Advisories

1.0 Introduction

CVE-2023-39143 is a critical security vulnerability that has been identified in the PaperCut NG/MF print management software. This vulnerability could potentially lead to remote code execution and is a result of unauthenticated attackers exploiting path traversal and file upload weaknesses. This advisory provides a general overview of CVE-2023-39143 and its implications. It is crucial for organizations using PaperCut NG/MF to review the official July 2023 PaperCut security bulletin for comprehensive information and to follow the recommended actions for ensuring the security of their systems.

2.0 Impact
This vulnerability allows unauthenticated attackers to exploit path traversal and file upload vulnerabilities to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server. Successful exploitation of this vulnerability could result in remote code execution, especially in configurations where external device integration settings are enabled. PaperCut servers running on Windows with this setting turned on are particularly susceptible.

Threat actors have already demonstrated interest in targeting PaperCut servers. Earlier campaigns have exploited CVE-2023-27350, a previously disclosed unauthenticated remote code execution vulnerability. Unlike CVE-2023-27350, CVE-2023-39143 does not require attackers to possess prior privileges or engage with users. The exploitation of this vulnerability is more complex, involving the chaining of multiple issues rather than being a straightforward "one-shot" remote code execution exploit.

3.0 Affected Products
All PaperCut NG and MF versions prior to 22.1.3 on Windows platforms only (excluding fixed versions named below).

4.0 Incidicators of Compromise (IoC)
A simple command can help identify if a PaperCut server is vulnerable and running on Windows:

A 200 response indicates an unpatched server running on Windows, while a 404 response suggests a patched server or a system not running on Windows.

5.0 Recommendations
The recommended course of action is to upgrade to the latest version of PaperCut NG/MF, which is 22.1.3 at the time of writing. Upgrading will effectively mitigate the vulnerability. Please refer to the following URL for upgrades:

https://www.papercut.com/products/upgrade/

If an immediate upgrade is not feasible, administrators can implement temporary mitigation by configuring an allowlist of device IP addresses permitted to communicate with the PaperCut server. For detailed guidance, please refer to the "IP Address Allow-listing" section of the PaperCut security best practices guide at the following URL: https://www.papercut.com/kb/Main/SecureYourPaperCutServer/

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

1. https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/
2. https://www.papercut.com/kb/Main/securitybulletinjuly2023/
3. https://www.helpnetsecurity.com/2023/08/07/cve-2023-39143/

1.0 Introduction

Recently, a new identified vulnerability identified as CVE-2023-38646 enables an unauthenticated attacker to execute arbitrary commands on the Metabase server with the same privileges. This can transform the Metabase server into a potential entry point for further attacks, potentially compromising the integrity of the entire system. The impact of CVE-2023-38646 extends to all aspects of the CIA triad (Confidentiality, Integrity, Availability). While there were no known exploitations at the time of the vulnerability disclosure, a proof-of-concept was released on August 9th, significantly elevating the threat landscape.

2.0 Impact
An unauthenticated attacker exploiting this vulnerability could lead to severe data breaches and significant disruptions to business operations. The release of an exploit for this vulnerability amplifies the risks, particularly due to the widespread adoption of Metabase.

3.0 Affected Products
The vulnerability affects the following supported versions:

• Metabase open source before 0.46.6.1
• Metabase Enterprise before 1.46.6.1

4.0 Recommendations
Metabase has released patches and instructions to address the vulnerability. Immediate upgrading is strongly advised. You can find patches at: 

https://www.metabase.com/blog/security-advisory

Metabase has provided the following instructions:

For Metabase Enterprise customers, access the latest patched release version at: 

• JAR: https://downloads.metabase.com/enterprise/v1.46.7/metabase.jar
• Docker image via metabase/metabase-enterprise:latest or metabase/metabase-enterprise:v1.46.6.1

For open-source Metabase users, access the latest patched release version at:

• JAR: https://downloads.metabase.com/v0.46.7/metabase.jar
• Docker image via metabase/metabase:latest or metabase/metabase:v0.46.6.1

For older versions, patches are available at: https://github.com/metabase/metabase/releases

Given the critical severity, prompt patching is essential, system administrators are urged by MyCERT to apply patches as soon as possible. Additionally, analyze system and network logs for any unusual activity. 

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

1. https://www.metabase.com/blog/security-advisory
2. https://cert.be/en/warningexploit-was-released-cve-2023-38646-critical-vulnerability-metabase-open-source-and-metabase

1.0 Introduction

MyCERT received information from trusted security parties about the exploitation of CVE-2023-3519, a critical unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, revealed this week that at least 15,000 appliances were identified as exposed to attacks leveraging the flaw (CVE-2023-3519) based on their version information. The vulnerability is rated CVSS 9.8 critical.

