Advisories

1.0 Introduction

On May 3, 2023, Cisco released an advisory to address a critical vulnerability in the web-based management system of the Cisco SPA112 2-Port Phone Adapters. The vulnerability is tracked as CVE-2023-20126 and has a CVSS score of 9.8.

2.0 Impact
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.

There are currently no reports yet of an active exploitation of this vulnerability.

3.0 Affected Products
This vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters.

Moreover, Cisco has not released and will not release firmware updates to address the vulnerability, because Cisco SPA112 2-Port Phone Adapters have entered the end of-life process and are no longer supported.

4.0 Recommendations
MyCERT encourage constituents to discontinue using the product, as well as verify if any other similar – possibly also no longer supported – products are in use.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://cert.europa.eu/static/security-advisories/CERT-EU-SA2023-026.pdf
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW
• https://www.bleepingcomputer.com/news/security/cisco-phone-adapters-vulnerable-to-rce-attacks-no-fix-available/

1.0 Introduction

Chrome is now used by over three billion users worldwide, but every single one of them needs to update their browser urgently. Google’s Threat Analysis Group discovered vulnerability, CVE-2023-2033, stems from a “Type Confusion in V8”. Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This occurs when a program uses one method to allocate or initialize a resource but an incompatible method then access that resource, potentially providing unsecured access to the browser’s memory.

2.0 Impact
Allow attackers to trigger browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution on compromised devices.

3.0 Affected System and Devices
Chrome version below 112.0.15615.121 on Windows, Mac and Linux.

4.0 Recommendations
MyCERT encourages users and administrators to review Google’s security updates and apply necessary updates.

To do immediate update, click the overflow menu bar (three vertical dots) in the browser’s top right corner, then Help > About Google Chrome. This will force Chrome to check for browser updates. Once the update is complete, you must restart the browser to be fully protected. 

Kindly refer to the following URLs:

https://www.google.com/chrome/update/

https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
(The new version of Google Chrome is available in the Stable Desktop Channel).

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.forbes.com/sites/gordonkelly/2023/04/15/google-chrome-browser-zero-day-vulnerability-critical-chrome-update/?sh=564c310759ae
• https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-first-zero-day-of-2023/
• https://nvd.nist.gov/vuln/detail/CVE-2023-2033
• https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
• https://www.google.com/chrome/update/
• https://support.google.com/chrome/answer/95414?hl=en&co=GENIE.Platform%3DDesktop

1.0 Introduction

Recently, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-28252 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252)

2.0 Impact
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

3.0 Affected Products
Multiple versions of Microsoft Windows operating systems.

4.0 Recommendations
MyCERT strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. Kindly refer to the link here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog

1.0 Introduction

Recently, Fortinet has released its April 2023 Vulnerability Advisories to address vulnerabilities affecting multiple products.

2.0 Impact
An attacker could exploit one of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Fortinet products

4.0 Recommendations
MyCERT encourages users and administrators to review the Fortinet April 2023 Vulnerability Advisories page for more information and apply the necessary updates.

Kindly refer to the following URL: https://www.fortiguard.com/psirt-monthly-advisory/april-2023-vulnerability-advisories

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/news-events/alerts/2023/04/11/fortinet-releases-april-2023-vulnerability-advisories

1.0 Introduction

Recently, CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-28252 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability

2.0 Impact
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise

3.0 Affected Products
Microsoft Windows OS

4.0 Recommendations
MyCERT strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

Kindly refer to the following URL : https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/news-events/alerts/2023/04/11/cisa-adds-one-known-exploited-vulnerability-catalog

1.0 Introduction

CISA has released a recovery script for organization that have fallen victim to ESXiArgs ransomware. 

2.0 Impact
The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.

3.0 Affected Products

• VMware ESXi
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro / Fusion (Fusion)
• VMware Cloud Foundation
• VMware vRealize Network Insight (vRNI)

4.0 Recommendations
MyCERT recommends user, administrators and organizations impacted by EXSiArgs evaluate the scripts and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment.

Organizations can access the recovery scripts by referring link below:

• https://github.com/cisagov/ESXiArgs-Recover

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/uscert/ncas/current-activity/2023/02/07/cisa-releases-esxiargs-ransomware-recovery-script
• https://github.com/cisagov/ESXiArgs-Recover
• https://www.mycert.org.my/portal/advisory?id=MA-902.122022
• https://www.mycert.org.my/portal/advisory?id=MA-881.102022
• https://www.mycert.org.my/portal/advisory?id=MA-868.092022
• https://www.mycert.org.my/portal/advisory?id=MA-852.082022

1.0 Introduction

Recently, The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.

2.0 Impact
An attacker could exploit some of these vulnerabilities to take control of an affected system. 

3.0 Affected Products

• All versions of Samba

4.0 Recommendations
MyCERT encourages users and administrators to review the following Samba security announcements and apply the necessary updates. Kindly refer to the links below:

• CVE-2022-38023
• CVE-2022-37966 
• CVE-2022-37967
• CVE-2022-45141

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.samba.org/samba/security/CVE-2022-38023.html
• https://www.samba.org/samba/security/CVE-2022-37966.html
• https://www.samba.org/samba/security/CVE-2022-37967.html
• https://www.samba.org/samba/security/CVE-2022-45141.html
• https://www.cisa.gov/uscert/ncas/current-activity/2022/12/16/samba-releases-security-updates

1.0 Introduction

Recently, Drupal has released security updates to address vulnerabilities affecting H5P and the File (Field) Paths modules for Drupal 7.x.

