MA-935.052023: MyCERT Advisory - Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability
1.0 Introduction
On May 3, 2023, Cisco released an advisory to address a critical vulnerability in the web-based management system of the Cisco SPA112 2-Port Phone Adapters. The vulnerability is tracked as CVE-2023-20126 and has a CVSS score of 9.8.
2.0 Impact
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.
There are currently no reports of active exploitation of this vulnerability.
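The vulnerability class described above, a firmware-upgrade function reachable without any authentication, can be illustrated with a small handler. The following Python code is an added example and is not Cisco's code: it shows the unauthenticated pattern beside a hardened version that requires an admin session and verifies the image against a keyed manifest before writing it to flash. The request dictionary, the session store, the flash callback and the manifest format are hypothetical, and the HMAC-based manifest tag stands in for the asymmetric signature a real device would verify with a vendor public key.

```python
"""
Added example (not Cisco code): an unauthenticated firmware-upgrade handler of
the kind the advisory describes, beside a hardened handler that checks the
caller's session and the image's integrity before applying it. Request layout,
session store, flash callback and manifest format are all hypothetical.
"""
import hashlib
import hmac

# Constructed sample data: an in-memory admin session store and a placeholder
# manifest key. In a real device the manifest would carry an asymmetric
# signature checked against a vendor public key; HMAC keeps this stdlib-only.
ACTIVE_ADMIN_SESSIONS = {"sess-1234": "admin"}
VENDOR_MANIFEST_KEY = b"example-vendor-manifest-key"  # placeholder, not a real key


class UpgradeRejected(Exception):
    """Raised when the hardened handler refuses to apply an image."""


def vulnerable_apply_firmware(request, flash):
    """The pattern the advisory describes: whoever can reach the upgrade
    endpoint gets their image written to flash, with no authentication and
    no check that the image came from the vendor."""
    flash(request["image"])
    return "flashed"


def sign_manifest(image, manifest_key=VENDOR_MANIFEST_KEY):
    """Build a manifest for an image; stands in for the vendor's release-signing step."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(manifest_key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def hardened_apply_firmware(request, flash, manifest_key=VENDOR_MANIFEST_KEY):
    """Require an authenticated admin session, then verify the image against a
    keyed manifest before writing it. Order matters: authentication is checked
    first so unauthenticated callers learn nothing about image validation."""
    user = ACTIVE_ADMIN_SESSIONS.get(request.get("session_id"))
    if user is None:
        raise UpgradeRejected("authentication required")

    image = request["image"]
    manifest = request.get("manifest", {})

    # The manifest must describe exactly this image ...
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        raise UpgradeRejected("image digest does not match manifest")

    # ... and must carry a tag only the vendor key could have produced.
    expected_tag = hmac.new(manifest_key, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest.get("tag", "")):
        raise UpgradeRejected("manifest not signed by vendor")

    flash(image)
    return "flashed"


def attempt_upgrade(request, flash):
    """Run the hardened handler and report the outcome as a string."""
    try:
        return hardened_apply_firmware(request, flash)
    except UpgradeRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    image = b"constructed firmware image bytes"
    flashed = []
    # No session: rejected before the image is even hashed.
    print(attempt_upgrade({"image": image, "manifest": sign_manifest(image)}, flashed.append))
    # Valid admin session and vendor manifest: applied.
    print(attempt_upgrade({"session_id": "sess-1234", "image": image,
                           "manifest": sign_manifest(image)}, flashed.append))
    print("images written to flash:", len(flashed))
```

The two checks in the hardened handler address the two halves of the advisory's description: the session check closes the missing-authentication gap, and the manifest check means that even an authenticated caller cannot install a crafted image that the vendor did not release.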
3.0 Affected Products
This vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters.
Moreover, Cisco has not released and will not release firmware updates to address the vulnerability, because Cisco SPA112 2-Port Phone Adapters have entered the end-of-life process and are no longer supported.
4.0 Recommendations
MyCERT encourages constituents to discontinue using the product, and to verify whether any other similar products, possibly also no longer supported, are in use.
Generally, MyCERT advises the users of these devices to stay updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
MA-930.042023: MyCERT Alert - Google Issues New Warning For 3 Billion Chrome Users
1.0 Introduction
Chrome is now used by over three billion users worldwide, but every single one of them needs to update their browser urgently. The vulnerability, CVE-2023-2033, discovered by Google’s Threat Analysis Group, stems from a “Type Confusion in V8”. Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This occurs when a program uses one method to allocate or initialize a resource but an incompatible method then accesses that resource, potentially providing unsecured access to the browser’s memory.
2.0 Impact
Successful exploitation allows attackers to read or write memory outside buffer bounds, triggering browser crashes; threat actors can also exploit the flaw for arbitrary code execution on compromised devices.
3.0 Affected System and Devices
Chrome versions below 112.0.5615.121 on Windows, Mac and Linux.
4.0 Recommendations
MyCERT encourages users and administrators to review Google’s security updates and apply necessary updates.
To update immediately, click the overflow menu (three vertical dots) in the browser’s top right corner, then Help > About Google Chrome. This will force Chrome to check for browser updates. Once the update is complete, you must restart the browser to be fully protected.
Kindly refer to the following URLs:
https://www.google.com/chrome/update/
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
(The new version of Google Chrome is available in the Stable Desktop Channel).
5.0 References
- https://www.forbes.com/sites/gordonkelly/2023/04/15/google-chrome-browser-zero-day-vulnerability-critical-chrome-update/?sh=564c310759ae
- https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-first-zero-day-of-2023/
- https://nvd.nist.gov/vuln/detail/CVE-2023-2033
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
- https://www.google.com/chrome/update/
- https://support.google.com/chrome/answer/95414?hl=en&co=GENIE.Platform%3DDesktop
MA-928.042023: MyCERT Advisory - Known Exploited Vulnerabilities Catalog
1.0 Introduction
Recently, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-28252 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252)
2.0 Impact
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
3.0 Affected Products
Multiple versions of Microsoft Windows operating systems.
4.0 Recommendations
MyCERT strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. Kindly refer to the link here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
5.0 References
MA-927.042023: MyCERT Advisory - Fortinet Releases April 2023 Vulnerability Advisories
1.0 Introduction
Recently, Fortinet has released its April 2023 Vulnerability Advisories to address vulnerabilities affecting multiple products.
2.0 Impact
An attacker could exploit one of these vulnerabilities to take control of an affected system.
3.0 Affected Products
Multiple Fortinet products
4.0 Recommendations
MyCERT encourages users and administrators to review the Fortinet April 2023 Vulnerability Advisories page for more information and apply the necessary updates.
Kindly refer to the following URL: https://www.fortiguard.com/psirt-monthly-advisory/april-2023-vulnerability-advisories
5.0 References
https://www.cisa.gov/news-events/alerts/2023/04/11/fortinet-releases-april-2023-vulnerability-advisories
MA-925.042023: MyCERT Advisory - CISA Adds 1 Known Exploited Vulnerability to Catalog
1.0 Introduction
Recently, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-28252 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability
2.0 Impact
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
3.0 Affected Products
Microsoft Windows OS
4.0 Recommendations
MyCERT strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
Kindly refer to the following URL : https://www.cisa.gov/known-exploited-vulnerabilities-catalog
5.0 References
https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog
MA-908.022023: MyCERT Advisory - Ransomware campaign actively exploiting a vulnerability (CVE-2021-21974) in unpatched VMware ESXi servers
1.0 Introduction
CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware.
2.0 Impact
The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.
3.0 Affected Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation
- VMware vRealize Network Insight (vRNI)
4.0 Recommendations
MyCERT recommends that users, administrators and organizations impacted by ESXiArgs evaluate the script and the guidance provided in the accompanying README file to determine whether it is suitable for attempting to recover access to files in their environment.
Organizations can access the recovery scripts by referring link below:
5.0 References
- https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script
- https://github.com/cisagov/ESXiArgs-Recover
- https://www.mycert.org.my/portal/advisory?id=MA-902.122022
- https://www.mycert.org.my/portal/advisory?id=MA-881.102022
- https://www.mycert.org.my/portal/advisory?id=MA-868.092022
- https://www.mycert.org.my/portal/advisory?id=MA-852.082022
MA-901.122022: MyCERT Advisory - Samba Releases Security Updates
1.0 Introduction
Recently, the Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.
2.0 Impact
An attacker could exploit some of these vulnerabilities to take control of an affected system.
3.0 Affected Products
- All versions of Samba
4.0 Recommendations
MyCERT encourages users and administrators to review the following Samba security announcements and apply the necessary updates. Kindly refer to the links below:
5.0 References
- https://www.samba.org/samba/security/CVE-2022-38023.html
- https://www.samba.org/samba/security/CVE-2022-37966.html
- https://www.samba.org/samba/security/CVE-2022-37967.html
- https://www.samba.org/samba/security/CVE-2022-45141.html
- https://www.cisa.gov/uscert/ncas/current-activity/2022/12/16/samba-releases-security-updates
MA-900.122022: MyCERT Advisory - Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths
1.0 Introduction
Recently, Drupal has released security updates to address vulnerabilities affecting H5P and the File (Field) Paths modules for Drupal 7.x.
2.0 Impact
An attacker could exploit these vulnerabilities to access sensitive information and remotely execute code.
3.0 Affected Products
- Drupal 7.x versions
4.0 Recommendations
MyCERT encourages users and administrators to review Drupal’s security advisories SA-CONTRIB-2022-064 and SA-CONTRIB-2022-065 and apply the necessary update.
Kindly refer to the URLs below:
5.0 References
MA-894.122022: MyCERT Advisory - Fortinet Authentication Bypass Vulnerability
1.0 Introduction
Fortinet released a security advisory regarding the CVE-2022-40684 vulnerability that is affecting multiple Fortinet devices and services.
2.0 Impact
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
3.0 Affected Products
- FortiOS version 7.2.0 through 7.2.1
- FortiOS version 7.0.0 through 7.0.6
- FortiProxy version 7.2.0
- FortiProxy version 7.0.0 through 7.0.6
- FortiSwitchManager version 7.2.0
- FortiSwitchManager version 7.0.0
- FortiOS versions 5.x, 6.x are NOT impacted.
4.0 Indicators of Compromise
Exploitation Status:
- Fortinet is aware of an instance where this vulnerability was exploited and recommends immediately validating your systems against the following indicator of compromise in the device's logs:
user="Local_Process_Access"
Please contact customer support for assistance.
- Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices and to add a malicious super_admin account called "fortigate-tech-support":
# show system admin
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
Please contact customer support for assistance.
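The two indicators above lend themselves to an automated check. The following Python script is an added example, not part of the MyCERT advisory or of Fortinet's guidance: it parses FortiGate-style key="value" event-log lines looking for user="Local_Process_Access", and parses "show system admin" output to flag super_admin accounts that are not on an approved list (the "fortigate-tech-support" account named above among them). The log lines, the CLI output and the approved-account set are constructed for this example; the field names follow FortiGate's event-log format, but the sample entries are not real device output.

```python
"""
Added example (not from MyCERT or Fortinet): checks for the two indicators of
compromise listed in the advisory for CVE-2022-40684:
  1. event-log entries with user="Local_Process_Access"
  2. super_admin accounts in `show system admin` output that are not expected,
     such as "fortigate-tech-support"
The log lines and CLI output below are constructed sample data.
"""
import re

# Constructed sample of FortiGate-style event-log lines (key="value" format).
SAMPLE_LOG = """\
date=2022-10-10 time=08:00:01 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.5)"
date=2022-10-10 time=08:01:14 type="event" subtype="system" level="information" user="Local_Process_Access" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="fortigate-tech-support" msg="Add system.admin fortigate-tech-support"
date=2022-10-10 time=08:05:30 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.5)" action="logout" status="success" msg="Administrator admin logged out"
"""

# Constructed sample of `show system admin` output with one rogue account.
SAMPLE_SHOW_SYSTEM_ADMIN = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
end
"""

# key=value or key="value with spaces"; quoted values may contain escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one key="value" log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def find_local_process_access(log_text):
    """Return parsed entries whose user field is the IoC value from the advisory."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        if entry.get("user") == "Local_Process_Access":
            hits.append(entry)
    return hits


def parse_admin_accounts(show_output):
    """Parse `show system admin` output into {account_name: {setting: value}}."""
    accounts, current = {}, None
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            accounts[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value.strip().strip('"')
        elif line in ("next", "end"):
            current = None
    return accounts


def unexpected_super_admins(accounts, approved):
    """Account names with accprofile super_admin that are not in the approved set."""
    return sorted(
        name for name, settings in accounts.items()
        if settings.get("accprofile") == "super_admin" and name not in approved
    )


if __name__ == "__main__":
    for hit in find_local_process_access(SAMPLE_LOG):
        print("IoC log entry:", hit.get("date"), hit.get("time"), hit.get("msg"))
    # Assumption: "admin" is the only super_admin account this site expects.
    rogue = unexpected_super_admins(parse_admin_accounts(SAMPLE_SHOW_SYSTEM_ADMIN), {"admin"})
    print("Unexpected super_admin accounts:", rogue)
```

Run against real data, the script would read exported event logs and the saved output of "show system admin" instead of the embedded samples; the approved set should come from the organisation's own account inventory, since an attacker-created account can be given any name, not only the one quoted in the advisory.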
Workaround:
- FortiOS:
Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:
config firewall address
    edit "my_allowed_addresses"
        set subnet <MY IP> <MY SUBNET>
end
Then create an Address Group:
config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
end
Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1):
config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
end
If using non-default ports, create an appropriate service object for GUI administrative access:
config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
        set tcp-portrange <admin-port>
end
Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
UPDATE: When using an HA reserved management interface, the local-in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
Please contact customer support for assistance.
- FortiProxy:
Disable HTTP/HTTPS administrative interface
OR
For FortiProxy VM (all versions) or FortiProxy appliance 7.0.6:
Limit IP addresses that can reach the administrative interface (here: port1):
config system interface
    edit port1
        set dedicated-to management
        set trust-ip-1 <MY IP> <MY SUBNET>
end
Please contact customer support for assistance.
- FortiSwitchManager:
Disable HTTP/HTTPS administrative interface
Please contact customer support for assistance.
5.0 Recommendations
MyCERT recommends that customers validate their configuration to ensure that no unauthorized changes have been implemented by a malicious third party, regardless of whether they have upgraded.
MyCERT also strongly recommends that system administrators follow the update steps below:
- Please upgrade to FortiOS version 7.2.2 or above
- Please upgrade to FortiOS version 7.0.7 or above
- Please upgrade to FortiProxy version 7.2.1 or above
- Please upgrade to FortiProxy version 7.0.7 or above
- Please upgrade to FortiSwitchManager version 7.2.1 or above
- Please upgrade to FortiSwitchManager version 7.0.1 or above
- Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms
6.0 References
MA-891.112022: MyCERT Advisory - Cisco Releases Security Updates for Identity Services Engine
1.0 Introduction
Recently, Cisco has released security updates for vulnerabilities affecting Cisco Identity Services Engine (ISE).
2.0 Impact
A remote attacker could exploit some of these vulnerabilities to bypass authorization and access system files.
3.0 Affected Products
Cisco Identity Services Engine (ISE)
4.0 Recommendations
For updates addressing vulnerabilities, see the Cisco Security Advisories page.
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:
- Cisco Identity Services Engine Insufficient Access Control Vulnerability
- Cisco Identity Services Engine Cross-Site Scripting Vulnerability
5.0 References
https://www.cisa.gov/uscert/ncas/current-activity/2022/11/16/cisco-releases-security-updates-identity-services-engine