DataEndure | Managed Cybersecurity. It's about time.
Security Advisory for the week ending September 29, 2023

October 9, 2023

• Mozilla Releases Security Updates for Multiple Products
• Apple Releases Security Updates for Multiple Products
• Cisco Releases Security Advisories for Multiple Products
• NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors
• Snatch Ransomware Security Advisory

Mozilla Releases Security Updates for Multiple Products

Situation:
Mozilla has released security updates to address a vulnerability affecting Firefox, Firefox ESR, Firefox Focus for Android, and Firefox for Android.

Problem:
A heap-based buffer overflow vulnerability (CVE-2023-5217) was discovered in libvpx, a multimedia library for the VP8 video codec.

Implication:
Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process, which may result in the execution of arbitrary code. Besides corrupting important user data, a heap-based buffer overflow can overwrite function pointers stored nearby on the heap so that they point to attacker-controlled code instead.

Need:
We encourage users to update their Firefox products to the following versions where the vulnerability has been fixed:

  • Firefox 118.0.1
  • Firefox ESR 115.3.1
  • Firefox Focus for Android 118.1
  • Firefox for Android 118.1
  • Thunderbird 115.3.1
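The update list above is easiest to act on when it is checked against an inventory. The script below is an added example (not DataEndure's or Mozilla's code) that compares installed Mozilla products against the fixed versions named in this advisory and reports which installs still need the CVE-2023-5217 update. Version strings are compared numerically, component by component, so "118.0.1" sorts after "118.0" and "115.3.1" after "115.3.0"; an "esr" suffix on a Firefox version is treated as the ESR channel so it is not wrongly measured against the release-channel fix. The inventory rows are constructed sample data, and the host names are assumptions.

```python
"""Patch-status triage for the Mozilla fixes listed in MFSA 2023-44.

Added example, not DataEndure's or Mozilla's code. The inventory is
constructed sample data; the fixed versions are the ones the advisory lists.
"""
from typing import Dict, List, Tuple

# Fixed versions as listed in the advisory (MFSA 2023-44).
FIXED_VERSIONS: Dict[str, str] = {
    "Firefox": "118.0.1",
    "Firefox ESR": "115.3.1",
    "Firefox Focus for Android": "118.1",
    "Firefox for Android": "118.1",
    "Thunderbird": "115.3.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '118.0.1' into (118, 0, 1).

    Non-numeric suffixes such as the 'esr' in '115.3.1esr' are stripped from
    the component they are attached to so they do not break the comparison.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_fixed(product: str, installed: str) -> bool:
    """True when the installed version is at or above the fixed version.

    Python compares tuples element by element, and a shorter tuple that is a
    prefix of a longer one sorts first, so (118, 0) < (118, 0, 1) as wanted.
    """
    # A version string ending in 'esr' is the ESR channel regardless of how the
    # inventory labelled the product; measure it against the ESR fix.
    if product == "Firefox" and installed.lower().endswith("esr"):
        product = "Firefox ESR"
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[product])


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Firefox", "118.0"),
    ("ws-02", "Firefox", "118.0.1"),
    ("ws-03", "Firefox ESR", "115.3.0esr"),
    ("ws-04", "Firefox ESR", "115.3.1esr"),
    ("mail-01", "Thunderbird", "115.2.3"),
    ("phone-01", "Firefox for Android", "118.1"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows still below the fixed version."""
    return [(h, p, v) for h, p, v in inventory if not is_fixed(p, v)]


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_VERSIONS[product]}")
```

The same comparison applies to any product whose fix is expressed as a minimum version; only the `FIXED_VERSIONS` table and the inventory source change.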

Additional Resources:

Mozilla Foundation Security Advisory 2023-44:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/#CVE-2023-5217

Mozilla Releases Security Updates for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/09/29/mozilla-releases-security-updates-multiple-products

CVE-2023-5217 Detail:
https://nvd.nist.gov/vuln/detail/cve-2023-5217

Apple Releases Security Updates for Multiple Products

Situation:
Apple has released security updates for macOS Monterey and macOS Ventura. This update addresses a vulnerability where visiting a website in Safari containing maliciously framed content could lead to UI spoofing; it is identified as CVE-2023-40417. Apple also released macOS Sonoma 14 for the following Mac devices: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2018 and later), MacBook Pro (2018 and later), and iMac Pro (2017). That update addresses an issue where an application could potentially access sensitive location information; it is identified as CVE-2023-40384.

Problem:
The problem in Safari 17 is that when you visit a website containing malicious content, the browser could display fake or misleading information. This is known as “UI spoofing”: the user interface (what you see on the screen) is manipulated to deceive the user. In macOS Sonoma 14, the problem is that certain apps could access sensitive location information on your Mac. This is a privacy concern because an app with no need for your location could still obtain it.

Implication:
For Safari 17, if this issue isn’t fixed, malicious websites could exploit it to trick users. Attackers might create fake login pages that impersonate legitimate websites, and when users enter their credentials there is a risk that their personal information could be compromised. For macOS Sonoma 14, if this issue isn’t fixed, it could lead to a privacy breach: apps that access your location without your permission might track your movements or use this information for malicious purposes.

Need:

  • Update both Safari 17 and macOS Sonoma 14.
  • Enable automatic updates.
  • Stay cautious when visiting websites; avoid clicking suspicious links or downloading files from untrusted sites.
  • Review the permissions you have granted to apps on your device, and make sure you are not giving apps unnecessary access to your information.

Additional Resources:

Safari 17
https://support.apple.com/en-us/HT213941

macOS Sonoma 14
https://support.apple.com/en-us/HT213940

Apple Security Releases
https://support.apple.com/en-us/HT201222

Cisco Releases Security Advisories for Multiple Products

Situation:
Cisco has released security advisories for vulnerabilities affecting multiple Cisco products.

Problem:
Cisco has released security advisories for vulnerabilities affecting multiple Cisco products, including Cisco Catalyst SD-WAN Manager vulnerabilities, a Cisco IOS and IOS XE Software command authorization bypass vulnerability, and more.

The advisories are as follows:

• Cisco Catalyst SD-WAN Manager Vulnerabilities
• Cisco IOS XE Software Web UI Command Injection Vulnerability
• Cisco IOS XE Software for ASR 1000 Series Aggregation Services Routers IPv6 Multicast Denial of Service Vulnerability
• Cisco IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability
• Cisco DNA Center API Insufficient Access Control Vulnerability
• Cisco IOS XE Software for Catalyst 3650 and Catalyst 3850 Series Switches Denial of Service Vulnerability
• Cisco IOS XE Software Application Quality of Experience and Unified Threat Defense Denial of Service Vulnerability
• Cisco IOS and IOS XE Software Command Authorization Bypass Vulnerability

Implication:
A remote cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

Need:
CISA encourages users and administrators to review the following advisories and apply the necessary updates.

Additional Resources:

Cisco Releases Security Advisories for Multiple Products:
https://www.cisa.gov/news-events/alerts/2023/09/28/cisco-releases-security-advisories-multiple-products

Cisco Catalyst SD-WAN Manager Vulnerabilities:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z
Cisco IOS XE Software Web UI Command Injection Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mlre-H93FswRz

Cisco IOS XE Software for ASR 1000 Series Aggregation Services Routers IPv6 Multicast Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mlre-H93FswRz

Cisco IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-l2tp-dos-eB5tuFmV

Cisco DNA Center API Insufficient Access Control Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ins-acc-con-nHAVDRBZ

Cisco IOS XE Software for Catalyst 3650 and Catalyst 3850 Series Switches Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cat3k-dos-ZZA4Gb3r

Cisco IOS XE Software Application Quality of Experience and Unified Threat Defense Denial of Service Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appqoe-utd-dos-p8O57p5y

Cisco IOS and IOS XE Software Command Authorization Bypass Vulnerability:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaascp-Tyj4fEJm

NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors

Situation:
The U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), released the joint Cybersecurity Advisory (CSA) “People’s Republic of China-Linked Cyber Actors Hide in Router Firmware.” The CSA details activity by cyber actors known as BlackTech, linked to the People’s Republic of China (PRC).

Problem:
The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.

Implication:
BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets.

Need:
We strongly recommend organizations review the advisory and implement the detection and mitigation techniques described to protect devices and networks.

Additional Resources:

NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors:
https://www.cisa.gov/news-events/alerts/2023/09/27/nsa-fbi-cisa-and-japanese-partners-release-advisory-prc-linked-cyber-actors

People’s Republic of China-Linked Cyber Actors Hide in Router Firmware:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a

People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a

China Cyber Threat Overview and Advisories:
https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china

Snatch Ransomware Security Advisory

Situation:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant, identified through FBI investigations as recently as June 1, 2023.

Problem:
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations.

Implication:
Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

Need:
We encourage customers to do the following:

  • Reduce the threat of malicious actors using remote access tools.
  • Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  • Strictly limit the use of RDP and other remote desktop services.
  • Disable command-line and scripting activities and permissions.
  • Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Place domain admin accounts in the Protected Users group to prevent local caching of password hashes, and refrain from storing plaintext credentials in scripts.
  • Implement time-based access for accounts.
  • Implement a recovery plan.
  • Maintain offline backups of data.
  • Require all accounts with password logins to comply with NIST’s standards for developing and managing password policies.
  • Require phishing-resistant multifactor authentication (MFA).
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks to prevent the spread of ransomware.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
  • Install, regularly update, and enable real-time detection for antivirus software.
  • Disable unused ports and protocols.
  • Consider adding an email banner to emails.
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted and immutable.
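Three of the recommendations above (reviewing for unrecognized accounts, auditing administrative privileges, and limiting RDP) can be checked continuously from Windows Security event data rather than by periodic manual review. The script below is an added example, not code from the advisory or from DataEndure, that runs that check over a constructed JSON-lines export. The Windows event IDs it keys on (4720 account created, 4728 and 4732 member added to a global or local group, 4624 logon with LogonType 10 for RDP) are real; the field names follow the common export layout, and the allow-lists of expected new accounts, privileged groups, and approved RDP jump hosts are assumptions for the example.

```python
"""Detection pass over constructed Windows Security-event records for three of
the Snatch mitigations: unrecognized new accounts, additions to privileged
groups, and RDP logons that did not come from an approved jump host.

Added example, not from the advisory or DataEndure. The records are
constructed JSON lines; the allow-lists below are assumptions.
"""
import json
from typing import Dict, Iterable, List

# Windows Security event IDs used below:
#   4720  a user account was created
#   4728  a member was added to a security-enabled global group
#   4732  a member was added to a security-enabled local group
#   4624  an account was successfully logged on (LogonType 10 = RemoteInteractive, i.e. RDP)
ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732}
LOGON = 4624
RDP_LOGON_TYPE = 10

# Assumed allow-lists: accounts the identity pipeline is expected to create,
# groups whose membership changes always warrant review, and the only hosts
# permitted to originate RDP sessions.
EXPECTED_NEW_ACCOUNTS = {"svc-backup-02"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
RDP_JUMP_HOSTS = {"10.10.5.10", "10.10.5.11"}

# Constructed sample export (JSON lines). In 4728/4732 events TargetUserName
# is the group and MemberName the account added, matching the real schema.
SAMPLE_EVENTS = r"""
{"EventID": 4720, "TargetUserName": "svc-backup-02", "SubjectUserName": "provisioner"}
{"EventID": 4720, "TargetUserName": "sysadm1n", "SubjectUserName": "jdoe"}
{"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CORP\\sysadm1n", "SubjectUserName": "jdoe"}
{"EventID": 4732, "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\helpdesk7", "SubjectUserName": "itops"}
{"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.10.5.10"}
{"EventID": 4624, "TargetUserName": "sysadm1n", "LogonType": 10, "IpAddress": "203.0.113.77"}
{"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2, "IpAddress": "-"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_findings(events: Iterable[Dict]) -> List[str]:
    """Return one human-readable finding per event that violates a rule."""
    findings: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == ACCOUNT_CREATED and ev["TargetUserName"] not in EXPECTED_NEW_ACCOUNTS:
            findings.append(
                f"unrecognised new account {ev['TargetUserName']} created by {ev['SubjectUserName']}"
            )
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            findings.append(
                f"{ev['MemberName']} added to {ev['TargetUserName']} by {ev['SubjectUserName']}"
            )
        elif (
            eid == LOGON
            and ev.get("LogonType") == RDP_LOGON_TYPE
            and ev.get("IpAddress") not in RDP_JUMP_HOSTS
        ):
            findings.append(
                f"RDP logon by {ev['TargetUserName']} from non-jump-host {ev['IpAddress']}"
            )
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Against the sample export this reports the unexpected account creation, its promotion to Domain Admins, and the RDP session from an address outside the jump-host set, while the provisioned service account, the Remote Desktop Users change, and the console logon pass silently. In practice the same three rules run over a SIEM feed, with the allow-lists sourced from the identity system rather than hard-coded.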

Additional Resources:

#StopRansomware: Snatch Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
