(Vendor: Zoho, Product: ManageEngine ADSelfService Plus) Zoho ManageEngine ADSelfService RCE Vulnerability

Fri, 12 Jan 2024

Zoho's ManageEngine ADSelfService Plus, known for its integrated self-service password management and single sign-on capabilities for Active Directory and cloud applications, is affected by a newly disclosed vulnerability. The vulnerability presents a serious security risk: it allows authenticated users to remotely execute code on devices running the affected software. Unusually, the vulnerability resides within the load balancer component, and it poses a threat even to systems without an active load balancer. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-0252: ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component.

(Vendor: Juniper, Product: Junos OS and Junos OS Evolved) Juniper Networks Releases Security Bulletin for Junos OS and Junos OS Evolved

Fri, 12 Jan 2024

Juniper Networks has released a security advisory to address a vulnerability in Junos OS and Junos OS Evolved. A cyber threat actor could exploit this vulnerability to cause a denial-of-service condition.

CVE-2024-21611: A Missing Release of Memory after Effective Lifetime vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). In a Juniper Flow Monitoring (jflow) scenario, route churn that causes BGP next hops to be updated will cause a slow memory leak and eventually a crash and restart of rpd. Thread-level memory utilization for the areas where the leak occurs can be checked using the command below:

user@host> show task memory detail | match so_in
so_in6    28    32    344450    11022400    344760    11032320
so_in      8    16   1841629    29466064   1841734    29467744

This issue affects:

Junos OS
* 21.4 versions earlier than 21.4R3;
* 22.1 versions earlier than 22.1R3;
* 22.2 versions earlier than 22.2R3.

Junos OS Evolved
* 21.4-EVO versions earlier than 21.4R3-EVO;
* 22.1-EVO versions earlier than 22.1R3-EVO;
* 22.2-EVO versions earlier than 22.2R3-EVO.

This issue does not affect: Juniper Networks Junos OS versions earlier than 21.4R1; Juniper Networks Junos OS Evolved versions earlier than 21.4R1.

Affected Products/Versions:

Junos OS
* 21.4 versions earlier than 21.4R3;
* 22.1 versions earlier than 22.1R3;
* 22.2 versions earlier than 22.2R3.

Junos OS Evolved
* 21.4-EVO versions earlier than 21.4R3-EVO;
* 22.1-EVO versions earlier than 22.1R3-EVO;
* 22.2-EVO versions earlier than 22.2R3-EVO.

(Vendor: Zoom, Product: Zoom client) Zoom Desktop Client Flaws Let Attackers Escalate Privileges

Thu, 11 Jan 2024

Zoom has released security updates to address vulnerabilities in the Zoom client. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CVE-2023-49647: Improper access control in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows before version 5.16.10 may allow an authenticated user to conduct an escalation of privilege via local access.

Affected Products:
* Zoom Desktop Client for Windows before version 5.16.10
* Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
* Zoom Video SDK for Windows before version 5.16.10
* Zoom Meeting SDK for Windows before version 5.16.10

(Vendor: Ivanti; Product: Ivanti Connect Secure and Ivanti Policy Secure) Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways

Thu, 11 Jan 2024

Ivanti has released a security update to address an authentication bypass vulnerability and a command injection vulnerability in all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

CVE-2023-46805: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

(Vendor: Adobe, Product: Adobe Substance 3D Stager) Adobe releases security advisories for Adobe Substance 3D Stager

Wed, 10 Jan 2024

Adobe has released an update for Adobe Substance 3D Stager. This update addresses important vulnerabilities in Adobe Substance 3D Stager. Successful exploitation could lead to a memory leak and arbitrary code execution in the context of the current user.

Affected Versions:
* Adobe Substance 3D Stager 2.1.3 and earlier versions

(Vendor: Fortinet, Products: FortiOS and FortiProxy) Fortinet Releases Security Updates for FortiOS and FortiProxy

Wed, 10 Jan 2024

Fortinet has released a security update to address a vulnerability in FortiOS and FortiProxy software. A cyber threat actor could exploit this vulnerability to take control of an affected system.

Affected Products:
* FortiOS 7.4
* FortiOS 7.2
* FortiProxy 7.4

(Vendor: Microsoft, Products: Multiple Microsoft Products) Microsoft Releases Security Updates for Multiple Products

Wed, 10 Jan 2024

Microsoft has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

(Vendor: Ivanti; Product: Ivanti Endpoint Manager) Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

Fri, 05 Jan 2024

Ivanti has issued security updates for a critical flaw in its Endpoint Manager (EPM) solution which, if exploited, could lead to remote code execution on vulnerable servers. The vulnerability affects all supported EPM versions and has been fixed in version 2022 Service Update 5. Attackers with internal network access can exploit the flaw with low-complexity attacks, requiring no privileges or user interaction.

CVE-2023-39336: If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL Express, this might lead to RCE on the core server.

