Monthly Advisory • 10 MIN READ
October 2023 Threat Advisory Top 5
by Eleanor Barlow • Oct 2023
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of October 2023.
Apple Released Security Update to Fix Vulnerability Affecting Multiple Apple Products
Threat Reference: Global
Risks: Arbitrary Code Execution
Advisory Type: Updates/Patches
Priority: Standard
Apple has released a patch to fix vulnerability in their products. Successful exploitation of this vulnerability could lead to Arbitrary Code Execution.
Notable CVE: CVE-2023-5217 – A local attacker may be able to elevate their privileges.
Affected Products include iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
Recommendation: For a permanent fix, it is recommended to update all the affected products to its latest available patch version.
Cisco Fixes Critical Vulnerability in Cisco IOS XE Software Web UI
Threat Reference: Global
Risks: Privilege Escalation, Remote Code Execution
Advisory Type: Updates/Patches
Priority: Standard
Cisco has recently fixed a critical vulnerability (CVE-2023-20198) in Cisco IOS XE software Web UI having CVSS 10 score.
This vulnerability can be exploited by a remote, unauthenticated attacker which can take over the vulnerable system. The attacker can also create a new account on an affected system with privileged level 15 access.
Recommendations
• It is recommended to update affected products to their latest available versions/patch level.
• Disable Web UI if not required from affected product.
• Disable HTTP server feature on all internet facing systems.
• It is recommended to not expose Web UI and management services internet.
HTTP/2 ‘Rapid Reset’ DDoS Attack Impacting Multiple Products
Threat Reference: Global
Risks: Denial of Service (DOS)
Advisory Type: Zero Day Exploits
Priority: Elevated
Security Researchers have discovered high-severity vulnerability (CVE-2023-44487) in web servers supporting HTTP/2, allowing threat actors to abuse the ‘stream multiplexing’ feature by repeatedly sending requests and immediately cancelling them which leads to ‘Rapid Reset’ attack causing Denial of Service.
Additionally, security researchers have unveiled two variants of the HTTP/2 Rapid Reset attack.
Variant 1
In the first variant streams are not cancelled, however the requests are sent in groups, which stays idle for a while, and then cancelled. This allows the user to evade Rate of Inbound Frames per second.
Variant 2
In the second variant, the attacker attempts to send more requests concurrently to the server. This method maintains a continuous flow of requests, avoiding delays caused by client-proxy and proxy-server communication which request pipeline consistently busy, making it more challenging to defend against DDoS attacks compared to the standard HTTP/2 method.
Affected vendors include Apache Tomcat, AWS, F5, Microsoft IIS, Microsoft MsQuic, Nginx, and nghttp2 library.
Note that Web apps that are behind the following DDoS protection providers / CDNs should not be impacted: AWS, Cloudflare, Google Cloud, and Microsoft Azure.
Workaround: For NGINX
keepalive_requests should be kept at the default setting of 1000 requests.
http2_max_concurrent_streams should be kept at the default setting of 128 streams.
limit_conn and limit_req should be set “with a reasonable setting balancing application performance and security”.
Note that other vendors can refer to the latest available patch version.
Recommendation
SecurityHQ recommends implementing DDoS protection / CDNs (WAF).
Microsoft Released October 2023 Patch Tuesday for 104 Flaws Including 3 Zero-days.
Threat Reference: Global
Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has released their Patch Tuesday for October 2023 with security updates for 104 flaws, including 3 actively exploited vulnerabilities.
Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.
Affected Microsoft Products include Windows, ESU, Microsoft Dynamics, Exchange Server, Microsoft Office, Azure, Developer Tools, SQL Server.
Notable CVE ID and details:
[Critical] – CVE-2023-41774 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41773 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41771 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41770 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41769 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41768 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41767 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-41765 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-38166 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability
[Critical] – CVE-2023-36718 – Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability
[Critical] – CVE-2023-36697 – Microsoft Message Queuing Remote Code Execution Vulnerability
[Critical] – CVE-2023-36566 – Microsoft Common Data Model SDK Denial of Service Vulnerability
[Critical] – CVE-2023-35349 – Microsoft Message Queuing Remote Code Execution Vulnerability
[Zero-Day] – [Important] – CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
[Zero-Day] – [Important] – CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability
[Zero-Day] – [Important] – CVE-2023-44487 – HTTP/2 Rapid Reset Attack
[Important] – CVE-2023-41772 – Win32k Elevation of Privilege Vulnerability
[Important] – CVE-2023-38159 – Windows Graphics Component Elevation of Privilege Vulnerability
[Important] – CVE-2023-36780 – Skype for Business Remote Code Execution Vulnerability
[Important] – CVE-2023-36778 – Microsoft Exchange Server Remote Code Execution Vulnerability
[Important] – CVE-2023-36776 – Win32k Elevation of Privilege Vulnerability
[Important] – CVE-2023-36743 – Win32k Elevation of Privilege Vulnerability
[Important] – CVE-2023-36732 – Win32k Elevation of Privilege Vulnerability
[Important] – CVE-2023-36731 – Win32k Elevation of Privilege Vulnerability
[Important] – CVE-2023-36713 – Windows Common Log File System Driver Information Disclosure Vulnerability
[Important] – CVE-2023-36594 – Windows Graphics Component Elevation of Privilege Vulnerability
Recommendation
For a permanent fix it is recommended to keep applications and operating systems running at the current released patch level, and to run software with the least privileges.
Fortinet Addressed a High Severity Vulnerability Related to Improper Authorization Through Prof-Admin Profile
Threat Reference: Global
Risks: Privilege Escalation
Advisory Type: Updates/Patches
Priority: Standard
Fortinet has released a security update to patch a high severity vulnerability. CCVE-2023-41841[ CVSSv3 Score:7.4]: A improper authorization vulnerability identified within the FortiOS WEB UI component. Successful exploits can allow an attacker, one belongs to the prof-admin profile, to perform Privilege Escalation.
Affected Products includes FortiOS version 7.2.0 through 7.2.4, and FortiOS version 7.0.0 through 7.0.11.
Recommendation
It is recommended to update the affected products to their latest available versions.
Threat Intelligence for the Future
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat
Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks.
Beyond their investigative work, the Intelligence team provides actionable threat intelligence and
research, enriching the understanding of SecurityHQ’s customers worldwide. United by a
common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to
confidently navigate the intricacies of the cyber security threat landscape.
For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.
Related Content
6 Cloud Vulnerabilities to Look Out For in 2023
Most companies are highly dependent on cloud hosting for storage and computing. As much as it helps as a central storage and processing unit, the cyber risks associated with Cloud are on the rise.
September Threat Advisory – Top 5
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of September 2022. Top 5!
Enhancing Firewall & Proxy Perimeter Controls
There are numerous neglected controls that can be leveraged to escalate cyber security attacks within any organisation. This blog outlines these additional controls, that can be used alongside necessary standard controls to enhance security posture.
The job of a Proxy is to provide a gateway between the users and the internet. A good quality, well configured Proxy assists in keeping users and the internal network protected from the nefarious content published and accessible on the internet. ‘If you’re like most people, you probably associate proxy servers with unblocking Netflix content […]
