Critical Security Zero Day Vulnerabilities in Critix products - NetScaler ADC and NetScaler Gateway

Citrix, a leading technology company, has issued a warning to its customers about a critical-severity RCE vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. The severity of the issue is highlighted as critical and a CVSS score of 9.8. The exploits for this vulnerability are out in the wild and an adversary can use it to exploit Critix ADC versions up to 13.1 build 48.47.1.

If this vulnerability is not fixed, adversaries would be able to exploit it to execute remote code without any authentication. The vulnerable appliance must, however, be set up as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy), or as an authentication virtual server (often known as the AAA server), for attackers to take advantage of this security weakness.

Along with this Critix also addressed two other vulnerabilities: Reflected Cross-Site Scripting (CVE-2023-3466) and Privilege Escalation (CVE-2023-3467). Both being critical vulnerabilities, have a severity score of 8.3 and 8.0 respectively. The reflected cross-site scripting (XSS) issue requires a victim to load a link from an attacker on the same network. The Privilege Escalation vulnerability enables attackers to elevate privileges to those of a root administrator if they have authenticated access to the NetScaler appliances IP address (NSIP) or a SubNet IP (SNIP) with access to the management interface.

Accorian strongly recommends the users of NetScaler ADC and NetScaler Gateway to update to the latest versions to fix all three issues at hand. The recommended versions are:

NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Source: New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com)

Threat Advisory

Team Accorian

Article

Manufacturing Sector Vulnerable to RCE Flaw

Description PTC, a leading software provider for critical manufacturing organizations, has recently addressed an RCE flaw tracked as CVE-2024-6071. The vulnerability, rated CVSS 10, exists in the PTC Creo Elements/Direct license server. It enables unauthorized remote command execution and lateral movement within critical manufacturing and industrial organizations, including Volvo, Lufthansa, Medtronic, HP, Merck, and GE. Impact The flaw impacted the license server of Creo Elements/Direct, a direct modeling CAD software used for creating 3D designs. Although PTC claims the flaw has not been exploited, its severity prompted immediate patching. Exploitation requires network access, as the license server is typically not exposed to the internet. Affected Versions Thomas Riedmaier discovered a vulnerability in the Creo Elements/Direct license server: Versions 20.7.0.0 and earlier Remediation Apply PTC's patch for Creo Elements/Direct. Confirm that the license server is not exposed to the internet. Limit access to authorized personnel. Isolate license servers from critical systems. Monitor logs for unusual activities. Perform vulnerability scans and penetration tests. Include CVE-2024-6071 in the incident response plan. Stay updated with PTC for new patches or information. Verify security standards meet industry standards and regulations. Source: https://www.databreachtoday.com/patched-rce-flaw-that-affects-critical-manufacturing-a-25699?rf=2024-07-04_ENEWS_SUB_DBT__Slot8_ART25699&mkt_tok=MDUxLVpYSS0yMzcAAAGUHWCLsDa8Alxx89nmcsSkjc0bON4Bwse5npVDdr3B95f5QKt3z4jov6Sh9a9st3fsPv5nXDXDKzV_xxTJ6PXLupMU0TxzCH1TswlToT_AzdymozuPuw Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us at info@accorian.com

Article

Remote Code Execution Vulnerability CVE-2024-6387 in glibc-based Linux Systems

Description The Qualys Threat Research Unit issued an advisory for CVE-2024-6387 on July 1 regarding a vulnerability affecting glibc-based Linux systems that allow unauthenticated remote code execution known as “regreSSHion.” It is a regression of CVE-2006-5051, reintroduced with OpenSSH version 8.5p1. While exploitation is challenging, it can have severe impacts. Lab tests show it requires about 10,000 attempts over 6-8 hours against 32-bit hosts, with 64-bit hosts theoretically at risk but not publicly proven. Impact This vulnerability may allow attackers to escalate privileges fully if a client fails to authenticate within 120 seconds (600 seconds for legacy OpenSSH versions). Exploiting the regeSSHion vulnerability could enable attackers to: ● Fully compromise a susceptible host ● Exfiltrate sensitive data ● Propagate laterally within the network to internal hosts ● Encrypt and hold critical data for ransom Affected Versions ● OpenSSH versions before 4.4p1 ● OpenSSH versions between 8.5p1 and 9.7p1 Previous patches for CVE-2006-5051 and CVE-2008-4109 have resolved the flaw. OpenBSD systems are unaffected. OpenSSH versions in Red Hat Enterprise Linux 6, 7, and 8 are not vulnerable, as the regression was introduced in OpenSSH 8.5p1, which postdates these versions. Remediation To deal with this menace, ensure timely upgrades of OpenSSH upon patch availability. Set LoginGraceTime to 0, acknowledging the potential risk of denial of service if simultaneous connections exceed MaxStartups. Restrict SSH access to internet-exposed hosts and implement network segmentation to curtail lateral movement effectively. Source: https://www.lacework.com/blog/critical-rce-vulnerability-on-open-ssh-detecting-and-mitigating-cve-2024-6387-regre-ss-hion

Article

Snowflake Customers Hit With ‘Significant’ Data Theft In Attacks: Mandiant

Description Mandiant researchers have identified a recent breach of the Snowflake Cloud Data Platform by the Uncategorized Threat Actor Group (UNC5537) that could potentially expose approximately 165 organizations. The data theft, which occurred in mid-April 2024, appears to have exploited Snowflake's stolen customer credentials obtained through infostealer malware campaigns on non-Snowflake systems. Impact The absence of multi-factor authentication (MFA) on the affected accounts facilitated the breach. Notable organizations affected include Ticketmaster, Santander Bank, and Advance Auto Parts. Over 100 customers were confirmed as impacted. Remediation ● Add an extra layer of security by enabling MFA for all accounts. ● Strengthen Password Policies by implementing long, complex passwords and changing them regularly. ● Regularly audit and monitor accounts for suspicious activity. ● Enforce secure configurations and keep systems updated with patches. ● Conduct frequent security assessments and penetration testing. Source: https://www.crn.com/news/security/2024/snowflake-customers-hit-with-significant-data-theft-in-attacks-mandiant?itc=refresh Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us at info@accorian.com

Article

CVE-2024-23897: Check Critical Jenkins Arbitrary File Leak Vulnerability Now!

