VULNERA Pulse

Microsoft — SharePoint Server

CVE-2023-29357 / Added: Jan. 10, 2024

CRITICAL CVSS 9.80 EPSS Score 10.70 EPSS Percentile 94.54

Microsoft SharePoint Server contains an unspecified vulnerability that allows an unauthenticated attacker, who has gained access to spoofed JWT authentication tokens, to use them for executing a network attack. This attack bypasses authentication, enabling the attacker to gain administrator privileges.

Headlines

• Jan. 12, 2024 - CISA Adds 9.8 'Critical' Microsoft SharePoint Bug to its KEV Catalog
• Jan. 12, 2024 - CISA: Critical SharePoint vuln is under active exploitation
• Jan. 12, 2024 - CISA: Critical Microsoft SharePoint bug now actively exploited
• Jan. 12, 2024 - Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability
• Jan. 11, 2024 - CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog
• Dec. 16, 2023 - PoC Released for SharePoint Pre-Auth RCE Chain (CVE-2023-29357 & CVE-2023-24955)
• Oct. 2, 2023 - OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code
• Sept. 29, 2023 - Exploit released for Microsoft SharePoint Server auth bypass flaw
• Sept. 27, 2023 - Researchers Release Details of New RCE Exploit Chain for SharePoint
• Sept. 27, 2023 - CVE-2023-29357: Privilege Escalation with Microsoft SharePoint Server PoC + Exploit
• June 30, 2023 - Apple, Google, and MOVEit Just Patched Serious Security Flaws
• June 14, 2023 - Microsoft Fixes 69 Bugs, but None Are Zero-Days
• June 14, 2023 - No Zero-Days but PGM Flaws Cause Patch Tuesday Concern
• June 14, 2023 - Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software
• June 14, 2023 - Microsoft patches 94 vulnerabilities
• June 13, 2023 - June Patch Tuesday 2023: Updates and Analysis | CrowdStrike
• June 13, 2023 - A smorgasbord for June’s Patch Tuesday
• June 13, 2023 - Microsoft Patch Tuesday, June 2023 Edition –
• June 13, 2023 - Meh Microsoft Patch Tuesday, VMware vuln exploited by China
• June 13, 2023 - Microsoft discloses 5 critical vulnerabilities in June's Patch Tuesday, no zero-days
• June 13, 2023 - June 2023 Patch Tuesday: Critical patches for Microsoft Windows, SharePoint, Exchange
• June 13, 2023 - Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs

Back to top ↑

Ivanti — Connect Secure and Policy Secure

CVE-2024-21887 / Added: Jan. 10, 2024

CRITICAL CVSS 9.10

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.

Headlines

• Jan. 12, 2024 - Ivanti Connect Secure zero-days exploited to deploy custom malware
• Jan. 12, 2024 - Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
• Jan. 11, 2024 - Ivanti Researchers Report Two Critical Zero-Day Vulnerabilities
• Jan. 11, 2024 - CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog
• Jan. 11, 2024 - Two zero-day bugs in Ivanti Connect Secure actively exploited
• Jan. 11, 2024 - Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)
• Jan. 11, 2024 - Two Ivanti Zero-Days Actively Exploited in the Wild
• Jan. 11, 2024 - Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure
• Jan. 11, 2024 - Ivanti's Critical Security Alert: Two Zero-Days Exploited in the Wild
• Jan. 11, 2024 - Ivanti patches two exploited zero-day bugs
• Jan. 10, 2024 - Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways | CISA

Back to top ↑

Ivanti — Connect Secure and Policy Secure

CVE-2023-46805 / Added: Jan. 10, 2024

HIGH CVSS 8.20

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.

