It’s that Festive Patching Season all over again and CVEs dangle like glimmering baubles on the Tree of Broken Software. Try not to doze in front of the fire: criminals do tend to strike ahead of holidays. Here’s what you need to look out for on December’s Patch Tuesday/Wednesday.
There’s a light 33 patches from Microsoft, four critical; none exploited yet. Adobe has pushed nine patches covering a notable 212 CVEs. Again, none reported exploited in the wild yet. A massive 186 of these CVEs are in Experience Manager and are all cross-site scripting (XSS) bugs.
From Microsoft, CVSS 9.6-rated CVE-2023-36019 is the most critical, on paper. This is a connector spoofing vulnerability that affects Microsoft Power Plattform and Azure Logic Apps. (A Connector is a proxy or a wrapper around an API that allows the underlying service to talk to Power Automate, Power Apps, and Azure Logic Apps. It provides a way for users to connect their accounts and leverage a set of prebuilt actions. Microsoft offers over 1,000 connectors to connect to verified services and people also build custom connectors. Spoofing them sounds like a clever attack...)
Better security for "Connectors" is coming...
As Microsoft notes in a separate advisory, "newly created custom connectors that use OAuth 2.0 to authenticate automatically have a per connector redirect URI. Existing OAuth 2.0 connectors must be updated to use a per-connector redirect URI before February 17, 2024.
- If you created your custom connectors with the web interface, edit your custom connectors, go to the Security tab and check the box, Update to unique redirect URL, and then save to enable the per connector redirect URI.
- If you created your custom connectors with multi-auth using the command line interface (CLI) tool, you need to update your connector using the CLI tool to set
"redirectMode": "GlobalPerConnector". - Once the custom connectors have been updated to use the per connector redirect URI (either through the setting in the Security tab or using the CLI tool), you should remove the global redirect URI from your OAuth 2.0 apps, and add the newly generated unique redirect URL to your OAuth 2.0 apps.
- We will enforce this update for existing OAuth 2.0 custom connectors starting on February 17, 2024. Any custom connector that has not been updated to use a per connector redirect URI will stop working for new connections, and show an error message to the user."
The vulnerability exists on the web server but requires a crafted link to be sent. If followed, a malicious script executes on the client’s browser.
Microsoft also notified affected users of this bug via the Microsoft 365 Admin Center and those running it should read the bulletin for details, i.e. it's significant enough that Microsoft notified affected customers about protective actions last month. (For mitigation, Redmond noted that "as of November 17, 2023, newly created custom connectors that use OAuth 2.0 to authenticate will automatically have a per connector redirect URI. Existing OAuth 2.0 connectors must be updated... before February 17th, 2024.")
See also: Microsoft pledges a dramatic software security overhaul, as Amazon veteran shakes the tree
This month also brings patches for a pair of critical RCE vulnerabilities in Internet Connection Sharing. As Rapid7's Adam Barnett notes: "CVE-2023-35630 and CVE-2023-35641 share a number of similarities: a base CVSS v3.1 score of 8.8, Microsoft critical severity ranking, low attack complexity, and presumably execution in SYSTEM context on the target machine, although the advisories do not specify execution context. Description of the exploitation method does differ between the two, however. CVE-2023-35630 requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. Exploitation of CVE-2023-35641 is also via a maliciously crafted DHCP message to an ICS server, but the advisory gives no further clues. A broadly similar ICS vulnerability in September 2023 led to RCE in a SYSTEM context on the ICS server. In all three cases, a mitigating factor is the requirement for the attack to be launched from the same network segment as the ICS server. It seems improbable that either of this month’s ICS vulnerabilities are exploitable against a target on which ICS is not running, although Microsoft does not explicitly deny the possibility."
Apache Struts
Cisco has also published a security advisory about a vulnerability in Apache Struts that affects myriad products containing the software, after the Apache Software Foundation disclosed the critical RCE bug, allocated CVE-2023-50164, earlier this month: "An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," the foundation explained at the time. Users should update to Struts 2.5.33, Struts 6.3.0.2 or greater.
Dial 1111 for your PLC's default password
Not strictly part of December Patch Tuesday, but another vulnerability this week that *is* being actively exploited in the wild deserves attention and was flagged by CISA on Tuesday as coming under attack. That’s CVE-2023-6448, a CVSS 9.8 vulnerability in Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector that ships with a default password of 1111.
As well as implementing strong passwords and changing that default, putting in place a Firewall/VPN in front of the PLC to control network access to the remote PLC (table stakes, but…) CISA said: “If possible, utilize a TCP port that is different than the default port TCP 20256.
“Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets,” the agency added.
December Patch Tuesday also belatedly fixes a low-severity AMD bug first disclosed in August which remains unpatched by the semiconductor company. (CVE-2023-20588 comes with the guidance that “for affected products, AMD recommends following software development best practices," per an earlier AMD bulletin. "Developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access.”
The ZDI and Qualys are among those with more details. CVE-2023-36019 aside it doesn't look too bad this month. Have another mince pie.
