Prism Platform’s Top Active Exploits – April 2023

Prism Top Active Exploits Blog Header

Prism Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

In this article, we have rounded up the top active exploits that are currently being monitored by Prism.

CVE-2023-26360 – Adobe ColdFusion Improper Access Control Vulnerability

Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. Users are advised to update and patch.

CVE-2022-41328 – FortiOS Arbitrary Code Execution

The zero-day flaw in question is CVE-2022-41328 (CVSS score: 6.5), a medium security path traversal bug in FortiOS that could lead to arbitrary code execution. “An improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” The shortcoming impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. Fixes are available in versions 6.4.12, 7.0.10, and 7.2.4 respectively. The disclosure comes days after Fortinet released patches to address 15 security flaws, including CVE-2022-41328 and a critical heap-based buffer underflow issue impacting FortiOS and FortiProxy (CVE-2023-25610, CVSS score: 9.3).

CVE-2022-38181 – Arm Mali GPU Vulnerability

The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This affects Bifrost r0p0 through r38p1, and r39p0; Valhall r19p0 through r38p1, and r39p0; and Midgard r4p0 through r32p0

CVE-2023-29059 – 3CX Desktop App Embedded Malicious Code

3CX Desktop App through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

CVE-2020-5741 – Plex Media Server Remote Code Execution Vulnerability

Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. This was used in the Lastpass attack against an employee. Rootshell would recommend that this is fixed if the vulnerability is present.

CVE-2020-0674 – Internet Explorer Remote Code Execution

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka ‘Scripting Engine Memory Corruption Vulnerability’. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767

CVE-2022-21894 – BlackLotus Security Bypass Vulnerability

BlackLotus exploits a security flaw known as Baton Drop (CVE-2022-21894) to bypass UEFI Secure Boot protections and establish persistence. Microsoft patched this vulnerability in its January 2022 Patch Tuesday update.

CVE-2022-28810 – Zoho ManageEngine ADSelfService Arbitrary Code Execution

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

CVE-2023-27905 – Jenkins Server Severe Security Vulnerabilities

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are vulnerable and exploitable. “Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise of the Jenkins server.

CVE-2013-3900 – WinVerifyTrust function in Microsoft Windows Vulnerability

The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka “WinVerifyTrust Signature Validation Vulnerability.”

CVE-2022-22706 – Arm Mali GPU Kernel Driver

Arm Mali GPU Kernel Driver allows a non-privileged user to achieve write access to read-only memory pages. This affects Midgard r26p0 through r31p0, Bifrost r0p0 through r35p0, and Valhall r19p0 through r35p0.

CVE-2021-30900 – Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 14.8.1 and iPadOS 14.8.1, iOS 15.1 and iPadOS 15.1. A malicious application may be able to execute arbitrary code with kernel privileges.

CVE-2021-35394 – Realtek Jungle SDK Arbitrary Command Injection

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

CVE-2021-26411 – Microsoft Internet Explorer and Edge Memory Corruption Vulnerability

Typically, this can result in corruption of data, a crash, or code execution. The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2023-23383 – Azure Service Fabric Explorer (SFX) Remote Code Execution

Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed “Super FabriXss” by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. “The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication.

CVE-2023-25610 – FortiOS and FortiProxy Critical Security Flaws

Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. “A buffer underwrite (‘buffer underflow’) vulnerability in FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests,” Fortinet said in an advisory.

CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability

A vulnerability, which was classified as critical, was found in Microsoft Outlook 365 Apps for Enterprise/2013 RT SP1/2013 SP1/2016/2019 (Groupware Software). This is going to have an impact on confidentiality, integrity, and availability. The weakness was disclosed 03/14/2023 as confirmed security guidance (Website). The advisory is shared for download at portal.msrc.microsoft.com. This vulnerability is traded as CVE-2023-23397.

CVE-2023-24880 – Windows SmartScreen Security Feature Bypass

CVE-2023-24880 is a vulnerability that allows attackers to bypass the Windows SmartScreen feature. “When you download a file from the internet, Windows adds the zone identifier or Mark of the Web (MOTW) as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check,” Microsoft clarifies. This vulnerability can be exploited by crafting a malicious file that will evade the MOTW defenses, which means that protective measures like Windows SmartScreen and Microsoft Office Protected View won’t be triggered. The in-the-wild exploitation of the vulnerability was reported to Microsoft by researchers Benoît Sevens and Vlad Stolyarov of the Google’s Threat Analysis Group (TAG), which spotted it being exploited to deliver the Magniber ransomware. “The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.



source https://www.rootshellsecurity.net/prism-platforms-top-active-exploits-april-2023/

Comments