The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
Microsoft’s Patch Tuesday in March 2023 released security updates that address 83 vulnerabilities, including two actively exploited zero-day vulnerabilities. Nine of these were classified as ‘Critical’ because they could enable remote code execution, denial of service, or elevation of privilege attacks.
Zero-day vulnerabilities are particularly concerning as they are either publicly disclosed or actively exploited with no official fix available. The two zero-day vulnerabilities that were addressed in this month’s updates are CVE-2023-23397 and CVE-2023-24880.
CVE-2023-23397 was a Microsoft Outlook Elevation of Privilege Vulnerability that could be exploited via specially crafted emails to force a target’s device to connect to a remote URL and transmit the Windows account’s Net-NTLMv2 hash. Microsoft has issued a patch for this vulnerability as part of the latest update.
CVE-2023-24880, on the other hand, was a Windows SmartScreen Security Feature Bypass Vulnerability that was actively exploited in attacks. This vulnerability enabled the creation of executables that could bypass the Windows Mark of the Web security warning. Attackers could leverage this vulnerability to evade Mark of the Web (MOTW) defences, causing a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.
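Windows records the Mark of the Web as a Zone.Identifier alternate data stream on the downloaded file, and Protected View keys off the ZoneId inside it. The following added PowerShell check (not part of the bulletin; the function name and the default Downloads folder are assumptions) reports which files in a folder carry the tag, which is a useful starting point when triaging files that opened without Protected View:

```powershell
# Added example: inspect the Mark of the Web on files in a folder.
# MOTW lives in the Zone.Identifier alternate data stream and looks like:
#   [ZoneTransfer]
#   ZoneId=3
# ZoneId 3 = Internet, 4 = Restricted sites; Office opens both in Protected View.
# Assumption: $Path defaults to the current user's Downloads folder.
function Get-MotwStatus {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -Path $Path -File | ForEach-Object {
        $zoneId = $null
        # Reading a missing stream throws, so suppress the error and treat it as "no MOTW".
        $stream = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            $text = $stream -join "`n"
            if ($text -match 'ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            Name                  = $_.Name
            HasMotw               = [bool]$stream
            ZoneId                = $zoneId
            # A file from the internet with no tag, or a ZoneId below 3, will open
            # without Protected View; that is the condition the bypass produces.
            ProtectedViewExpected = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    }
}

Get-MotwStatus | Format-Table -AutoSize
```

Files copied to a non-NTFS volume lose the stream, so a missing tag is a signal to investigate rather than proof of a bypass.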
It is highly recommended that users update their systems as soon as possible to minimize the risk of security breaches.
VMware patches critical vulnerability
VMware recently issued a security alert regarding the detection of critical vulnerabilities that impact the Carbon Black App Control and vRealize products. The identified vulnerabilities are considered high-risk and can potentially expose sensitive information, bypass XML parsing restrictions, or escalate privileges, thereby affecting the integrity of the systems.
The Carbon Black App Control vulnerability (CVE-2023-20858), rated with a high CVSS score of 9.1, affects versions 8.7.x, 8.8.x, and 8.9.x. To exploit this vulnerability, a malicious actor with privileged access to the App Control administration console can use specially crafted input to obtain access to the underlying server operating system. VMware recommends users of affected versions upgrade to versions 8.7.8, 8.8.6, or 8.9.4 to protect against exploitation.
Additionally, the vRealize products, such as Orchestrator, Automation, and Cloud Foundation, are affected by an XML External Entity (XXE) vulnerability (CVE-2023-20855), rated with a CVSS score of 8.8. A malicious actor with non-administrative access to vRealize Orchestrator could exploit this vulnerability by using specially crafted input to bypass XML parsing restrictions, which may lead to the unauthorized disclosure of sensitive information or elevation of privileges.
VMware vulnerabilities are frequently exploited by threat actors in their attacks. It is therefore highly recommended that users of affected products install the security patches and upgrade to the latest versions as soon as possible to secure their systems against exploitation.
SyS01stealer – A new threat using Facebook Ads
VMware has issued a statement regarding the recent ransomware attacks targeting unpatched and unsecured VMware ESXi servers worldwide. The company stated that they have found no evidence of the attackers using a zero-day flaw in VMware’s software. To protect against known issues, VMware is recommending users upgrade to the latest supported releases of vSphere components and disable the OpenSLP service in ESXi.
This announcement comes after the large-scale ransomware campaign dubbed “ESXiArgs” targeted servers, likely by exploiting a two-year-old bug that was patched in February 2021. The vulnerability, CVE-2021-21974, is a heap-based buffer overflow that allows unauthenticated threat actors to gain remote code execution.
Cybersecurity researchers have advised ESXi customers to back up their data and update their installations to a fixed version as soon as possible to avoid potential attacks. In addition, they recommend not exposing ESXi instances to the internet if possible.