Microsoft, Intel lead this month's security fix emissions
Downfall processor leaks, Teams holes, VPN clients at risk, and more
Patch Tuesday Microsoft's August patch party seems almost boring compared to the other security fires it's been putting out lately.
Of the almost 90 flaws addressed today, two are listed as being under active exploitation. Redmond deemed six of the August CVE-tagged bugs as critical, though we note there are 26 vulnerabilities that can lead to remote code execution (RCE).
One of the two that miscreants have already found and exploited doesn't yet have a patch. The advisory for that flaw, ADV230003, is related to last month's CVE-2023-36884 in Microsoft Office, and as the IT giant notes, it's a "defense in depth update." Installing the update "stops the attack chain leading to the Windows Search security feature bypass vulnerability," we're told.
So until an official patch is released, here's hoping the update works in stalling attacks while we wait for a proper fix.
The second bug that has already been exploited, CVE-2023-38180, could allow a distributed denial of service attack on .NET applications and Visual Studio. And that is all the info Redmond has provided about this flaw.
Meanwhile, the Zero Day Initiative, which found and reported three of this month's vulnerabilities to Redmond, details a handful of the "more interesting" CVEs this month, so let's take a look at some of these.
First off: CVE-2023-38181, a Microsoft Exchange Server Spoofing Vulnerability. As ZDI's Dustin Childs explains, "This is a patch bypass of CVE-2023-32031, which itself was a bypass of CVE-2023-21529, which was a bypass of CVE-2022-41082, which was under active attack."
While CVE-2023-38181 does require authentication, exploitation could allow miscreants to "access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user," Microsoft explained.
You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly
Next: three Messaging Queuing service RCEs, CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911, all of which received a 9.8-out-of-10 CVSS severity rating, could allow a remote attacker to run code on an exploited vulnerable Windows system at the level of the Message Queuing service. We're told that proof-of-concept exploit code exists for these.
"There are 11 total bugs impacting Message Queuing getting fixed this month, and it's clear that the research community is paying close attention to this service," Childs noted. "While we haven't detected active exploits targeting Message Queuing yet, it's like just a matter of time as example PoCs exist. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly."
And while Redmond recently warned about Russia's Cozy Bear using Microsoft Teams chats in attempts to phish marks in governments, NGOs, and IT businesses, today Microsoft patched two critical RCE bugs in Teams, CVE-2023-29328 and CVE-2023-29330. If an attacker can trick a victim into joining a malicious Teams meeting, they can then exploit these bugs to remotely execute code on the victim's machine.
Adobe security updates
Adobe today released security updates for its Acrobat and Reader, Commerce and Magento Open Source, Dimension, and XMP-Toolkit-SDK products, and says it's not aware of any of their vulnerabilities being exploited in the wild.
The Acrobat and Reader update addressed 30 critical, important, and moderate CVEs that could lead to application denial-of-service, security feature bypass, memory leaks, and arbitrary code execution.
Three critical and important vulnerabilities in Adobe Commerce and Magento Open Source could lead to arbitrary code execution, privilege escalation, and arbitrary file system reading.
There's another three critical and moderate CVEs in Adobe Dimension that could lead to arbitrary code execution and memory leaks in the context of the current user.
And finally the XMP-Toolkit-SDK update plugs an important security hole that could lead to application denial of service.
SAP pushes 20 new and updated patches
SAP released 20 new and updated security patches including two HotNews Notes and eight High Priority Notes.
The updated HotNews Note 3350297, which garnered a CVSS score of 9.1, requires special attention. This one was first issued in July, and it addresses an OS command injection flaw in IS-OIL. This bug, we're told, cannot be exploited without IS-OIL and two switches, OIB_QCI and OI0_COMMON_2, being activated.
As SAP warns: "Do not activate IS-OIL or any Business Function or Switch related to it just to implement SAP Note #3350297. Most IS-OIL switches are not reversible and may cause damage to systems that are not IS-OIL relevant."
- Russia's Cozy Bear is back and hitting Microsoft Teams to phish top targets
- Microsoft hits back at Tenable criticism of its infosec practices
- Prepare for plenty more pain from Ivanti's MDM flaws, warn cyber agencies
- Bad news: Another data-leaking CPU flaw. Good news: It's utterly impractical
Meanwhile the August HotNews Note 3341460, with a 9.8 CVSS rating, patches two bugs in SAP PowerDesigner. It affects customers with SAP PowerDesigner Client connecting to a shared model repository through a SAP PowerDesigner Proxy. Exploitation could allow an unauthenticated attacker to run arbitrary queries against the back-end database via a proxy, Thomas Fritsch, an SAP security researcher at Onapsis, told The Register.
