2023 Most Commonly Exploited Vulnerabilities

Summary:

CVE-2023-3519 is a critical vulnerability affecting Citrix NetScaler ADC and Gateway, which has been actively exploited by threat actors to implant webshells. This vulnerability, along with others in various software products, poses significant security risks and requires immediate attention and patching.

Key points:

  • Critical vulnerabilities identified in Citrix, Cisco, Fortinet, and other software.
  • Threat actors exploiting these vulnerabilities for malicious purposes, including ransomware attacks.
  • Urgent security updates and patches are recommended for affected systems.
  • The vulnerabilities span many software versions and products, highlighting the need for comprehensive security measures.

MITRE Techniques

  • Web Shell (T1100): Threat actors exploit CVE-2023-3519 to implant webshells on compromised systems.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Exploitation of Remote Services (T1210): Exploits vulnerabilities in remote services such as Citrix and Cisco IOS XE.
  • Credential Dumping (T1003): Threat actors may attempt to extract credentials from compromised systems.
  • Initial Access (T1078): Exploitation of vulnerabilities for initial access to networks, as seen with CVE-2023-22515 in Atlassian Confluence.

Vulnerability Details:

CVE-2023-3519
  Vendor: Citrix
  Affected: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 and 13.0 before 13.0-91.13; NetScaler ADC 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297 and 12.1-NDcPP before 12.1-55.297
  Resources: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467; Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells; Critical Security Update for NetScaler ADC and NetScaler Gateway

CVE-2023-4966
  Vendor: Citrix
  Affected: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50, 13.1 before 13.1-49.15 and 13.0 before 13.0-92.19; NetScaler ADC 13.1-FIPS before 13.1-37.164, 12.1-FIPS before 12.1-55.300 and 12.1-NDcPP before 12.1-55.300
  Resources: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967; #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability; Critical Security Update for NetScaler ADC and NetScaler Gateway

CVE-2023-20198
  Vendor: Cisco
  Affected: Any Cisco IOS XE Software with web UI feature enabled
  Resources: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature; Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities

CVE-2023-27997
  Vendor: Fortinet
  Affected: FortiOS-6K7K versions 7.0.10, 7.0.5, 6.4.12, 6.4.10, 6.4.8, 6.4.6, 6.4.2, 6.2.9 through 6.2.13, 6.2.6 through 6.2.7, 6.2.4, 6.0.12 through 6.0.16, 6.0.10
  Resources: Heap buffer overflow in sslvpn pre-authentication

CVE-2023-34362
  Vendor: Progress
  Affected: MOVEit Transfer 2023.0.0 (15.0), 2022.1.x (14.1), 2022.0.x (14.0), 2021.1.x (13.1), 2021.0.x (13.0), 2020.1.x (12.1), 2020.0.x (12.0) or older; MOVEit Cloud
  Resources: MOVEit Transfer Critical Vulnerability; #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

CVE-2023-22515
  Vendor: Atlassian
  Affected: Confluence Data Center and Server 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1
  Resources: Broken Access Control Vulnerability in Confluence Data Center and Server; Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

CVE-2021-44228 (Log4Shell)
  Vendor: Apache
  Affected: Log4j, all versions from 2.0-beta9 to 2.14.1. For other affected vendors and products, see CISA's GitHub repository.
  Resources: Apache Log4j Security Vulnerabilities; for additional information, see the joint advisory Mitigating Log4Shell and Other Log4j-Related Vulnerabilities; Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

CVE-2023-2868
  Vendor: Barracuda Networks
  Affected: 5.1.3.001 through 9.2.0.006
  Resources: Barracuda Email Security Gateway Appliance (ESG) Vulnerability

CVE-2022-47966
  Vendor: Zoho
  Affected: Multiple products, multiple versions (for details, see the security advisory listed below)
  Resources: Security advisory for remote code execution vulnerability in multiple ManageEngine products

CVE-2023-27350
  Vendor: PaperCut
  Affected: PaperCut MF or NG version 8.0 or later (excluding patched versions) on all OS platforms. This includes versions 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10 and 22.0.0 to 22.0.8 (all ranges inclusive).
  Resources: URGENT MF/NG vulnerability bulletin (March 2023); Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

CVE-2020-1472
  Vendor: Microsoft
  Affected: Netlogon
  Resources: Netlogon Elevation of Privilege Vulnerability; Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2023-23397
  Vendor: Microsoft
  Affected: Outlook
  Resources: Microsoft Outlook Elevation of Privilege Vulnerability; Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

CVE-2023-49103
  Vendor: ownCloud
  Affected: graphapi
  Resources: Disclosure of Sensitive Credentials and Configuration in Containerized Deployments

CVE-2023-20273
  Vendor: Cisco
  Affected: Cisco IOS XE Software with web UI feature enabled
  Resources: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature; Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities

CVE-2023-42793
  Vendor: JetBrains
  Affected: JetBrains TeamCity before 2023.05.4
  Resources: CVE-2023-42793 Vulnerability in TeamCity: Post-Mortem; Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

CVE-2023-22518
  Vendor: Atlassian
  Affected: All versions of Confluence Data Center and Confluence Server
  Resources: Improper Authorization in Confluence Data Center and Server

