Vulnerability News - March 17, 2023

Snapshot

March 10, 2023 - March 17, 2023

CISA Known Exploited Vulnerabilities
CVE	Summary	Severity	Vendor	Date Added
CVE-2023-26360	Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution.	N/A	Adobe	March 15, 2023
CVE-2022-41328	Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands.	HIGH	Fortinet	March 14, 2023
CVE-2023-23397	Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.	CRITICAL	Microsoft	March 14, 2023
CVE-2023-24880	Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file.	MEDIUM	Microsoft	March 14, 2023
CVE-2020-5741	Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.	HIGH	Plex	March 10, 2023
CVE-2021-39144	XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.	HIGH	XStream	March 10, 2023
Newswires
Hitachi Energy Confirms Data Breach Following Clop Ransomware Attack Hitachi Energy, a department of Japanese engineering and technology giant Hitachi, confirmed a data breach after the Clop ransomware gang exploited a zero-day vulnerability in Fortra GoAnywhere MFT (Managed File Transfer).				March 17, 2023
Samsung Exynos Chipsets Vulnerable to Remote Hacking White hat hackers at Google’s Project Zero unit discovered multiple vulnerabilities in Samsung’s Exynos chipsets that can be exploited by remote attackers to compromise phones without user interaction.				March 16, 2023
Suspected Chinese Hackers Exploit Fortinet Zero-Day Vulnerability A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.				March 16, 2023
CISA Adds Adobe ColdFusion Bug to Known Exploited Vulnerabilities Catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog.				March 16, 2023
Microsoft Warns of Outlook Zero-Day Exploitation, Offers Detection Script Microsoft has warned of a critical vulnerability in its flagship Microsoft Outlook software, which is being exploited by a "Russian-based threat actor" in-the-wild.				March 15, 2023
Microsoft Outlook Vulnerability Exploited in NTLM-Relay Attacks Microsoft yesterday released a patch for a critical Microsoft Outlook vulnerability (CVE-2023-23397) that allows hackers to remotely steal hashed passwords by simply receiving an email.				March 15, 2023
US Federal Agency Hacked Using Telerik Bug A US federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component (CVE-2019-18935).				March 15, 2023
Rubrik Discloses Data Breach After Exploiting GoAnywhere Zero-Day Cybersecurity firm Rubrik has disclosed a data breach, after a ransomware group exploited a recently disclosed zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.				March 15, 2023
Aruba Networks Patches ClearPass Bugs Aruba Networks has released patches for eight vulnerabilities in its ClearPass Policy Manager software.				March 15, 2023
Microsoft Patches Outlook Zero-Day Exploited by Russian Hackers Microsoft has patched a critical Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia's military intelligence service GRU to target European organizations.				March 14, 2023
Microsoft Patches Windows Zero-Day Exploited in Ransomware Attacks Microsoft has patched a zero-day bug used by attackers to deploy Magniber ransomware payloads without raising any red flags.				March 14, 2023
Microsoft March 2023 Patch Tuesday Fixes 2 Zero-Days, 83 Flaws Microsoft released its March 2023 Patch Tuesday updates today, fixing two actively exploited zero-day vulnerabilities and a total of 83 flaws.				March 14, 2023
Adobe Warns of Zero-Day Exploits in ColdFusion Adobe has issued an urgent warning about "very limited attacks" exploiting a zero-day vulnerability in its Adobe ColdFusion web app development platform.				March 14, 2023
Fortinet Patches High-Severity FortiOS Bug Used in Zero-Day Attacks Fortinet released security updates on March 7, 2023, to address a high-severity security vulnerability (CVE-2022-41328) in FortiOS that allowed threat actors to execute unauthorized code or commands.				March 13, 2023
Vulnerabilities In The News
CVE	Summary	Severity	Vendor	Risk Context
CVE-2023-23397 (25)	Microsoft Outlook Elevation of Privilege Vulnerability	CRITICAL	Microsoft	CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available
CVE-2023-24033 (9)	The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do no...	CRITICAL		Remote Code Execution
CVE-2019-18935 (8)	Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload ...	CRITICAL	Progess	CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available
CVE-2023-23415 (7)	Internet Control Message Protocol Remote Code Execution Vulnerability	CRITICAL		Remote Code Execution Public Exploits Available
CVE-2023-23392 (7)	HTTP Protocol Stack Remote Code Execution Vulnerability	CRITICAL		Remote Code Execution
CVE-2023-21708 (5)	Remote Procedure Call Runtime Remote Code Execution Vulnerability	CRITICAL		Remote Code Execution
CVE-2022-41328 (11)	A improper limitation of a pathname to a restricted directory vulnerability [CWE-22] in Fortinet FortiOS version 7.2.0 throu...	HIGH	Fortinet	CISA Known Exploited Actively Exploited
CVE-2023-24880 (22)	Windows SmartScreen Security Feature Bypass Vulnerability	MEDIUM	Microsoft	CISA Known Exploited
CVE-2022-44698 (8)	Windows SmartScreen Security Feature Bypass Vulnerability	MEDIUM	Microsoft	CISA Known Exploited