Headlines

• Jan. 12, 2024 - Ivanti Connect Secure zero-days exploited to deploy custom malware
• Jan. 12, 2024 - Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
• Jan. 11, 2024 - Ivanti Researchers Report Two Critical Zero-Day Vulnerabilities
• Jan. 11, 2024 - CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog
• Jan. 11, 2024 - Two zero-day bugs in Ivanti Connect Secure actively exploited
• Jan. 11, 2024 - Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)
• Jan. 11, 2024 - Two Ivanti Zero-Days Actively Exploited in the Wild
• Jan. 11, 2024 - Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure
• Jan. 11, 2024 - Ivanti's Critical Security Alert: Two Zero-Days Exploited in the Wild
• Jan. 11, 2024 - Ivanti patches two exploited zero-day bugs
• Jan. 10, 2024 - Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways | CISA

Back to top ↑

Adobe — ColdFusion

CVE-2023-38203 / Added: Jan. 8, 2024

CRITICAL CVSS 9.80 EPSS Score 50.97 EPSS Percentile 97.26

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.

Headlines

• Jan. 9, 2024 - CISA warns agencies of fourth flaw used in Triangulation spyware attacks
• July 20, 2023 - Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
• July 17, 2023 - Critical ColdFusion flaws exploited in attacks to drop webshells
• July 17, 2023 - Adobe warns of critical Colfdusion RCE bug exploited in attacks
• July 17, 2023 - Adobe warns of critical ColdFusion RCE bug exploited in attacks
• July 17, 2023 - Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw

Back to top ↑

D-Link — DSL-2750B Devices

CVE-2016-20017 / Added: Jan. 8, 2024

CRITICAL CVSS 9.80 EPSS Score 0.69 EPSS Percentile 77.90

D-Link DSL-2750B devices contain a command injection vulnerability that allows remote, unauthenticated command injection via the login.cgi cli parameter.

Headlines

• Oct. 10, 2023 - Mirai reloads exploit arsenal before latest expansion drive
• Oct. 10, 2023 - Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal
• Dec. 22, 2022 - A new Zerobot variant spreads by exploiting Apache flaws

Back to top ↑

Apache — Superset

CVE-2023-27524 / Added: Jan. 8, 2024

CRITICAL CVSS 9.80 EPSS Score 96.22 EPSS Percentile 99.41

Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.

Headlines

• Jan. 10, 2024 - CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack
• Jan. 9, 2024 - CISA warns agencies of fourth flaw used in Triangulation spyware attacks
• Jan. 9, 2024 - CISA adds Apache Superset bug to its Known Exploited Vulnerabilities catalog
• Sept. 11, 2023 - PoC Exploit for CVE-2023-27524 in Apache Superset Leads to RCE Released
• Sept. 7, 2023 - Two flaws in Apache SuperSet allow to remotely hack servers
• Sept. 7, 2023 - Alert: Apache SuperSet Vulnerabilities Expose Servers to Remote Code Execution Attacks
• June 9, 2023 - Fortinet and PaperCut: Unveiling Critical Vulnerabilities in 2023
• April 30, 2023 - newsletter Round 417 by Pierluigi Paganini – International edition
• April 30, 2023 - Week in review: PaperCut vulnerabilities, VMware fixes critical flaws, RSA Conference 2023
• April 26, 2023 - Common insecure configuration opens Apache Superset servers to compromise
• April 26, 2023 - Thousands of publicly-exposed Apache Superset installs exposed to RCE attacks
• April 26, 2023 - Organizations Warned of Security Risk in Default Apache Superset Configurations
• April 26, 2023 - Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks
• April 25, 2023 - Apache Superset: Insecure defaults leave systems vulnerable

Back to top ↑

Adobe — ColdFusion

CVE-2023-29300 / Added: Jan. 8, 2024

CRITICAL CVSS 9.80 EPSS Score 93.31 EPSS Percentile 98.89

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.