Hence, we are issuing this security advisory to alert organizations about the exploitation of CVE-2023-3519, a critical unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway. This advisory provides comprehensive information regarding the threat actors' activities, detection methods, incident response, and recommended mitigations. The exploitation of CVE-2023-3519 poses a significant threat to organizations using Citrix NetScaler ADC and NetScaler Gateway. By understanding the threat actor's tactics, techniques, and procedures outlined in this advisory, organizations can enhance their defence mechanisms, quickly detect compromise, and effectively respond to incidents. It is crucial to apply the recommended mitigations and continuously validate security controls to reduce the risk of successful exploitation.

2.0 Impact
The vulnerability allows attackers to execute arbitrary code on the affected systems, potentially leading to the implantation of webshells and unauthorized access to sensitive information.

3.0 Threat Actor Activity

In June 2023, threat actors exploited CVE-2023-3519, using it as a zero-day vulnerability to compromise a critical infrastructure organization's non-production NetScaler ADC appliance. The attackers utilized a multi-stage attack chain, uploading a TGZ file containing a generic webshell, a discovery script, and a setuid binary onto the appliance. The attackers proceeded to conduct SMB scanning, AD enumeration, and exfiltration of AD data using the webshell.

Specifically, the threat actors performed the following actions:

• Accessed configuration files to retrieve encrypted passwords and decryption keys.
• Used decrypted credentials to query Active Directory for users, computers, groups, and other objects.
• Encrypted collected discovery data and exfiltrated it as an image file.
• Attempted network and subnet-wide discovery and lateral movement, which was thwarted by network-segmentation controls.

4.0 Affected Products

• NetScaler ADC and NetScaler Gateway?13.1?before?13.1-49.13 
• NetScaler ADC and NetScaler Gateway?13.0?before 13.0-91.13 
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA)?virtual?server for exploitation.

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

5.0 Recommendations
To detect potential compromise or unauthorized activity related to CVE-2023-3519, organizations are advised to perform the following actions:

• Monitor for files created or modified after the last installation date.
• Inspect HTTP error logs for unusual requests containing ".sh" and ".php" extensions.
• Check shell logs for unauthorized post-exploitation commands.
• Review network and firewall logs for subnet-wide scanning and spikes in AD/LDAP traffic.
• Examine large outbound transfers from the affected device over a short period of session time as it can indicate signs of data exfiltration.
• Review logs for unusual authentication attempts and connections.
• Implement robust network segmentation controls on NetScaler appliances.

Organisations should also follow these mitigations and best practices:

• Apply the latest patches provided by Citrix for the affected versions as soon as possible. See Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467 for patch information.
• Enforce phishing-resistant multifactor authentication (MFA) for all staff and services.
• Implement network segmentation controls on internet-facing devices.
• Continually test and validate security controls against the techniques outlined in this advisory using the MITRE ATT&CK framework.

In case of compromise, organisations should:

1. Quarantine or take affected hosts offline.
2. Reimage compromised hosts.
3. Provision new account credentials.
4. Collect and review relevant artefacts and logs.
5. Report the compromise to relevant authorities, your service provider or to MyCERT.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
2. https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
3. https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/
4. https://www.bleepingcomputer.com/news/security/over-15k-citrix-servers-vulnerable-to-cve-2023-3519-rce-attacks/

1.0 Introduction

Recently, Adobe has released security updates to address multiple vulnerabilities in Adobe software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

• Adobe Acrobat and Reader
• Adobe Commerce
• Adobe Dimension
• Adobe XMP Toolkit SDK

4.0 Recommendations
MyCERT encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

• Adobe Acrobat and Reader: APSB23-30 : https://helpx.adobe.com/security/products/acrobat/apsb23-30.html
• Adobe Commerce: APSB23-42 : https://helpx.adobe.com/security/products/magento/apsb23-42.html
• Adobe Dimension: APSB23-44 : https://helpx.adobe.com/security/products/dimension/apsb23-44.html
• Adobe XMP Toolkit SDK: APSB23-45 : https://helpx.adobe.com/security/products/xmpcore/apsb23-45.html

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• Adobe Acrobat and Reader: APSB23-30 : https://helpx.adobe.com/security/products/acrobat/apsb23-30.html
• Adobe Commerce: APSB23-42 : https://helpx.adobe.com/security/products/magento/apsb23-42.html
• Adobe Dimension: APSB23-44 : https://helpx.adobe.com/security/products/dimension/apsb23-44.html
• Adobe XMP Toolkit SDK: APSB23-45 : https://helpx.adobe.com/security/products/xmpcore/apsb23-45.html
• https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-updates-multiple-products

1.0 Introduction

Recently, Fortinet has released a security update to address a vulnerability (CVE-2023-29182) affecting FortiOS.

