Daily Brief
Summaries below are generated automatically. Total articles found: 12611. New stories are checked for every ~15 minutes.
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-15 07:53:48 | thehackernews | CYBERCRIME | Intel CPU Flaw Threatens Virtualized Environments; Patches Released | Intel patched a high-severity vulnerability, codenamed Reptar, affecting desktop, mobile, and server CPUs. The CVE-2023-23583 vulnerability, with a CVSS score of 8.8, could lead to privilege escalation, information disclosure, or denial of service. Google Cloud identified the severe impact in multi-tenant virtualized environments, where exploitation on a guest machine could crash the host. Researcher Tavis Ormandy found the flaw could be used to corrupt system state and cause a machine-check exception. Intel issued microcode updates in November 2023 for all affected processors; a full list of impacted CPUs is available. No evidence currently suggests active exploitation of this vulnerability; malicious use requires the ability to execute arbitrary code on the target. The release of Intel's patches coincided with AMD addressing a separate vulnerability, CacheWarp (CVE-2023-20592), affecting AMD processors. |
| 2023-11-15 05:46:30 | thehackernews | CYBERCRIME | Microsoft Patches Multiple Zero-Days Under Active Exploitation | Microsoft has released patches for 63 security issues, including five new zero-day vulnerabilities, three of which are actively being exploited. Among the vulnerabilities, three are rated Critical, 56 Important, and four Moderate in severity, with updates also covering over 35 Edge browser issues. CVE-2023-36033 and CVE-2023-36036 enable SYSTEM privilege escalation, while CVE-2023-36025 allows bypassing of Windows Defender SmartScreen checks. Microsoft has not provided detailed information on the exploitation tactics or the identities of the threat actors using these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these three exploited vulnerabilities to its KEV catalog, advising federal agencies to apply the patches by December 5, 2023. The update includes critical fixes for remote code execution flaws and a significant heap-based buffer overflow flaw in the curl library. An information disclosure vulnerability in Azure CLI could permit attackers to access plaintext passwords and usernames; Microsoft has now hardened Azure CLI commands to prevent secret exposure. Security updates from other vendors have also been issued to address additional vulnerabilities. |
| 2023-11-15 04:20:03 | thehackernews | CYBERCRIME | Critical VMware Cloud Director Vulnerability Pending Patch | VMware has issued a warning about a critical, unaddressed security vulnerability (CVE-2023-34060) in Cloud Director. The flaw, rated 9.8 in severity, allows attackers to bypass authentication on instances upgraded to version 10.5 via ports 22 and 5480. This authentication bypass does not affect new installations of VMware Cloud Director Appliance 10.5 or access through port 443. The vulnerability originates from an outdated version of sssd in Photon OS, which VMware Cloud Director utilizes. Dustin Hartle from Ideal Integrations is credited with discovering the issue, which has not yet been resolved by VMware. A temporary workaround is available through a provided shell script, which requires no system downtime and does not impact functionality. This advisory follows recent patches for another significant vulnerability in VMware's vCenter Server. |
| 2023-11-15 00:41:01 | theregister | DATA BREACH | Microsoft and VMware Patch Critical Security Flaws Amidst Patch Tuesday Updates | Microsoft's November Patch Tuesday remediated roughly 60 vulnerabilities, including three exploited in the wild. CVE-2023-36033 and CVE-2023-36036 are critical Windows vulnerabilities allowing elevation of privilege to SYSTEM level. A Windows Defender SmartScreen bypass (CVE-2023-36025) exploited in phishing campaigns was among the patched vulnerabilities. Two other vulnerabilities, CVE-2023-36038 (DoS in ASP.NET Core) and CVE-2023-36413 (Microsoft Office security bypass), are publicly known but not yet exploited. The highest-severity issue from Microsoft, CVE-2023-36397, rated 9.8, allows remote code execution in specific Windows environments. An Azure Command Line Interface flaw (CVE-2023-36052) disclosed sensitive information, leading to changes across multiple Microsoft products. Adobe released patches for 76 flaws across various products, but none of these had been actively exploited. VMware addressed CVE-2023-34060, a critical authentication bypass vulnerability in Cloud Director appliances. |
