VULNERA Pulse

Ivanti — Endpoint Manager Mobile (EPMM) and MobileIron Core

CVE-2023-35082 / Added: Jan. 18, 2024

CRITICAL CVSS 9.80 EPSS Score 92.45 EPSS Percentile 98.79

Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.

Headlines

• Jan. 19, 2024 - Third Ivanti Vulnerability Exploited in the Wild, CISA Reports
• Jan. 19, 2024 - Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082)
• Jan. 19, 2024 - US CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082
• Jan. 19, 2024 - Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases
• Jan. 19, 2024 - U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
• Jan. 18, 2024 - CISA: Critical Ivanti auth bypass bug now actively exploited
• Jan. 5, 2024 - Ivanti fixed a critical EPM flaw that can result in RCE
• Aug. 22, 2023 - Ivanti Warns of Critical New Zero-Day Bug
• Aug. 22, 2023 - More patches arrive from Ivanti
• Aug. 16, 2023 - Ivanti Avalanche vulnerable to attack by unauthenticated, remote attackers (CVE-2023-32560)
• Aug. 8, 2023 - Microsoft, Intel lead this month's security fix emissions
• Aug. 6, 2023 - newsletter Round 431 by Pierluigi Paganini – International edition
• Aug. 6, 2023 - Week in review: AWS SSM agents as RATs, Patch Tuesday forecast
• Aug. 4, 2023 - Exploitation of Ivanti EPMM Flaw Picking Up as New Vulnerability Is Disclosed
• Aug. 3, 2023 - Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082)
• Aug. 3, 2023 - Rapid7 found a bypass for the recently patched actively exploited Ivanti EPMM bug
• Aug. 3, 2023 - Ivanti Patches Yet Another Critical Flaw
• Aug. 3, 2023 - CVE-2023-35082: Critical Security Vulnerability in MobileIron Core
• Aug. 3, 2023 - Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability
• Aug. 2, 2023 - Ivanti endpoint security needs security upgrade
• Aug. 2, 2023 - Ivanti discloses new critical auth bypass bug in MobileIron Core

Back to top ↑

Citrix — NetScaler ADC and NetScaler Gateway

CVE-2023-6549 / Added: Jan. 17, 2024

HIGH CVSS 8.20

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Headlines

• Jan. 18, 2024 - Citrix Discovers Two Vulnerabilities, Both Exploited in the Wild
• Jan. 18, 2024 - CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
• Jan. 18, 2024 - Two more Citrix NetScaler bugs exploited in the wild
• Jan. 18, 2024 - Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway | CISA
• Jan. 17, 2024 - CISA pushes federal agencies to patch Citrix RCE within a week
• Jan. 17, 2024 - Citrix warns admins to immediately patch NetScaler for actively exploited zero-days
• Jan. 17, 2024 - CVE-2023-6548 & 6549: Two new Citrix Netscaler zero-days exploited in attacks
• Jan. 16, 2024 - Citrix warns of new Netscaler zero-days exploited in attacks

Back to top ↑

Citrix — NetScaler ADC and NetScaler Gateway

CVE-2023-6548 / Added: Jan. 17, 2024

MEDIUM CVSS 5.50

Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.

Headlines

• Jan. 18, 2024 - Citrix Discovers Two Vulnerabilities, Both Exploited in the Wild
• Jan. 18, 2024 - CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
• Jan. 18, 2024 - Two more Citrix NetScaler bugs exploited in the wild
• Jan. 18, 2024 - Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway | CISA
• Jan. 17, 2024 - CISA pushes federal agencies to patch Citrix RCE within a week
• Jan. 17, 2024 - Citrix warns admins to immediately patch NetScaler for actively exploited zero-days
• Jan. 17, 2024 - CVE-2023-6548 & 6549: Two new Citrix Netscaler zero-days exploited in attacks
• Jan. 16, 2024 - Citrix warns of new Netscaler zero-days exploited in attacks

Back to top ↑

Google — Chromium V8

CVE-2024-0519 / Added: Jan. 17, 2024

CVSS Not Assigned

Google Chromium V8 contains an out-of-bounds memory access vulnerability. Specific impacts from exploitation are not available at this time.

