Normally, ‘ace’ implies something great, such as acing an exam or drawing an ace in Blackjack. Unfortunately, arbitrary code execution (ACE) means that an attacker can use a vulnerability to execute any code they want on a device.
In the vulnerabilities covered this week, attackers used an ACE vulnerability to install webshells and similar backdoors on vulnerable systems. The backdoor enables the attackers to potentially maintain a foothold on the system even after the vulnerability is patched.
When it comes to vulnerabilities that enable ACE, speed is the key requirement for effective patch and vulnerability management. However, some of these systems (Citrix ShareFile, Ivanti Avalanche, etc.) may fall outside of the typical patching process, which focuses on endpoints and major operating systems (Windows, macOS, Linux, etc.). An organization that cannot quickly patch these systems may need to engage a managed IT service provider (MSP) to provide temporary or ongoing support.
Here’s a roundup of the week’s major vulnerabilities that security teams should mitigate or patch.
August 18, 2023
Vulnerability Allows Code Execution When Opening WinRAR Archives
Vulnerability CVE-2023-40477 in the popular WinRAR utility allows arbitrary code execution (ACE) to be triggered automatically when an archive is opened. Rarlab released an updated version (6.23) of the software, which should be installed as soon as possible. Organizations may need to quarantine .rar, .zip and other archive file formats until the update is installed.
August 16, 2023
CISA Adds Citrix ShareFile Vulnerability to Actively-Exploited List
The Cybersecurity and Infrastructure Security Agency (CISA) added the Citrix ShareFile vulnerability CVE-2023-24489 to the list of vulnerabilities that are actively exploited by adversaries. A few small errors in the implementation of AES encryption allow unauthenticated ACE, and the security firm GreyNoise notes a significant spike in attackers trying to exploit this vulnerability.
August 15, 2023
Ivanti Avalanche EMM Vulnerable to Arbitrary Code Execution
Tenable discovered vulnerability CVE-2023-32560, which affects Ivanti’s enterprise mobility management (EMM) solution, Avalanche. Attackers can use specially crafted data packets to trigger a stack-based buffer overflow and achieve ACE without any permission check. Patches for this vulnerability and six others are available and should be applied as soon as possible.
Mandiant Scanner Detects More Than 1,900 Compromised Servers
Mandiant released a free scanner to look for indicators of compromise (IoCs) on Citrix NetScaler Application Delivery Controllers (ADC) and NetScaler Gateway Appliances. Attackers exploited CVE-2023-3519 to install webshell backdoors on servers, and Fox-IT – in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD) – scanned the internet and found over 1,900 backdoored NetScaler servers. Organizations are urged to scan, remediate, and patch these NetScaler devices.
Synopsys Discovers OpenNMS Meridian and Horizon Vulnerability
Synopsys found a permissive XML parser vulnerability, CVE-2023-0871, that affects both the open source and subscription versions of the OpenNMS network monitoring software. Patches are available now; unpatched systems remain vulnerable to malicious HTTP requests that can exfiltrate files from the server or cause denial of service.
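The OpenNMS item above comes down to an XML parser that accepts whatever entity declarations an untrusted HTTP request carries. The following Java example is added here for illustration and is not OpenNMS code or the vendor's fix; it shows how a JAXP DocumentBuilder is hardened so that a DOCTYPE in a request body is rejected before any entity is resolved. The class name, the sample request bodies and the file path are constructed placeholders.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Hypothetical helper, not part of OpenNMS.
public class HardenedXmlParser {

    // Build a DocumentBuilder that refuses DTDs and never fetches external resources.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright: no entity declarations can be parsed at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever gets through on another parser build.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);          // no XInclude of other files
        dbf.setExpandEntityReferences(false);  // no entity expansion (limits DoS-style blowup)
        return dbf.newDocumentBuilder();
    }

    // Returns true only if the body parses under the hardened configuration.
    public static boolean accepts(String body) {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(body)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A DOCTYPE triggers a SAXParseException here, before any entity is resolved.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies; the SYSTEM path is a placeholder and is never read.
        String benign = "<event><source>monitor-1</source></event>";
        String withDoctype =
            "<!DOCTYPE event [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>"
            + "<event>&ext;</event>";
        System.out.println("benign body accepted: " + accepts(benign));        // true
        System.out.println("DOCTYPE body accepted: " + accepts(withDoctype));  // false
    }
}
```

Logging the rejected request (source address and the fact that a DOCTYPE was present) at the catch site gives detection teams a usable signal for the probing this vulnerability attracts.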
Last week’s major vulnerabilities: Weekly Vulnerability Recap – August 14, 2023 – Old or New, Vulnerabilities Need Management