Prism Platform’s Top Active Exploits – May 2023

Prism Top Active Exploits Blog Header

Prism Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

In this article, we have rounded up the top active exploits that are currently being monitored by Prism.

CVE-2023-27524 | Apache Superset – Session Validation Attack

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

CVE-2023-28771 | Zyxel – Critical Security Flaw

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel said in an advisory on April 25, 2023.

CVE-2023-23529 | IOS – Arbitrary Code Execution

A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVE-2023-21554 | Microsoft Message Queueing – Remote Code Execution

CVE-2023-21554 is a RCE vulnerability affecting Microsoft Message Queuing (MSMQ) with a CVSSv3 score of 9.8. An attacker could exploit this flaw by sending a specially crafted MSMQ packet to an affected MSMQ server. Microsoft’s advisory notes that exploitation of this flaw requires the Windows message queuing service to be enabled. When enabled, TCP port 1801 will be listening on the host.

CVE-2023-28231 | DHCP Server Service- Remote Code Execution

CVE-2023-28231 is a RCE vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service. Microsoft rates this vulnerability as “Exploitation More Likely” according to the Microsoft Exploitability Index. With a CVSSv3 score of 8.8, successful exploitation requires an attacker to be on an adjacent network prior to using a crafted RPC call to exploit the flaw.

CVE-2019-1388 | Windows Certificate Dialog – Escalation of Privilege

An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka ‘Windows Certificate Dialog Elevation of Privilege Vulnerability.

CVE-2023-29199 | Vm2 JavaScript – Remote Code Execution

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2.

CVE-2021-27878 | Veritas Backup – Arbitrary Code Execution

An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges.

CVE-2023-28205 | IOS – Arbitrary Code Execution

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVE-2023-2033 | Google Chrome – High Severity Vulnerability

Google released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year 2023. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google’s Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023. “Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to the NIST’s National Vulnerability Database (NVD). The tech giant acknowledged that “an exploit for CVE-2023-2033 exists in the wild,” but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.

CVE-2023-28252 | Windows Common Log File System Driver – Escalation of Privilege

CVE-2023-28252 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver, a logging service used by kernel-mode and user-mode applications. It was assigned a CVSSv3 score of 7.8. This vulnerability is a post-compromise flaw, meaning an attacker could exploit it after gaining access to a vulnerable target. Successful exploitation would elevate an attacker’s privileges SYSTEM. According to Microsoft, it was exploited in the wild as a zero day.

CVE-2021-27876 | Veritas Backup – Arbitrary File Access

An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. By using crafted input parameters in one of these commands, an attacker can access an arbitrary file on the system using System privileges.

CVE-2022-26134 | Confluence Server and Data Center – Arbitrary Code Execution

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1

CVE-2017-7494 | Samba – Remote Code Execution

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

CVE-2021-27877 | Veritas Backup – Remote Code Execution

An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn’t yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.

CVE-2023-27350 | PaperCut NG – Authentication Bypass

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

CVE-2018-13379 | Fortinet FortiOS – Authentication Bypass

An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

CVE-2022-27926 | Zimbra Collaboration – Authentication Bypass

A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.

CVE-2023-2136 | Skia – High Severity Vulnerability

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)



source https://www.rootshellsecurity.net/prism-platforms-top-active-exploits-may-2023/

Comments