Headlines

• Jan. 9, 2024 - CISA warns agencies of fourth flaw used in Triangulation spyware attacks
• July 17, 2023 - Adobe warns customers of a critical ColdFusion RCE exploited in attacks
• July 17, 2023 - Adobe warns of critical ColdFusion RCE bug exploited in attacks
• July 17, 2023 - Critical ColdFusion flaws exploited in attacks to drop webshells
• July 17, 2023 - Adobe warns of critical Colfdusion RCE bug exploited in attacks
• July 17, 2023 - Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw
• July 11, 2023 - Microsoft Warns of Office Zero-Day Attacks, No Patch Available
• July 11, 2023 - July’s Patch Tuesday: A rich harvest
• July 11, 2023 - Adobe Patch Tuesday: Critical Flaws Haunt InDesign, ColdFusion

Back to top ↑

Apple — Multiple Products

CVE-2023-41990 / Added: Jan. 8, 2024

HIGH CVSS 7.80 EPSS Score 0.07 EPSS Percentile 30.40

Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file.

Headlines

• Jan. 10, 2024 - CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack
• Jan. 9, 2024 - CISA warns agencies of fourth flaw used in Triangulation spyware attacks
• Jan. 8, 2024 - "Forgotten" debugging registers enabled Triangulation exploit against iPhones
• Dec. 29, 2023 - ‘Operation Triangulation’ Spyware Attackers Bypass iPhone Memory Protections
• Dec. 28, 2023 - Operation Triangulation attacks relied on an undocumented hardware feature
• Dec. 28, 2023 - Most Sophisticated iPhone Hack Ever Exploited Apple's Hidden Hardware Feature
• Dec. 28, 2023 - Mysterious Apple SoC Feature Exploited to Hack Kaspersky Employee iPhones
• Dec. 28, 2023 - Beyond Zero-Day: Operation Triangulation Redefines iPhone Hacking
• Nov. 4, 2023 - Inside Operation Triangulation: How Kaspersky Catch iOS Exploits
• Oct. 27, 2023 - SAS 2023: Key Research
• Oct. 26, 2023 - Apple issued another patch to stop TriangleDB cyber snooping
• Oct. 26, 2023 - Operation Triangulation iOS Attack Details Revealed

Back to top ↑

Joomla! — Joomla!

CVE-2023-23752 / Added: Jan. 8, 2024

MEDIUM CVSS 5.30 EPSS Score 96.19 EPSS Percentile 99.40

Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints.

Headlines

• Dec. 14, 2023 - New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks
• Feb. 24, 2023 - This Week In Security: GoDaddy, Joomla, And ClamAV

Back to top ↑

CVE-2023-7028

CRITICAL CVSS 10.00

Public Exploits Available

Published: Jan. 12, 2024

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

Quotes

• Within these versions, all authentication mechanisms are impacted
• No specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected
• A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process
• We have not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. Self-managed customers can review their logs to check for possible attempts to exploit this vulnerability

Headlines

• Jan. 12, 2024 - GitLab Releases Updates to Address Critical Vulnerabilities
• Jan. 12, 2024 - GitLab warns of critical zero-click account hijacking vulnerability
• Jan. 12, 2024 - Urgent: GitLab Releases Patch for Critical Vulnerabilities - Update ASAP
• Jan. 12, 2024 - Critical GitLab flaw allows account takeover without user interaction, patch quickly! (CVE-2023-7028)
• Jan. 12, 2024 - CVE-2023-7028 & 5356: GitLab Addresses Account Takeover & Command Flaws

CVE-2023-29357

CRITICAL CVSS 9.80 EPSS Score 10.70 EPSS Percentile 94.54

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: June 14, 2023

Microsoft SharePoint Server Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Sharepoint Server

Quotes

• Nearly a year of meticulous effort and research
• I am aware of one ransomware group that finally has a working exploit for this
• An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user

Headlines

• Jan. 12, 2024 - CISA Adds 9.8 'Critical' Microsoft SharePoint Bug to its KEV Catalog
• Jan. 12, 2024 - CISA: Critical SharePoint vuln is under active exploitation
• Jan. 12, 2024 - CISA: Critical Microsoft SharePoint bug now actively exploited
• Jan. 12, 2024 - Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability
• Jan. 11, 2024 - CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog

CVE-2023-5356

CRITICAL CVSS 9.60

Risk Context N/A

Published: Jan. 12, 2024

Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user.