On 24 January 2024, the Jenkins team issued a security advisory disclosing a critical vulnerability that affects the Jenkins CI/CD tool. Jenkins is a Java-based open-source automation server run by over 1 million users that helps developers build, test and deploy applications, enabling continuous integration and continuous delivery. The critical vulnerability is tracked as CVE-2024-23897 and affects Jenkins 2.441 and earlier. LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces the ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system that can lead to RCE. According to security researchers from ShadowServer, there are approximately 45,000 unpatched Jenkins instances, most of which are in China (12,000) and the United States (11,830). Two Proof of Concepts (PoCs) exploits have been released to the public and could be leveraged by attackers to compromise unpatched Jenkins servers. According to the Cyber Security Agency (CSA) of Singapore, as of 30 January 2024, the vulnerability is reportedly being actively exploited. Who Is Affected? Anyone who is running Jenkins 2.441 and earlier is affected by this vulnerability. How Can I Fix It? Jenkins users are urged to upgrade to Jenkins 2.442 and LTS 2.426.3. How Can NodeZero Help? All NodeZero™️ users can run an autonomous pentest to determine if their systems are vulnerable to the Jenkins vulnerability. We also recommend running a follow-on pentest to verify that any remediation steps taken, such as patching, are effective. Example Top Weaknesses and Impacts: Example Attack Path: If you want to read more, please read Horizon3.ai’s Attack Team’s blog titled, “CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability.” Source: CVE-2024-23897: Check Critical Jenkins Arbitrary File Leak Vulnerability Now! – Horizon3.ai Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us on info@accorian.com Threat Advisory Team Accorian

Article

Log4j is back!!

Two years after disclosing the Log4Shell vulnerability (CVE-2021-44228), a critical remote code execution (RCE) flaw in the open-source Java logging utility Log4j continues to pose a significant threat. Despite widespread patching efforts, nearly one in four applications still rely on outdated Log4j libraries, rendering them susceptible to exploitation. Notably, the Lazarus hacking group has initiated a new cyber campaign called "Operation Blacksmith," targeting manufacturing, agriculture, and physical security companies globally. Exploiting the Log4Shell vulnerability, the group employs three previously unseen malware families coded in the rarely used D programming language: NineRAT: A remote access trojan (RAT) communicates via the Telegram API for command and control, data exfiltration, and persistence. DLRAT: This trojan and downloader serve to introduce additional payloads and collect system information. BottomLoader: Functioning as a downloader, it fetches and executes payloads, establishes persistence, and exfiltrates files. Over 38% of applications using Log4j remain vulnerable to security issues, including the critical Log4Shell exploit (CVE-2021-44228). This unauthenticated RCE flaw permits attackers to completely control systems utilizing vulnerable Log4j versions (2.0-beta9 through 2.15.0). Impact: Successful exploitation could allow attackers to control affected systems remotely, steal data, deploy malware, or disrupt operations. Even patched versions of Log4j (2.17) are vulnerable to another RCE bug (CVE-2021-44832). EOL versions of Log4j are susceptible to seven high and critical-rated vulnerabilities, including Log4Shell. Exploited systems can face operational disruptions, data theft, and compromised credentials. Who is Affected? Applications and systems using Log4j versions 2.0-beta9 through 2.15.0 (pre-2015 EOL versions) are directly vulnerable to Log4Shell. Applications using Log4j 2.17 are vulnerable to CVE-2021-44832. Organizations unaware of their open-source software dependencies are at increased risk. Manufacturing, agriculture, and physical security companies are the primary targets, but any organization using vulnerable Log4j is at risk. Remediation: Update Log4j to the latest patched version: Log4j 2.17.1 (Java 8) Log4j 2.13.4 (Java 7) Log4j 2.3.2 (Java 6) Implement Software Composition Analysis (SCA) tools to identify and track vulnerable libraries. Train developers on secure coding practices and open-source software security risks. Limit public exposure of VMware Horizon servers and restrict access with strong authentication. Monitor systems for suspicious activity and implement intrusion detection/prevention systems. How Can Accorian Help: Quick Detection Scan: Accorian can offer a quick detection scan to identify potential Log4Shell vulnerabilities within your systems. Furthermore, Accorian offers a range of security solutions to help you mitigate the risk of Log4Shell and other cyber threats: Vulnerability Assessment and Penetration Testing: Identify and remediate vulnerabilities in your systems, including Log4j. Security Information and Event Management (SIEM): Monitor your network for suspicious activity and detect potential breaches. Incident Response: Respond to cyberattacks quickly and effectively to minimize damage. Source: https://www.scmagazine.com/news/lazarus-group-uses-novel-malware-in-latest-log4j-campaign Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us on info@accorian.com Threat Advisory Team Accorian

Penetration Testing

Security Compliance

Security Consulting

Staffing

Resources

Case Studies

Webinars

News

Articles & Blogs

Threat Advisory

Podcast

About Us

Leadership

Contact Us

Careers

Threat Advisory