This week saw the publication of 493 new CVE IDs. Of those, 58 have not yet been assigned official CVSS scores. Of the ones that have, approximately 18% were of critical severity, 24% were high, 57% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations' IT infrastructures. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that an organization can use to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Unknown
Disturbingly, Fortinet has disclosed another critical vulnerability in its products this week, this time a heap buffer underflow (a buffer underwrite) in the administrative interface of FortiOS and FortiProxy that can lead to unauthenticated remote code execution. The vulnerability, tracked as CVE-2023-25610, affects a long list of Fortinet products. The big ones on which Fortinet believes it can be exploited for remote code execution are FortiOS and FortiProxy, but Fortinet also lists a number of hardware models, including FortiGate and FortiWiFi units, on which it believes only a denial-of-service condition (crashing the administrative GUI) is achievable even when they run a vulnerable FortiOS build. A full list of the affected products and fixed versions can be found in the official Fortinet disclosure, which also gives the usual interim workaround of disabling the HTTP/HTTPS administrative interface or restricting which source addresses may reach it until the device is upgraded. Unauthenticated remote code execution vulnerabilities in perimeter products such as those created and sold by Fortinet are particularly concerning because they give threat actors a foothold from which to reach an organization's internal infrastructure. Fortinet states in its disclosure that it is not aware of any public exploitation of this vulnerability, although this comes off the back of CISA warning that threat actors are actively exploiting other Fortinet vulnerabilities, with a focus on government organizations.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
Google has disclosed and patched two distinct critical remote code execution vulnerabilities in the System component of its Android mobile operating system this week. The two vulnerabilities, tracked as CVE-2023-20951 and CVE-2023-20954, affect multiple versions of Android, and Google has stated that it is intentionally holding back technical details to hinder exploit development by threat actors. Threat actors frequently seek out vulnerabilities in mobile applications and frameworks, as mobile devices have increasingly become "crown jewel" assets sought out by highly motivated and well-financed attackers. For a complete list of patches and affected Android versions, check the Google disclosure.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: Unknown
Veeam has patched and disclosed a vulnerability which allows an unauthenticated attacker who can reach the Veeam Backup Service (TCP port 9401 by default) to retrieve encrypted credentials stored in the Backup & Replication configuration database, which Veeam says may lead to access to the backup infrastructure hosts. The Veeam advisory does not spell out how an attacker could make use of these "encrypted" credentials; however, the assigned CVSS score of 7.5, consistent with an unauthenticated, network-reachable disclosure of high-value confidential data, suggests that the credentials are not safe in their encrypted state. While it is only speculation, it is very possible that Veeam was protecting the service's credentials with hardcoded or otherwise recoverable keys, so that a trivial attack would yield privileged credentials. The vulnerability, tracked as CVE-2023-27532, affects all versions of Veeam Backup & Replication; patches have been released for versions 11 and 12, and older versions must be upgraded. For those who cannot upgrade immediately, the vendor's temporary workaround is to block external connections to TCP port 9401 on the backup server. Note that this is only viable for an all-in-one deployment: remote backup infrastructure components (proxies, repositories, remote consoles) rely on that port and will break if it is blocked. This vulnerability is particularly concerning as Veeam is a prolific backup solution whose servers commonly hold sensitive material such as key disaster recovery backups and privileged credentials for much of an environment.
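The port-9401 workaround described above, as an added example that is not Veeam's or Control Gap's code. It applies the block with Windows Firewall on the backup server itself and first checks that something is actually listening on the port. Assumptions, in the comments as well: the script runs as an administrator on an all-in-one Veeam Backup & Replication server with no remote backup infrastructure components, and the rule name and the default port number are illustrative choices.

```powershell
# Added example (not Veeam's or Control Gap's code): apply the vendor's temporary
# workaround for CVE-2023-27532 on an all-in-one Veeam Backup & Replication server
# by blocking inbound TCP 9401 (the default Veeam Backup Service port) in Windows
# Firewall. Assumptions: run as Administrator on the backup server; no remote
# backup infrastructure components (proxies, repositories, remote consoles) need
# to reach this port, otherwise the rule will break them and you should patch instead.

$Port     = 9401   # assumption: default Veeam Backup Service port, change if customized
$RuleName = 'CVE-2023-27532 - block inbound Veeam Backup Service (TCP 9401)'

function Test-VeeamServiceListening {
    # Report what is listening on the port so the rule is not applied blindly.
    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $conn) { return $false }
    $proc = Get-Process -Id ($conn | Select-Object -First 1).OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("TCP {0} is open, owned by PID {1} ({2})" -f $Port, $proc.Id, $proc.ProcessName)
    return $true
}

function Add-VeeamPortBlockRule {
    # Idempotent: create the block rule only if it is not already present.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $RuleName"
        return
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created block rule: $RuleName"
}

if (Test-VeeamServiceListening) {
    Add-VeeamPortBlockRule
} else {
    Write-Warning "Nothing is listening on TCP $Port; confirm this is the Veeam backup server before adding the rule."
}

# Show the rule's port filter. Block rules take precedence over allow rules in
# Windows Firewall, so this one is effective regardless of any existing Veeam allow rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Verify from another host with `Test-NetConnection -ComputerName <backup-server> -Port 9401` that the port no longer accepts connections, and remove the rule with `Remove-NetFirewallRule -DisplayName '<rule name>'` once the Veeam patch has been installed. If the host's firewall is managed by Group Policy or a third-party product, apply the equivalent block there instead.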
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
A lingering vulnerability in Microsoft Word that is at least a year old has finally been publicly acknowledged and patched by Microsoft this past week. Security researcher Joshua Drake (@jduck on Twitter) discovered the vulnerability and famously published a proof-of-concept trigger that fits within a tweet. The vulnerability lies in Word's Rich Text Format (RTF) parser and can result in remote code execution. Exploit payloads could be delivered via email, and Microsoft has confirmed that the Preview Pane is an attack vector, meaning a victim need not even open the attachment. Microsoft has been making great strides in mitigating malspam and other attacks that arrive over the internet but execute on the endpoint, but the enormous surface area of Microsoft products means that threat actors will almost certainly continue developing novel avenues of attack. The vulnerability is tracked as CVE-2023-21716 and Microsoft is urging customers to apply the latest available update; for those who cannot patch immediately, the advisory lists reading email in plain text and using the Office File Block policy to stop Word from opening RTF files as interim workarounds. More information can be found in the Microsoft advisory.
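The Office File Block workaround mentioned above, as an added example that is not Microsoft's or Control Gap's code. It shows the registry values Microsoft's File Block guidance uses to block RTF entirely, alongside a read-back of the current (unblocked) state and a rollback for after the update is installed. Assumptions, also stated in the comments: Office 2016/2019/2021/Microsoft 365 (registry version key 16.0) and per-user scope under HKCU; the function names are illustrative.

```powershell
# Added example (not Microsoft's or Control Gap's code): apply the Office File
# Block workaround that Microsoft lists for CVE-2023-21716, so that Word refuses
# to open RTF files at all until the update can be installed. Assumptions: Office
# 2016/2019/2021/Microsoft 365 (registry version key 16.0) and per-user scope
# (HKCU), so it must be applied for every user profile that runs Word; it does
# not replace the security update.

$OfficeVersion = '16.0'   # assumption: adjust for other Office builds
$KeyPath = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

function Get-RtfFileBlockState {
    # Current File Block settings for RTF (both $null when the key has never been set,
    # which is the weak default: RTF opens normally, including from the Preview Pane).
    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{ RtfFiles = $null; OpenInProtectedView = $null }
    }
    Get-ItemProperty -Path $KeyPath | Select-Object RtfFiles, OpenInProtectedView
}

function Set-RtfFileBlock {
    # RtfFiles = 2            -> "do not open selected file types"
    # OpenInProtectedView = 0 -> do not fall back to opening them in Protected View
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name RtfFiles -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name OpenInProtectedView -PropertyType DWord -Value 0 -Force | Out-Null
}

function Remove-RtfFileBlock {
    # Roll back once the update is installed; RtfFiles = 0 means the type is not blocked.
    if (Test-Path $KeyPath) {
        Set-ItemProperty -Path $KeyPath -Name RtfFiles -Value 0
    }
}

Write-Host 'Before:'; Get-RtfFileBlockState | Format-List
Set-RtfFileBlock
Write-Host 'After:';  Get-RtfFileBlockState | Format-List
```

Expect users to be unable to open any RTF document in Word while this is in place, so treat it as a short-lived stopgap, deploy it through Group Policy (Office File Block policy) rather than per-user scripts where possible, and run the rollback after the security update has been confirmed on each endpoint.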