| 2023-11-15 00:10:13 | bleepingcomputer | CYBERCRIME | U.S. FBI Dismantles Global IPStorm Botnet; Operator Pleads Guilty | The FBI has successfully dismantled the IPStorm botnet, a network that allowed cybercriminals to anonymously channel malicious traffic. The Russian-Moldovan national behind IPStorm, Sergei Makinin, pleaded guilty to computer fraud charges with a potential sentence of up to 10 years in prison. IPStorm facilitated anonymous online activity for scammers by utilizing over 23,000 proxies across various device platforms, including Windows, Linux, Mac, and Android. Victims of the botnet had their devices commandeered for cybercrime use, resulting in bandwidth theft and the potential for further malware infection. The botnet operated from at least June 2019 to December 2022, turning infected devices into proxies as part of a profitable scheme advertised on Makinin's websites. Makinin profited at least $550,000 from selling proxy services and has agreed to forfeit the cryptocurrency derived from the criminal proceeds. Though the botnet infrastructure has been taken down, affected victim computers have not been addressed by the law enforcement operation. Law enforcement agencies from several countries, including Spain, the Dominican Republic, and the U.S., collaborated in the investigation and takedown of the IPStorm network. |
| 2023-11-14 23:34:21 | bleepingcomputer | CYBERCRIME | Critical SQL Injection Flaw Threatens 600K WordPress Sites | The WP Fastest Cache plugin for WordPress has a severe SQL injection vulnerability, potentially affecting over 600,000 websites. Unauthenticated attackers can exploit the vulnerability to access sensitive information from the site's database. WP Fastest Cache is a popular plugin that enhances website performance and search engine ranking by improving page load times. The specific flaw is within the 'is_user_admin' function, where unsanitized user input can lead to database access and data leakage. WordPress site databases often contain personal user data, passwords, and configuration settings, all of which could be compromised. Security team WPScan from Automattic released the vulnerability details, tracked as CVE-2023-6063 with a high-severity score of 8.6. A proof-of-concept (PoC) exploit will be published by WPScan, raising the urgency for administrators to patch the issue. The developer of WP Fastest Cache has released an updated version (1.2.2) that patches the vulnerability, and users are urged to update immediately. |
| 2023-11-14 23:29:09 | theregister | MALWARE | Russian Cybercriminal Admits to Creating Profitable IPStorm Botnet | Russian and Moldovan national Sergei Makinin pleaded guilty to building and operating the IPStorm botnet, which commandeered tens of thousands of machines worldwide. The IPStorm botnet, which relied on the IPFS protocol, allowed illegal activities to be masked as legitimate IPFS traffic and infected Windows, Mac, Linux, and Android devices. Makinin utilized the botnet as a proxy network service, selling access to infected devices to clients wanting to hide their Internet activities, and made over $500,000. The FBI successfully dismantled the botnet, and Makinin faces up to 30 years in prison if convicted on all three counts of computer misuse. Despite the dismantling of IPStorm, concerns remain about the potential abuse of the IPFS platform for hosting malicious content, including future botnets. Trustwave researchers have highlighted the challenges of IPFS's decentralized nature, which allows data persistence and poses concerns for regulation and control of malicious activities. |
