Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six heavily exploited flaws to its Known Exploited Vulnerabilities catalog that are impacting multiple products from Adobe, Apache, Apple, D-Link, and Joomla.
The Known Exploited Vulnerabilities (KEV) catalog lists security vulnerabilities that are being actively exploited in the wild and is widely used by organizations worldwide to drive their vulnerability management and prioritization process. CISA’s notice states that flaws of this kind are frequent attack vectors for threat actors and pose significant risk to the federal enterprise. Federal agencies are urged to patch the six actively exploited vulnerabilities by January 29 or to stop using the affected products until they can.
Some of the flaws were used in attacks that were uncovered recently. The six highlighted vulnerabilities are:
- CVE-2023-27524 (CVSS: 9.1) – Apache Superset could allow a remote attacker to bypass security restrictions, caused by a session validation flaw when using provided default SECRET_KEY. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions and gain unauthorized resources.
- CVE-2023-23752 (CVSS: 7.5) – Joomla! CMS could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to gain unauthorized access to web service endpoints.
- CVE-2023-41990 (CVSS: 7.8) – Apple iOS and iPadOS could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of caches in the FontParser. By persuading a victim to open a specially crafted font file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
- CVE-2023-38203 (CVSS: 9.8) – Adobe ColdFusion could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system.
- CVE-2023-29300 (CVSS: 9.8) – Adobe ColdFusion could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
- CVE-2016-20017 (CVSS: 7.3) – D-Link DSL-2750B routers could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of the cli parameter. By sending a specially crafted POST request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2023-41990 was leveraged in the campaign called “Operation Triangulation”, which has been active since at least 2019 but was only discovered in June 2023 when systems belonging to some of Kaspersky’s researchers were infected. Attackers chained it with three other flaws to bypass security measures on iPhones belonging to numerous targets worldwide, particularly in Europe.
CVE-2023-38203 and CVE-2023-29300 have been abused by threat actors since mid-2023, after researchers published a proof-of-concept (PoC) that bypassed the vendor’s patches. A PoC exploit for CVE-2023-27524 was likewise made public in September 2023, which increased its exploitation by cybercriminals.
Federal agencies and organizations are highly advised to test their assets for the aforementioned vulnerabilities, as well as any other flaws that are listed in the KEV catalog, and apply the available security patches or mitigation steps as soon as possible.
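The prioritization the advisory describes, matching scanner findings against the KEV catalog and ranking them by CISA’s remediation due date, is shown below as an added example (not Rewterz’s or CISA’s own code). The KEV feed sample is constructed and abridged; its field names are assumed to follow CISA’s published known_exploited_vulnerabilities.json, and the asset names and the placeholder CVE-2021-00000 are invented for the example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed (field names assumed to
# follow known_exploited_vulnerabilities.json); entries are abridged for this
# example, and 2024-01-29 is the due date the advisory cites.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-27524", "product": "Apache Superset", "dueDate": "2024-01-29"},
    {"cveID": "CVE-2023-23752", "product": "Joomla! CMS", "dueDate": "2024-01-29"},
    {"cveID": "CVE-2023-41990", "product": "Apple iOS/iPadOS", "dueDate": "2024-01-29"},
    {"cveID": "CVE-2023-38203", "product": "Adobe ColdFusion", "dueDate": "2024-01-29"},
    {"cveID": "CVE-2023-29300", "product": "Adobe ColdFusion", "dueDate": "2024-01-29"},
    {"cveID": "CVE-2016-20017", "product": "D-Link DSL-2750B", "dueDate": "2024-01-29"},
]})

# Constructed scanner output: (asset, CVE). CVE-2021-00000 is a placeholder
# for a finding that is not in KEV and therefore ranks below the KEV hits.
FINDINGS = [
    ("cf-prod-01", "CVE-2023-38203"),
    ("cf-prod-01", "CVE-2023-29300"),
    ("bi-superset", "CVE-2023-27524"),
    ("www-joomla", "CVE-2023-23752"),
    ("www-joomla", "CVE-2021-00000"),
    ("branch-dsl", "CVE-2016-20017"),
]

def kev_index(feed_json: str) -> dict:
    """Map cveID -> KEV entry for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(findings, feed_json: str, today: str) -> list:
    """Return findings that are in KEV, most urgent first (days_left < 0 = overdue)."""
    kev = kev_index(feed_json)
    now = date.fromisoformat(today)
    hits = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue  # not known-exploited: handle under the normal patch SLA
        days_left = (date.fromisoformat(entry["dueDate"]) - now).days
        hits.append({"asset": asset, "cve": cve, "product": entry["product"],
                     "due": entry["dueDate"], "days_left": days_left,
                     "overdue": days_left < 0})
    return sorted(hits, key=lambda h: (h["days_left"], h["cve"]))

if __name__ == "__main__":
    for h in prioritize(FINDINGS, KEV_FEED, date.today().isoformat()):
        state = "OVERDUE" if h["overdue"] else f'{h["days_left"]} days left'
        print(f'{h["asset"]:12} {h["cve"]}  {h["product"]:18} due {h["due"]} ({state})')
```

Point the loader at the live catalog instead of the constructed feed and at your scanner export instead of FINDINGS to get the same ranking for real assets.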
Impact
- Cyber Espionage
- Command Execution
- Security Bypass
Remediation
- Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.