Vulnerabilities in cloud platforms
Otorio’s team of researchers found 11 vulnerabilities affecting different cloud management platform providers. Sierra Wireless, Teltonika Networks and InHand Networks are the affected companies.
The security flaws affecting Teltonika Networks are CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587 and CVE-2023-2588, identified in the remote management system (RMS). Their exploitation could expose confidential information and allow remote code execution (RCE).
The vulnerabilities in InHand Networks, CVE-2023-22600, CVE-2023-22598, CVE-2023-22599, CVE-2023-22597 and CVE-2023-2261, could be exploited by malicious actors to perform RCE.
Lastly, the flaws identified in Sierra Wireless, CVE-2023-31279 and CVE-2023-31280, could allow an attacker to search for unregistered devices that are connected to the cloud, obtain their serial numbers and register them to an account under their control for the purpose of executing commands.
The new .zip TLD under the researchers’ magnifying glass
Google opened registration of new domains on May 3 under eight new TLDs: .dad, .esq, .prof, .phd, .nexus, .foo, .mov and, most notably, .zip. Registration under the latter is generating a lot of controversy in the security community, as it can be used in phishing campaigns distributing compressed .zip files.
Some researchers have already shown that these domains, combined with special characters in the address bar, can be used to disguise links to malicious files as URLs that appear to be legitimate.
An adversary could do this by using special Unicode characters such as the U+2044 (⁄) and U+2215 (∕) slashes, which visually resemble the conventional slash character U+002F (/), and by exploiting the way some browsers interpret the at (@) character in a URL to achieve unwanted redirects.
For this reason, it is recommended to pay attention to any link that contains the characters U+2044 (⁄) or U+2215 (∕), also includes an at sign (@) and points to an allegedly compressed .zip file, since it could actually be a disguised redirect to a domain under this new TLD.
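As an added example (not part of the original bulletin or the researchers' work), the following Python check flags links that match the pattern described above: a lookalike slash, an at sign that turns the visible "domain" into userinfo, and a real host under .zip. The sample URLs are constructed and the function names are hypothetical.

```python
import re

# Code points named in the text: they render like "/" but do not end the authority.
LOOKALIKE_SLASHES = {
    "\u2044": "U+2044 FRACTION SLASH",
    "\u2215": "U+2215 DIVISION SLASH",
}

def split_authority(url):
    """Return (userinfo, host) as a URL parser sees them (IPv6 literals not handled)."""
    rest = url.split("://", 1)[-1]
    # Only the ASCII "/", "?" or "#" terminates the authority component.
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.rsplit(":", 1)[0].lower().rstrip(".")
    return (userinfo if at else None), host

def inspect_link(url):
    """List the reasons a link matches the disguised-redirect pattern."""
    userinfo, host = split_authority(url)
    findings = []
    for ch, name in LOOKALIKE_SLASHES.items():
        if ch in url:
            findings.append(f"contains {name}")
    if userinfo is not None:
        findings.append(f"text before @ is userinfo, real host is {host}")
    if host.endswith(".zip"):
        findings.append("host is under the .zip TLD")
    return findings

# Constructed samples; example.com and constructed-sample.zip are placeholders.
SAMPLES = [
    "https://example.com/downloads/constructed-sample.zip",
    "https://example.com\u2215downloads\u2215@constructed-sample.zip",
    "https://example.com\u2044downloads\u2044@constructed-sample.zip",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", inspect_link(sample) or "no findings")
```

The first sample is an ordinary download path on example.com and produces no findings; in the other two the apparent path is userinfo and the host that would be contacted is the .zip name.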
Critical Vulnerabilities in Cisco Small Business Series Switches
Cisco has issued a security advisory stating that it has fixed nine critical vulnerabilities in its Small Business Series Switches products.
The vulnerabilities have been assigned the following CVE identifiers and CVSS scores: CVE-2023-20159 (CVSS: 9.8), CVE-2023-20160 (CVSS: 9.8), CVE-2023-20161 (CVSS: 9.8), CVE-2023-20189 (CVSS: 9.8), CVE-2023-20024 (CVSS: 8.6), CVE-2023-20156 (CVSS: 8.6), CVE-2023-20157 (CVSS: 8.6), CVE-2023-20158 (CVSS: 8.6), CVE-2023-20162 (CVSS: 7.5).
All of the security holes affect Small Business Series Switches versions 200, 250, 300, 350, 350X and 500 and are due to improper validation of requests sent to the web interface. This could allow an unauthenticated remote threat actor to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on an affected device.
Cisco reports that it has issued software updates that address these vulnerabilities and that there are no workarounds, so it is recommended to upgrade to the latest version available.
Google fixes critical vulnerability in Chrome 113
Google has issued a security update for Chrome 113 that fixes a total of 12 vulnerabilities, one of them critical. The critical one, identified as CVE-2023-2721 and still pending a CVSS score, is a use-after-free (UAF) vulnerability that would allow a remote attacker to create an HTML page that triggers heap corruption when a user accesses it.
For an attacker to exploit this security flaw, it would be necessary to convince the user to visit the page. This and five other fixed vulnerabilities were reported to Google by external researchers for rewards ranging from $1500 to $7000.
The update is available as version 113.0.5672.126 for Mac and Linux devices and 113.0.5672.126/.127 for Windows.
Apple fixes three 0-day vulnerabilities and dozens of other CVEs across its portfolio
Apple has recently issued security updates for iOS, iPadOS, macOS, tvOS, watchOS and the Safari web browser, and warned about three 0-day vulnerabilities that are reportedly being actively exploited.
These security flaws affect the WebKit browser engine, which Apple uses in its Safari browser and requires other browsers on iOS to use. The first vulnerability (CVE-2023-32409) is a sandbox escape flaw that allows remote attackers to break out of web content sandboxes.
The other two (CVE-2023-28204 and CVE-2023-32373) consist of an out-of-bounds read that allows threat actors to gain access to sensitive information and achieve arbitrary code execution on compromised devices.
The CVEs were recently assigned, so detailed information is not available. Apple recommends that all users update their devices to the latest version available.