CVE-2023-29492
  Vendor: —
  Affected: —
  Resources: —

CVE-2021-27860
  Vendor: FatPipe
  Affected: WARP, MPVPN, IPVPN 10.1.2 and 10.2.2
  Resources: FatPipe CVE List

CVE-2021-40539
  Vendor: Zoho
  Affected: ManageEngine ADSelfService Plus builds up to 6113
  Resources: Security advisory – ADSelfService Plus authentication bypass vulnerability; ACSC Alert: Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors

CVE-2023-0669
  Vendor: Fortra
  Affected: GoAnywhere versions 2.3 through 7.1.2
  Resources: Fortra deserialization RCE; #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

CVE-2021-22986
  Vendor: F5
  Affected: BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6 and 12.1.x before 12.1.5.3; BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
  Resources: K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

CVE-2019-0708
  Vendor: Microsoft
  Affected: Remote Desktop Services
  Resources: Remote Desktop Services Remote Code Execution Vulnerability

CVE-2018-13379
  Vendor: Fortinet
  Affected: FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6
  Resources: FortiProxy – system file leak through SSL VPN special crafted HTTP resource requests

CVE-2023-35078
  Vendor: Ivanti
  Affected: All supported versions of Endpoint Manager Mobile (EPMM), including Version 11.4 releases 11.10, 11.9 and 11.8
  Resources: CVE-2023-35078 – New Ivanti EPMM Vulnerability; Threat Actors Exploiting Ivanti EPMM Vulnerabilities

CVE-2023-35081
  Vendor: Ivanti
  Affected: All supported versions of Endpoint Manager Mobile (EPMM), including 11.10, 11.9 and 11.8
  Resources: CVE-2023-35081 – Remote Arbitrary File Write; Threat Actors Exploiting Ivanti EPMM Vulnerabilities

CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 (the same affected versions and bulletin apply to all four)
  Vendor: Juniper
  Affected: Juniper Networks Junos OS on SRX Series and EX Series: all versions prior to 20.4R3-S9; 21.1 version 21.1R1 and later versions; 21.2 versions prior to 21.2R3-S7; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.2 versions prior to 23.2R1-S1, 23.2R2
  Resources: 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution

CVE-2023-41064
  Vendor: Apple
  Affected: Versions prior to iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10
  Resources: About the security content of iOS 16.6.1 and iPadOS 16.6.1; About the security content of macOS Ventura 13.5.2; About the security content of iOS 15.7.9 and iPadOS 15.7.9; About the security content of macOS Monterey 12.6.9; About the security content of macOS Big Sur 11.7.10

CVE-2023-41061
  Vendor: Apple
  Affected: Versions prior to watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1
  Resources: About the security content of watchOS 9.6.2; About the security content of iOS 16.6.1 and iPadOS 16.6.1

CVE-2021-22205
  Vendor: GitLab
  Affected: All versions starting from 11.9
  Resources: RCE when removing metadata with ExifTool

CVE-2019-11510
  Vendor: Ivanti
  Affected: Pulse Secure Pulse Connect Secure versions 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12
  Resources: SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX

CVE-2023-6448
  Vendor: Unitronics
  Affected: VisiLogic versions before 9.9.00
  Resources: Unitronics Cybersecurity Advisory 2023-001: Default administrative password

CVE-2017-6742
  Vendor: Cisco
  Affected: Simple Network Management Protocol subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17
  Resources: SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software

CVE-2021-4034
  Vendor: Red Hat
  Affected: Red Hat Enterprise Linux 6, 7 and 8; Red Hat Virtualization 4. Any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted.
  Resources: RHSB-2022-001 Polkit Privilege Escalation – (CVE-2021-4034); Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2021-26084
  Vendor: Atlassian
  Affected: Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5
  Resources: Jira Atlassian: Confluence Server Webwork OGNL injection – CVE-2021-26084; Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2021-33044, CVE-2021-33045
  Vendor: Dahua
  Affected: Various products
  Resources: Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure (no vendor advisory listed)

CVE-2022-3236
  Vendor: Sophos
  Affected: Sophos Firewall v19.0 MR1 (19.0.1) and older
  Resources: Resolved RCE in Sophos Firewall (CVE-2022-3236); Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2022-26134
  Vendor: Atlassian
  Affected: Confluence Server and Data Center, versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
  Resources: Confluence Security Advisory 2022-06-02; Joint CSA: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

CVE-2022-41040
  Vendor: Microsoft
  Affected: Microsoft Exchange servers
  Resources: Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2023-38831
  Vendor: RARLAB
  Affected: WinRAR versions prior to 6.23 Beta 1
  Resources: WinRAR 6.23 Beta 1 Released

CVE-2019-18935
  Vendor: Progress Telerik
  Affected: Telerik.Web.UI.dll versions Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621); R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917); R3 2019 SP1 (2019.3.1023); R1 2020 (2020.1.114) and later
  Resources: Allows JavaScriptSerializer Deserialization; Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers

CVE-2021-34473
  Vendor: Microsoft
  Affected: Exchange Server, multiple versions
  Resources: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473; Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

Source: Original Post