| 2023-11-14 23:18:50 | bleepingcomputer | MALWARE | Intel Patches High-Severity 'Reptar' CPU Security Flaw | Intel has fixed a high-severity CPU flaw affecting desktop, server, mobile, and embedded processors, including its latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures. The vulnerability, identified as CVE-2023-23583, could enable attackers to escalate privileges, access sensitive data, or cause denial of service disruptions. Intel's internal security validation identified the potential for privilege escalation under certain microarchitectural conditions involving a 'Redundant Prefix Issue' with the REP MOVSB instruction. The flaw has been mitigated with microcode updates for affected processors, and system owners are advised to update their BIOS and system software. The issue, which Intel believes will not be encountered by non-malicious real-world software, was also independently discovered by Google researchers, who named it 'Reptar.' The vulnerability relates to unexpected CPU behavior when handling redundant prefixes, which could compromise CPU security boundaries if exploited. |
| 2023-11-14 21:46:53 | bleepingcomputer | CYBERCRIME | VMware Warns of Critical Authentication Bypass Vulnerability | VMware has disclosed an unpatched, critical authentication bypass vulnerability in its Cloud Director appliance. The flaw only affects VCD Appliance 10.5 installations that have been upgraded from older versions, not fresh installs or other deployments. The vulnerability permits unauthenticated remote attackers to exploit the system without user interaction, specifically on ports 22 (SSH) and 5480 (appliance management console). No patch is currently available, but VMware has provided a temporary workaround involving a custom script that doesn't disrupt functionality or require system downtime. Past security issues addressed by VMware included an ESXi zero-day exploited by Chinese hackers and a severe bug in the Aria Operations for Networks tool. The company has actively engaged in patching critical vulnerabilities, including one in October for the vCenter Server which could lead to remote code execution attacks. |
| 2023-11-14 20:35:12 | bleepingcomputer | MALWARE | CacheWarp Attack Compromises Linux VMs on AMD CPUs | Researchers have disclosed a new fault injection attack, named CacheWarp, targeting AMD SEV-protected virtual machines. CacheWarp can escalate privileges, allowing hackers to obtain root access and execute remote code. The attack exploits CVE-2023-20592, a vulnerability in AMD's Secure Encrypted Virtualization technologies (SEV-ES and SEV-SNP). Researchers demonstrated CacheWarp's ability to recover RSA private keys, bypass OpenSSH authentication, and gain root access via sudo. CacheWarp manipulates cache line write-back behavior, potentially reverting variable states and altering a program's control flow. AMD acknowledges the vulnerability in the INVD instruction on certain processors; its latest 4th Gen 'Genoa' EPYC CPUs are not affected. AMD released a hot-loadable microcode patch and updated firmware for 3rd Gen EPYC processors to mitigate CacheWarp without impacting performance. |
| 2023-11-14 20:04:24 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Targets Unpatched Citrix Servers Globally | LockBit ransomware is leveraging the Citrix Bleed vulnerability (CVE-2023-4966) to launch attacks against large organizations. Citrix has released patches for CVE-2023-4966, but over 10,000 servers globally have yet to apply the fixes, exposing a significant attack surface. High-profile organizations like the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing are reported victims, primarily through their vulnerable Citrix servers. The US Treasury has acknowledged the exploitation of this vulnerability by LockBit in a cyberattack against ICBC. LockBit operates as a Ransomware-as-a-Service, with various affiliates conducting attacks; the current campaign is likely driven by an affiliate specifically using the Citrix Bleed flaw. Vulnerable servers are mainly concentrated in the US, Germany, China, and the UK, with critical organizations at risk across multiple countries. The Citrix Bleed vulnerability enables attackers to steal sensitive session tokens after multi-factor authentication has completed, providing them with unauthorized access to system information. |