CISA Known Exploited Vulnerabilities

CISA added six vulnerabilities to the known exploited vulnerabilities list.

Adobe — ColdFusion

CVE-2023-26360 / Added: March 15, 2023

CVSS Not Assigned

Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution.

Headlines

March 16, 2023 - CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog
March 16, 2023 - CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild
March 15, 2023 - CISA warns of Adobe ColdFusion bug exploited as a zero-day
March 15, 2023 - Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
March 14, 2023 - Adobe fixed ColdFusion flaw listed as under active exploit
March 14, 2023 - Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
March 14, 2023 - Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day

Fortinet — FortiOS

CVE-2022-41328 / Added: March 14, 2023

HIGH CVSS 7.10

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI commands.

Headlines

Microsoft — Office

CVE-2023-23397 / Added: March 14, 2023

CRITICAL CVSS 9.80

Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.

Headlines

Microsoft — Windows

CVE-2023-24880 / Added: March 14, 2023

MEDIUM CVSS 5.40

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a specially crafted malicious file.

Headlines

Plex — Media Server

CVE-2020-5741 / Added: March 10, 2023

HIGH CVSS 7.20

Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.

Headlines

XStream — XStream

CVE-2021-39144 / Added: March 10, 2023

HIGH CVSS 8.50

XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.

Headlines

In The News

Vulnerabilities receiving the most attention in traditional news media.

CVE-2023-23397

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: March 14, 2023

Microsoft Outlook Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Office

Quotes

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client
No indications that Ring has experienced a ransomware event
Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No interaction is required
This could lead to exploitation BEFORE the email is viewed in the Preview Pane
We strongly recommend all customers update Microsoft Outlook for Windows to remain secure
Proof I know my own password right now
A message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password
External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft
The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server. This can lead to exploitation before the email is even viewed in the Preview Pane
Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email
The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required
External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim

Headlines

CVE-2023-24033

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 13, 2023

The Samsung Exynos Modem 5123, Exynos Modem 5300, Exynos 980, Exynos 1080, and Exynos Auto T512 baseband modem chipsets do not properly check format types specified by the Session Description Protocol (SDP) module, which can lead to a denial of service.

