
Federal Deadlines for Updates to Known Exploited Vulnerabilities and Zero-days Patches

While these deadlines to remediate identified vulnerabilities and patch zero-days are a mandate for federal agencies under Binding Operational Directive (BOD) 22-01, a review of these recent announcements is also a useful prompt for private sector organizations to revisit their current compliance and risk mitigation measures, since, in CISA's own words, “although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”

While this is only a cursory, anecdotal and informal observation on our part, there does seem to be a general uptick so far this year in the volume of Known Exploited Vulnerabilities and zero-days reported by CISA, MITRE, and NIST. All the more reason for your organization to pause and evaluate these threat vectors. For the C-level and boards of directors, what follows is a sampling of the types of threats your CISO and cybersecurity team face in the current threat landscape.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

Release Date: 

Based on evidence of active exploitation, CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

  • CVE-2023-25717 Multiple Ruckus Wireless Products CSRF and RCE Vulnerability
  • CVE-2021-3560 Red Hat Polkit Incorrect Authorization Vulnerability
  • CVE-2014-0196 Linux Kernel Race Condition Vulnerability
  • CVE-2010-3904 Linux Kernel Improper Input Validation Vulnerability
  • CVE-2015-5317 Jenkins User Interface (UI) Information Disclosure Vulnerability
  • CVE-2016-3427 Oracle Java SE and JRockit Unspecified Vulnerability
  • CVE-2016-8735 Apache Tomcat Remote Code Execution Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. (1)
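The directive's mechanism is simple: every catalog entry carries a due date, and agencies must remediate by it. The Python below is an added example for this page (it is not CISA tooling or code from the post) that joins scanner findings against a KEV-style catalog and buckets each finding as overdue, due soon, scheduled, or not in the catalog, which is the triage a vulnerability management team would run each time CISA publishes additions. The catalog layout is assumed to follow the public KEV JSON feed (a "vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate and requiredAction fields); verify those field names against the live feed before relying on them. The sample catalog, the scanner findings, the asset names and the dateAdded values are constructed; the June 2 and May 30 due dates are the ones quoted later in this post, and "CVE-0000-0000" is a placeholder for a finding that is not in the catalog.

```python
"""
Added example, not from the OODA post, CISA or any vendor: triage scanner
findings against a KEV-style catalog and report BOD 22-01-style deadlines.

Assumption: the catalog JSON mirrors the public CISA KEV feed layout
(a "vulnerabilities" list whose entries carry cveID, vendorProject, product,
dateAdded, dueDate, requiredAction). Check the field names against the
live feed before depending on them.
"""
import json
from datetime import date

# Constructed sample catalog. The two due dates the post quotes (June 2 for
# CVE-2023-25717, May 30 for CVE-2023-29336) are used; every other value,
# including dateAdded and the third entry's due date, is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV-style catalog sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-25717", "vendorProject": "Ruckus Wireless",
         "product": "Multiple Products", "dateAdded": "2023-05-12",
         "dueDate": "2023-06-02",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-29336", "vendorProject": "Microsoft",
         "product": "Win32k", "dateAdded": "2023-05-09",
         "dueDate": "2023-05-30",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2014-0196", "vendorProject": "Linux",
         "product": "Kernel", "dateAdded": "2023-05-12",
         "dueDate": "2023-06-02",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: asset -> CVE IDs reported on it.
# "CVE-0000-0000" is a placeholder for a real finding that is not in the catalog.
SAMPLE_FINDINGS = {
    "ap-lobby-01": ["CVE-2023-25717"],
    "dc01.corp.example": ["CVE-2023-29336", "CVE-0000-0000"],
    "build-01": ["CVE-2014-0196"],
}


def load_kev(kev_json: str) -> dict:
    """Index catalog entries by CVE ID for direct lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def status_for(days_left: int, warn_days: int) -> str:
    """Bucket a deadline by how many days remain (negative means missed)."""
    if days_left < 0:
        return "overdue"
    if days_left <= warn_days:
        return "due_soon"
    return "scheduled"


def triage(kev_json: str, findings: dict, today: str, warn_days: int = 7) -> list:
    """Join findings with the catalog.

    Returns rows sorted with catalog-mandated items first and the earliest
    deadline at the top. `today` is an ISO date string such as "2023-05-31".
    """
    kev = load_kev(kev_json)
    today_d = date.fromisoformat(today)
    rows = []
    for asset, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                # Still worth fixing, but it carries no catalog deadline.
                rows.append({"asset": asset, "cve": cve, "due": None,
                             "days_left": None, "status": "not_in_kev",
                             "action": None})
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today_d).days
            rows.append({"asset": asset, "cve": cve, "due": due.isoformat(),
                         "days_left": days_left,
                         "status": status_for(days_left, warn_days),
                         "action": entry["requiredAction"]})
    # Entries without a due date sort last; ISO strings sort chronologically.
    rows.sort(key=lambda r: (r["due"] is None, r["due"] or "", r["asset"]))
    return rows


def overdue_assets(rows: list) -> list:
    """Assets carrying at least one catalog deadline that has already passed."""
    return sorted({r["asset"] for r in rows if r["status"] == "overdue"})


if __name__ == "__main__":
    for r in triage(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, "2023-05-31"):
        print(f"{r['status']:<10} {r['asset']:<20} {r['cve']:<16} due={r['due']}")
```

Run against the constructed data with a "today" of May 31, the Win32k finding on the domain controller is already overdue, the Ruckus and kernel findings are due within the week, and the placeholder CVE is reported separately so it is not lost just because no directive names it.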

CISA warns of critical Ruckus bug used to infect Wi-Fi access points

As reported by Bleepingcomputer.com:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet.  While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.  Attackers are abusing the bug to infect vulnerable Wi-Fi APs with AndoryuBot malware (first spotted in February 2023) via unauthenticated HTTP GET requests.

Once compromised, the devices are added to a botnet designed to launch Distributed Denial-of-Service (DDoS) attacks.

The malware supports 12 DDoS attack modes: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.  Cybercriminals seeking to launch DDoS (Distributed Denial of Service) attacks can now rent the firepower of the AndoryuBot botnet, as its operators are offering their services to others. Payments for this service are accepted through the CashApp mobile payment service or in various cryptocurrencies, including XMR, BTC, ETH, and USDT.

Image: Malicious HTTP request exploiting CVE-2023-25717 (source: Fortinet)

Federal agencies ordered to patch by June 2nd

CISA has given U.S. Federal Civilian Executive Branch Agencies (FCEB) a deadline of June 2nd to secure their devices against the critical CVE-2023-25717 RCE bug, which was added to its list of Known Exploited Vulnerabilities on Friday.

This aligns with a November 2021 binding operational directive that requires federal agencies to check and fix their networks for all security flaws listed in CISA’s KEV catalog.

While the catalog mainly focuses on U.S. federal agencies, private companies are also strongly advised to prioritize addressing vulnerabilities listed in the KEV list since threat actors actively exploit them, thus exposing public and private organizations to increased risks of security breaches. (2)

Three Zero-day Fixes

Release Date: 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2023-29336 Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates. (3)

Microsoft’s May 2023 Patch Tuesday

As reported by Bleepingcomputer.com:

May’s Patch Tuesday included three zero-day vulnerabilities, with two exploited in attacks and another publicly disclosed. Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The two actively exploited zero-day vulnerabilities in today’s updates are:

CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability

  • Microsoft has fixed a privilege elevation vulnerability in the Win32k Kernel driver that elevates privileges to SYSTEM, Windows’ highest user privilege level.
  • “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” reads Microsoft’s advisory.
  • While Microsoft reports that the bug is actively exploited, there are no details on how it was abused.
  • Microsoft says that Jan Vojtešek, Milánek, and Luigino Camastra with Avast discovered the vulnerability.

CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability

  • Microsoft has fixed a Secure Boot bypass flaw used by a threat actor to install the BlackLotus UEFI bootkit.
  • “To exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy,” reads Microsoft’s advisory.
  • UEFI bootkits are malware planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence.
  • Since October 2022, a threat actor has been selling the BlackLotus bootkit on hacker forums and continues to evolve its features. For example, in March, ESET reported that the developer improved the malware to bypass Secure Boot even on fully patched Windows 11 operating systems.
  • Microsoft released guidance last month on how to detect BlackLotus UEFI bootkit attacks. With today’s Patch Tuesday, Microsoft fixed the vulnerability used by the bootkit but has not enabled it by default.
  • “The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default,” explains Microsoft’s advisory.
  • “Additional steps are required at this time to mitigate the vulnerability. Please refer to the following for steps to determine the impact on your environment: KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.”
  • Microsoft says this vulnerability is a bypass for the previously fixed CVE-2022-21894 vulnerability.

Microsoft has also released a security update for one publicly disclosed zero-day vulnerability that was not actively exploited.

CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability

  • Microsoft has fixed a Windows OLE flaw in Microsoft Outlook that can be exploited using specially crafted emails.
  • “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” warns Microsoft’s advisory.
  • “Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email.”
  • “This could result in the attacker executing remote code on the victim’s machine.”
  • However, an attacker must win a ‘race’ condition and take additional actions to exploit the flaw successfully.
  • Microsoft says that users can mitigate this vulnerability by reading all messages in plain text format.
  • Will Dormann of Vuln Labs discovered the vulnerability. (4)

May 30th federal deadline to patch Windows Zero-day (CVE-2023-29336)

CISA ordered federal agencies to patch a Windows zero-day (CVE-2023-29336) by May 30th as it allows attackers to elevate privileges to gain SYSTEM user permissions on compromised Windows systems.

Microsoft acknowledged that the Win32k Kernel driver bug had been exploited in attacks but is yet to provide details on the method of exploitation. (1)

A Recent Barracuda Networks Email Security Gateway (ESG) Appliance Bug Patch

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. (5)

This patch does not have a federal deadline date. 

As reported by Bleepingcomputer.com and The Record:

CISA warns govt agencies of recently patched Barracuda zero-day

  • CISA warned of a recently patched zero-day vulnerability exploited last week to hack into Barracuda Email Security Gateway (ESG) appliances.
  • Barracuda says its security solutions are used by more than 200,000 organizations worldwide, including high-profile companies like Samsung, Mitsubishi, Kraft Heinz, and Delta Airlines.
  • The U.S. cybersecurity agency also added the bug (CVE-2023-2868) to its catalog of security flaws exploited in the wild based on this evidence of active exploitation.
  • Federal Civilian Executive Branch (FCEB) agencies must patch or mitigate the vulnerability as ordered by the BOD 22-01 binding operational directive.
  • However, this is no longer needed since Barracuda has already patched all vulnerable devices by applying two security patches over the weekend.
  • “Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” Barracuda said.
  • “As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023.”

Affected customers asked to check for network breaches

  • The company said the investigation into the compromised appliances was limited to its ESG product and advised affected customers to review their environments to ensure the attackers didn’t gain access to other devices on their network.
  • Therefore, federal agencies will also have to take CISA’s alert as a warning to check their networks for signs of intrusions.
  • Even though only U.S. federal agencies are required to fix the bugs added to CISA’s Known Exploited Vulnerabilities (KEV) list, private companies are also strongly recommended to prioritize patching them.
  • “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
  • On Monday, federal agencies were warned to secure iPhones and Macs in their environment against three iOS and macOS zero-days, one reported by Google TAG and Amnesty International security researchers and likely exploited in state-backed spyware attacks.
  • One week ago, CISA also added a Samsung ASLR bypass flaw to its KEV catalog, abused as part of an exploit chain to deploy a spyware suite on Samsung mobile devices running Android 11, 12, and 13. (6)

Barracuda Networks issue added to CISA vulnerability list

  • A bug patched recently in email security hardware from Barracuda Networks was added Friday to the federal catalog of exploited vulnerabilities.
  • The company reported earlier this week that it pushed out two separate patches to its Email Security Gateway (ESG) appliance to fix a flaw “in a module which initially screens the attachments of incoming emails.”
  • The bug could allow an attacker to remotely execute system commands, according to the entry in the government’s Known Exploited Vulnerabilities database.
  • In posting the bug, tracked as CVE-2023-2868, the Cybersecurity and Infrastructure Security Agency warned federal agencies and the public that these types of vulnerabilities “are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
  • Barracuda Networks says it serves more than 200,000 customers worldwide, most of them small- and medium-sized enterprises. It did not report how many of the ESG appliances are in circulation.
  • No other Barracuda Networks products were affected, the company said.
  • “Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” the company said. “Barracuda has also reached out to these specific customers.”
  • The patches went out automatically on May 20 and May 21, Barracuda Networks said.
  • “We took immediate steps to investigate this vulnerability,” the company said. “Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances.” (7)

Progress Software Releases Security Advisory for MOVEit Transfer

Updates – June 30, 2023: 

https://oodaloop.com/cyber/2023/06/29/over-130-organizations-millions-of-individuals-believed-to-be-impacted-by-moveit-hack/

On June 21st, Cybersecurity Dive reported that “Progress Software faces federal class action lawsuits as MOVEit breach exposure widens.”

Advisories: 

https://oodaloop.com/archive/2023/06/28/us-state-department-puts-10m-bounty-on-clop-ransomware-gang-responsible-for-the-ongoing-moveit-zero-day-vulnerability-rampage/

Update:  June 1, 2023

This zero-day came over the wire on June 1, 2023. It does not have a specific federal deadline, but it is subject to the BOD 22-01 directive.

Release Date: 

Progress Software has released a security advisory for a vulnerability in MOVEit Transfer—a Managed File Transfer Software. A cyber threat actor could exploit this vulnerability to take over an affected system.

CISA urges users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.

The Record Reports: “Experts warn of MOVEit Transfer tool exploitation using zero-day bug”

Hackers are exploiting a new zero-day vulnerability affecting a popular file transfer tool used by thousands of major companies.

BleepingComputer was first to report that hackers were exploiting the vulnerability affecting MOVEit software, and security company Rapid7 said it is also seeing exploitation of the bug “across multiple customer environments.”

The tool was created by Progress Software, which published an advisory about the issue on Wednesday.

“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch,” the company said.

The company urged customers to disable all HTTP and HTTPs traffic to their MOVEit Transfer environment. They also said customers should be on the lookout for unexpected and large file downloads or the creation of unexpected files in certain folders on all of their MOVEit Transfer instances, including back-ups.

The company said patches for the bug are being tested right now and will be released as soon as possible.

In a statement provided to Recorded Future News, a spokesperson from the company said: “When we identified the issue, we took immediate action, including bringing down MOVEit Cloud, to ensure the safety of our customers, while we reviewed the severity of the situation. We also notified our customers, first providing instructions for immediate actions, followed by the release of a patch.”

Rapid7 Senior Manager of Vulnerability Research Caitlin Condon said as of May 31 there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority appearing to be in the United States. Cybersecurity researcher Kevin Beaumont shared images of at least one instance connected to the U.S. Department of Homeland Security.

Image: Instances of MOVEit Transfer exposed to the public internet. (Image: Shodan, via The Record)

“Huge US footprint, including US government. It’s quite expensive, so mostly Western enterprises,” Beaumont wrote in posts on the Mastodon social media site.

“Everyone online is still vulnerable. This includes some big banks etc. – Webshells started being planted a few weeks ago, multiple incidents running at multiple orgs during that timeframe who detected activity.”

Condon explained that there is evidence that hackers have already automated exploitation of the issue, and BleepingComputer reported that hackers have already begun to mass-download data from affected companies.

The attack on MOVEit would be the latest involving a popular file transfer tool used by large organizations this year. In February, ransomware groups exploited a vulnerability affecting Fortra’s GoAnywhere MFT file-transfer product.

The governments of Toronto and Tasmania were affected by the incident alongside corporate giants like Procter & Gamble, Virgin and Hitachi.

The ransomware group behind the exploitation – the Cl0p gang – was previously behind another widespread attack on another file transfer tool in 2021.

The gang targeted the Accellion file transfer tool to steal data from some of the biggest companies and schools in the world, including the University of Colorado, Kroger, Morgan Stanley and Shell.

Updated at 2:17pm to include a statement from Progress Software. (8)
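The vendor's interim guidance quoted above amounts to two hunting checks: watch for unexpected, large file downloads, and watch for unexpected files appearing in particular folders on every instance, backups included. The Python below is an added example written for this page (not code from Progress Software, The Record or the post) that implements both checks over a constructed transfer log and a constructed directory snapshot. The log line format (timestamp, user=, action=, file=, bytes=) is invented for the example and is not the product's own log format; the user names, paths and byte counts are constructed, and "/app/webroot/" stands in for whichever folders the vendor advisory tells you to watch.

```python
"""
Added example, not from the OODA post, Progress Software or The Record:
two hunting checks matching the interim guidance quoted above, run over a
constructed transfer log and a constructed directory snapshot.

Assumptions: the log format below is invented for this example, and the
paths, users and sizes are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Invented log format: "<ISO-8601 UTC> user=<u> action=<a> file=<path> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: one service account pulls ~1.4 GB in under a minute.
SAMPLE_LOG = """\
2023-05-31T02:10:01Z user=alice action=download file=/Home/alice/report.pdf bytes=204800
2023-05-31T02:11:45Z user=svc_sync action=download file=/Home/finance/ledger-2022.zip bytes=734003200
2023-05-31T02:12:03Z user=svc_sync action=download file=/Home/finance/ledger-2023.zip bytes=681574400
2023-05-31T02:12:40Z user=svc_sync action=download file=/Home/hr/payroll.csv bytes=52428800
2023-05-31T02:40:12Z user=bob action=upload file=/Home/bob/notes.txt bytes=1024
this line is malformed and must be skipped, not crash the hunt
"""

# Constructed directory snapshots: a known-good baseline and the current state.
BASELINE_SNAPSHOT = {"/app/webroot/index.aspx", "/app/webroot/static/logo.png",
                     "/var/log/app.log"}
CURRENT_SNAPSHOT = BASELINE_SNAPSHOT | {"/app/webroot/unexpected.aspx", "/tmp/cache.bin"}


def parse_log(text: str):
    """Yield (timestamp, user, action, path, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are dropped rather than aborting the run
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"],
               m["action"], m["file"], int(m["bytes"]))


def max_window_bytes(events, window: timedelta) -> int:
    """Largest byte total covered by any sliding window of length `window`."""
    events = sorted(events)  # (timestamp, bytes) pairs, oldest first
    best = total = 0
    left = 0
    for ts, nbytes in events:
        total += nbytes
        while ts - events[left][0] > window:  # drop events that fell out of the window
            total -= events[left][1]
            left += 1
        best = max(best, total)
    return best


def flag_bulk_downloads(log_text: str, threshold_bytes: int, window_minutes: int = 10) -> dict:
    """Users whose downloads within any window_minutes span exceed threshold_bytes.

    Returns {user: peak_window_bytes}; uploads and other actions are ignored.
    """
    per_user = defaultdict(list)
    for ts, user, action, _path, nbytes in parse_log(log_text):
        if action == "download":
            per_user[user].append((ts, nbytes))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for user, events in per_user.items():
        peak = max_window_bytes(events, window)
        if peak > threshold_bytes:
            hits[user] = peak
    return hits


def unexpected_files(baseline, current, watched_prefixes) -> list:
    """Paths under a watched folder that exist now but were absent from the baseline."""
    prefixes = tuple(watched_prefixes)
    return sorted(p for p in set(current) - set(baseline) if p.startswith(prefixes))


if __name__ == "__main__":
    one_gib = 1_073_741_824
    print("bulk downloaders:", flag_bulk_downloads(SAMPLE_LOG, one_gib))
    print("new files in webroot:",
          unexpected_files(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, ["/app/webroot/"]))
```

The sliding window matters more than a daily total: a service account that legitimately moves a few gigabytes a day looks very different from one that moves the same volume in ninety seconds, which is the pattern the mass-download reports describe. The snapshot comparison is deliberately dumb; it only needs a trusted baseline taken before the exposure window, which is why the guidance asks you to check backups as well as live instances.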


Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.