| 2023-11-14 19:02:59 | bleepingcomputer | MALWARE | Microsoft Remedies 58 Flaws, Including Five Zero-Days | Microsoft's November 2023 Patch Tuesday features security updates for 58 vulnerabilities and 5 zero-day issues. RCE vulnerabilities have been addressed, with one flagged as critical, alongside critical flaws in Azure, Windows ICS, and Hyper-V. Five zero-day vulnerabilities were corrected, including three that were actively exploited and three that were publicly disclosed. Exploited zero-days include flaws in Windows Cloud Files Mini Filter Driver, Windows DWM Core Library, and Windows SmartScreen, which could lead to SYSTEM-level privileges or security feature bypass. Two additional zero-day vulnerabilities in Microsoft Office and ASP.NET Core, while publicly disclosed, were not known to be exploited in the wild. The security updates are part of Microsoft's routine to proactively mitigate risks alongside other vendor updates this month. |
| 2023-11-14 18:45:32 | thehackernews | CYBERCRIME | New CacheWarp Exploit Threatens AMD Secure Virtual Machines | Researchers disclosed a vulnerability in AMD Secure Encrypted Virtualization (SEV) technology, which could be exploited to infiltrate and escalate privileges within encrypted virtual machines (VMs). The attack, named CacheWarp (CVE-2023-20592), was identified by CISPA Helmholtz Center for Information Security and targets AMD CPUs supporting all variants of SEV, including SEV-SNP. SEV-SNP, designed to protect against malicious hypervisor activities by encrypting VM memory, was found to be susceptible to CacheWarp, potentially enabling attackers to control the VM's execution flow. Two attack primitives demonstrated were "timewarp," which tricks the computer into re-executing old code with new data, and "dropforge," which resets changes in VM data, such as bypassing OpenSSH authentication or granting unauthorized admin privileges. AMD has released a microcode update to address the issue, but the discovery suggests that even AMD's claims of comprehensive integrity protection can be circumvented. This revelation comes shortly after the same CISPA researchers unveiled a power side-channel attack, Collide+Power (CVE-2023-20583), that affects CPUs across several manufacturers, including Intel and AMD. |
| 2023-11-14 18:45:31 | bleepingcomputer | CYBERCRIME | Microsoft Patches Azure CLI Bug to Prevent Credential Exposure | Microsoft has rectified a severe security flaw in Azure CLI that risked credential exposure in GitHub Actions and Azure DevOps logs. The vulnerability, identified as CVE-2023-36052, was discovered by Palo Alto's Prisma Cloud team and could allow unauthenticated remote access to plaintext credentials. Users must upgrade to Azure CLI version 2.53.1 or later to mitigate risks associated with this issue, which also affected log files from Azure DevOps and GitHub Actions. Security notifications were issued to customers who may have used vulnerable Azure CLI commands, prompting them to update via the Azure Portal. Microsoft has updated Azure CLI to prevent the inadvertent disclosure of sensitive data, with defaults now restricting secrets in output for App Service-related updates. Broader credential redaction has been implemented across GitHub Actions and Azure Pipelines, although not all secret patterns are currently covered. Microsoft is working on expanding and optimizing secret pattern detection to further safeguard against unintentional data leaks in CI/CD log outputs. |
| 2023-11-14 18:35:10 | theregister | CYBERCRIME | Flaw in AMD SEV Technology Compromises Trusted Execution | A group of researchers discovered a vulnerability in AMD's Secure Encrypted Virtualization (SEV) technology, named CacheWarp. CacheWarp allows an attacker to create memory inconsistencies by interrupting context switches, potentially leading to arbitrary code execution or data exposure. The technique involves the use of the APIC timer to induce selective state resets, undermining the SEV's protection mechanisms. The vulnerability affects all versions of AMD SEV, including enhancements like SEV-ES and SEV-SNP, with the latter being more resistant but still vulnerable. CacheWarp is a software-fault attack, not a side-channel or transient execution attack, and operates by introducing errors in page table entries. The researchers demonstrated CacheWarp's potential by extracting private keys, accessing an OpenSSH server without credentials, and gaining root privileges via sudo. AMD was informed about the issue on April 25, 2023, and has plans to release a microcode patch for SEV-SNP and an SEV firmware update for Zen 3 EPYC Milan CPUs. A hardware-level fix is ultimately necessary, and AMD is scheduled to publish details in an upcoming bulletin. |