(Vendor: Juniper, Product: Multiple Products)

Wed, 03 Jan 2024

Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

* CVE-2023-22045
* CVE-2023-22049
* CVE-2023-26049
* CVE-2023-32233
* CVE-2023-34040
* CVE-2023-35001
* CVE-2023-36478
* CVE-2023-36479
* CVE-2023-40167
* CVE-2023-40787
* CVE-2023-41080
* CVE-2023-41835
* CVE-2023-42795
* CVE-2023-44487
* CVE-2023-45648
* CVE-2023-46589
* CVE-2023-46604
* CVE-2023-47146

New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security

Tue, 02 Jan 2024

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection's security by breaking the integrity of the secure channel.

CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms.
This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

(Vendor: Google Cloud, Product: Google Kubernetes Engine) Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service

Fri, 29 Dec 2023

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges.

CVE-2023-3390: A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM):
* 1.25.16-gke.1020000
* 1.26.10-gke.1235000
* 1.27.7-gke.1293000
* 1.28.4-gke.1083000
* 1.17.8-asm.8
* 1.18.6-asm.2
* 1.19.5-asm.4

(Vendor: Barracuda, Product: Barracuda Email Security Gateway) Barracuda fixes new ESG zero-day exploited by Chinese hackers

Fri, 29 Dec 2023

Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices. The issue relates to a case of arbitrary code execution that resides within a third-party, open-source library named Spreadsheet::ParseExcel that is used by the Amavis scanner within the gateway.

CVE-2023-7102: Use of a third-party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection. This issue affected Barracuda ESG Appliance from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic.

CVE-2023-7101: Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

For further information, please refer to the following article:
https://www.bleepingcomputer.com/news/security/barracuda-fixes-new-esg-zero-day-exploited-by-chinese-hackers/

(Vendor: Apache Software Foundation, Products: Apache OfBiz) Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack

Thu, 28 Dec 2023

A new zero-day security flaw has been discovered in Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections. The vulnerabilities are tracked as:

CVE-2023-51467: The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF).

CVE-2023-49070: Pre-auth RCE in Apache Ofbiz 18.12.09. It is due to the XML-RPC endpoint, which is no longer maintained, still being present. This issue affects Apache OFBiz before 18.12.10. Users are recommended to upgrade to version 18.12.10.

(Vendor: Apple, Products: Multiple Products) Apple Releases Security Updates for Multiple Products

Thu, 21 Dec 2023

Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma. A cyber threat actor could exploit one of these vulnerabilities to obtain sensitive information.

(Vendor: Mozilla, Products: Firefox, Firefox ESR and Thunderbird) Mozilla Releases Security Updates for Firefox and Thunderbird

Thu, 21 Dec 2023

Mozilla has released security updates to address vulnerabilities in Firefox and Thunderbird. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

Affected Products:
* Firefox 121
* Thunderbird 115.6
* Firefox ESR 115.6

(Vendor: Ivanti; Product: mobile device management (MDM)) New Ivanti Avalanche Vulnerabilities

Thu, 21 Dec 2023

Ivanti has released security updates for vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution. This release corrects multiple memory corruption vulnerabilities, covered in these security advisories:

* CVE-2023-41727
* CVE-2023-46216
* CVE-2023-46217
* CVE-2023-46220
* CVE-2023-46221
* CVE-2023-46222
* CVE-2023-46223
* CVE-2023-46224
* CVE-2023-46225
* CVE-2023-46257
* CVE-2023-46258
* CVE-2023-46259
* CVE-2023-46260
* CVE-2023-46261
* CVE-2023-46262
* CVE-2023-46263
* CVE-2021-22962
* CVE-2023-46264
* CVE-2023-46265
* CVE-2023-46266

(Vendor: Google, Product: Google Chrome) New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP

Thu, 21 Dec 2023

Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild. The vulnerability has been assigned the CVE identifier CVE-2023-7024.

(Vendor: Netgate, Product: pfSense) pfSense Security: Sensing Code Vulnerabilities with SonarCloud

Wed, 20 Dec 2023

Netgate has released security updates to address vulnerabilities in the pfSense firewall.

pfSense Vulnerabilities Impact:
* CVE-2023-42325
* CVE-2023-42327
* CVE-2023-42326

(Vendor: QNAP, Product: QNAP VioStor NVR) Actively Exploited Vulnerability in QNAP VioStor NVR: Fixed, Patches Available

Wed, 20 Dec 2023

The Akamai Security Intelligence Response Team (SIRT) has issued an additional update to the InfectedSlurs advisory series now that one of the affected vendors has released advisory information and guidance. The vulnerability within QNAP was identified in the wild.

CVE ID: CVE-2023-47565

The malicious payloads captured in the wild install a Mirai-based malware with the intention of creating a distributed denial-of-service (DDoS) botnet.

(Vendor: 3CX, Product: 3CX) 3CX Urges Customers to Disable Integration Due to Potential Vulnerability

Mon, 18 Dec 2023

Business communication company 3CX is urging customers to disable SQL database integrations to prevent a vulnerability that occurs in certain configurations. The company revealed that 3CX versions 18 and 20 are impacted by an integration bug. According to 3CX, customers using MongoDB, MsSQL, MySQL, and PostgreSQL databases should disable their SQL database integrations until further notice.

Affected Version(s):
* Version 18
* Version 20