Quotes

Why did company X get an extra three weeks to fix their bug, while company Y did not
Those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely
With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim's phone number
Allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number
The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem

Headlines

CVE-2019-18935

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Dec. 11, 2019

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Vendor Impacted: Progess

Product Impacted: Asp.net Ajax

Quotes

Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan
CISA analysts determined that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in Progress Telerik user interface for ASP.NET AJAX. Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server
Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server
Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency's Microsoft Internet Information Services (IIS) web server
No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions

Headlines

CVE-2023-23415

CRITICAL CVSS 9.80

Remote Code Execution Public Exploits Available

Published: March 14, 2023

Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

Quotes

Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client
This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email

Headlines

CVE-2023-23392

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 14, 2023

HTTP Protocol Stack Remote Code Execution Vulnerability

Quotes

Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client
This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email

Headlines

CVE-2023-21708

CRITICAL CVSS 9.80

Remote Code Execution

Published: March 14, 2023

Remote Procedure Call Runtime Remote Code Execution Vulnerability

Quotes

The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server. This can lead to exploitation before the email is even viewed in the Preview Pane
Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client

Headlines

CVE-2022-41328

HIGH CVSS 7.10

CISA Known Exploited Actively Exploited

Published: March 7, 2023

A improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.

Vendor Impacted: Fortinet

Product Impacted: Fortios

Quotes

A improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands
We believe the targeting of these devices will continue to be the go to technique for espionage groups attempting to access hard targets
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets
The attack is highly targeted, with some hints of preferred governmental or government-related targets
Attackers smell blood in the water
To read and write arbitrary files via crafted CLI commands
The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client
An improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands
A improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands

Headlines

CVE-2023-24880

MEDIUM CVSS 5.40

CISA Known Exploited

Published: March 14, 2023

Windows SmartScreen Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Windows

Quotes

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client
We strongly recommend all customers update Microsoft Outlook for Windows to remain secure
Proof I know my own password right now
External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control
The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server. This can lead to exploitation before the email is even viewed in the Preview Pane
Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user
This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email
This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants
TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe - a notable divergence from Magniber's typical targeting, which usually focuses on South Korea and Taiwan
External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim

Headlines

CVE-2022-44698

MEDIUM CVSS 5.40

CISA Known Exploited

Published: Dec. 13, 2022

Windows SmartScreen Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11, Windows Server 2022, Defender, Windows 10, Windows Server 2019, Windows Server 2016

Quotes

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client
Triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server
This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants
Microsoft patched CVE-2022-44698 in smartscreen.exe, by not raising an error in this specific case, but rather taking an alternative path
TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe - a notable divergence from Magniber's typical targeting, which usually focuses on South Korea and Taiwan

Headlines

Vulnerability and threat intelligence direct to your inbox every week.

Subscribe to Pulse

Accelerate Security Teams

Schedule a free consultation with a vulnerability expert to discuss your use cases and to see a demo.

Request a Demo

Solutions

By Solution

By Feature

I Want To…

Learn More

VULNERA vs Vulnerability Scanners

Who It’s For

CISO’s

IT & Security Teams

Risk & Compliance

Security Assessment Buyers Guide

Resources

Resources

Blog

Threat Intelligence

I Want To…

Learn More

Top 10 Vulnerability Management Questions Answered

About

About

Partners

I Want To…

Learn More

Simplifying Vulnerability Management

VULNERA Pulse

A digest of noteworthy issues being discussed in the information security industry.

March 17, 2023

Subscribe

Accelerate Security Teams

Quick Menu

Solutions

Features

CISO Challenges

IT Challenges

Compliance

Subscribe

By Solution

By Feature

I Want To…

Learn More

VULNERA vs Vulnerability Scanners

Security Assessment Buyers Guide

Resources

Resources

Blog

Threat Intelligence

I Want To…

Learn More

Top 10 Vulnerability Management Questions Answered

About

About

Partners

I Want To…

Learn More

Simplifying Vulnerability Management

VULNERA Pulse

A digest of noteworthy issues being discussed in the information security industry.

March 17, 2023

Snapshot

CISA Known Exploited Vulnerabilities

Newswires

Vulnerabilities In The News

CISA Known Exploited Vulnerabilities

Adobe — ColdFusion

Fortinet — FortiOS

Microsoft — Office

Microsoft — Windows

Plex — Media Server

XStream — XStream

In The News

Subscribe

Accelerate Security Teams

Quick Menu

Features

Subscribe