Cyber Threat Intelligence Briefing - December 18, 2023

We are entering that wonderful time of year when security researchers across the globe race to publish the vulnerability research that they have worked so hard on throughout the year.  This report attempts to highlight the most critical vulnerabilities disclosed in recent days that affect the widest range of users.

We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

Apache Struts RCE – CVE-2023-50164

On December 7, Apache released a patch for its open-source Model-View-Controller (MVC) framework, Apache Struts. The patch addresses a new critical unauthenticated file upload vulnerability that can lead to remote code execution (RCE), tracked as CVE-2023-50164.

The vulnerability affects Apache Struts 2.0.0 through 2.5.32 and Apache Struts 6.0.0 through 6.3.0.1.  Proof-of-concept exploit code is publicly available, and evidence of active exploitation was observed on December 13. Further details on observed exploitation attempts can be read here.

Many third-party vendors leverage the Apache Struts framework in their products. Cisco released an advisory detailing which of their products are affected by the vulnerability, which can be found here.
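To find affected copies of Struts bundled inside applications, the version ranges above can be checked against library filenames. The following is an added example, not part of the original briefing; it assumes jars follow the `struts2-core-<version>.jar` naming convention, and the sample paths are constructed.

```python
import re

# Affected ranges as stated in this briefing (inclusive on both ends).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0, 1)),
]

# Assumption: purely numeric dotted versions; suffixed builds are not matched.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '6.3.0.1' into (6, 3, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def _pad(version, length):
    """Right-pad with zeros so 6.3.0 and 6.3.0.0 compare as equal."""
    return version + (0,) * (length - len(version))


def is_affected(version):
    """True if the version string falls inside either affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        n = max(len(v), len(low), len(high))
        if _pad(low, n) <= _pad(v, n) <= _pad(high, n):
            return True
    return False


def triage(paths):
    """Map each Struts core jar path to whether its version is affected."""
    findings = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            findings[path] = is_affected(match.group(1))
    return findings


# Constructed sample inventory, e.g. the output of a filesystem search.
SAMPLE_PATHS = [
    "/opt/app/WEB-INF/lib/struts2-core-2.5.30.jar",
    "/opt/crm/WEB-INF/lib/struts2-core-6.3.0.2.jar",
    "/opt/crm/WEB-INF/lib/commons-io-2.11.0.jar",
    "/srv/legacy/lib/struts2-core-2.3.37.jar",
]
```

Jars nested inside WAR or EAR archives have to be unpacked or listed first, since only the paths passed in are examined.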

LogoFAIL Firmware Attack

Security research firm Binarly recently released details of a new set of firmware vulnerabilities dubbed LogoFAIL.

These vulnerabilities reside in the Unified Extensible Firmware Interface (UEFI) firmware that is responsible for booting almost all modern devices that run Windows or Linux.

Successful exploitation allows for a threat actor to replace the legitimate logo (static image seen upon device startup) with an identical-looking logo that has been specially crafted with malicious code attached.

This allows for the malicious code to be run in the Driver Execution Environment (DXE), giving the threat actor full control over the memory and disk of the target device. At this point, a second stage is initiated, where a second-stage payload is placed onto the hard drive before the main OS starts.  This chain of events gives the attacker fully undetectable persistence on the device.

In order for this attack to work, the threat actor needs to have full admin privileges on the target device.

Each hardware vendor has their own security advisory and patch timetable for these vulnerabilities.  They are currently tracked as CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238.

Administrators are encouraged to install these UEFI security updates as they are released from the vendors.

CISA JetBrains Advisory

On December 13, CISA published a joint advisory detailing an ongoing campaign where the Russian Foreign Intelligence Service (SVR), also known as APT 29, has been actively exploiting an authentication bypass and remote code execution vulnerability in JetBrains TeamCity server, CVE-2023-42793.

Per the report, this exploitation allows the threat actor to access source code and signing certificates, and gives the potential for supply chain attacks.

The group has also been observed leveraging this initial access as a foothold in order to elevate privileges, move laterally throughout the victim environment, and establish further persistence.

Administrators are urged to patch this vulnerability immediately if they have not done so already.  Proof-of-concept code for the exploit is also available in the wild.

Additional TTPs and IOCs can be found in the detailed report from CISA found here.

APT29 JetBrains TeamCity Exploit IOCs

Network IOCs - 
65.20.97.203
65.21.51.58
103.76.128.34

C2 URL - 
hxxps://matclick[.]com/wp-query[.]PHP
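
The indicators above can be swept against proxy or firewall logs once they are refanged. The following is an added example, not part of the original briefing or the CISA advisory; the five-field log layout (`timestamp src dst method url`) and the sample lines are constructed, and case-insensitive URL matching is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the briefing above (defanged form).
PUBLISHED_IPS = ["65.20.97.203", "65.21.51.58", "103.76.128.34"]
PUBLISHED_URLS = ["hxxps://matclick[.]com/wp-query[.]PHP"]

def refang(indicator):
    # Undo hxxp / [.] defanging so the value can be parsed and compared.
    text = indicator.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)

IOC_IPS = {ipaddress.ip_address(ip) for ip in PUBLISHED_IPS}
# Assumption: host and path are compared case-insensitively.
IOC_URLS = {(p.hostname, p.path.lower())
            for p in (urlsplit(refang(u)) for u in PUBLISHED_URLS)}
IOC_HOSTS = {host for host, _ in IOC_URLS}

def scan_line(line):
    """Return the indicator matches for one 'ts src dst method url' line."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed line: skip rather than guess
    _, src, dst, _, url = fields
    hits = []
    for label, value in (("src_ip", src), ("dst_ip", dst)):
        try:
            if ipaddress.ip_address(value) in IOC_IPS:
                hits.append(f"{label}:{value}")
        except ValueError:
            pass  # field is not an IP address
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if (host, parts.path.lower()) in IOC_URLS:
        hits.append("c2_url")
    elif host in IOC_HOSTS:
        hits.append("c2_host")  # same host, different path
    return hits

def find_hits(lines):
    results = [(n, scan_line(text)) for n, text in enumerate(lines, start=1)]
    return [(n, hits) for n, hits in results if hits]

# Constructed sample log; benign addresses come from documentation ranges.
SAMPLE_LOG = [
    "2023-12-14T09:12:01Z 10.0.0.5 198.51.100.7 GET https://example.org/index.html",
    "2023-12-14T09:12:05Z 10.0.0.8 192.0.2.44 GET https://MATCLICK.com/wp-query.php?id=1",
    "2023-12-14T09:13:40Z 65.21.51.58 10.0.0.20 POST https://teamcity.example.test/login",
    "2023-12-14T09:14:02Z 10.0.0.9 103.76.128.34 GET https://matclick.com/",
]
```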

CISA Adobe Advisory

On December 12, CISA published an alert for a wide range of vulnerabilities disclosed across multiple Adobe products.  Products affected include Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, and Substance 3D Stager, Sampler, After Effects, and Designer.  If any of these tools are in use in your environment, please visit the Adobe Security Bulletins linked in the CISA alert and remediate them accordingly.

Fortinet Vulnerabilities

On December 14, CISA published an alert addressing a set of vulnerabilities found across multiple Fortinet products.  It should be noted that while all three vulnerabilities involve remote code execution, they all require interaction from an authenticated user.

  • CVE-2023-41678 - Vulnerability in the HTTPSd daemon of FortiOS and FortiPAM allows an authenticated attacker to achieve remote code execution (RCE).  Official advisory can be viewed here.
  • CVE-2022-27488 - Vulnerability in FortiMail, FortiNDR, FortiRecorder, FortiSwitch, and FortiVoiceEnterprise allows a remote unauthenticated attacker to execute CLI commands by tricking an authenticated administrator into executing malicious GET requests.  Official advisory can be viewed here.
  • CVE-2023-36639 - Vulnerability in the HTTPSd daemon of FortiOS, FortiProxy, and FortiPAM allows an authenticated user to execute unauthorized code or commands with specially crafted API requests.  Official advisory can be viewed here.

Atlassian Advisories

Atlassian recently published a series of security advisories addressing critical vulnerabilities discovered in Confluence, Jira, and BitBucket servers. 

  • CVE-2023-22522 - Allows authenticated users, including users with anonymous access, to inject unsafe input into a Confluence page.  Affects Confluence Data Center and Server versions 4.0.0 through 8.5.3.
  • CVE-2023-22523 - Remote code execution vulnerability in the Assets Discovery agent that impacts Jira Service Management Cloud, Server, and Data Center.  Assets Discovery Cloud below 3.2.0 and Data Center and Server 6.2.0 and below are impacted.
  • CVE-2023-22524 - Blocklist bypass vulnerability in macOS Gatekeeper on the companion app for Confluence Server and Data Center on macOS, affecting versions 2.0.0 and prior.
  • CVE-2022-1471 - Remote code execution vulnerability in the SnakeYAML library which affects Jira, BitBucket, and Confluence products.

Full listings of vulnerable versions and the fixed versions of the software can be found in the CVE links above.

3CX VoIP Warning

On Dec 15, 3CX published a security advisory warning customers of a potential vulnerability in versions 18 and 20 of their VoIP product.  While no real details or even a CVE were disclosed in the advisory, 3CX states that customers using SQL Database integrations are potentially vulnerable and should disable the integration immediately until further notice.  These integrations include MongoDB, MSSQL, MySQL, and PostgreSQL.  It should be noted that none of the web-based CRM integrations are affected, and all affected customers have been notified directly by the vendor.

WordPress Elementor RCE

A file upload vulnerability that can lead to remote code execution (CVE-2023-48777) was discovered in Elementor, a popular plugin for WordPress used on more than 5 million sites.  The vulnerability allows accounts with 'edit post permissions' to upload potentially malicious files to achieve RCE.  This vulnerability was discovered in version 3.3.0, and the fixed version is 3.18.2.  WordPress administrators using this plugin are urged to patch it as soon as possible.

Apple Security Updates

Last week, Apple released a wide range of security updates across multiple products, including iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser.  Most notable in these security fixes are CVE-2023-42890 and CVE-2023-42883 found in Safari, which could lead to arbitrary code execution and denial-of-service, respectively.  Administrators are encouraged to apply these fixes as soon as possible.

pfSense Firewall Vulnerabilities

Last week, three new vulnerabilities were disclosed by Oskar Zeino-Mahmalat for the popular open-source firewall pfSense.  The firewall is vulnerable to two cross-site scripting (XSS) vulnerabilities and one command injection vulnerability, which, when chained together, can achieve arbitrary code execution.  To carry out a successful exploit, the attacker must trick an authenticated user into clicking on a malicious link containing an XSS payload, which in turn exploits the command injection vulnerability.  Affected versions are pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below.  Administrators are urged to upgrade to pfSense CE 2.7.1 and pfSense Plus 23.09 as soon as possible.



PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.


Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.