Quotes

• Within these versions, all authentication mechanisms are impacted
• No specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected
• A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process

Headlines

• Jan. 12, 2024 - GitLab Releases Updates to Address Critical Vulnerabilities
• Jan. 12, 2024 - GitLab warns of critical zero-click account hijacking vulnerability
• Jan. 12, 2024 - Urgent: GitLab Releases Patch for Critical Vulnerabilities - Update ASAP
• Jan. 12, 2024 - CVE-2023-7028 & 5356: GitLab Addresses Account Takeover & Command Flaws

CVE-2024-21887

CRITICAL CVSS 9.10

CISA Known Exploited

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, Connect Secure And Policy Secure

Quotes

• Reason to believe … is a Chinese nation-state level threat actor
• These families allow the threat actors to circumvent authentication and provide backdoor access to these devices
• We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected
• If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system
• ZIPLINE is the most notable of these families, it is a passive backdoor that hijacks an exported function accept() from libsecure\.so. ZIPLINE intercepts incoming network traffic and supports file transfer, reverse shell, tunneling, and proxying
• During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers

Headlines

• Jan. 12, 2024 - Ivanti Connect Secure zero-days exploited to deploy custom malware
• Jan. 12, 2024 - Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
• Jan. 11, 2024 - Ivanti Researchers Report Two Critical Zero-Day Vulnerabilities
• Jan. 11, 2024 - CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog
• Jan. 11, 2024 - Two zero-day bugs in Ivanti Connect Secure actively exploited
• Jan. 11, 2024 - Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)
• Jan. 11, 2024 - Two Ivanti Zero-Days Actively Exploited in the Wild
• Jan. 11, 2024 - Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure
• Jan. 11, 2024 - Ivanti's Critical Security Alert: Two Zero-Days Exploited in the Wild
• Jan. 11, 2024 - Ivanti patches two exploited zero-day bugs
• Jan. 10, 2024 - Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways | CISA

CVE-2024-20674

HIGH CVSS 8.80

Risk Context N/A

Published: Jan. 9, 2024

Windows Kerberos Security Feature Bypass Vulnerability

Quotes

• Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack
• The authentication feature could be bypassed as this vulnerability allows impersonation
• According to the CVSS metric, the attack vector for this vulnerability is categorized as ‘adjacent’ (AV:A), indicating that the attacker must first gain access to a restricted network to launch the attack successfully
• A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac
• An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server
• An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server

Headlines

• Jan. 12, 2024 - For Patch Tuesday, 48 updates, no zero-day flaws
• Jan. 10, 2024 - Microsoft Fixes 12 RCE Bugs in January Patch Tuesday
• Jan. 10, 2024 - Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities
• Jan. 10, 2024 - CVE-2024-20674 & 20700: Two Critical Flaws in Microsoft Patch Tuesday January 2024
• Jan. 9, 2024 - Microsoft fixes ancient Kerberos impersonation bug
• Jan. 9, 2024 - Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security
• Jan. 9, 2024 - January Patch Tuesday: New year, new Windows' bugs
• Jan. 9, 2024 - 2024’s first Patch Tuesday steps lightly
• Jan. 9, 2024 - Microsoft fixes critical flaws in Windows Kerberos, Hyper-V (CVE-2024-20674, CVE-2024-20700)
• Jan. 9, 2024 - Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs
• Jan. 9, 2024 - Microsoft starts off new year with relatively light Patch Tuesday, no zero-days

CVE-2024-0056

HIGH CVSS 8.70

Risk Context N/A

Published: Jan. 9, 2024

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

Quotes

• Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack
• The authentication feature could be bypassed as this vulnerability allows impersonation
• According to the CVSS metric, the attack vector for this vulnerability is categorized as ‘adjacent’ (AV:A), indicating that the attacker must first gain access to a restricted network to launch the attack successfully
• An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server

