First up, Apple issued an emergency patch, then yanked it, and re-issued it. The problem was a Remote Code Execution (RCE) vulnerability in WebKit — the basis of Apple’s cross-platform web browser. The downside of a shared code base is that bugs, too, are write-once, exploit-anywhere. And with Apple’s walled garden insisting that every browser on iOS actually run WebKit under the hood, there’s not much relief without a patch like this one.
The vulnerability in question, CVE-2023-37450, is a bit light on further details, except to say that it’s known to be exploited in the wild. The first fix also bumped the browser’s user-agent string, adding an “(a)” to denote the minor update. This was apparently enough to break some brittle user-agent detection code on popular websites, resulting in an unhelpful “This web browser is no longer supported” message. The second patch gets rid of the notification.
Microsoft Loses It
Microsoft has announced that on May 15th, an attack from Storm-0558 managed to breach the email accounts of roughly 25 customers. This was pulled off via “an acquired Microsoft account (MSA) consumer signing key.” The big outstanding question is how Microsoft lost control of that particular key. According to an anonymous source speaking to The Washington Post, some of the targeted accounts belonged to government employees, including a cabinet member. Apparently the FBI is asking Microsoft this very same question.
Speaking of Microsoft, there’s also CVE-2023-36884, a vulnerability in Microsoft Office. This one appears to be related to the handling of HTML content embedded in Office documents, and results in code execution upon opening the document. This, along with another vulnerability (CVE-2023-36874), was being used by another unknown threat actor, Storm-0978, in an ongoing attack.
There’s an interesting note that this vulnerability can be mitigated by an Attack Surface Reduction (ASR) rule that blocks Office from launching child processes. This might be a worthwhile mitigation step for this and future vulnerabilities in Office.
Ghost in the Script
To complete the trifecta, we have a bug in the open source Ghostscript that might just have the longest tail of the three. The problem here is pipes. Ghostscript first runs a path simplification routine, and that routine wasn’t properly handling paths with embedded pipes. And of course, once such a location string is actually accessed, it can result in arbitrary command execution.
The bug is fixed, but Ghostscript is used in many other projects, and in some cases embedded as a static library. There’s sure to be a bunch of follow-on problems, where applications, web sites, and appliances get bitten by this particular bug. Researchers at Kroll were able to reverse-engineer a Proof-of-Concept from the patches. That PoC doesn’t appear to be public yet, but it’s likely just a matter of time before this issue is used in attacks.
More File-sharing Vulnerabilities
Up first is a path traversal bug, where part of the filename is sanitized, and then concatenated with another user-provided value that isn’t sanitized. Whoops. Then there’s a decryption routine meant to block unauthenticated uploads. Except, it doesn’t actually check the decrypted data before allowing the file upload, so all it takes is a value that has properly formatted padding. That, combined with the path traversal, means unauthenticated arbitrary file upload — an easy webshell. Citrix has published an update, so go grab it!
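Both halves of that bug are common patterns, so here is an added illustration in Python of each one beside its fix. This is not Citrix’s code; the upload root, the token layout (payload followed by a 32-byte HMAC tag) and the secret are assumptions made up for the example.

```python
"""Two weak checks from the write-up, recreated as hypothetical code.

UPLOAD_ROOT, SERVER_SECRET and the token layout are constructed for this
example and are not taken from any real product.
"""
import hashlib
import hmac
import os

UPLOAD_ROOT = os.path.realpath("/srv/uploads")   # assumed base directory
SERVER_SECRET = b"constructed-secret-for-demo"    # constructed, not a real key
TAG_LEN = 32                                      # sha256 digest size


# --- Bug 1: sanitize one part, then concatenate another part raw ---------

def vulnerable_target(user_dir: str, filename: str) -> str:
    """Strips traversal from user_dir, then appends filename unchecked."""
    safe_dir = user_dir.replace("..", "").replace("/", "")
    return os.path.join(UPLOAD_ROOT, safe_dir) + "/" + filename


def resolves_outside(path: str) -> bool:
    """True if the fully normalised path lands outside UPLOAD_ROOT."""
    return os.path.commonpath([UPLOAD_ROOT, os.path.realpath(path)]) != UPLOAD_ROOT


def hardened_target(user_dir: str, filename: str):
    """Joins all user-supplied parts first, canonicalises the result, and
    only then checks containment. Returns None when the path escapes."""
    candidate = os.path.realpath(os.path.join(UPLOAD_ROOT, user_dir, filename))
    if os.path.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate


# --- Bug 2: "it decrypted cleanly" is not "it came from us" ---------------

def has_valid_pkcs7_padding(plaintext: bytes, block: int = 16) -> bool:
    if not plaintext or len(plaintext) % block:
        return False
    n = plaintext[-1]
    return 1 <= n <= block and plaintext.endswith(bytes([n]) * n)


def weak_accept(decrypted: bytes) -> bool:
    """Mirrors the flaw: any blob whose decryption ends in valid padding is
    treated as an authorised upload. Nothing keyed is ever verified, and a
    random block ends in the single byte 0x01 about once in 256 tries."""
    return has_valid_pkcs7_padding(decrypted)


def mint_token(payload: bytes) -> bytes:
    """Server side: bind the payload to the server key with an HMAC tag.
    Assumed layout: payload || tag."""
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return payload + tag


def strong_accept(token: bytes) -> bool:
    """Accepts only tokens whose tag verifies under the server key; the
    payload is not used for anything until this check passes."""
    if len(token) < TAG_LEN:
        return False
    payload, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    escaping = vulnerable_target("docs", "../../../etc/passwd")
    print("vulnerable join ->", os.path.normpath(escaping),
          "(outside root)" if resolves_outside(escaping) else "")
    print("hardened join  ->", hardened_target("docs", "../../../etc/passwd"))
    print("hardened ok    ->", hardened_target("docs", "report.pdf"))
    garbage = os.urandom(15) + b"\x01"        # looks like valid padding
    print("padding-only check accepts garbage:", weak_accept(garbage))
    print("HMAC check accepts garbage:       ", strong_accept(garbage))
    print("HMAC check accepts real token:    ", strong_accept(mint_token(b"user=alice")))
```

The two fixes share one idea: validate the final artifact (the fully joined path, the whole token) rather than an intermediate piece of it. Sanitising one path component says nothing about the path after more components are appended, and valid padding says nothing about who produced the ciphertext.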
Bits and Bytes
SonicWall’s Global Management System (GMS) and Analytics products have a pair of CVSS 9.8 vulnerabilities, in addition to a pair rated 9.4 and several lower-severity vulnerabilities. The combination of authentication bypasses, arbitrary file uploads, and information leaks is probably enough to string together a nasty attack chain.
SolarView is an Industrial Control System (ICS), apparently under attack by the Mirai botnet. The vulnerability in question, CVE-2022-29303, is a pre-auth command injection bug, leading to full compromise. The wrinkle here is that the CVE was marked as fixed in release 6.20, but it looks like the conf_mail.php endpoint wasn’t properly secured until release 8.00. “Less than one third of the internet-facing SolarView series systems are patched against CVE-2022-29303.” Eek!
What do you do when you get your hands on a retired Google Search Appliance box? Obviously, you break into it and convince it to spill its secrets. That took some doing, as the machine’s BIOS was locked down, and the drives used self-encryption to prevent read access. No problem: just find a vulnerability in the machine’s admin console, and use a Line Feed (LF) injection to pop a shell. There’s more fun to be had in the full write-up, enjoy!