MA-992.112023: MyCERT Advisory - Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed

  • 24 Nov 2023
  • Advisory
  • citrix, citrixbleed, vulnerability, netscaler

1.0 Introduction

On October 10, 2023, Citrix released a security bulletin for a sensitive information disclosure vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway appliances. Citrix Bleed is a critical vulnerability in Citrix NetScaler Gateway and NetScaler ADC products, network devices used for load balancing, firewall implementation, traffic management, virtual private network (VPN) access, and user authentication.

It has been reported that LockBit 3.0 ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files. Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed appliances worldwide are still running vulnerable versions.

2.0 Impact
Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements. The authenticated session hijacking could then result in further downstream access based on the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.

3.0 Affected Products
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and remain vulnerable.

4.0 Recommendations
MyCERT urges organisations to update unpatched appliances to the updated versions listed below: 

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
  • Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerability.
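The version list above is easy to misread by hand (string comparison puts 13.1-49.9 after 13.1-49.15, for instance). The following script, added here as an example and not MyCERT's or Citrix's code, triages an inventory of appliances against the fixed builds in section 4.0. It assumes build strings in the "<release>-<build>" form the advisory uses (e.g. "14.1-8.50") and uses the labels "standard", "FIPS" and "NDcPP" to distinguish the product flavours.

```python
"""Triage NetScaler ADC / NetScaler Gateway build strings against the fixed
builds listed in section 4.0 of this advisory for CVE-2023-4966 (Citrix Bleed).

Added example, not MyCERT's or Citrix's code. It assumes build strings in the
"<release>-<build>" form shown in the advisory (e.g. "14.1-8.50") and uses
the labels "standard", "FIPS" and "NDcPP" to tell the product flavours apart.
"""
import re

# Minimum fixed build per (release, flavour), taken from section 4.0.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Standard 12.1 is End-of-Life with no fix (section 3.0 note): always vulnerable.
EOL_RELEASES = {"12.1"}

_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """Split '13.1-49.15' into ('13.1', (49, 15)); reject anything else."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(build, flavour="standard"):
    """Classify one appliance: 'fixed', 'vulnerable', 'eol-vulnerable', or
    'unknown-release' when the advisory lists no fix for that release/flavour."""
    release, number = parse_build(build)
    fixed = FIXED_BUILDS.get((release, flavour))
    if fixed is None:
        return "eol-vulnerable" if release in EOL_RELEASES else "unknown-release"
    # Tuple comparison orders (49, 9) below (49, 15), unlike a string compare.
    return "fixed" if number >= fixed else "vulnerable"


def hosts_needing_action(inventory):
    """inventory: iterable of (host, build, flavour). Returns every host that is
    not on a fixed build, with its classification, for patch prioritisation."""
    results = []
    for host, build, flavour in inventory:
        state = assess(build, flavour)
        if state != "fixed":
            results.append((host, state))
    return results


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("gw-hq-01", "14.1-8.50", "standard"),
    ("gw-hq-02", "13.1-49.9", "standard"),
    ("adc-dc-01", "13.0-92.19", "standard"),
    ("adc-fips-01", "13.1-37.150", "FIPS"),
    ("gw-legacy-01", "12.1-65.25", "standard"),
]

if __name__ == "__main__":
    for host, state in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {state}")
```

Hosts classified "eol-vulnerable" have no patch path and need to be replaced or upgraded to a supported release; "unknown-release" means the build is outside this advisory's list and must be checked against the vendor bulletin directly.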

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

MA-991.112023: MyCERT Advisory - Adobe Releases Security Updates for ColdFusion

  • 24 Nov 2023
  • Advisory
  • adobe, coldfusion, vulnerability, update

1.0 Introduction

On Nov. 14, 2023, Adobe released security updates addressing vulnerabilities affecting unpatched ColdFusion software.

2.0 Impact
Exploitation of some of these vulnerabilities may allow a malicious cyber actor to take control of an affected system.

3.0 Affected Products

Product          Update number                    Platform
ColdFusion 2023  Update 5 and earlier versions    All
ColdFusion 2021  Update 11 and earlier versions   All

4.0 Recommendations
MyCERT urges organizations to review Adobe ColdFusion security bulletin APSB23-52 for more information:

https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References

MA-988.112023: MyCERT Advisory - VMware Releases Security Update for Cloud Director Appliance

  • 21 Nov 2023
  • Advisory
  • vmware, cloud, director, update, vulnerability

1.0 Introduction

Recently, VMware released a security advisory addressing a vulnerability in the VMware Cloud Director Appliance.

2.0 Impact
Cyber threat actors may exploit this vulnerability to take control of an affected system.

3.0 Affected Products
VMware Cloud Director Appliance (VCD Appliance)

4.0 Recommendations
MyCERT encourages users and administrators to review the following VMware security advisory and apply the recommended updates:

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References

MA-987.112023: MyCERT Advisory - Fortinet Releases Security Updates for FortiClient and FortiGate

  • 21 Nov 2023
  • Advisory
  • fortinet, fortigate, forticlient, security, update, vulnerability

1.0 Introduction

Recently, Fortinet released security advisories addressing vulnerabilities in FortiClient and FortiGate.

2.0 Impact
Cyber threat actors may exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Fortinet FortiClient and FortiGate.

4.0 Recommendations
MyCERT encourages users and administrators to review the following Fortinet security advisories and apply the recommended updates:

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References

MA-984.112023: MyCERT Advisory - Cisco Releases Security Advisories for Multiple Products

  • 10 Nov 2023
  • Advisory
  • cisco, update, vulnerability

1.0 Introduction

Recently, Cisco released security advisories for vulnerabilities affecting multiple Cisco products.

2.0 Impact
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Cisco Firepower Management Center Software
  • Cisco Identity Services Engine
  • Cisco Firepower Threat Defense Software for Cisco Firepower 2100 Series Firewalls
  • Cisco Firepower Threat Defense Software
  • Cisco Firepower Threat Defense Software and Firepower Management Center Software 
  • Cisco Firepower Management Center Software
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software 

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References
https://www.cisa.gov/news-events/alerts/2023/11/03/cisco-releases-security-advisories-multiple-products

MA-982.112023: MyCERT Advisory - Critical Vulnerability in F5 BIG-IP Product

  • 02 Nov 2023
  • Advisory
  • big, ip, f5, firewall, vulnerability, update

1.0 Introduction

MyCERT has observed a critical vulnerability in the F5 BIG-IP product that could be exploited to execute malicious code on vulnerable systems.

The F5 BIG-IP Configuration Utility contains an unauthenticated remote code execution (RCE) vulnerability that allows an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. The vulnerability is caused by an improper authentication mechanism in the Configuration Utility.

2.0 Impact
Successful exploitation could allow a threat actor to execute arbitrary system commands on the BIG-IP system by sending specially crafted HTTP requests to the BIG-IP system.

3.0 Affected Products

  • BIG-IP (all modules)
    • 17.1.0
    • 16.1.0 - 16.1.4
    • 15.1.0 - 15.1.10
    • 14.1.0 - 14.1.5
    • 13.1.0 - 13.1.5

4.0 Recommendations
MyCERT recommends upgrading affected versions to the fixed or most recent version released by F5. Kindly refer to the following link for more information:
https://my.f5.com/manage/s/article/K000137353

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References

MA-980.112023: MyCERT Advisory - Critical Vulnerability in Confluence Server and Data Center

  • 02 Nov 2023
  • Advisory
  • atlassian, confluence, vulnerability, update

1.0 Introduction

Recently, Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

2.0 Impact
This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

3.0 Affected Products
The Confluence Data Center and Server versions listed below are affected by this vulnerability. Customers using these versions should upgrade their instances as soon as possible.

Versions prior to 8.0.0 are not affected by this vulnerability.

Product: Confluence Data Center and Confluence Server
Affected versions:
  • 8.0.0
  • 8.0.1
  • 8.0.2
  • 8.0.3
  • 8.0.4
  • 8.1.0
  • 8.1.1
  • 8.1.3
  • 8.1.4
  • 8.2.0
  • 8.2.1
  • 8.2.2
  • 8.2.3
  • 8.3.0
  • 8.3.1
  • 8.3.2
  • 8.4.0
  • 8.4.1
  • 8.4.2
  • 8.5.0
  • 8.5.1

Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.

Product: Confluence Data Center and Confluence Server
Fixed versions:
  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long Term Support release) or later

For a full description of the latest versions of Confluence Data Center and Confluence Server, see the release notes. You can download the latest version from the download center.

4.0 Recommendations
4.1 Upgrade to a fixed version. (See: Upgrade Instructions)

Customers with Confluence Data Center and Server instances accessible from the public internet, even those requiring user authentication, should restrict external network access until they can upgrade.

If you cannot restrict external network access before your upgrade, apply the following interim measures to mitigate known attack vectors by blocking access to the /setup/* endpoints on Confluence instances. This is possible at the network layer or by making the following changes to Confluence configuration files.

  • On each node, modify /<confluence-install-dir>/confluence/WEB-INF/web.xml and add the following block (just before the </web-app> tag at the end of the file):

        <security-constraint>
          <web-resource-collection>
            <url-pattern>/setup/*</url-pattern>
            <http-method-omission>*</http-method-omission>
          </web-resource-collection>
          <auth-constraint />
        </security-constraint>

  • Restart Confluence.

This action will block access to setup pages that are not required for typical Confluence usage, for further details see the FAQ page below.

Note: These mitigation actions are limited and not a replacement for upgrading your instance; you must upgrade as soon as possible.

4.2 Threat detection

Atlassian cannot confirm whether your instances have been affected by this vulnerability. Work with your security team to check all affected Confluence instances for evidence of compromise, as outlined below. If any evidence is found, you should assume that your instance has been compromised and evaluate the risk of flow-on effects. If your Confluence instances have been compromised, the attackers hold full administrative access and can perform any number of unfettered actions, including but not limited to exfiltration of content and system credentials and installation of malicious plugins.

Evidence of compromise may include:

  • unexpected members of the confluence-administrators group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

If you believe you were compromised, please raise a support request as Atlassian assistance is required to recover and protect your instance.
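The following script, added here as an example and not Atlassian's or MyCERT's tooling, turns three of the evidence-of-compromise indicators above (requests to /setup/*.action in access logs, /setup/setupadministrator.action inside an exception message in atlassian-confluence-security.log, and unexpected members of confluence-administrators) into checks that run over log lines. The access-log layout is an assumed combined-log format and all sample lines are constructed, so adapt ACCESS_RE to the reverse proxy or Tomcat access log actually in front of your instance.

```python
"""Check a Confluence Data Center/Server host for the evidence-of-compromise
indicators listed in section 4.2 of this advisory (CVE-2023-22515).

Added example, not Atlassian's or MyCERT's tooling. ACCESS_RE assumes a
combined-log-format access log; all sample lines below are constructed.
"""
import re

# Assumed layout: ip ident user [time] "METHOD path proto" status size
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def setup_requests(access_lines):
    """Indicator: requests to /setup/*.action. Returns (ip, time, path, status)."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, when, _method, path, status = m.groups()
        bare = path.split("?", 1)[0]  # ignore any query string
        if bare.startswith("/setup/") and bare.endswith(".action"):
            hits.append((ip, when, bare, int(status)))
    return hits


def security_log_hits(security_lines):
    """Indicator: /setup/setupadministrator.action inside an exception message
    in atlassian-confluence-security.log."""
    return [line for line in security_lines
            if "/setup/setupadministrator.action" in line and "Exception" in line]


def unexpected_admins(current_members, approved_members):
    """Indicator: members of confluence-administrators not on the approved list."""
    return sorted(set(current_members) - set(approved_members))


def assess(access_lines, security_lines, current_admins, approved_admins):
    """Run all checks. Per the advisory, any single indicator means the
    instance should be treated as compromised."""
    findings = {
        "setup_requests": setup_requests(access_lines),
        "security_log": security_log_hits(security_lines),
        "unexpected_admins": unexpected_admins(current_admins, approved_admins),
    }
    findings["compromised"] = any(findings[k] for k in
                                  ("setup_requests", "security_log", "unexpected_admins"))
    return findings


# Constructed sample data (addresses, times and users are made up).
SAMPLE_ACCESS = [
    '10.0.0.8 - - [30/Oct/2023:08:12:01 +0800] "GET /login.action HTTP/1.1" 200 4311',
    '203.0.113.7 - - [30/Oct/2023:08:15:44 +0800] "GET /setup/setupadministrator.action HTTP/1.1" 200 2210',
    '203.0.113.7 - - [30/Oct/2023:08:15:52 +0800] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.0.0.8 - - [30/Oct/2023:08:20:10 +0800] "GET /display/ENG/Home HTTP/1.1" 200 8890',
]
SAMPLE_SECURITY = [
    "2023-10-30 08:10:00,001 INFO [http-nio-8090-exec-1] login success for user jdoe",
    "2023-10-30 08:15:52,117 ERROR [http-nio-8090-exec-3] java.lang.IllegalStateException: "
    "setup already complete while serving /setup/setupadministrator.action",
]
SAMPLE_ADMINS = ["admin", "jdoe", "tmp_admin"]
APPROVED_ADMINS = ["admin", "jdoe"]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_ACCESS, SAMPLE_SECURITY,
                             SAMPLE_ADMINS, APPROVED_ADMINS).items():
        print(f"{key}: {value}")
```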

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References
[1]   Atlassian: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
[2]   Rapid7: CVE-2023-22515 Analysis
[3]   Microsoft: CVE-2023-22515 Exploit IP Addresses
[4]   Proofpoint: Emerging Threats Rulesets
[5]   Confluence CVE-2023-22515 Proof of Concept - vulhub
[6]   Atlassian Support: Upgrading Confluence

MA-979.112023: MyCERT Advisory - VMware Releases Advisory for VMware Tools Vulnerabilities

  • 02 Nov 2023
  • Advisory
  • vmware, security, update, vulnerability

1.0 Introduction

Recently, VMware released a security advisory addressing multiple vulnerabilities (CVE-2023-34057, CVE-2023-34058) in VMware Tools.

2.0 Impact
A cyber actor could exploit one of these vulnerabilities to take control of an affected system.

3.0 Affected Products
VMware Tools

4.0 Recommendations
MyCERT encourages users and administrators to review the VMware advisory VMSA-2023-0024 and apply the necessary updates.

Kindly refer to the following link: https://www.vmware.com/security/advisories/VMSA-2023-0024.html

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References

MA-978.112023: MyCERT Advisory - Multiple Vulnerabilities in Kubernetes Ingress Controller

  • 02 Nov 2023
  • Advisory
  • kubernetes, controller, ingress, vulnerability

1.0 Introduction

Recently, MyCERT has observed multiple vulnerabilities in Kubernetes Ingress Controller which could be exploited to steal credentials.

2.0 Impact
Three security flaws were discovered in the NGINX Ingress Controller for Kubernetes: CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044.

  1. CVE-2022-4886 (CVSS score: 8.8) is a vulnerability in the way the path field is used in Ingress routing definitions.
    • An attacker who can control the Ingress object can exploit this vulnerability to steal Kubernetes API credentials from the ingress controller.
  2. CVE-2023-5043 (CVSS score: 7.6) and CVE-2023-5044 (CVSS score: 7.6) are vulnerabilities in the way the configuration-snippet and permanent-redirect annotations are handled by the ingress controller.
    • An attacker who can control the configuration of the Ingress object can exploit these vulnerabilities to inject arbitrary code into the ingress controller process and gain access to everything that process has access to, including secret credentials.

3.0 Affected Products
NGINX Ingress Controller for Kubernetes (ingress-nginx) versions earlier than v1.9.0

4.0 Recommendations
MyCERT recommends the following mitigations to prevent these vulnerabilities from being exploited:

  • Enable strict path type validation in Ingress objects to prevent attackers from creating Ingress objects with invalid paths. (CVE-2022-4886)
  • Ingress Administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields. (CVE-2023-5043 and CVE-2023-5044)

Kindly refer to the following for more information:

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

5.0    References

MA-966.082023: MyCERT Advisory - CVE-2023-39143 - PaperCut Path Traversal/File Upload RCE Vulnerability

  • 23 Aug 2023
  • Advisory
  • papercut, file, upload, vulnerability, update

1.0 Introduction

CVE-2023-39143 is a critical security vulnerability that has been identified in the PaperCut NG/MF print management software. This vulnerability could potentially lead to remote code execution and is a result of unauthenticated attackers exploiting path traversal and file upload weaknesses. This advisory provides a general overview of CVE-2023-39143 and its implications. It is crucial for organizations using PaperCut NG/MF to review the official July 2023 PaperCut security bulletin for comprehensive information and to follow the recommended actions for ensuring the security of their systems.

2.0 Impact
This vulnerability allows unauthenticated attackers to exploit path traversal and file upload vulnerabilities to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server. Successful exploitation of this vulnerability could result in remote code execution, especially in configurations where external device integration settings are enabled. PaperCut servers running on Windows with this setting turned on are particularly susceptible.

Threat actors have already demonstrated interest in targeting PaperCut servers. Earlier campaigns have exploited CVE-2023-27350, a previously disclosed unauthenticated remote code execution vulnerability. Unlike CVE-2023-27350, CVE-2023-39143 does not require attackers to possess prior privileges or engage with users. The exploitation of this vulnerability is more complex, involving the chaining of multiple issues rather than being a straightforward "one-shot" remote code execution exploit.

3.0 Affected Products
All PaperCut NG and MF versions prior to 22.1.3 on Windows platforms only (excluding fixed versions named below).

4.0 Indicators of Compromise (IoC)
A simple command can help identify if a PaperCut server is vulnerable and running on Windows:

curl -w "%{http_code}" -k --path-as-is "https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png"

A 200 response indicates an unpatched server running on Windows, while a 404 response suggests a patched server or a system not running on Windows.

5.0 Recommendations
The recommended course of action is to upgrade to the latest version of PaperCut NG/MF, which is 22.1.3 at the time of writing. Upgrading will effectively mitigate the vulnerability. Please refer to the following URL for upgrades:

https://www.papercut.com/products/upgrade/

If an immediate upgrade is not feasible, administrators can implement temporary mitigation by configuring an allowlist of device IP addresses permitted to communicate with the PaperCut server. For detailed guidance, please refer to the "IP Address Allow-listing" section of the PaperCut security best practices guide at the following URL: https://www.papercut.com/kb/Main/SecureYourPaperCutServer/

Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

6.0    References

  1. https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
  2. https://www.papercut.com/kb/Main/securitybulletinjuly2023/
  3. https://www.helpnetsecurity.com/2023/08/07/cve-2023-39143/