Additionally, while High Priority Note 3344295 doesn't have the highest CVSS score (it earned a 7.5), "it may affect a majority of SAP customers since it is related to the SAP Message Server," Fritsch said.
It's an improper authorization check flaw, and could lead to unauthorized reading and writing of data.
Intel and AMD join the patch party
Intel today released a full load of advisories. For example, there's four alerts for its RealSense Software Development Kit, Intelligent Test System (ITS) software, MAVinci Desktop software for Intel Falcon 8+, and its Unite android application.
Three of those four — CVE-2023-32663, CVE-2023-32543, and CVE-2023-32547 — are 6.7-rated escalation-of-privilege vulnerabilities that affect RealSense SDKs, ITS software, and MAVinci Desktop software, respectively.
The fourth, CVE-2023-32609 in Intel's Unite android app, could allow information disclosure.
Then there's CVE-2022-40982, aka Downfall, another data-leaking vulnerability in Intel Skylake (6th generation) to Tiger Lake (11th generation) processors. It can be abused by malicious programs and rogue users to steal information, such as passwords and secrets, held in memory from other users of a shared system. It works against cloud environments, too.
This can be fixed with a microcode firmware update, and also with software-level mitigations. We have more on that here: it's due to be discussed at this week's Black Hat USA conference in Las Vegas, and was found by Googler Daniel Moghimi. Proof-of-concept exploit code is here.
Then there's the rest from Intel – dozens in total.
Additionally, AMD today released nine security updates to fix 13 flaws.
Ivanti critical bug gets worse
On Monday, Ivanti said CVE-2023-35082, a remote unauthenticated API access vulnerability, affects all versions of Ivanti Endpoint Manager Mobile (EPMM), formerly called MobileIron Core, as opposed to just MobileIron Core 11.2 and earlier.
This, of course, is the critical bug that was exploited last month and used to compromise 12 Norwegian government agencies before Ivanti issued a fix.
"Since originally reporting CVE-2023-35082 on 2 August 2023 at 10:00 MDT, Ivanti has continued its investigation and has found that this vulnerability impacts all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below," the vendor warned. "The risk of exploitation depends on the individual customer's configurations."
Cisco cautioned that a paper released today, "Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables," [PDF] discusses two attacks, collectively dubbed TunnelCrack, that exploit CVE-2023-36672 and CVE-2023-36673, and affect Cisco Secure Client AnyConnect VPN for iOS regardless of client configuration.
These attacks do not affect Cisco Secure Client AnyConnect for Android.
Mathy Vanhoef, of KU Leuven, who co-authored the Usenix-accepted paper with colleagues at New York University and New York University Abu Dhabi, and reported the bugs to Cisco, also released proof-of-concept exploit code and further details for these attacks. It sounds fairly serious, and we're looking into the claims: it's said weaknesses Vanhoef et al found in a number of VPN solutions can be abused to cause a victim's network traffic to be unexpectedly routed outside of a VPN tunnel among other things.
The TunnelCrack researchers explained:
Our first set of vulnerabilities, called LocalNet attacks, can be exploited when a user connects to an untrusted Wi-Fi network. Our second set of vulnerabilities, called ServerIP attacks, can be exploited by untrusted Wi-Fi networks and by malicious Internet service providers. Both attacks manipulate the victim's routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic.
Cisco described it thus: an attacker "can manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption." That said, the biz reckoned suitable firewall rules, if necessary, are enough to defeat these diversions.
"For customers who have configured clients to allow local LAN access, Cisco recommends applying client firewall rules to allow access to necessary resources only," the networking giant said.
Fortinet fixes FortiOS
Fortinet today issued an update to fix a 6.4-CVSS-rated stack-based buffer overflow bug in FortiOS.
It's tracked as CVE-2023-29182, and it can allow crooks to execute arbitrary code via specially crafted CLI commands and take full control of a compromised system.
Android plugs a critical bug
And finally, Google pushed its Android August security updates yesterday to fix bugs affecting those devices.
"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed," Google warned, adding that this vulnerability doesn't need any user interaction for exploitation. ®