Headlines

• Jan. 18, 2024 - CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
• Jan. 17, 2024 - Google Chrome Zero-Day Bug Under Attack, Allows Code Injection
• Jan. 17, 2024 - CISA pushes federal agencies to patch Citrix RCE within a week
• Jan. 17, 2024 - Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
• Jan. 17, 2024 - Google fixes actively exploited Chrome zero-day (CVE-2024-0519)
• Jan. 17, 2024 - Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability
• Jan. 16, 2024 - Google fixed the first actively exploited Chrome zero-day of 2024
• Jan. 16, 2024 - CVE-2024-0519: Google Chrome's Latest Zero-Day Vulnerability
• Jan. 16, 2024 - Google fixes first actively exploited Chrome zero-day of 2024

Back to top ↑

Laravel — Laravel Framework

CVE-2018-15133 / Added: Jan. 16, 2024

HIGH CVSS 8.10 EPSS Score 62.42 EPSS Percentile 97.56

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).

Headlines

• Jan. 17, 2024 - Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials
• Jan. 17, 2024 - CISA Warns of Actively Exploited Laravel Framework RCE Flaw
• Jan. 17, 2024 - FBI: Beware of cloud-credential thieves building botnets
• Jan. 16, 2024 - FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials

Back to top ↑

CVE-2023-22527

CRITICAL CVSS 10.00 EPSS Score 0.04 EPSS Percentile 8.15

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 16, 2024

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

Quotes

• Ultimately mitigated during regular updates
• Must take immediate action to protect their Confluence instances
• Exploits of these CVEs on unmitigated appliances have been observed
• The possibility of multiple entry points, along with chained attacks, makes it difficult to list all possible indicators of compromise
• Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates
• A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action
• The only supported upgrade path after applying the patch is to version 8.16. VMware strongly recommends this version. If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching

Headlines

• Jan. 18, 2024 - Atlassian Releases Security Updates for Multiple Products | CISA
• Jan. 17, 2024 - Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!
• Jan. 17, 2024 - Atlassian issues urgent Confluence patch
• Jan. 16, 2024 - Atlassian fixed critical RCE in older Confluence versions
• Jan. 16, 2024 - Patch now: Critical VMware, Atlassian flaws found
• Jan. 16, 2024 - Patch ASAP: Max-Critical Atlassian Bug Allows Unauthenticated RCE
• Jan. 16, 2024 - Atlassian reveals critical Confluence RCE flaw, urges "immediate action" (CVE-2023-22527)
• Jan. 16, 2024 - Atlassian warns of critical RCE flaw in older Confluence versions
• Jan. 16, 2024 - CVE-2023-22527 (CVSS 10): Critical RCE Flaw in Confluence Data Center and Server

CVE-2023-34063

CRITICAL CVSS 9.90 EPSS Score 0.04 EPSS Percentile 6.82

Remote Code Execution

Published: Jan. 16, 2024

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

Quotes

• Aria Automation contains a Missing Access Control vulnerability
• Exploits of these CVEs on unmitigated appliances have been observed
• This situation qualifies as an emergency change, necessitating prompt action from your organization
• An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows
• The only supported upgrade path after applying the patch is to version 8.16. VMware strongly recommends this version. If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching
• In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization. However, the appropriate security response varies depending on specific circumstances. It’s important to consult with your organization’s information security staff to decide the best course of action tailored to your organization’s needs

Headlines

• Jan. 18, 2024 - VMware: Plug critical Aria Automation hole immediately! (CVE-2023-34063)
• Jan. 17, 2024 - VMware Releases Security Advisory for Aria Operations | CISA
• Jan. 17, 2024 - VMware Releases Security Advisory for Aria Automation | CISA
• Jan. 17, 2024 - Citrix, VMware, and Atlassian Hit with Critical Flaws — Patch ASAP!
• Jan. 16, 2024 - Patch now: Critical VMware, Atlassian flaws found
• Jan. 16, 2024 - VMware fixed a critical flaw in Aria Automation. Patch it now!
• Jan. 16, 2024 - VMware Urges Customers to Patch Critical Aria Automation Vulnerability
• Jan. 16, 2024 - CVE-2023-34063 (CVSS 9.9): A Critical Flaw in VMware Aria Automation

