Microsoft, Forti, Apple, Adobe and SAP Release Critical Updates - PATCH NOW

CYREBRO insta a todos los clientes que utilizan los productos vulnerables a actualizar sus productos afectados a la versión más reciente para mitigar las vulnerabilidades.

*** Please note this CTI Alert contains 5 sections –  Microsoft, Forti, Apple, Adobe and SAP advisories ***

 

Microsoft Patches Actively-Exploited 0-Day & 45 RCE Vulnerabilities

As part of April monthly security rollup updates, Microsoft has patched Zero-Day vulnerability and 45 Remote Code Execution (RCE) vulnerabilities.

Among the remote code execution vulnerabilities, Microsoft addressed a critical vulnerability in Windows Message Queuing (MSMQ) that may be utilized in low-complexity attacks that don't require user interaction.

Overall, Microsoft has patched 97 vulnerabilities across Windows, VS, Active Directory, Office and others.

The Zero-day Vulnerability

  • CVE-2023-23397, (CVSS 3.1: 7.8, High-Severity) – Privilege elevation vulnerability in the Windows CLFS driver, Threat actors can exploit the vulnerability to gain SYSTEM privileges.

The MSMQ Critical Vulnerability

  • CVE-2023-21554, (CVSS 3.1: 9.8, Critical) – Remote Code Execution vulnerability in the Windows Message Queuing (MSMQ) middleware service. Threat actors can exploit the vulnerability to perform remote code execution on unpatched Windows servers through specifically created malicious MSMQ packets in low-complexity attacks that do not require user interaction. 
  • The vulnerability has been fixed, a workaround for the vulnerability can be found in the link above under the heading "Mitigations".

For the full patched vulnerabilities list, including the 45 RCEs, visit Microsoft April 2023 Security Updates.

Affected Systems

The Vulnerability affects all Windows versions under support, including the latest client and server releases, Windows 11 and Windows Server 2022.

Mitigation

CYREBRO urges all clients to implement the latest available Microsoft security/monthly rollup updates in all relevant systems as soon as possible.

References: Microsoft April 2023 Security Updates.

 

Fortinet Patches 21 Vulnerabilities Affecting a Variety of Products Including Critical RCE

As part of April monthly security rollup updates, Fortinet patched 21 vulnerabilities in various products, including a Critical severity vulnerability in FortiPresence.

The Critical Vulnerability

  • CVE-2022-41331 (CVSS 3.1: 9.3, Critical)  - A missing authentication for critical function vulnerability in FortiPresence on-prem infrastructure server, successful exploitation may allow a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authentication requests.

Affected Products

 

Besides the critical vulnerability that affects FortiPresence, Fortinet fixed many vulnerabilities in a variety of products, including:

  • FortiClientWindows (High-Severity)
  • FortiProxy (High-Severity)
  • FortiOS (High-Severity)
  • FortiWeb (High-Severity)
  • FortiADC (High-Severity)
  • FortiSandbox (High-Severity)
  • FortiAuthenticator (High-Severity)
  • FortiSIEM (High-Severity)
  • FortiDDoS (High-Severity)
  • FortiSOAR (High-Severity)
  • FortiDDoS-F (High-Severity)
  • FortiDeceptor (High-Severity)
  • FortiAnalyzer (Medium-Severity)
  • FortiManager (Medium-Severity)
  • FortiNAC (Medium-Severity)
  • FortiClientMac (Medium-Severity)

The specific vulnerable versions can be seen in Forti Advisory.

 

Mitigation

 

CYREBRO strongly urges all Forti customers to update to the patched versions of the affected products.

References: FortiGuard PSIRT Advisories

 

Apple Patches 2 Zero-Days RCE Vulnerabilities
Affect macOS Big Sur & Monterey

Following the two RCE zero-day vulnerabilities that were fixed by Apple for Safari and macOS Ventura, the company additionally released software upgrades to address the vulnerabilities in the operating systems macOS Monterey and macOS Big Sur.

The 0-Day Vulnerabilities

  • CVE-2023-28205 - (CVSS 3.1: 5.5, Medium) - WebKit use-after-free vulnerability, allows a threat actor to perform remote code execution (RCE) after the vulnerable device processes maliciously crafted web content.
  • CVE-2023-28206 - (CVSS 3.1: 8.8, High) - IOSurfaceAccelerator out-of-bounds write vulnerability, allows a threat actor to perform remote code execution (RCE) with kernel privileges on affected devices using maliciously crafted app.

Vulnerable Products

Mitigation

CYREBRO urges all clients using macOS Ventura to update to version 13.3.1.

References: Apple Security Updates

 

 

Adobe Patches 14 Critical Vulnerabilities in Acrobat

Adobe has released a major security update for Acrobat and Reader products, addressing 16 vulnerabilities, 14 of which are defined as critical and may lead to arbitrary code execution attacks.

It is important to note that the vulnerabilities may also be described as RCE because it does not need the presence of the attacker on the network, but rather the entry of a document received by email or downloaded from the Internet to allow the attacker to exploit the vulnerabilities.

The Critical Vulnerabilities

The full list of vulnerabilities, including the 14 Critical vulnerabilities appears in the following advisory under the heading Vulnerability Details.

Affected Products

  • Acrobat DC Continuous
  • Acrobat Reader DC Continuous
  • Acrobat 2020 Classic 2020           
  • Acrobat Reader 2020 Classic 2020 

Mitigation

CYREBRO urges all clients to update their software installations to the latest versions.

References: Adobe Advisory

 

SAP Patches 3 Critical Severity Vulnerabilities Affects Several Products 

As part of April monthly security rollup updates, SAP has released patches to resolve several critical vulnerabilities which affect SAP Diagnostics Agent, SAP BusinessObjects and SAP NetWeaver.

The Critical Vulnerabilities

  • CVE-2023-27497 (CVSS 3.1: 10.0, Critical) -Insufficient input validation and missing authentication vulnerabilities impacting the OSCommand Bridge of SAP Diagnostics Agent.
     Successful exploitation may allow an attacker to execute scripts on connected agents and completely compromise the system.
  • CVE-2023-28765 (CVSS 3.1: 9.8, Critical) - Information disclosure vulnerability impacting SAP BusinessObjects Business Intelligence Platform.
    Successful exploitation may allow an attacker with basic privileges to gain access to the platform's users' passwords and take over their accounts.
  • CVE-2023-29186 (CVSS 3.1: 8.7, High-Severity) Directory traversal vulnerability in SAP NetWeaver .
    Successful exploitation may allow an attacker to upload and overwrite files on the vulnerable SAP server.

Affected Products

  • The Critical vulnerabilities affects:
    • SAP Diagnostics Agent (OSCommand Bridge and
      EventLogServiceCollector) - version 720.
    • SAP BusinessObjects Business Intelligence Platform (Promotion Management) -  versions 420 and 430.
    • SAP NetWeaver -  versions 707, 737, 747, and 757.

Furthermore, SAP has published additional patches to address another vulnerabilities affecting several products.

The full list of affected products can be seen in SAP Advisory.

Mitigation

CYREBRO urges all clients who use the vulnerable products to update their affected products to the most recent version in order to mitigate the vulnerabilities.

References: SAP Advisory