Headlines

• Jan. 12, 2024 - For Patch Tuesday, 48 updates, no zero-day flaws
• Jan. 10, 2024 - Microsoft Fixes 12 RCE Bugs in January Patch Tuesday
• Jan. 10, 2024 - Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities
• Jan. 10, 2024 - CVE-2024-20674 & 20700: Two Critical Flaws in Microsoft Patch Tuesday January 2024
• Jan. 9, 2024 - Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security

CVE-2023-46805

HIGH CVSS 8.20

CISA Known Exploited Remote Code Execution

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, Connect Secure And Policy Secure

Quotes

• Reason to believe … is a Chinese nation-state level threat actor
• These families allow the threat actors to circumvent authentication and provide backdoor access to these devices
• We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected
• If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system
• ZIPLINE is the most notable of these families, it is a passive backdoor that hijacks an exported function accept() from libsecure\.so. ZIPLINE intercepts incoming network traffic and supports file transfer, reverse shell, tunneling, and proxying
• During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers

Headlines

• Jan. 12, 2024 - Ivanti Connect Secure zero-days exploited to deploy custom malware
• Jan. 12, 2024 - Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families
• Jan. 11, 2024 - Ivanti Researchers Report Two Critical Zero-Day Vulnerabilities
• Jan. 11, 2024 - CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog
• Jan. 11, 2024 - Two zero-day bugs in Ivanti Connect Secure actively exploited
• Jan. 11, 2024 - Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)
• Jan. 11, 2024 - Two Ivanti Zero-Days Actively Exploited in the Wild
• Jan. 11, 2024 - Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure
• Jan. 11, 2024 - Ivanti's Critical Security Alert: Two Zero-Days Exploited in the Wild
• Jan. 11, 2024 - Ivanti patches two exploited zero-day bugs
• Jan. 10, 2024 - Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways | CISA

CVE-2024-20700

HIGH CVSS 7.50

Remote Code Execution

Published: Jan. 9, 2024

Windows Hyper-V Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 22h2, Windows 10 1809, Windows 10 21h2, Windows 11 23h2, Windows 11 22h2, Windows Server 2022, Windows Server 2019, Windows Server 2022 23h2, Windows 11 21h2

Quotes

• Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack
• The authentication feature could be bypassed as this vulnerability allows impersonation
• According to the CVSS metric, the attack vector for this vulnerability is categorized as ‘adjacent’ (AV:A), indicating that the attacker must first gain access to a restricted network to launch the attack successfully
• An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server
• An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server

Headlines

• Jan. 12, 2024 - For Patch Tuesday, 48 updates, no zero-day flaws
• Jan. 10, 2024 - Microsoft Fixes 12 RCE Bugs in January Patch Tuesday
• Jan. 10, 2024 - Microsoft's January 2024 Windows Update Patches 48 New Vulnerabilities
• Jan. 10, 2024 - CVE-2024-20674 & 20700: Two Critical Flaws in Microsoft Patch Tuesday January 2024
• Jan. 9, 2024 - Microsoft fixes ancient Kerberos impersonation bug
• Jan. 9, 2024 - Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security
• Jan. 9, 2024 - January Patch Tuesday: New year, new Windows' bugs
• Jan. 9, 2024 - Microsoft fixes critical flaws in Windows Kerberos, Hyper-V (CVE-2024-20674, CVE-2024-20700)
• Jan. 9, 2024 - Microsoft starts off new year with relatively light Patch Tuesday, no zero-days

CVE-2024-20666

MEDIUM CVSS 6.60

Risk Context N/A

Published: Jan. 9, 2024

BitLocker Security Feature Bypass Vulnerability

Quotes

• Windows Recovery Environment servicing failed. (CBS_E_INSUFFICIENT_DISK_SPACE
• There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070643)

Headlines

• Jan. 12, 2024 - Windows 10 users with KB5034441 update failure need to manually resize partitions to fix the problem
• Jan. 11, 2024 - Microsoft shares script to update Windows 10 WinRE with BitLocker fixes
• Jan. 10, 2024 - Windows 10 KB5034441 security update fails with 0x80070643 errors
• Jan. 9, 2024 - 2024’s first Patch Tuesday steps lightly