CVE-2023-35078

CRITICAL CVSS 9.80 EPSS Score 95.34 EPSS Percentile 99.20

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: July 25, 2023

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

Vendor Impacted: Ivanti

Products Impacted: Endpoint Manager Mobile (Epmm), Endpoint Manager Mobile

Quotes

• Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script
• Ivanti has been informed of exploitation by a few customers who have been exploited since the details were made publicly available by Rapid7
• If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server
• Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals

Headlines

• Jan. 19, 2024 - Third Ivanti Vulnerability Exploited in the Wild, CISA Reports
• Jan. 19, 2024 - Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082)
• Jan. 19, 2024 - US CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082
• Jan. 19, 2024 - Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases
• Jan. 19, 2024 - U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
• Jan. 18, 2024 - CISA: Critical Ivanti auth bypass bug now actively exploited
• Jan. 16, 2024 - Ivanti Connect Secure zero-days now under mass exploitation

CVE-2023-35082

CRITICAL CVSS 9.80 EPSS Score 92.45 EPSS Percentile 98.79

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Aug. 15, 2023

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.

Vendor Impacted: Ivanti

Products Impacted: Endpoint Manager Mobile (Epmm) And Mobileiron Core, Endpoint Manager Mobile

Quotes

• Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script
• Ivanti has been informed of exploitation by a few customers who have been exploited since the details were made publicly available by Rapid7
• If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server

Headlines

• Jan. 19, 2024 - Third Ivanti Vulnerability Exploited in the Wild, CISA Reports
• Jan. 19, 2024 - Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082)
• Jan. 19, 2024 - US CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082
• Jan. 19, 2024 - Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases
• Jan. 19, 2024 - U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
• Jan. 18, 2024 - CISA: Critical Ivanti auth bypass bug now actively exploited

CVE-2024-21887

CRITICAL CVSS 9.10 EPSS Score 95.69 EPSS Percentile 99.29

CISA Known Exploited Public Exploits Available

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Connect Secure And Policy Secure, Policy Secure

Quotes

• How much [of both] is enough
• The main fear is that, at a lot of organizations, this gives unfettered access — an immediate way to get into their network
• Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices
• Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script
• Ivanti has been informed of exploitation by a few customers who have been exploited since the details were made publicly available by Rapid7
• CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action
• If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server
• If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system
• Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals
• Volexity assesses with medium confidence that this widespread exploitation was undertaken by UTA0178. This assessment is based on the use of an identical webshell to that used in the previous exploitation, and the speed at which it was undertaken following publication of details relating to the exploit
• The vulnerabilities in these products pose significant, unacceptable risks to the security of the federal civilian enterprise. As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend

Headlines

• Jan. 19, 2024 - CISA emergency directive: Mitigate Ivanti zero-days immediately
• Jan. 19, 2024 - Third Ivanti Vulnerability Exploited in the Wild, CISA Reports
• Jan. 19, 2024 - Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082)
• Jan. 19, 2024 - CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities | CISA
• Jan. 19, 2024 - Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases
• Jan. 19, 2024 - Over 2,100 Ivanti VPNs Compromised: The GIFTEDVISITOR Webshell Threat
• Jan. 19, 2024 - U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
• Jan. 18, 2024 - CISA: Critical Ivanti auth bypass bug now actively exploited
• Jan. 18, 2024 - What to do with that fancy new internet-connected device you got as a holiday gift
• Jan. 16, 2024 - Ivanti Zero-Day Exploits Skyrocket Worldwide; No Patches Yet
• Jan. 16, 2024 - 1,700 Ivanti VPN devices compromised. Are yours among them?
• Jan. 16, 2024 - Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
• Jan. 16, 2024 - Ivanti Zero-Days Exploited By Multiple Actors Globally
• Jan. 16, 2024 - Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins
• Jan. 16, 2024 - Ivanti Connect Secure zero-days now under mass exploitation
• Jan. 14, 2024 - Week in review: GitLab account takeover flaw, attackers exploiting Ivanti Connect Secure zero-days
• Jan. 13, 2024 - newsletter Round 454 by Pierluigi Paganini

