location. This enables individuals and smaller organizations, non-profit organizations, and underserved communities to protect themselves against cyber threats.

  • Community Involvement In Security-Minded Discourse: Encouraging community participation and collaboration in cybersecurity efforts is crucial. This includes fostering a culture of information sharing, crowdsourcing threat intelligence, and engaging in collaborative security initiatives and services to provide direct access to cybersecurity professionals of all levels of expertise and experience.

  • Education and Awareness: Democratizing cybersecurity involves educating and raising awareness among users about the importance of cybersecurity practices and hygiene. It empowers individuals and organizations with the knowledge to protect themselves.

  • Better Products Through Collaboration: Open source software and open standards often play a role in making cybersecurity technologies, standards, and information openly available for scrutiny and collaboration.

  • Reducing Dependence: Reducing dependence on a single vendor or entity for cybersecurity solutions results in a more sustainable software ecosystem. This also fosters competition and choice, enabling users to select solutions that best meet their needs and preferences and gives them a solid foundation to start building their own custom solutions.

  • Global Reach: Democratizing cybersecurity recognizes that cyber threats are global and that solutions should be accessible and relevant to a global audience. It seeks to address cybersecurity challenges on a global scale.

  • Adaptability: Democratization involves adapting cybersecurity measures to different contexts and environments. This recognizes that one-size-fits-all solutions may not work for everyone and that those who require custom tools can draw from an existing repository of open-source software created by community efforts.

OpenVAS, as part of Greenbone’s broader open-source technology stack, represents a greater public value than the mere sum of its parts as a vulnerability management solution. Greenbone supports the democratization of cybersecurity in the following ways:

  • The source code building blocks of open-source software are publicly available for download and review by anyone, as opposed to a proprietary closed-source software product model where code is protected as a form of intellectual property. The development of OpenVAS contributes to a shareable economy of cybersecurity infrastructure that can be leveraged without the added costs of software licensing.

  • While Greenbone Enterprise Edition is available for larger organizations with a need for increased security assurances, Greenbone’s Community Edition provides a complete platform for vulnerability management free of charge.

Summary

The financial threat of cybercrime looms large, putting pressure on organizations to make more efficient use of their existing IT security talent and simultaneously grow the next generation of skilled IT security professionals. The need for more investment into cybersecurity research and development is an important ongoing factor that will ultimately determine the cyber-resilience of global organizations of all shapes and sizes. SMEs and organizations within marginalized groups will especially face the most difficulty in allocating an adequate budget for advanced cybersecurity defenses.

Also, as our societies continue to digitize, the risks to critical infrastructure, personal data, and business continuity affect everyone in society to some degree. It is especially encouraging to see exemplary leaders such as Núñez Feijóo of Galicia taking measures to ensure not only a better IT security posture for their own organizations, but also supporting open-source cybersecurity initiatives that foster a culture of democratization of IT security.

In the November 2023 Vulnerability Tracking Update, several critical vulnerabilities and security threats have come to light. Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI) was found to be vulnerable to two actively exploited critical vulnerabilities, allowing attackers to execute arbitrary code remotely. The curl command-line tool, widely used across various platforms, faced a serious vulnerability that could result in arbitrary code execution during SOCKS5 proxy handshakes. VMware is urging immediate updates for its vCenter Server due to a critical vulnerability potentially leading to remote code execution. Multiple vulnerabilities were found in versions of PHP 8; one is a particularly critical deserialization vulnerability in the PHAR extraction process. Additionally, SolarWinds Access Rights Manager (ARM) was found susceptible to multiple critical vulnerabilities, emphasizing the urgency to update to version 2023.2.1. Lastly, two F5 BIG-IP vulnerabilities were discovered to be actively exploited, with mitigation options available and outlined below.

Cisco IOS XE: Multiple Critical Vulnerabilities

Two actively exploited critical CVSS 10 vulnerabilities were discovered in Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI): CVE-2023-20198 and CVE-2023-20273. Combined, they allow an attacker to remotely execute arbitrary code as the system user and are estimated to have been used to exploit tens of thousands of vulnerable devices within the past few weeks. Greenbone has added detection for both the vulnerable product by version [1] and the BadCandy implanted configuration file [2]. Both VTs are included in Greenbone’s Enterprise vulnerability feed.

Cisco IOS was created in the 1980s and used as the embedded OS in the networking technology giant’s routers. Fast forward to 2023, IOS XE is a leading enterprise networking full-stack software solution that powers Cisco platforms for access, distribution, core, wireless, and WAN. IOS XE is Linux-based, and specially optimized for networking and IT infrastructure, routing, switching, network security, and management. Cisco devices are pervasive in global IT infrastructure and used by organizations of all sizes, including large-scale enterprises, government agencies, critical infrastructure, and educational institutions.

Here’s how the two recently disclosed CVEs work:

CVE-2023-20198 (CVSS 10 Critical): Allows a remote, unauthenticated attacker to create an account [T1136] on an affected system with privilege level 15 (aka privileged EXEC level) access [CWE-269]. Privilege level 15 is the highest level of access to Cisco IOS. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 (CVSS 7.2 High): A regular user logged into the IOS XE web UI can inject commands [CWE-77] that are subsequently executed on the underlying system with system (root) privileges. This vulnerability is caused by insufficient input validation [CWE-20]. The CVE is also associated with a Lua-based web-shell [T1505.003] implant dubbed “BadCandy”. BadCandy consists of an Nginx configuration file named `cisco_service.conf` that establishes a URI path to interact with the web-shell implant, but requires the webserver to be restarted.

Cisco has released software updates for mitigating both CVEs in IOS XE software releases, including versions 17.9, 17.6, 17.3, and 16.12 as well as available Software Maintenance Upgrades (SMUs) and IT security teams are strongly advised to urgently install them. Cisco has also released associated indicators of compromise (IoC), Snort rules for detecting active attacks, and a TAC Technical FAQs page. Disabling the web UI prevents exploitation of these vulnerabilities and may be suitable mitigation until affected devices can be upgraded. Publicly released proof of concept (PoC) code [1][2] and a Metasploit module further increase the urgency to apply the available security updates.

Critical Vulnerability In The Curl Tool

A widespread vulnerability has been discovered in the popular curl command line tool, libcurl, and the many software applications that leverage them across a wide number of platforms. Tracked as CVE-2023-38545 (CVSS 9.8 Critical), the flaw makes curl overflow a heap-based buffer [CWE-122] in the SOCKS5 proxy handshake, which can result in arbitrary code execution [T1203]. Greenbone’s community feed includes several NVTs [1] to detect many of the affected software products and will add additional detections for CVE-2023-38545 as more vulnerable products are identified.

CVE-2023-38545 is a client-side vulnerability exploitable when passing a hostname to the SOCKS5 proxy that exceeds the maximum length of 255 bytes. If supplied with an excessively long hostname, curl is supposed to use local name resolution and pass on only the resolved address. However, due to the CVE-2023-38545 flaw, curl may actually copy the overly long hostname into the target buffer instead of copying just the resolved address there. Because the target buffer is heap-allocated and the hostname comes from the URL, the result is a heap-based overflow.

While the severity of the vulnerability is considered high because it can be exploited remotely and has a high impact on the confidentiality, integrity, and availability (CIA) of the underlying system, the SOCKS5 proxy method is not the default connection mode and must be declared explicitly. Additionally, for the overflow to happen an attacker also needs to cause a slow enough SOCKS5 handshake to trigger the bug. All versions of curl from v7.69.0 (released March 4th, 2020) through v8.3.0 are affected. The vulnerable code was patched in v8.4.0, commit 4a4b63daaa.
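
The 255-byte limit discussed above comes from the SOCKS5 wire format itself: the domain-name address type (ATYP 0x03) carries a single length octet in front of the hostname. The C function below is an added example, not curl’s code, showing how a SOCKS5 CONNECT request builder has to refuse (or resolve locally) any hostname over 255 bytes and bounds-check its output buffer before copying anything; the constant names and the demo helper are this example’s own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 (RFC 1928) constants. ATYP 0x03 carries a domain name preceded by a
 * single length octet, which is why a proxied hostname can never exceed 255
 * bytes: anything longer has to be refused (or resolved locally and sent as an
 * IPv4/IPv6 address), never copied into a fixed-size request buffer. */
#define SOCKS5_VERSION      0x05
#define SOCKS5_CMD_CONNECT  0x01
#define SOCKS5_ATYP_DOMAIN  0x03
#define SOCKS5_MAX_HOSTNAME 255

/* Build a SOCKS5 CONNECT request for a domain-name target into `out`.
 * Returns the number of bytes written, or -1 if the hostname is empty or
 * longer than 255 bytes, or if `out` cannot hold the whole request. */
int socks5_build_connect(const char *host, uint16_t port,
                         unsigned char *out, size_t outlen)
{
    size_t hlen = strlen(host);
    if (hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return -1;                       /* cannot be encoded: refuse */

    size_t need = 4 + 1 + hlen + 2;      /* VER CMD RSV ATYP | LEN host | PORT */
    if (outlen < need)
        return -1;                       /* bounds check before any copy */

    out[0] = SOCKS5_VERSION;
    out[1] = SOCKS5_CMD_CONNECT;
    out[2] = 0x00;                       /* reserved */
    out[3] = SOCKS5_ATYP_DOMAIN;
    out[4] = (unsigned char)hlen;        /* fits: hlen <= 255 was checked */
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (unsigned char)(port >> 8);
    out[6 + hlen] = (unsigned char)(port & 0xff);
    return (int)need;
}

/* Demonstration helper: a constructed 300-byte hostname must be refused
 * rather than written past the 255-byte limit. Returns 1 when it is refused. */
int socks5_demo_overlong_refused(void)
{
    char host[301];
    unsigned char out[512];
    memset(host, 'a', 300);
    host[300] = '\0';
    return socks5_build_connect(host, 80, out, sizeof out) == -1;
}

int main(void)
{
    unsigned char req[512];
    int n = socks5_build_connect("example.com", 443, req, sizeof req);
    printf("request bytes: %d, hostname length octet: %u\n", n, req[4]);
    printf("300-byte hostname refused: %s\n",
           socks5_demo_overlong_refused() ? "yes" : "no");
    return 0;
}
```

The point of the example is the order of operations: the length is validated against what the protocol can represent before any byte is copied, and the destination size is checked against the full encoded length, so an overlong hostname can only ever produce an error, never a write past the buffer.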

VMware vCenter Server: Multiple Vulnerabilities

CVE-2023-34048 is a critical-severity vulnerability that could allow a malicious actor with network access to vCenter Server to cause an out-of-bounds write [CWE-787], potentially leading to remote code execution (RCE). The affected software includes VMware vCenter Server versions 6.5, 6.7, 7.0, and 8.0. The vCenter Server patch also fixes CVE-2023-34056, a medium-severity information disclosure resulting from improper authorization [CWE-285]. VMware has issued a security advisory addressing both vulnerabilities, which states that there are no known mitigations other than installing the provided updates. Both vulnerabilities can be detected by Greenbone’s enterprise vulnerability feed [1].

Although there are no reports that CVE-2023-34048 is being actively exploited in the wild, attackers have proven adept at swiftly converting threat intelligence into exploit code. Research by Palo Alto Networks’ Unit 42 threat research group shows that, on average, an exploit is published 37 days after a security patch is released.

Here are some brief details on both CVEs:

CVE-2023-34048 (CVSS 9.8 Critical): vCenter Server contains an out-of-bounds write [CWE-787] vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability to achieve remote code execution (RCE). The Distributed Computing Environment Remote Procedure Call (DCERPC) protocol facilitates remote procedure calls (RPC) in distributed computing environments, allowing applications to communicate and invoke functions across networked systems.
CVE-2023-34056 (CVSS 4.3 Medium): vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

Multiple Vulnerabilities Discovered In PHP 8

Several vulnerabilities were identified in PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. Although the group does include one critical and two high-severity vulnerabilities, these require particular contexts to be present for exploitation: either PHP applications deserializing data using PHAR, or PHP’s core path resolution functions being used on untrusted input. Greenbone’s enterprise VT feed includes multiple detection tests for these vulnerabilities across multiple platforms.

Here are brief descriptions of the most severe recent PHP 8 vulnerabilities:

CVE-2023-3824 (CVSS 9.8 Critical): A PHAR file (short for PHP Archive) is a compressed packaging format in PHP, which is used to distribute and deploy complete PHP applications in a single archive file. While reading directory entries during the PHAR archive loading process, insufficient length checking may lead to a stack buffer overflow [CWE-121], potentially leading to memory corruption or remote code execution (RCE).
CVE-2023-0568 (CVSS 8.1 High): PHP’s core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system `MAXPATHLEN` setting, this may lead to the byte after the allocated buffer being overwritten with a NULL value, which might lead to unauthorized data access or modification. PHP’s core path resolution is used by the `realpath()` and `dirname()` functions, when including other files using `include()`, `include_once()`, `require()`, and `require_once()`, and when resolving PHP’s “magic constants” such as `__FILE__` and `__DIR__`.
CVE-2023-0567 (CVSS 6.2 Medium): PHP’s `password_verify()` function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application accepting any password for this entry as valid [CWE-287]. Notably, this vulnerability has been assigned different CVSS scores by NIST (CVSS 6.2 Medium) and the PHP Group CNA (CVSS 7.7 High), the difference being that the PHP Group CNA considers CVE-2023-0567 a high risk to confidentiality while NIST does not. CNAs are independent vendors, researchers, open source software developers, CERTs, hosted service providers, and bug bounty organizations authorized by the CVE Program to assign CVE IDs and publish CVE records within their own specific scopes of coverage.
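
Two of the PHP issues above are, at bottom, input-handling checks that any native code can get wrong: sizing a path buffer so the terminating NUL fits (CVE-2023-0568), and keeping malformed password hashes out of the database in the first place (CVE-2023-0567). The C code below is an added example written for this post, not PHP’s source or its fix; `MAXPATHLEN`, the function names, the thresholds and the sample hash strings are this example’s own assumptions, and the bcrypt check is a syntax check on the stored string, not a verification of the hash.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096   /* assumed limit for this example */
#endif

/* Return a heap copy of `path`, or NULL if it does not fit below MAXPATHLEN.
 * The allocation is strlen(path) + 1 so the terminating NUL lands inside it;
 * sizing the buffer at strlen(path) would write that NUL one byte past the
 * end, the off-by-one pattern described for CVE-2023-0568. Caller frees. */
char *copy_bounded_path(const char *path)
{
    size_t len = strlen(path);
    if (len >= MAXPATHLEN)          /* no room left for the terminator */
        return NULL;
    char *buf = malloc(len + 1);    /* +1 for the NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, path, len + 1);
    return buf;
}

/* Demonstration: a constructed path of exactly MAXPATHLEN bytes is refused. */
int demo_overlong_path_refused(void)
{
    char *p = malloc(MAXPATHLEN + 1);
    if (p == NULL)
        return 0;
    memset(p, 'x', MAXPATHLEN);
    p[MAXPATHLEN] = '\0';
    char *copy = copy_bounded_path(p);
    free(p);
    free(copy);                     /* free(NULL) is a no-op */
    return copy == NULL;
}

/* Return 1 if `hash` is a well-formed bcrypt string: "$2a$", "$2b$" or "$2y$",
 * a two-digit cost 04..31, "$", then 53 characters from bcrypt's own base64
 * alphabet (./A-Za-z0-9), 60 bytes in total. Rejecting anything else before
 * it is written to the password store keeps malformed entries, the kind
 * CVE-2023-0567 describes password_verify() mis-accepting, out of the database. */
int bcrypt_hash_is_well_formed(const char *hash)
{
    static const char alphabet[] =
        "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    if (strlen(hash) != 60)
        return 0;
    if (hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$')
        return 0;
    if (hash[2] != 'a' && hash[2] != 'b' && hash[2] != 'y')
        return 0;
    if (!isdigit((unsigned char)hash[4]) || !isdigit((unsigned char)hash[5]))
        return 0;
    int cost = (hash[4] - '0') * 10 + (hash[5] - '0');
    if (cost < 4 || cost > 31)
        return 0;
    for (int i = 7; i < 60; i++)
        if (strchr(alphabet, hash[i]) == NULL)
            return 0;               /* e.g. '!' or a space is not allowed */
    return 1;
}

int main(void)
{
    /* constructed sample string, not the hash of any real password */
    const char *ok  = "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0";
    const char *bad = "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!";
    printf("well-formed: %d, malformed: %d\n",
           bcrypt_hash_is_well_formed(ok), bcrypt_hash_is_well_formed(bad));
    printf("MAXPATHLEN-sized path refused: %d\n", demo_overlong_path_refused());
    return 0;
}
```

A format check like `bcrypt_hash_is_well_formed()` belongs at the write side (user creation, password change, data import), where a rejected entry is a logged error rather than an account that later accepts any password.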

SolarWinds Access Rights Manager (ARM): Multiple Critical Vulnerabilities

SolarWinds Access Rights Manager (ARM) prior to version 2023.2.1 is vulnerable to 8 different exploits, including one critical and two high-severity vulnerabilities (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187). These include authenticated and unauthenticated privilege escalation [CWE-269], directory traversal [CWE-22], and remote code execution (RCE) at the most privileged “SYSTEM” level. Greenbone’s enterprise vulnerability feed includes both a local security check (LSC) [1] and remote HTTP detection [2].

SolarWinds ARM is an enterprise access control software for Windows Active Directory (AD) networks and other resources such as Windows File Servers, Microsoft Exchange services, and Microsoft SharePoint as well as virtualization environments, cloud services, NAS devices, and more. The widespread use of ARM and other SolarWinds software products means that its vulnerabilities have a high potential to impact a wide range of large organizations including critical infrastructure.

These and more recent vulnerabilities are disclosed in SolarWinds’ security advisories. Although no reports of active exploitation have been released, mitigation is highly recommended and available by installing SolarWinds ARM version 2023.2.1.

F5 BIG-IP: Unauthenticated RCE And Authenticated SQL Injection Vulnerabilities

Two RCE vulnerabilities in F5 BIG-IP, CVE-2023-46747 (CVSS 9.8 Critical) and CVE-2023-46748 (CVSS 8.8 High), have been observed by CISA to be actively exploited in the wild soon after PoC code was released for CVE-2023-46747. A Metasploit exploit module has also since been published. F5 BIG-IP is a family of hardware and software IT security products for ensuring that applications are always secure and perform the way they should. The platform is produced by F5 Networks, and it focuses on application services ranging from access and delivery to security. Greenbone has added detection for both CVEs [1][2].

CVE-2023-46747 is a remote authentication bypass [CWE-288] vulnerability while CVE-2023-46748 is a remote SQL injection vulnerability [CWE-89] that can only be exploited by an authenticated user. The affected products include the second minor release (X.1) for major versions 14-17 of BIG-IP Advanced Firewall Manager (AFM) and F5 Networks BIG-IP Application Security Manager (ASM).

If you are running an affected version, you can eliminate these vulnerabilities by installing the vendor-provided HOTFIX updates [1][2]. The term “hotfix” implies that the patch can be applied to a system while it is running and operational, without the need for a shutdown or reboot. If updating is not an option, CVE-2023-46747 can be mitigated by downloading and running a bash script that adds or updates the `requiredSecret` attribute in the Tomcat configuration, which is used for authentication between Apache and Tomcat. CVE-2023-46748 can be mitigated by restricting access to the Configuration utility to trusted networks or devices only, and by ensuring that only trusted user accounts exist, thereby limiting the attack surface.


We are pleased to announce another installment in our video series on learning Greenbone!

This time Joseph (@rippledj) will take you through Greenbone’s filters, providing a useful overview of filter functionalities. From the basic filter interface and report customization to understanding the power filter syntax and useful tips and tricks – this video will help you get started using this powerful feature or dig even deeper if you are a seasoned user!


Find the mentioned python-gvm documentation here: Python-gvm documentation

Enjoy honing your skills and stay safe!


CVE-2023-4863 and CVE-2023-5217 are two critical zero-click remote code execution (RCE) vulnerabilities in common image rendering libraries used by all Chromium-based web browsers as well as many other popular mobile and desktop applications. Both share the same CVSS score of 8.8. More specifically, CVE-2023-4863 is a vulnerability in the libwebp library while CVE-2023-5217 is a vulnerability in the libvpx library. Neither CVE-2023-4863 nor CVE-2023-5217 requires user interaction, and both are remote code execution (RCE) vulnerabilities that can be exploited when malicious content is supplied to any client application that uses the affected image processing libraries. In a typical attack a victim could simply visit a website that includes a malicious WebP image; alternatively, these vulnerabilities may be used to target specific individuals directly via social media messages, phishing, or other social engineering techniques.

Both CVEs have been observed to be actively exploited in the wild and have been added to CISA’s Known Exploited Vulnerabilities Catalog. CVE-2023-4863 was first discovered and reported by Citizen Lab on September 9th, 2023. Dubbed BLASTPASS, the flaw was found to be actively used to infect devices with NSO Group’s infamous Pegasus spyware. Active exploitation greatly increases the risk associated with these vulnerabilities, and updating all impacted systems should be given the highest priority.

Scope Of Impact

The scope of impact for CVE-2023-4863 and CVE-2023-5217 includes any applications or other resources that rely on libwebp (for the WebP image format) or libvpx (for the WebM video format). Both CVEs are client-side vulnerabilities, meaning that the end user of an affected application is at risk of being exploited, for example by visiting a malicious website. The use of the WebP and WebM formats is not unique to Chrome or even to web browsers but is incorporated in many other applications across all major OS platforms, including Windows, macOS, and Linux, so the use of libwebp and libvpx is widespread throughout the digital media ecosystem.

Examples of technologies that are confirmed to be impacted include:

A Complete Attack Trajectory and Associated ATT&CK TTP

These two vulnerabilities have all the prerequisites to be classified as high severity. They are considered “zero-click”, meaning that an attacker does not need to use sophisticated social engineering techniques to exploit them. These flaws can be exploited when a victim simply visits a website that hosts an infected WebP resource, making a watering-hole attack a very viable infection path. However, individuals may also be targeted with social engineering lures enticing them to open malicious links or files.

MITRE ATT&CK TTP of the exploit chain are:

  • Drive-By Compromise [T1189]: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Unlike Exploit Public-Facing Application [T1190], the focus of this technique is to exploit software on a client endpoint upon visiting a website.
  • Shared Modules [T1203]: Adversaries may execute malicious payloads via loading shared modules.
  • Exploitation for Client Execution [T1203]: Adversaries may exploit software vulnerabilities in client applications to execute code.
  • Command and Control [TA0011]: Attackers control a system within a victim network to remotely execute arbitrary commands, import additional malware tools, and avoid detection.

MITRE Common Weakness Enumeration (CWE) references include:

  • Out-of-bounds Write [CWE-787]: Writing data past the end, or before the beginning, of the intended memory buffer.
  • Stack-based Buffer Overflow [CWE-121]: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack.
  • Heap-based Buffer Overflow [CWE-122]: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory.

After initial infection, the attack trajectory depends on the nature of the attacker-supplied code that is executed. Initially, attackers will leverage the run-time permission context of the exploited application to download and install a second-stage malware payload with more advanced capabilities and to establish remote command and control (C2). If the attacker successfully gains C2, they will seek to establish persistence, meaning their malware will be loaded every time the infected system reboots, and will attempt to escalate privileges, enumerate the local network, move laterally to higher-value targets, and execute on objectives.

The final-stage objectives also depend heavily on the particular goals of the threat actor but typically may include stealing sensitive data [TA0010] such as account credentials [TA0006] to be cracked offline [T1110.002] and subsequently used for account takeover, importing and executing ransomware [T1486] and demanding payment for a decryptor, or installing a rootkit [TA1014] for the purpose of maintaining persistence [TA0003] and covert spyware.

What is VP8 encoding?

VP8 is a video codec developed as an open and royalty-free alternative to proprietary codecs like H.264. The Internet Engineering Task Force (IETF) published the VP8 Data Format and Decoding Guide as RFC 6386 in November 2011. The protocol itself was developed by On2 Technologies. Google acquired On2 Technologies in February 2010, and later open-sourced VP8 as part of the WebM project. The VP8 video codec is widely used for web video, real-time communication (WebRTC), and various other applications. The libvpx library is a cross-platform, open-source software library that provides an implementation of VP8 and VP9 video codecs.

Summary

CVE-2023-4863 and CVE-2023-5217 are actively exploited client-side, zero-click, remote code execution (RCE) vulnerabilities in widely used image rendering libraries. Rated with CVSS 8.8 critical severity, they impact all Chromium-based web browsers and numerous desktop and mobile applications. As of October 27th, 2023, security updates are at various stages of preparation.

CVE-2023-4863 resides in the libwebp library, while CVE-2023-5217 is in libvpx; both allow attackers to achieve zero-click RCE by supplying malicious WebM-formatted video or WebP-formatted image content to a vulnerable application on a victim’s device.

Victims may encounter these threats by visiting compromised websites or opening other malicious content such as images or videos. Security teams should assess their organization’s degree of exposure to CVE-2023-4863 and CVE-2023-5217 and apply updates as soon as they become available.


Introduction to the Vulnerability Tracking Update!

Welcome to the first Greenbone Vulnerability Tracking blog post! This series of blog posts will summarize the most important new vulnerability tests (VTs) added to the Greenbone community and enterprise vulnerability feeds. The series will provide updates about the new vulnerability detection capabilities added to those feeds and support readers on the learning curve into cybersecurity vulnerability management (VM).

That being said, let’s dive into some recent events making waves in the global threat landscape!

Summary

In October 2023, several high-severity vulnerabilities in the QNAP Turbo NAS System were exposed, rendering many QNAP products vulnerable, and a DoS attack dubbed the “Rapid Reset Attack” was identified in many implementations of the HTTP/2 protocol. The amplification magnitude of the HTTP/2 DoS vulnerability was evidenced by record-breaking DDoS attacks against CloudFlare and Google.

Google Chrome is again the subject of multiple high-severity vulnerabilities, building upon those previously identified in CVE-2023-4863 and CVE-2023-5217. Finally, Greenbone’s VTs can also detect several new vulnerabilities in the WordPress core and several plugins. WordPress users are encouraged to adopt proactive security practices such as enabling automatic updates and only implementing plugins that have a broad user base and receive regular updates.

Greenbone’s vulnerability feed includes detection for all items discussed in this report as well as over 160,000 other vulnerabilities in total. IT security teams are urged to conduct regular vulnerability scanning for all assets and update any impacted systems according to the appropriate mitigation methods.

Multiple Vulnerabilities In QNAP OS

Three days after the publication of the vulnerabilities, Greenbone released detection for CVE-2023-32974, CVE-2023-32970, and CVE-2023-32973. These all impact “QTS” (QNAP Turbo NAS System), a proprietary Linux-based operating system developed by QNAP Systems, Inc., which is the embedded OS in the company’s Network-Attached Storage (NAS) devices. Greenbone’s community vulnerability feed now includes vulnerability tests covering CVE-2023-32974, CVE-2023-32970, and CVE-2023-32973 [1][2][3][4][5].

QNAP has released security updates for:

  • QTS 5.0.1.2425 build 20230609 and later

  • QTS 4.5.4.2467 build 20230718 and later

  • QuTS hero h5.1.0.2424 build 20230609 and later

  • QuTS hero h4.5.4.2476 build 20230728 and later

  • QuTScloud c5.1.0.2498 and later

Here is a summary of each vulnerability:

  • CVE-2023-32974 (CVSS 7.5 High): A path traversal vulnerability [CWE-22] affecting several versions of QTS can be triggered remotely via a network connection adding to the severity of its impact. “Path traversal” vulnerabilities are typically caused by improperly sanitized input allowing an attacker to supply malicious input that references resources outside of the intended scope, potentially leading to unauthorized data access or execution of malicious code.

  • CVE-2023-32970 (CVSS 4.9 Medium): A NULL pointer dereference [CWE-476] vulnerability affecting several versions of QTS. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack remotely. QNAP Enterprise Storage (QES) is not affected.

  • CVE-2023-32973 (CVSS 7.2 High): A buffer copy without checking the size of input [CWE-120] vulnerability has been reported for several versions of QTS. The vulnerability could allow authenticated administrators to execute arbitrary code via a network connection.

QNAP has published mitigation advisories QSA-23-42 and QSA-23-41 with instructions for installing the available firmware updates. Those using QNAP products built with the QTS operating system, as well as the QuTS hero cloud NAS solution or QuTScloud should update their systems as soon as possible.

The HTTP/2 “Rapid Reset Attack” Emerges

Several unrelated DoS vulnerabilities [T1464] were identified and disclosed in the HTTP/2 application layer protocol. HTTP/2 makes up about 65 percent of internet traffic, while less than 10% still uses HTTP/1 and the newer HTTP/3 makes up almost 25%. The weakness in HTTP/2 was disclosed by Internet WAF provider CloudFlare, which claims to have mitigated a record-breaking DDoS attack exceeding 201 million requests per second (RPS). For context, the entire Internet handles between 1 and 3 billion requests per second.

CloudFlare named the attack the “Rapid Reset Attack”. The attack works by leveraging a sizable botnet to abuse HTTP/2’s stream cancellation feature, continuously sending requests and then immediately canceling them. HTTP/2’s stream multiplexing feature allows a single connection to manage multiple concurrent streams without requiring an individual connection for each request. The Rapid Reset Attack leverages this multiplexing feature to open many parallel streams in a single round trip, triggering the target server to start an equivalent number of parallel processes and imposing a high resource cost. The attacker can then quickly issue a large number of RST_STREAM frames to cancel all the requested streams, also in a single round trip, and repeat the process.

While the size of the botnet required to carry out the attack depends on the target’s resources, the Rapid Reset Attack is considered to be a substantial improvement over other known forms of amplification DoS attacks. The vulnerability is tracked as CVE-2023-44487 allowing various software vendors to reference it in any mitigation advisories or security patches.

Here are CVE references to the HTTP/2 Rapid Reset CVE and two other previously disclosed HTTP/2 DoS vulnerabilities that were recently added to Greenbone’s detection NVTs:

  • CVE-2023-44487 aka “HTTP/2 Rapid Reset Attack” (CVSS 7.5 High): The HTTP/2 protocol allows a denial of service (DoS) due to server resource consumption because request cancellation can quickly reset multiple streams at once. CVE-2023-44487 has been observed being actively exploited during August and October 2023.

  • CVE-2020-11080 (CVSS 7.5 High): nghttp2, a C library implementing the HTTP/2 and HTTP/3 protocols, is vulnerable to an attack that leverages an overly large HTTP/2 SETTINGS frame to achieve DoS. nghttp2 versions before 1.41.0 are vulnerable. A proof of concept attack is reportedly available which induces a CPU spike reaching 100% consumption. The vulnerability exploits [CWE-400] “Uncontrolled Resource Consumption” and [CWE-707] “Improper Neutralization”. nghttp2 v1.41.0 fixes this vulnerability, and a workaround is available for those who cannot update: implement an `nghttp2_on_frame_recv_callback` and, if the received frame is a SETTINGS frame with a large number of settings entries (e.g., > 32), drop the connection.

  • CVE-2023-36478 (CVSS 7.5 High): In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 of Eclipse Jetty, an integer overflow [CWE-190] in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. Although there are no known workarounds, the issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53.
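
Both the Rapid Reset pattern and the oversized-SETTINGS workaround for nghttp2 come down to inspecting HTTP/2 frame headers and applying a per-connection policy. The C code below is an added example written for this post, not nghttp2’s, CloudFlare’s or Greenbone’s code: it parses the 9-byte frame header (RFC 9113), rejects a SETTINGS frame carrying more than 32 entries (the threshold the nghttp2 workaround suggests), and drops a connection that sends more RST_STREAM frames per second than a limit. The limit values, type and function names, and the demo helpers are this example’s own assumptions; production servers use more refined heuristics, such as only counting resets of streams that were opened moments earlier.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HTTP/2 (RFC 9113) frame header: 24-bit length, 8-bit type, 8-bit flags,
 * 31-bit stream identifier (the high bit is reserved and must be ignored). */
#define H2_FRAME_HEADER_LEN    9
#define H2_TYPE_RST_STREAM     0x03
#define H2_TYPE_SETTINGS       0x04
#define H2_FLAG_ACK            0x01
#define H2_SETTINGS_ENTRY_LEN  6      /* 16-bit identifier + 32-bit value */

/* Policy thresholds: assumed values for this example, not vendor defaults. */
#define MAX_SETTINGS_ENTRIES   32
#define MAX_RESETS_PER_SECOND  100

typedef struct { uint32_t length; uint8_t type; uint8_t flags; uint32_t stream_id; } h2_frame_hdr;

/* Per-connection counters for a 1-second RST_STREAM window. */
typedef struct { uint64_t window_start_ms; unsigned resets_in_window; } h2_conn_state;

enum h2_verdict { H2_OK = 0, H2_BAD_FRAME = 1, H2_DROP_SETTINGS_FLOOD = 2, H2_DROP_RESET_FLOOD = 3 };

/* Decode a frame header from `buf`; returns 0 on success, -1 if too short. */
int h2_parse_frame_header(const unsigned char *buf, size_t len, h2_frame_hdr *h)
{
    if (len < H2_FRAME_HEADER_LEN) return -1;
    h->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    h->type      = buf[3];
    h->flags     = buf[4];
    h->stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16)
                 | ((uint32_t)buf[7] << 8) | buf[8];
    return 0;
}

/* Encode a frame header; used here only to construct sample frames. */
void h2_write_frame_header(unsigned char *buf, uint32_t length, uint8_t type,
                           uint8_t flags, uint32_t stream_id)
{
    buf[0] = (unsigned char)(length >> 16); buf[1] = (unsigned char)(length >> 8);
    buf[2] = (unsigned char)length;         buf[3] = type; buf[4] = flags;
    buf[5] = (unsigned char)((stream_id >> 24) & 0x7f); buf[6] = (unsigned char)(stream_id >> 16);
    buf[7] = (unsigned char)(stream_id >> 8);           buf[8] = (unsigned char)stream_id;
}

/* Apply the policy to one received frame header. Anything other than H2_OK
 * means the connection should be closed (GOAWAY) and the event logged. */
int h2_inspect_frame(h2_conn_state *st, const h2_frame_hdr *h, uint64_t now_ms)
{
    if (h->type == H2_TYPE_SETTINGS) {
        if (h->flags & H2_FLAG_ACK)                      /* ACK carries no payload */
            return h->length == 0 ? H2_OK : H2_BAD_FRAME;
        if (h->length % H2_SETTINGS_ENTRY_LEN != 0)
            return H2_BAD_FRAME;
        if (h->length / H2_SETTINGS_ENTRY_LEN > MAX_SETTINGS_ENTRIES)
            return H2_DROP_SETTINGS_FLOOD;               /* nghttp2-style workaround */
    } else if (h->type == H2_TYPE_RST_STREAM) {
        if (h->length != 4 || h->stream_id == 0)         /* fixed 4-byte error code */
            return H2_BAD_FRAME;
        if (now_ms - st->window_start_ms >= 1000) {      /* start a new 1 s window */
            st->window_start_ms = now_ms;
            st->resets_in_window = 0;
        }
        if (++st->resets_in_window > MAX_RESETS_PER_SECOND)
            return H2_DROP_RESET_FLOOD;                  /* rapid-reset pattern */
    }
    return H2_OK;
}

/* Demo: `count` RST_STREAM frames within one second; returns the final verdict. */
int h2_demo_reset_burst(unsigned count)
{
    h2_conn_state st = {0, 0};
    unsigned char raw[H2_FRAME_HEADER_LEN];
    h2_frame_hdr h;
    int v = H2_OK;
    for (unsigned i = 0; i < count && v == H2_OK; i++) {
        h2_write_frame_header(raw, 4, H2_TYPE_RST_STREAM, 0, 2 * i + 1);
        h2_parse_frame_header(raw, sizeof raw, &h);
        v = h2_inspect_frame(&st, &h, 1000 + i);         /* all within 1 s */
    }
    return v;
}

/* Demo: one SETTINGS frame with `entries` entries; returns the verdict. */
int h2_demo_settings(unsigned entries)
{
    h2_conn_state st = {0, 0};
    unsigned char raw[H2_FRAME_HEADER_LEN];
    h2_frame_hdr h;
    h2_write_frame_header(raw, entries * H2_SETTINGS_ENTRY_LEN, H2_TYPE_SETTINGS, 0, 0);
    h2_parse_frame_header(raw, sizeof raw, &h);
    return h2_inspect_frame(&st, &h, 1000);
}

int main(void)
{
    printf("32 settings entries: %d, 33 entries: %d\n", h2_demo_settings(32), h2_demo_settings(33));
    printf("100 resets/s: %d, 101 resets/s: %d\n", h2_demo_reset_burst(100), h2_demo_reset_burst(101));
    return 0;
}
```

Note that the SETTINGS check works from the frame header alone, so the connection can be dropped before the payload is even parsed, which is exactly what makes it cheap enough to serve as a DoS mitigation.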

How Is HTTP/3 Different Than HTTP/2?

HTTP/3 was published in 2022 and uses the QUIC protocol, which runs on top of UDP instead of TCP. This differs from HTTP/1 and HTTP/2, which both use TCP as their transport layer protocol. HTTP/3 is enabled on over one-quarter of all websites and is at least partially supported by most web browsers.

HTTP/3 has lower latency due to QUIC’s ability to initialize an encrypted connection using fewer round trips than TCP, and it also leverages multiplexing – allowing a single connection to relay multiple streams of data simultaneously. However, Google believes that HTTP/3 is not susceptible to the Rapid Reset Attack.

More High Severity Vulnerabilities In Chromium

The Chromium browser engine is again subject to a significant set of vulnerabilities in close succession to CVE-2023-4863 and CVE-2023-5217. The additional disclosures include several high-severity CVSS 8.8 CVEs that impact any Chromium-based browsers earlier than version 118.0.5993.70 across all OS platforms including Google Chrome, Microsoft Edge, Opera, and others.

This most recent group of vulnerabilities spans a wide range of components in Chrome. The most severe were found in Chrome’s Site Isolation feature, its Blink rendering engine, and the Chromium PDF renderer. All allow a remote attacker to execute arbitrary code by supplying a victim with specially crafted resources such as a malicious HTML web page or PDF file.

These vulnerabilities do not grant an attacker elevated privileges, and exploitation requires at least a minimal form of user interaction, which prevents them from receiving the highest possible CVSS score of 10. The less severe vulnerabilities disclosed in the group range from CVSS 6.5 to 4.3, classifying them as medium severity. Their technical impacts range from spoofing the browser’s security UI to gaining access to limited information.

Here are the specific details of each associated CVE:

  • CVE-2023-5218 (CVSS 8.8 High): Use after free [CWE-416] in Site Isolation allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Site Isolation is a security feature designed to prevent cross-site data leaks that exploit vulnerabilities in modern processors such as Spectre and Meltdown by isolating each browser tab into its own system process.

  • CVE-2023-5476 (CVSS 8.8 High): Use after free [CWE-416] in Blink History allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Microsoft is tracking this vulnerability as CVE-2023-4074. Blink is a critical component of the Chromium browser engine responsible for rendering web pages and displaying content on the screen.

  • CVE-2023-5474 (CVSS 8.8 High): Heap buffer overflow [CWE-122] in Chrome’s PDF rendering engine allows a remote attacker to execute arbitrary commands on a victim’s computer via a maliciously crafted PDF file [T1204.002] opened in the browser.

  • CVE-2023-5487 (CVSS 6.5 Medium): Inappropriate implementation in full-screen allows an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

  • CVE-2023-5484, CVE-2023-5483, CVE-2023-5481, and CVE-2023-5486 (CVSS 6.5 – 4.3 Medium): Inappropriate implementation in Navigation allows a remote attacker to spoof the security UI via a crafted HTML page. These security UI elements typically include visual cues or warnings displayed in the web browser to help users assess the trustworthiness of a website such as the SSL/TLS certificate validation icon, information about the website’s identity such as the organization’s name or the website’s verified identity, and the contents of the URL bar.

  • CVE-2023-5479 (CVSS 6.5 Medium): Inappropriate implementation in Extensions API allows an attacker who convinced a user to install a malicious extension [T1204] to bypass an enterprise policy [CWE-284] via a crafted HTML page.

  • CVE-2023-5485 (CVSS 4.3 Medium): Inappropriate implementation in Autofill allows a remote attacker to bypass autofill restrictions via a crafted HTML page.

  • CVE-2023-5478 (CVSS 4.3 Medium): Inappropriate implementation in Autofill allows a remote attacker to leak cross-origin data [CWE-200] via a crafted HTML page.

  • CVE-2023-5477 (CVSS 4.3 Medium): Inappropriate implementation in the installer allows a local attacker to bypass discretionary access control [CWE-284] via a crafted command.

  • CVE-2023-5473 (CVSS 4.3 Medium): Use after free [CWE-416] in Cast in Google Chrome allows a remote attacker who had compromised the renderer process to potentially exploit heap corruption [CWE-122] via a crafted HTML page [T1204.001].

How Can Zero-Day Browser Vulnerabilities Be Mitigated?

Browser client-based attacks are especially hard to avoid because accessing internet resources is so fundamental to business operations and daily life. Browser isolation is a virtualization technology that helps increase security when handling web-based content. Browser isolation is designed to prevent attackers from gaining initial access to a device through browser-based vulnerabilities such as the ones mentioned above. Fundamentally, browser isolation sandboxes web browsers so that they operate within a controlled environment, shielding the user’s underlying device and OS from being accessed by malicious web content [T1611], including content that exploits zero-day vulnerabilities.

Browser isolation comes in two primary forms: process-level isolation and remote browser isolation (RBI). Process-level isolation creates isolated containers for each browsing session, preventing a compromise in one session from affecting others or the underlying host system. RBI goes a step further by operating the browser application on a remote server and using a remote desktop protocol like VNC or RDP to relay the rendered web content, allowing users to interact seamlessly. RBI solutions allow the browser to look and operate in the same way as a browser installed locally.

A New Round Of WordPress Vulnerabilities

Greenbone has also added detection for several new CVEs that impact all versions of WordPress up to version 6.3.2. The exploits in WordPress core reported by WordPress security vendor WordFence were called the “most significant security fixes we’ve seen in a while”.

The release of WordPress core 6.3.2 fixes arbitrary shortcode execution resulting from improper input validation [CWE-20]. The WordFence Intelligence Database has added an extensive list of shortcode-related vulnerabilities. Several XSS vulnerabilities were also patched that allow attackers to execute client-side attacks via specially crafted URLs. Greenbone has added detection for the missing security updates [1][2].

A summary of the issues reported includes:

  • Potential disclosure [CWE-200] of user email addresses

  • Remote code execution (RCE) [CWE-94] POP Chains vulnerability

  • Cross-site scripting (XSS) [CWE-725] issue in the post-link navigation block

  • Comments on private posts could be leaked to other users [CWE-200]

  • A way for low-privileged logged-in users to execute any shortcode [CWE-78]

  • XSS vulnerability [CWE-725] in the application password screen

  • XSS vulnerability [CWE-725] in the footnotes block

  • Cache poisoning [CAPEC-14

Whenever possible it is a good idea to enable automatic WordPress updates and avoid the use of unnecessary plugins or those that represent a high potential for security risk. In general, plugins that have a high number of total installations and regularly receive updates are better choices than less popular or unmaintained plugins.
