Cyber Security Weekly Briefing, 6 – 12 May

Telefónica Tech    16 May, 2023

Security updates fix vulnerabilities in Fortinet products

Fortinet has released a set of security updates that fix a total of 9 vulnerabilities, 2 of which are rated high severity and affect FortiADC, FortiOS and FortiProxy.

The first, registered as CVE-2023-27999, affects FortiADC versions 7.2.0, 7.1.1 and 7.1.0. It is an OS command injection flaw in the CLI: an authenticated attacker with CLI access could pass specially crafted arguments to existing commands and thereby execute unauthorized commands.

The second, CVE-2023-22640, is an out-of-bounds write in the sslvpnd component of FortiOS versions 7.2.x, 7.0.x, 6.4.x, 6.2.x and 6.0.x and of FortiProxy versions 7.2.x, 7.0.x, 2.0.x and 1.x.

This bug allows an authenticated attacker to achieve arbitrary code execution by sending specially crafted requests. Fortinet recommends upgrading affected assets to the latest available version to correct both flaws.

More info

Intel investigates private key leak after MSI incident

MSI recently confirmed that it suffered a data breach in a security incident that led to the leak of private keys affecting numerous devices.

As a result, Intel is investigating a possible leak of Intel Boot Guard private keys. Boot Guard is a hardware-rooted security feature of Intel platforms that verifies the initial firmware boot block before it executes, protecting the start of the boot chain against tampering.

With the corresponding private keys, malicious actors could sign their own firmware so that it passes Boot Guard verification, effectively defeating the protection on affected systems and allowing them to insert malicious code into the boot process. Because the hash of the OEM key is burned into the platform's fuses, leaked keys cannot simply be rotated with a firmware update.

The Binarly research team has published a list of the affected MSI hardware.

More info

Microsoft Patch Tuesday includes actively exploited 0-day vulnerabilities

In its latest security update, Microsoft has fixed a total of 38 vulnerabilities across several of its products, including Windows, SharePoint and Office; 6 of them are rated critical and 32 important.

Three of them are 0-day vulnerabilities, two of which are being actively exploited. The first, registered as CVE-2023-29336, with a CVSSv3 score of 7.8 according to the vendor, is an elevation-of-privilege flaw in the Win32k kernel driver that malicious actors could exploit to obtain SYSTEM privileges.

The second, CVE-2023-24932, CVSSv3 6.7 according to the vendor, is a Secure Boot bypass that has been used to install the BlackLotus UEFI bootkit. Note that the fix is not enabled by installing the update alone: the boot manager revocations must be applied manually following Microsoft's guidance (KB5025885), since they can prevent existing boot media from starting.

The third 0-day, CVE-2023-29325, CVSSv3 8.1 according to the vendor, was publicly disclosed but has not been seen exploited. It is a remote code execution flaw in Windows OLE that can be triggered through Microsoft Outlook with a specially crafted email, including when the message is rendered in the preview pane; configuring Outlook to read mail in plain text reduces the exposure until the patch is applied.

More info

SAP fixes 28 vulnerabilities at its May patch day

SAP has released 24 security notes covering a total of 28 vulnerabilities, two of which are classified as critical and nine as high priority. Security Note 3328495, rated critical with a CVSS score of 9.8, fixes five vulnerabilities in version 14.2 of the Reprise License Manager (RLM) component shipped with SAP 3D Visual Enterprise License Manager.

The first, CVE-2021-44151, allows an attacker to hijack sessions because the session identifier is short enough to be brute-forced.

CVE-2021-44152 allows an unauthenticated user to change the password of any user and so take over that account. CVE-2021-44153 could be exploited to execute a malicious binary, and CVE-2021-44154 could cause a buffer overflow.

Lastly, CVE-2021-44155 allows an attacker to enumerate valid users. SAP recommends upgrading SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2 and, in addition, disabling the RLM web interface.

Additionally, Security Note 3307833, with a CVSS score of 9.1, fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform.

More info

New details about the distribution of Amadey and Redline Stealer

McAfee Labs has published an analysis of the malicious executable used to distribute several malware families, including Amadey and Redline Stealer. The file's original name is wextract.exe.mui, that of the Windows self-extracting cabinet stub. It carries an embedded CAB archive together with a RUNPROGRAM attribute that names the program to start after extraction, cydn.exe, which in turn contains two further executables, aydx.exe and mika.exe, that are deployed as the malware payloads.

A second attribute, POSTRUNPROGRAM, instructs the stub to run vona.exe once the first program has finished.

All of these executables are dropped into the TEMP folder as temporary files. They, and the additional executables spawned by their child processes, are linked to Redline Stealer and Amadey, and they also disable security mechanisms on the host.
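The dropper described above is a Microsoft cabinet archive wrapped in the wextract stub, with RUNPROGRAM and POSTRUNPROGRAM directives telling the stub what to launch. As an added example (not McAfee Labs' code and not part of the original briefing), the following Python triage helper shows how an analyst can confirm that structure offline: it finds the `MSCF` cabinet signature inside a blob, parses the CFHEADER and CFFILE directory to list the files the cabinet carries (without decompressing anything), and looks for the UTF-16 resource names RUNPROGRAM and POSTRUNPROGRAM. The sample blob, the decoy signature and the file names in it are constructed for the demo and are not taken from the real sample.

```python
"""Added example (not McAfee Labs' or the original post's code).

Triage helper for wextract-style self-extracting droppers: locate the
embedded Microsoft Cabinet (CFHEADER signature 'MSCF') inside a PE blob,
list the file names the cabinet carries, and look for the wextract
RUNPROGRAM / POSTRUNPROGRAM resource names that tell the stub what to
launch after extraction. Only the cabinet header and CFFILE directory are
parsed (no decompression). The sample blob is constructed here for the
demo; it is not the real sample.
"""
import struct
from typing import Dict, List

# CFHEADER: sig, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#           versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36 bytes
CFFOLDER = struct.Struct("<IHH")              # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")             # cbFile, uoffFolderStart, iFolder, date, time, attribs
ATTR_NAME_IS_UTF = 0x80                       # szName is UTF-8 rather than the OEM code page


def find_cabinets(blob: bytes) -> List[int]:
    """Offsets of every 'MSCF' signature; some may be false positives."""
    offsets, i = [], blob.find(b"MSCF")
    while i != -1:
        offsets.append(i)
        i = blob.find(b"MSCF", i + 4)
    return offsets


def list_cab_files(blob: bytes, base: int) -> List[str]:
    """Return the file names in the CFFILE directory of the cabinet at `base`.

    coffFiles is an offset from the cabinet start, so the optional reserve /
    prev / next fields between CFHEADER and the CFFILE entries can be skipped.
    """
    sig, _, cb_cabinet, _, coff_files, _, vmin, vmaj, _, n_files, *_ = \
        CFHEADER.unpack_from(blob, base)
    if sig != b"MSCF" or (vmaj, vmin) != (1, 3):
        raise ValueError("not a CFHEADER (signature collision or corrupt header)")
    if not (CFHEADER.size <= coff_files < cb_cabinet):
        raise ValueError("coffFiles outside the declared cabinet")
    names, pos = [], base + coff_files
    for _ in range(n_files):
        _cb, _uoff, _ifolder, _date, _time, attribs = CFFILE.unpack_from(blob, pos)
        pos += CFFILE.size
        end = blob.index(b"\x00", pos)              # szName is NUL-terminated
        codec = "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp437"
        names.append(blob[pos:end].decode(codec, errors="replace"))
        pos = end + 1
    return names


def find_markers(blob: bytes) -> List[str]:
    """wextract stores its directives as named RCDATA resources; resource
    names are UTF-16LE, so that is the encoding searched for."""
    found = []
    post = "POSTRUNPROGRAM".encode("utf-16-le")
    run = "RUNPROGRAM".encode("utf-16-le")
    if post in blob:
        found.append("POSTRUNPROGRAM")
    i = blob.find(run)
    while i != -1:                                   # a RUNPROGRAM that is not the tail of POSTRUNPROGRAM
        if blob[max(0, i - 8):i] != "POST".encode("utf-16-le"):
            found.append("RUNPROGRAM")
            break
        i = blob.find(run, i + 2)
    return found


def triage(blob: bytes) -> List[Dict]:
    """Walk every candidate cabinet and report the ones that parse."""
    report = []
    for base in find_cabinets(blob):
        try:
            files = list_cab_files(blob, base)
        except (ValueError, struct.error):
            continue                                 # decoy signature or truncated header
        report.append({"offset": base, "files": files})
    return report


def build_cab(names: List[str]) -> bytes:
    """Construct a minimal cabinet (one folder, no CFDATA) for the demo."""
    files, uoff = b"", 0
    for n in names:
        files += CFFILE.pack(0x1000, uoff, 0, 0x56A1, 0x2E20, 0x20) + n.encode() + b"\x00"
        uoff += 0x1000
    coff_files = CFHEADER.size + CFFOLDER.size
    cb_cabinet = coff_files + len(files)
    header = CFHEADER.pack(b"MSCF", 0, cb_cabinet, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    folder = CFFOLDER.pack(cb_cabinet, 0, 0)        # data would start after the directory
    return header + folder + files


# Constructed stand-in for a wextract dropper: a decoy 'MSCF' string, the two
# directive resource names with their targets, and a real cabinet directory.
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 62
    + b"MSCF is also a plain string here"          # decoy: not a cabinet header
    + b"\x00" * 40
    + "RUNPROGRAM".encode("utf-16-le") + b"cydn.exe\x00"
    + "POSTRUNPROGRAM".encode("utf-16-le") + b"vona.exe\x00"
    + build_cab(["cydn.exe", "vona.exe"])
)

if __name__ == "__main__":
    print("directives:", find_markers(SAMPLE_BLOB))
    for cab in triage(SAMPLE_BLOB):
        print(f"cabinet @0x{cab['offset']:x}: {cab['files']}")
```

On a real sample, read the file with `open(path, "rb").read()` in place of `SAMPLE_BLOB`; the decoy in the demo shows why every `MSCF` hit is validated against the version bytes and the declared size before its directory is trusted. Resolving the directive values (which file RUNPROGRAM points at) properly requires walking the PE resource tree; a resource parser such as pefile is the usual next step.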

More info

Featured photo: Freepik.
