Weekly Top 10 – 10.30.2023- Critical Vulnerabilities in SolarWinds Access Rights Manager, Zero-Day in Roundcube Exploited by Nation State Actors, VMWare VCenter Security Flaw Patched in End-of-Life Products, Vulnerabilities in Google Chrome Lead to Remote Code Execution

WEEKLY TOP TEN | October 30, 2023 15:00 GMT

1. Three Critical Vulnerabilities Discovered in SolarWinds Access Rights Manager
   On June 22^nd Trend Micro’s Zero Day Initiative (ZDI) disclosed three critical vulnerabilities in SolarWinds Access Rights Manager, which have now been patched. Each of these vulnerabilities occur pre-authentication and allow for attackers to gain remote code execution as the SYSTEM user. According to the advisory details from ZDI these vulnerabilities were all caused by lack of proper sanitization and validation of user input.
2. ExelaStealer Malware is the New Kid on the Block
   
   For a long time, RedLineStealer and Vidar have been the main InfoStealer malware types, however, Fortinet labs researchers have recently examined a new type, ExelaStealer. The commit history of the ExelaStealer GitHub repository only goes back to July of this year. This malware is written mostly in Python, and much of its code base is open source, however paid premium features are being sold on darknet marketplaces and telegram channels.
3. Zero-Day in Roundcube Exploited by Nation State Actors
   The Russian affiliated threat actor Winter Vivern was observed targeting European governments with a zero-day vulnerability in the Roundcube webmail client. This vulnerability (CVE-2023-5631 CVSS Score 5.4) allows for an attacker to load malicious JavaScript code by sending the victim a phishing email containing a maliciously crafted SVG document. Roundcube appears to be the target of choice for Winter Vivern, as they were observed using a different vulnerability in this software for similar attacks as early as August.
4. VMWare VCenter Security Flaw Patched in End-of-Life Products
   
   Trend Micro Zero Day Initiative (ZDI) disclosed a critical vulnerability to VMWare regarding their VCenter product. This vulnerability (CVE-2023-34048 CVSS Score 9.8) allows for an out-of-bounds write, which can lead to remote code execution. Due to the severe nature of this vulnerability, and the integral status of VCenter in virtualization implementations, VMWare quickly released patches for devices including VCenter 6.7U3, 6.5U3, and VCF 3.x, which have all passed end-of-life, and are not supposed to receive updates.
5. Vulnerabilities in Google Chrome Lead to Remote Code Execution
   
   A new use-after free vulnerability was disclosed in the patch notes for the latest release of Google Chrome. The vulnerability, currently tracked as CVE-2023-5472, is rated as high by Google, however the NVD is still analyzing this issue. Exploitation is performed using a crafted HTML page, which causes a heap corruption, allowing for remote code to be run on victim computers.
6. iLeakage Attack Allows Attackers to Extract Data from Safari
   
   A team of academic researchers from Georgia Tech, University of Michigan, and Ruhr University Bochum have released demos for a new attack against browsers on iOS devices using Apple Silicon CPUs. In the demos released, the research team steals emails, passwords, and YouTube watch history. iLeakage is based on the Spectre attacks disclosed by Google in 2018, leveraging a feature in modern CPUs called speculative execution.
7. NetScaler Devices at Risk Due to Citrix Bleed Vulnerability
   
   On October 10th, Citrix patched CVE-2023-4966, which is an information leakage vulnerability in NetScaler devices. More recently, on October 17^th, security firm Mandiant disclosed that zero-day exploitation of this flaw has been seen as early as the end of August. Attackers can exploit this flaw to steal session cookies from vulnerable devices, this allows for login without the need for a password and may bypass any MFA requirements. Proof of concepts have now been published publicly, which will likely lead to an increase in related attacks.
8. OAuth Misconfigurations Cause a Pass-The-Token Attack
   
   OAuth is an industry standard for authentication via single-sign-on. This allows the popular “Login with Google” or similar types of sign-in, however, when misconfigured, the token used by OAuth to authenticate a user is not properly validated. This allows for a token to be taken from a different site and passed to the misconfigured one. So while the OAuth standard is still secure, improper implementation can leave users vulnerable to account takeovers.
9. Highly Sophisticated StripedFly Malware Passes Over One Million Infected Systems
   
   The security firm, Kaspersky discovered the StripedFly malware strain in 2022, with indicators of infections as early as 2017. After going undetected for five years, this malware has over one million Windows and Linux hosts. StripedFly uses custom exploits targeting SSH and SMBv1. A Monero cryptocurrency miner is present in this malware, however it seems likely this is a diversion from the more sinister functions such as C2 (command & control), botnet-like functions, and providing an access point to victim networks.
10. ServiceNow Patches Eight-Year-Old Security Flaw
    
    A known flaw in ServiceNow’s widget feature allowed for unauthenticated users to steal data due to a misconfiguration of the access control lists used by widgets, which were blank by default. ServiceNow states that they commonly worked with customers to make sure these configurations were changed to be secure, however on October 20^th they released a security patch fixing this issue.