2.0 Impact
A remote attacker can exploit this vulnerability to take control of an affected system.

3.0 Affected Products

• FortiOS version 7.0.0 through 7.0.3
• FortiOS 6.4 all versions
• FortiOS 6.2 all versions

4.0 Recommendations
MyCERT encourages users and administrators to review the Fortinet security release [FG-IR-23-149] and apply the necessary updates.

Kindly refer to the following URL for more information: https://www.fortiguard.com/psirt/FG-IR-23-149

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.fortiguard.com/psirt/FG-IR-23-149
• https://www.cisa.gov/news-events/alerts/2023/08/08/fortinet-releases-security-update-fortios

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s August 2023 Security Update Guide and apply the necessary updates.

Kindly refer to the following URL for more information: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug
• https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-august-2023-security-updates

1.0 Introduction

A cyberespionage group known as APT29 or Midnight Blizzard has been launching phishing attacks against organizations, by using fake security messages via Microsoft Teams in an attempt to defeat Microsoft’s two-factor authentication (2FA) push notification method that relies on number matching. Based on Microsoft’s report, this campaign has affected fewer than 40 unique global organizations, likely indicate specific espionage objectives by this group directed at the government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

Midnight Blizzard is Microsoft’s newly designated name for APT29, also known in the security industry as Cozy Bear or NOBELIUM, was behind the 2020 SolarWinds software supply chain attack that impacted thousands of organizations worldwide. This group was also responsible for attacks against many government institutions, diplomatic missions and military industrial base companies worldwide.

2.0 Impact
Post-compromise activity by the threat actor, typically involves information theft from the compromised Microsoft 365 tenant.

3.0 Techniques, Tactics and Procedures (TTPs)
In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After the threat actor attempted to authenticate to an account, where this form of MFA is required, the threat actor is then presented with a code that the targeted user would need to enter in their authenticator app on their smartphones. The targeted user receive the prompt for code entry on their device or smartphone. The threat actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device. The targeted users believe the message is unsuspiciously from Microsoft and enters the code given by the threat actor onto their devices or smartphones.

Step 1: Teams request to chat

The targeted user receive a Microsoft Teams message request from an external user masquerading as a Microsoft technical support or security team.

Figure 1: Screenshot of a Microsoft Teams message request from a Midnight Blizzard-controlled account

Step 2: Request authentication app action

If the targeted user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on targeted user’s mobile device.

Figure 2: A Microsoft Teams prompt with a code and instructions.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The threat actor then proceeds to conduct a post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organisation as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

4.0 Indicators of Compromise

Table 1: Indicators of Compromise (Malicious Domain names used in the attack)

Figure 3: Message sent by the threat actor

5.0 Recommendations
Microsoft recommends the following mitigations to reduce the risk of this threat:

• Pilot and start deploying phishing-resistant authentication methods for users.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
• Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
• Understand and select the best access settings for external collaboration for your organization.
• Allow only known devices that adhere to Microsoft’s recommended security baselines.
• Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
• Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and , and never share their account information or authorize sign-in requests over chat.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
• Always remember never to simply share credentials and personal information over the Internet.
• Report to relevant authorities or CERTs on detecting suspicious activities on the Internet or on your devices.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

• https://www.microsoft.com/en-us/security/blog/tag/midnight-blizzard-nobelium/
• https://www.csoonline.com/article/648626/russian-cyberspies-defeat-microsoft-number-matching-2fa-policy-with-fake-teams-messages.html
• https://aka.ms/threatintelblog

1.0 Introduction

Recently, Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14.

2.0 Impact
An attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

• Firefox 116
• Firefox ESR 115.1
• Firefox ESR 102.14 
• Thunderbird 115.1
• Thunderbird 102.14

4.0 Recommendations
MyCERT encourages users and administrators to review Mozilla’s security advisories for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 for more information and apply the necessary updates.

Kindly visit the URLs below:

• https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/
• Mozilla Releases Security Updates for Multiple Products | CISA

1.0 Introduction

Recently, a vulnerability in the web-based management interface of Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

2.0 Impact
This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

3.0 Affected Products
At the time of publication, this vulnerability affected the following Cisco products:

• BroadWorks Application Delivery Platform
• BroadWorks Application Server (AS)
• BroadWorks Xtended Services Platform (XSP)

4.0 Recommendations
There are no workarounds that address this vulnerability. The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Kindly visit https://www.cisco.com/go/psirt for more information.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-commpilot-xss-jC46sezF