Security Advisory for the week ending October 13, 2023

October 23, 2023

• Cisco Releases Security Advisory for IOS XE Software Web UI
• Fortinet Releases Security Updates for Multiple Products
• Palo Alto Networks Security Advisory – October 2023
• Citrix Releases Security Updates for Multiple Products
• Apple Releases Security Updates for iOS and iPadOS
• Atlassian Releases Security Advisory for Confluence Data Center and Server
• Cisco Releases Security Advisories for Multiple Products
• CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance

Cisco Releases Security Advisory for IOS XE Software Web UI

Situation:
Cisco has released a security advisory to address a vulnerability (CVE-2023-20198) affecting IOS XE Software Web UI.

Problem:
Active exploitation has been observed of a vulnerability in the web UI feature of Cisco IOS XE Software when it is exposed to the internet or to untrusted networks.

Implication:
Systems running Cisco IOS XE that have the Web UI enabled can be exploited by a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.

Need:
We recommend that customers disable the HTTP Server feature on all internet-facing systems where possible, as there are no current workarounds to address this vulnerability.
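The recommendation above is easier to act on when you can see, across saved configuration backups, which devices still have the web UI turned on. The following script is an added example (not DataEndure's or Cisco's code): it scans IOS XE running-config text for the `ip http server` and `ip http secure-server` lines that enable the web UI, reports the devices that still expose it, and lists the standard `no ip http server` / `no ip http secure-server` commands that turn it off. The sample configurations are constructed for the example; where a config contains neither an enabling nor an explicit disabling line, the script deliberately reports UNKNOWN rather than guessing the platform default.

```python
"""Scan saved IOS XE configurations for an enabled web UI (HTTP server).

Added example, not DataEndure's or Cisco's code. It inspects running-config
text for the `ip http server` / `ip http secure-server` lines that enable the
web UI, so a defender can list which internet-facing devices still need the
HTTP Server feature disabled. The sample configs below are constructed; the
remediation commands are the standard IOS `no ip http server` and
`no ip http secure-server` forms.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SERVICES = ("http", "https")
# Lines that enable each service. Leading whitespace is tolerated because
# some exports indent global commands; "no ip http ..." cannot match these.
ENABLE_LINE = {
    "http": re.compile(r"^\s*ip http server\s*$", re.MULTILINE),
    "https": re.compile(r"^\s*ip http secure-server\s*$", re.MULTILINE),
}
DISABLE_LINE = {
    "http": re.compile(r"^\s*no ip http server\s*$", re.MULTILINE),
    "https": re.compile(r"^\s*no ip http secure-server\s*$", re.MULTILINE),
}
REMEDIATION = {"http": "no ip http server", "https": "no ip http secure-server"}


@dataclass
class WebUiStatus:
    hostname: str
    enabled: Tuple[str, ...]              # services with an enabling line present
    explicitly_disabled: Tuple[str, ...]  # services with a `no ip http ...` line

    @property
    def verdict(self) -> str:
        if self.enabled:
            return "EXPOSED"
        if set(self.explicitly_disabled) == set(SERVICES):
            return "DISABLED"
        # No enabling line, but not every service is explicitly disabled either:
        # the platform default decides, so confirm on the device instead of assuming.
        return "UNKNOWN"

    def remediation(self) -> List[str]:
        """Commands that turn off whichever services are still enabled."""
        return [REMEDIATION[s] for s in self.enabled]


def hostname_of(config: str) -> str:
    m = re.search(r"^hostname\s+(\S+)\s*$", config, re.MULTILINE)
    return m.group(1) if m else "<unknown>"


def web_ui_status(config: str) -> WebUiStatus:
    enabled = tuple(s for s in SERVICES if ENABLE_LINE[s].search(config))
    disabled = tuple(s for s in SERVICES if DISABLE_LINE[s].search(config))
    return WebUiStatus(hostname_of(config), enabled, disabled)


# Constructed sample exports; only the lines relevant to the web UI are included.
SAMPLE_CONFIGS: Dict[str, str] = {
    "edge-rtr-1": "hostname edge-rtr-1\nip http server\nip http secure-server\nip http authentication local\n",
    "core-sw-2": "hostname core-sw-2\nno ip http server\nno ip http secure-server\n",
    "branch-rtr-3": "hostname branch-rtr-3\nno ip http server\nip http secure-server\n",
    "lab-rtr-4": "hostname lab-rtr-4\nno ip http server\n",
}


def scan(configs: Dict[str, str] = SAMPLE_CONFIGS) -> Dict[str, WebUiStatus]:
    """Assess every config in the mapping; keys are whatever names the caller uses."""
    return {name: web_ui_status(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, st in scan().items():
        fix = "; ".join(st.remediation()) or "-"
        print(f"{name:14} {st.verdict:9} enabled={st.enabled} fix: {fix}")
```

Feed it the text of `show running-config` exports (one string per device) and treat every EXPOSED result on an internet-facing device as a candidate for the recommended change; UNKNOWN results still need to be checked on the device itself.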

Additional Resources:

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Cisco Releases Security Advisory for IOS XE Software Web UI:
https://www.cisa.gov/news-events/alerts/2023/10/16/cisco-releases-security-advisory-ios-xe-software-web-ui

BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces:
https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02

Fortinet Releases Security Updates for Multiple Products

Situation:
Fortinet has released security advisories addressing vulnerabilities in multiple products.

Problem:
Unpatched systems are vulnerable to attack from malicious users.

Implication:
These vulnerabilities may allow cyber threat actors to take control of the affected systems.

Need:
We encourage users and administrators to review the following Fortinet security advisories and apply the recommended updates.

Additional Resources:

Fortinet Releases Security Updates for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/10/11/fortinet-releases-security-updates-multiple-products

FG-IR-23-189:
https://www.fortiguard.com/psirt/FG-IR-23-189

FG-IR-23-062:
https://www.fortiguard.com/psirt/FG-IR-23-062

FG-IR-23-167:
https://www.fortiguard.com/psirt/FG-IR-23-167

FG-IR-22-352:
https://www.fortiguard.com/psirt/FG-IR-22-352

FG-IR-23-318:
https://www.fortiguard.com/psirt/FG-IR-23-318

FG-IR-23-085:
https://fortiguard.fortinet.com/psirt/FG-IR-23-085

Palo Alto Networks Security Advisory – October 2023

Situation:
Palo Alto Networks has released a security advisory.

Problem:
The Palo Alto Networks Security Assurance team is evaluating recently disclosed denial-of-service (DoS) vulnerabilities in the HTTP/2 protocol, including Rapid Reset (CVE-2023-44487 and CVE-2023-35945). There is also a problem with the Cortex XSOAR Kafka v3 integration that can result in the cleartext exposure of the configured Kafka client certificate key (CVE-2023-3281).

Implication:
With regard to CVE-2023-44487 and CVE-2023-35945, the PAN-OS firewall web interface, GlobalProtect portals, and GlobalProtect gateways are not impacted by these vulnerabilities. The impact of these issues on inspection of decrypted HTTP/2 traffic in PAN-OS software is under investigation.

With regard to CVE-2023-3281, the product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Need:
This issue is fixed in the Cortex XSOAR Kafka v3 integration in version 2.0.16 and all later versions of the integration.
A new Kafka client certificate key should be used by the Kafka v3 integration after you upgrade it to a fixed version. You should also revoke the existing Kafka client certificate key to prevent the misuse of a previously exposed secret key.

Additional Resources:

Palo Alto Networks Security Advisories:
https://security.paloaltonetworks.com/

Impact of Rapid Reset and HTTP/2 DoS Vulnerabilities (CVE-2023-44487, CVE-2023-35945):
https://security.paloaltonetworks.com/CVE-2023-44487

CVE-2023-3281 Cortex XSOAR: Cleartext Exposure of Client Certificate Key in Kafka v3 Integration:
https://security.paloaltonetworks.com/CVE-2023-3281

Citrix Releases Security Updates for Multiple Products

Situation:
Citrix has released security updates for multiple products.

Problem:
Citrix has released security updates to address vulnerabilities affecting multiple products:

  • NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
  • Citrix Hypervisor Multiple Security Updates

Implication:
NetScaler ADC and NetScaler Gateway:

  • CVE-2023-4966
    • Sensitive information disclosure
    • Pre-requisite: Appliance must be configured as a
      Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
      OR
      AAA virtual server
  • CVE-2023-4967
    • Denial of service
    • Pre-requisite: Appliance must be configured as a
      Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
      OR
      AAA virtual server

Citrix Hypervisor:

  • Applicable Products: Citrix Hypervisor, XenServer
  • Several issues have been discovered that affect Citrix Hypervisor 8.2 CU1 LTSR and may allow malicious privileged code in a guest VM to:
    • Compromise an AMD-based host via a passed through PCI device: CVE-2023-34326
    • Compromise the host when a specific administrative action is taken (see Mitigating Factors below): CVE-2022-1304
    • Cause the host to crash or become unresponsive: CVE-2023-34324
    • Cause a different VM running on the AMD-based host to crash: CVE-2023-34327
  • Mitigating factors:
    • CVE-2023-34326 only affects systems that have both of a) a PCI device passed through to the guest VM by the host administrator and also b) an AMD CPU. Customers who are not using AMD CPUs and customers who are not using the PCI passthrough feature are not affected by this issue.
    • CVE-2022-1304 is only exploitable at the point that the host administrator uses the “Restore Virtual Machine Metadata” sub-option of the “Backup, Restore and Update” menu item in the on-host xsconsole interface. Customers who do not use this sub-option are not affected by this issue.
    • CVE-2023-34327 only affects systems running on AMD CPUs. Customers who are not using AMD CPUs are not affected by this issue.
    • CVE-2023-20588 only affects systems running on AMD Zen1 CPUs. Customers who are using other generations of AMD CPUs or who are not using AMD CPUs are not affected by this issue.

Need:
NetScaler ADC and NetScaler Gateway:

  • We strongly urge affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:
    • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
    • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
    • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
    • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
    • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Customers are advised to upgrade their appliances to one of the supported versions that address the vulnerabilities.
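With six fixed builds across five trains, and the FIPS and NDcPP trains sharing a branch number with the standard releases, it is easy to misjudge which appliances are already on a fixed build. The script below is an added example (not DataEndure's or Citrix's code) that compares NetScaler version strings of the form `<branch>-<build>.<minor>` (for instance `13.1-49.15`) against the fixed builds listed above, treats the standard 12.1 train as EOL, and uses the Gateway/AAA prerequisite from the bulletin to order the patching work. The inventory it runs over is constructed; the fixed-build table is transcribed from this advisory.

```python
"""Triage NetScaler ADC / Gateway builds against the fixed releases above.

Added example, not DataEndure's or Citrix's code. The fixed-build table is
transcribed from the bulletin summary on this page; the sample inventory is
constructed. Version strings are "<branch>-<build>.<minor>", e.g. "13.1-49.15".
FIPS and NDcPP builds are keyed separately because they share a branch number
with the standard train but have different fixed builds.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# (branch, variant) -> first fixed (build, minor) for CVE-2023-4966 / CVE-2023-4967
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}
# The standard 12.1 train has no fixed build: it is End-of-Life.
EOL_BRANCHES = {("12.1", "standard")}

VERSION_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)\s*$")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split "13.1-49.15" into ("13.1", (49, 15)); tuples compare numerically."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


@dataclass
class Assessment:
    version: str
    variant: str
    status: str            # "fixed", "vulnerable", "eol", or "unknown"
    gateway_or_aaa: bool   # bulletin prerequisite: Gateway or AAA virtual server configured
    fixed_build: Optional[str] = None

    @property
    def priority(self) -> str:
        """Patch ordering: affected appliances that meet the prerequisite go first."""
        if self.status == "fixed":
            return "none"
        if self.status in ("vulnerable", "eol") and self.gateway_or_aaa:
            return "urgent"
        return "scheduled"


def assess(version: str, variant: str = "standard", gateway_or_aaa: bool = True) -> Assessment:
    branch, build = parse_build(version)
    key = (branch, variant)
    if key in EOL_BRANCHES:
        return Assessment(version, variant, "eol", gateway_or_aaa)
    if key not in FIXED_BUILDS:
        # Not a train covered by the bulletin summary: check the vendor bulletin.
        return Assessment(version, variant, "unknown", gateway_or_aaa)
    fixed = FIXED_BUILDS[key]
    status = "fixed" if build >= fixed else "vulnerable"
    return Assessment(version, variant, status, gateway_or_aaa, f"{branch}-{fixed[0]}.{fixed[1]}")


# Constructed inventory: (hostname, version, variant, configured as Gateway/AAA)
SAMPLE_INVENTORY = [
    ("ns-edge-01", "13.1-49.13", "standard", True),
    ("ns-edge-02", "13.1-49.15", "standard", True),
    ("ns-fips-01", "13.1-37.150", "FIPS", True),
    ("ns-lb-07", "13.0-91.13", "standard", False),
    ("ns-old-03", "12.1-65.25", "standard", True),
    ("ns-new-01", "14.1-8.50", "standard", True),
]


def triage(inventory=SAMPLE_INVENTORY):
    """Return {hostname: Assessment} for every appliance in the inventory."""
    return {host: assess(ver, variant, gw) for host, ver, variant, gw in inventory}


if __name__ == "__main__":
    for host, a in triage().items():
        fix = f" (fixed in {a.fixed_build})" if a.fixed_build else ""
        print(f"{host:12} {a.version:12} {a.variant:8} {a.status:10} priority={a.priority}{fix}")
```

Note that the same build number can be "fixed" on one variant and "vulnerable" on another (13.1-37.164 is the FIPS fix but is below the standard 13.1 fix), which is why the variant must come from your inventory rather than be inferred from the version string.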

Citrix Hypervisor:

  • Hotfixes have been released to address these issues. We recommend that affected customers install these hotfixes and follow the instructions in the linked articles as their update schedule permits. The hotfixes can be downloaded from the following locations:
    • CTX575070 – https://support.citrix.com/article/CTX575070
    • CTX579955 – https://support.citrix.com/article/CTX579955
    • CTX580401 – https://support.citrix.com/article/CTX580401
    • CTX581053 – https://support.citrix.com/article/CTX581053
    • CTX581108 – https://support.citrix.com/article/CTX581108

Note that there is not a one-to-one correlation between these hotfixes and the addressed issues; we recommend that you always apply all of the hotfixes.

Additional Resources:

Citrix Releases Security Updates for Multiple Products
https://www.cisa.gov/news-events/alerts/2023/10/10/citrix-releases-security-updates-multiple-products

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967:
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

Citrix Hypervisor Multiple Security Updates:
https://support.citrix.com/article/CTX575089/citrix-hypervisor-multiple-security-updates

Apple Releases Security Updates for iOS and iPadOS

Situation:
Two vulnerabilities (CVE-2023-42824 and CVE-2023-5217) have been patched for the following Apple devices: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

Problem:
One of the vulnerabilities (CVE-2023-42824) may allow a local attacker to elevate their privileges. The other (CVE-2023-5217) is a buffer overflow vulnerability, a type of software flaw that can potentially lead to running malicious code on the device without permission.

Implication:
For CVE-2023-42824, someone with physical access to the device might have been able to gain unauthorized access, possibly leading to malicious actions. For CVE-2023-5217, an attacker could take control of the device by overflowing a memory buffer.

Need:
We recommend immediately updating your iPhone or iPad to the latest available iOS or iPadOS release (iOS version 16.6 or later).

Additional Resources:

iOS 17.0.3 and iPadOS 17.0.3:
https://support.apple.com/en-us/HT213961

CVE-2023-42824:
https://nvd.nist.gov/vuln/detail/CVE-2023-42824

CVE-2023-5217:
https://nvd.nist.gov/vuln/detail/CVE-2023-5217

Atlassian Releases Security Advisory for Confluence Data Center and Server

Situation:
Atlassian released a security advisory to address a vulnerability affecting Confluence Data Center and Confluence Server.

Problem:
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

Implication:
A remote cyber threat actor could exploit this vulnerability to take control of an affected system.

Need:
We encourage users and administrators to review the advisory below and apply the necessary updates.

Additional Resources:

Atlassian Releases Security Advisory for Confluence Data Center and Server:
https://www.cisa.gov/news-events/alerts/2023/10/05/atlassian-releases-security-advisory-confluence-data-center-and-server

CVE-2023-22515 – Broken Access Control Vulnerability in Confluence Data Center and Server:
https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

Cisco Releases Security Advisories for Multiple Products

Situation:
Cisco released security advisories for vulnerabilities affecting multiple Cisco products.

Problem:
A vulnerability in Cisco Emergency Responder 12.5 could allow an unauthenticated, remote attacker to log in to an affected device using the root account.

A vulnerability in an API endpoint could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This vulnerability affects the following Cisco Unified Communications Products:

  • Cisco Emergency Responder Release 14
  • Cisco Prime Collaboration Deployment Release 14
  • Cisco Unified CM and Unified CM SME Release 12.5 and 14
  • Cisco Unified CM IM&P Release 12.5 and 14
  • Cisco Unity Connection Release 14

Implication:
The vulnerability in Cisco Emergency Responder is due to the presence of static user credentials for the root account that are typically reserved for use during development. A successful exploit could allow the attacker to log into the affected system and execute arbitrary commands as the root user.

The vulnerability in Cisco Unified Communications Products is due to improper API authentication and incomplete validation of the API request. A successful exploit could allow the attacker to cause a denial of service condition due to high CPU utilization, which could negatively impact user traffic and management access.

Need:
We recommend updating affected Cisco products to the fixed releases, by following the links provided below.

Additional Resources:

Multiple Cisco Unified Communications Products Unauthenticated API High CPU Utilization Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-apidos-PGsDcdNF

Cisco Emergency Responder Static Credentials Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cer-priv-esc-B9t3hqk9

Cisco Releases Security Advisories for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/10/05/cisco-releases-security-advisories-multiple-products

CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance

Situation:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an update to Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default with numerous international partners.

Problem:
This update to the original April 2023 guidance provides additional recommendations for software manufacturers—including manufacturers of artificial intelligence software systems and models—to improve the security of their products.

Implication:
Software that does not follow these best practices and is not kept up to date is left vulnerable to threat actors for malicious purposes.

Need:
We strongly encourage all software manufacturers to read the updated guidance as well as the CISA blog post about the update.

Additional Resources:

CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance:
https://www.cisa.gov/news-events/alerts/2023/10/16/cisa-nsa-fbi-and-international-partners-release-updated-secure-design-guidance

Secure-by-Design:
https://www.cisa.gov/resources-tools/resources/secure-by-design

The Next Chapter of Secure by Design:
https://www.cisa.gov/news-events/news/next-chapter-secure-design

Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default:
https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