2.0 Impact
An attacker could exploit these vulnerabilities to access sensitive information and remotely execute code.

3.0 Affected Products

• Drupal 7.x versions

4.0 Recommendations
MyCERT encourages users and administrators to review Drupal’s security advisories SA-CONTRIB-2022-064 and SA-CONTRIB-2022-065 and apply the necessary update.

Kindly refer to the URLs below: 

• https://www.drupal.org/sa-contrib-2022-064
• https://www.drupal.org/sa-contrib-2022-065

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.drupal.org/sa-contrib-2022-065
• https://www.drupal.org/sa-contrib-2022-064
• https://www.cisa.gov/uscert/ncas/current-activity/2022/12/15/drupal-releases-security-updates-address-vulnerabilities-h5p-and

1.0 Introduction

Fortinet released a security advisory regarding the CVE-2022-40684 vulnerability that is affecting multiple Fortinet devices and services.

2.0 Impact
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

3.0 Affected Products

• FortiOS version 7.2.0 through 7.2.1
• FortiOS version 7.0.0 through 7.0.6
• FortiProxy version 7.2.0
• FortiProxy version 7.0.0 through 7.0.6
• FortiSwitchManager version 7.2.0
• FortiSwitchManager version 7.0.0
• FortiOS versions 5.x, 6.x are NOT impacted.

4.0 Indicators of Compromise

Exploitation Status:

• Fortinet is aware of an instance where this vulnerability was exploited and recommends immediately validating your systems against the following indicator of compromise in the device's logs:

           user="Local_Process_Access" 

           Please contact customer support for assistance.

• Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices and to add a malicious super_admin account called  "fortigate-tech-support":

           # show system admin
          edit "fortigate-tech-support"
          set accprofile "super_admin"
          set vdom "root"
          set password ENC [...]
          next

          Please contact customer support for assistance.

Workaround:

• FortiOS:

           Disable HTTP/HTTPS administrative interface

           OR

           Limit IP addresses that can reach the administrative interface:
           config firewall address
           edit "my_allowed_addresses"
           set subnet <MY IP> <MY SUBNET>
           end

          Then create an Address Group:
          config firewall addrgrp
          edit "MGMT_IPs"
          set member "my_allowed_addresses"
          end

          Create the Local in Policy to restrict access only to the predefined group on the management interface (here:               port1):

          config firewall local-in-policy
          edit 1
          set intf port1
          set srcaddr "MGMT_IPs"
          set dstaddr "all"
          set action accept
          set service HTTPS HTTP
          set schedule "always"
          set status enable
          next
          edit 2
          set intf "any"
          set srcaddr "all"
          set dstaddr "all"
          set action deny
          set service HTTPS HTTP
          set schedule "always"
          set status enable
          end

          If using non-default ports, create an appropriate service object for GUI administrative access:

          config firewall service custom
          edit GUI_HTTPS
          set tcp-portrange <admin-sport>
          next
          edit GUI_HTTP
          set tcp-portrange <admin-port>
          end

          Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.

          UPDATE: When using an HA reserved management interface, the local in policy needs to be configured
          slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-
          configure-a-local-in-policy-on-a-HA/ta-p/222005

          Please contact customer support for assistance.

• FortiProxy:

          Disable HTTP/HTTPS administrative interface

          OR

          For FortiProxy VM, all versions of FortiProxy appliance 7.0.6:

          Limit IP addresses that can reach the administrative interface (here: port1):

          config system interface
          edit port1
          set dedicated-to management
          set trust-ip-1 <MY IP> <MY SUBNET>
          end

          Please contact customer support for assistance.

• FortiSwitchManager:

          Disable HTTP/HTTPS administrative interface
          Please contact customer support for assistance.

5.0 Recommendations
MyCERT recommends that customers validate their configuration to ensure that no unauthorized changes have been implemented by a malicious third party, regardless of whether they have upgraded. 

MyCERT also strongly recommend system administrators follow the update steps below:

• Please upgrade to FortiOS version 7.2.2 or above
• Please upgrade to FortiOS version 7.0.7 or above
• Please upgrade to FortiProxy version 7.2.1 or above
• Please upgrade to FortiProxy version 7.0.7 or above
• Please upgrade to FortiSwitchManager version 7.2.1 or above
• Please upgrade to FortiSwitchManager version 7.0.1 or above
• Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.fortiguard.com/psirt/FG-IR-22-377
• http://blog.cyble.com/

1.0 Introduction

Recently, Cisco has released security updates for vulnerabilities affecting Cisco Identity Services Engine (ISE).

2.0 Impact
A remote attacker could exploit some of these vulnerabilities to bypass authorization and access system files.

3.0 Affected Products
Cisco Identity Services Engine (ISE)

4.0 Recommendations
For updates addressing vulnerabilities, see the Cisco Security Advisories page.   

MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

• Cisco Identity Services Engine Insufficient Access Control Vulnerability
• Cisco Identity Services Engine Cross-Site Scripting Vulnerability

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/uscert/ncas/current-activity/2022/11/16/cisco-releases-security-updates-identity-services-engine