CVE-2023-36025

HIGH CVSS 8.80 EPSS Score 0.69 EPSS Percentile 78.08

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Nov. 14, 2023

Windows SmartScreen Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2008, Windows Server 2022, Windows 10 1507, Windows 11 23h2, Windows Server 2016, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 22h2, Windows 10 21h2, Windows 10 1607, Windows 11 22h2, Windows Server 2019, Windows 10 1809

Quotes

• The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts
• Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord
• Organizations must make sure to update Microsoft Windows installations to prevent being exposed to the Microsoft Windows Defender SmartScreen Bypass
• The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker
• When the malicious .cpl file is executed through the Windows Control Panel process binary, it in turn calls rundll32.exe to execute the DLL. This malicious DLL acts as a loader that then calls on Windows PowerShell to download and execute the next stage of the attack, hosted on GitHub
• Once the malicious .url file exploiting CVE-2023-36025 is executed, it connects to an attacker-controlled server to download and execute a control panel item (.cpl) file. Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source

Headlines

• Jan. 16, 2024 - Phemedrone Stealer Targets Windows Defender Flaw Despite Patch
• Jan. 16, 2024 - Hackers Weaponize Windows Flaw to Deploy Crypto-Siphoning Phemedrone Stealer
• Jan. 15, 2024 - Windows SmartScreen flaw exploited to drop Phemedrone malware
• Jan. 15, 2024 - Phemedrone campaign exploits Windows smartScreen bypass
• Jan. 15, 2024 - Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025)
• Jan. 15, 2024 - Information Stealer Exploits Windows SmartScreen Bypass
• Jan. 15, 2024 - Phemedrone Stealer: Exploiting CVE-2023-36025 for Defense Evasion

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 92.41 EPSS Percentile 98.78

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Connect Secure And Policy Secure, Policy Secure

Quotes

• How much [of both] is enough
• The main fear is that, at a lot of organizations, this gives unfettered access — an immediate way to get into their network
• Additional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying to exploit devices
• Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script
• Ivanti has been informed of exploitation by a few customers who have been exploited since the details were made publicly available by Rapid7
• CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action
• If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server
• If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system
• Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals
• Volexity assesses with medium confidence that this widespread exploitation was undertaken by UTA0178. This assessment is based on the use of an identical webshell to that used in the previous exploitation, and the speed at which it was undertaken following publication of details relating to the exploit
• The vulnerabilities in these products pose significant, unacceptable risks to the security of the federal civilian enterprise. As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend

Headlines

• Jan. 19, 2024 - CISA emergency directive: Mitigate Ivanti zero-days immediately
• Jan. 19, 2024 - Third Ivanti Vulnerability Exploited in the Wild, CISA Reports
• Jan. 19, 2024 - Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082)
• Jan. 19, 2024 - CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities | CISA
• Jan. 19, 2024 - Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases
• Jan. 19, 2024 - Over 2,100 Ivanti VPNs Compromised: The GIFTEDVISITOR Webshell Threat
• Jan. 19, 2024 - U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
• Jan. 18, 2024 - CISA: Critical Ivanti auth bypass bug now actively exploited
• Jan. 18, 2024 - What to do with that fancy new internet-connected device you got as a holiday gift
• Jan. 16, 2024 - Ivanti Zero-Day Exploits Skyrocket Worldwide; No Patches Yet
• Jan. 16, 2024 - 1,700 Ivanti VPN devices compromised. Are yours among them?
• Jan. 16, 2024 - Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
• Jan. 16, 2024 - Ivanti Zero-Days Exploited By Multiple Actors Globally
• Jan. 16, 2024 - Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins
• Jan. 16, 2024 - Ivanti Connect Secure zero-days now under mass exploitation
• Jan. 14, 2024 - Week in review: GitLab account takeover flaw, attackers exploiting Ivanti Connect Secure zero-days
• Jan. 13, 2024 - newsletter Round 454 by Pierluigi Paganini

