
Prism Platform’s Top Active Exploits – June 2023

Prism Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

In this article, we have rounded up the top active exploits that are currently being monitored by Prism.

CVE-2023-24932 | Secure Boot – Security Bypass

CVE-2023-24932 allows attackers to bypass the Secure Boot protections. It is being leveraged by the BlackLotus bootkit to exploit CVE-2022-21894, another Secure Boot bypass flaw that was fixed last year. “This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism,” Microsoft shared. “Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.” The security update addresses the vulnerability by updating the Windows Boot Manager, but it is not enabled by default, the company added, because it could cause disruption and prevent a system from starting up.

CVE-2023-2868 | Barracuda – Remote Code Injection

Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company’s Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a Remote Code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The California-headquartered firm said the issue is rooted in a component that screens the attachments of incoming emails. “The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file

CVE-2023-25690 | Apache HTTP Server – Access Controls Bypass

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" http://example.com:8080/elsewhere?$1; [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
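As an added example (not code from the Rootshell post or from the Apache project), the following Python audits an httpd configuration for the directive shape the advisory describes: a proxied RewriteRule ([P] flag) or a ProxyPassMatch whose substitution re-inserts a capture ($1..$9) taken from the request-target. The sample configuration is constructed around the advisory's own example; a hit means the directive should be reviewed against the 2.4.56 upgrade recommendation, not that the server is confirmed exploitable.

```python
import re

# RewriteRule <pattern> <substitution> [flags]; quotes around arguments are optional.
_REWRITE = re.compile(
    r'^\s*RewriteRule\s+(?:"([^"]*)"|(\S+))\s+(?:"([^"]*)"|(\S+))\s*(?:\[([^\]]*)\])?',
    re.IGNORECASE)
# ProxyPassMatch <regex> <target>
_PPMATCH = re.compile(
    r'^\s*ProxyPassMatch\s+(?:"([^"]*)"|(\S+))\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# A backreference to a capture group from the request-target regex.
_BACKREF = re.compile(r'\$[1-9]')


def find_risky_directives(config_text):
    """Return (line_no, reason) for each directive matching the CVE-2023-25690 shape."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = _REWRITE.match(line)
        if m:
            subst = m.group(3) if m.group(3) is not None else m.group(4)
            flags = [f.strip().lower() for f in (m.group(5) or "").split(",") if f.strip()]
            proxied = any(f == "p" or f.startswith("proxy") for f in flags)
            # Only rules that hand the rewritten URL to mod_proxy matter here;
            # a redirect or internal rewrite using $1 is not this bug class.
            if proxied and _BACKREF.search(subst):
                findings.append((no, "RewriteRule [P] re-inserts a request-target capture"))
            continue
        m = _PPMATCH.match(line)
        if m:
            subst = m.group(3) if m.group(3) is not None else m.group(4)
            if _BACKREF.search(subst):
                findings.append((no, "ProxyPassMatch re-inserts a request-target capture"))
    return findings


# Constructed sample: line 2 is the advisory's example, line 5 a ProxyPassMatch variant,
# lines 4 and 6 are benign (static ProxyPass; redirect rule that is not proxied).
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" http://example.com:8080/elsewhere?$1; [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPass /static/ http://example.com:8080/static/
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:8080/v1/$1"
RewriteRule "^/old/(.*)" /new/$1 [R=301,L]
"""

if __name__ == "__main__":
    for line_no, reason in find_risky_directives(SAMPLE_CONF):
        print(f"line {line_no}: {reason}")
```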

CVE-2023-1389 | TP-Link – Command Injection

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

CVE-2023-2825 | GitLab – Critical Security Flaw

On May 23, 2023 GitLab released version 16.0.1 which fixed a critical vulnerability, CVE-2023-2825, affecting the Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. The vulnerability allows unauthenticated users to read arbitrary files through a path traversal bug. It was discovered by pwnie on HackerOne through the bug bounty program. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, 10.0).

CVE-2023-21839 | Oracle WebLogic – Authentication Bypass

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2023-33009 | Zyxel – Critical Security Flaw

Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. A brief description of the two issues is below:

CVE-2023-33009 – A buffer overflow vulnerability in the notification function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.

CVE-2023-33010 – A buffer overflow vulnerability in the ID processing function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.

CVE-2021-45046 | Apache Log4j – Remote Code Execution

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

CVE-2023-20159 | Cisco Switch DOS – Arbitrary Code Execution

Cisco has released updates to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition. “These vulnerabilities are due to improper validation of requests that are sent to the web interface,” Cisco said, crediting an unnamed external researcher for reporting the issues. Four of the nine vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system, making them critical in nature. The nine flaws affect the following product lines:

250 Series Smart Switches (fixed in firmware version 2.5.9.16)
350 Series Managed Switches (fixed in firmware version 2.5.9.16)
350X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)
550X Series Stackable Managed Switches (fixed in firmware version 2.5.9.16)
Business 250 Series Smart Switches (fixed in firmware version 3.3.0.16)
Business 350 Series Managed Switches (fixed in firmware version 3.3.0.16)
Small Business 200 Series Smart Switches (will not be patched)
Small Business 300 Series Managed Switches (will not be patched)
Small Business 500 Series Stackable Managed Switches (will not be patched)

CVE-2022-47986 | IBM Aspera Faspex – Arbitrary Code Execution

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2.

CVE-2021-40539 | Zoho ManageEngine – Authentication Bypass

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

CVE-2023-29336 | Win32k – Escalation of Privilege

CVE-2023-29336 is a vulnerability that allows attackers to gain SYSTEM privileges. Flagged by researchers with AV maker Avast, it seems probable that it is being exploited to deliver malware. Microsoft has offered no details about the context of its exploitation.

CVE-2023-32409 | Apple iOS – Arbitrary Code Execution

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

CVE-2023-2131 | ME RTU Remote Terminal Units – Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units. The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system for its low attack complexity. “Successful exploitation of this vulnerability could allow remote code execution,” CISA said, describing it as a case of command injection affecting versions of INEA ME RTU firmware prior to version 3.36.

CVE-2023-29325 | Windows OLE – Remote Code Execution

Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

CVE-2023-24941 | NFS – Critical Security Flaw

CVE-2023-24941 is a critical RCE in Windows Network File System (NFS) that can be exploited by sending an unauthenticated, specially crafted call to an NFS service.

This post first appeared on Rootshell Security, please read the original post: here