CVE-2023-6549

HIGH CVSS 8.20

CISA Known Exploited

Published: Jan. 17, 2024

Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service

Vendor Impacted: Citrix

Product Impacted: Netscaler Adc And Netscaler Gateway

Quotes

• Frequent attack vectors for malicious cyber actors
• Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible
• Network traffic to the appliance's management interface [should be] separated, either physically or logically, from normal network traffic. In addition, we recommend that you do not expose the management interface to the Internet

Headlines

• Jan. 18, 2024 - Citrix Discovers Two Vulnerabilities, Both Exploited in the Wild
• Jan. 18, 2024 - CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
• Jan. 18, 2024 - Two more Citrix NetScaler bugs exploited in the wild
• Jan. 18, 2024 - Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway | CISA
• Jan. 17, 2024 - CISA pushes federal agencies to patch Citrix RCE within a week
• Jan. 17, 2024 - Citrix warns admins to immediately patch NetScaler for actively exploited zero-days
• Jan. 17, 2024 - CVE-2023-6548 & 6549: Two new Citrix Netscaler zero-days exploited in attacks
• Jan. 16, 2024 - Citrix warns of new Netscaler zero-days exploited in attacks

CVE-2023-6548

MEDIUM CVSS 5.50

CISA Known Exploited Remote Code Execution

Published: Jan. 17, 2024

Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.

Vendor Impacted: Citrix

Product Impacted: Netscaler Adc And Netscaler Gateway

Quotes

• Frequent attack vectors for malicious cyber actors
• Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible
• Network traffic to the appliance's management interface [should be] separated, either physically or logically, from normal network traffic. In addition, we recommend that you do not expose the management interface to the Internet

Headlines

• Jan. 18, 2024 - Citrix Discovers Two Vulnerabilities, Both Exploited in the Wild
• Jan. 18, 2024 - CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
• Jan. 18, 2024 - Two more Citrix NetScaler bugs exploited in the wild
• Jan. 18, 2024 - Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway | CISA
• Jan. 17, 2024 - CISA pushes federal agencies to patch Citrix RCE within a week
• Jan. 17, 2024 - Citrix warns admins to immediately patch NetScaler for actively exploited zero-days
• Jan. 17, 2024 - CVE-2023-6548 & 6549: Two new Citrix Netscaler zero-days exploited in attacks
• Jan. 16, 2024 - Citrix warns of new Netscaler zero-days exploited in attacks

CVE-2024-0519

CVSS Not Assigned

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Jan. 16, 2024

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Product Impacted: Chromium V8

Quotes

• Frequent attack vectors for malicious cyber actors
• Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild
• Allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page
• The Stable channel has been updated to 120.0.6099.234 for Mac and 120.0.6099.224 for Linux and 120.0.6099.224/225 to Windows which will roll out over the coming days/weeks
• Besides unauthorized memory access, CVE-2024-0519 could also be exploited to circumvent protection mechanisms such as ASLR, making it easier to execute code via another vulnerability
• Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible
• By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service

Headlines

• Jan. 18, 2024 - CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
• Jan. 17, 2024 - Google Chrome Zero-Day Bug Under Attack, Allows Code Injection
• Jan. 17, 2024 - CISA pushes federal agencies to patch Citrix RCE within a week
• Jan. 17, 2024 - Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
• Jan. 17, 2024 - Google fixes actively exploited Chrome zero-day (CVE-2024-0519)
• Jan. 17, 2024 - Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability
• Jan. 16, 2024 - Google fixed the first actively exploited Chrome zero-day of 2024
• Jan. 16, 2024 - CVE-2024-0519: Google Chrome's Latest Zero-Day Vulnerability
• Jan. 16, 2024 - Google fixes first actively exploited Chrome zero-day of 2024