The Bug Report – August 2023 Edition

By Trellix · September 6, 2023
This blog was written by Charles McFarland

Why am I here?

Welcome back to The Bug Report, the hotter-than-hell Texas edition! For those still unfamiliar with our monthly escapades, every month our trusty Advanced Research Center vulnerability research team filters through a month’s worth of bugs to ensure you are aware of the most critical. This month, we do so in 105°F (~41°C) heat to ensure we actually do put our sweat and tears into it. So, sit back, grab an ice-cold drink, and enjoy.

August brings us four bugs worth paying attention to. Three of these are being actively exploited, and the last has publicly available POC code to play with, so the threats (like the heat) are far from hypothetical:

• CVE-2022-40982 (aka Downfall): Intel Processors
• CVE-2023-38831: RARLAB WinRAR
• CVE-2023-32315: Ignite Realtime Openfire
• CVE-2023-38035: Ivanti Sentry

CVE-2022-40982: If it has its own marketing team, it must be important, right?

What is it?

CVE-2022-40982, also known as Downfall, has a catchy name, its own icon, and an official domain! That should be evidence it’s a big deal, right? Not always, but in this case it certainly is. A researcher named Daniel Moghimi discovered two new attack techniques targeting Intel processors: Gather Data Sampling (GDS) and Gather Value Injection (GVI), that allow an attacker to extract information during speculative execution of the Gather instruction. This essentially bypasses normal OS and hardware protections put in place to prevent users from accessing other user data.

This can cross the boundaries of even trusted computing environments like Intel Software Guard Extensions (SGX) as well as virtual machines, meaning cloud computing environments (where many users share the same physical hardware) are also affected. Moghimi proved he could extract information like 128-bit and 256-bit AES keys among other sensitive data using this approach. He wrote a whole paper on his findings and even conveniently released POC code for anyone wanting to play around and try it themselves. Just be careful where you run your experiments–this thing has no regard for sandboxes, and we suspect “I was just playing around” isn’t much of a legal defense.

Who cares?

The reason this is such a critical vulnerability is that nearly every Intel processor user is affected. If you purchased your Intel-powered computing device after 2014, it’s almost certainly vulnerable. Given Intel’s dominant market share in the server space, any web or cloud service you use is also very likely to be affected. Barring our sizeable Amish readership, we suspect anyone reading this is exposed to this bug one way or another. While this is not currently exploited in-the-wild (unlike the other bugs on our list), the fact that POC code is available only makes this a matter of time.

What can I do?

Intel recommends that you update to the latest firmware immediately to protect yourself against this vulnerability, and of course we recommend the same. Getting these firmware updates should be your top priority.

CVE-2023-38831: Why trade when you can steal!

What is it?

Why trade when you can steal? I’ll tell you why. You’ll catch the attention of several three letter agencies and find yourself behind a set of bars hoping that today is Jello Day. Stealing is bad but some miscreants just don’t seem to get the message. Such is the case with the threat actors behind the CVE-2023-38831 exploit. Since April of this year, bad guys have been exploiting this vulnerability in WinRAR to steal from crypto and stock traders. Victims simply need to open a malicious .RAR or .ZIP file with trusty ol’ WinRAR and click on seemingly innocuous files such as jpegs or text files. The exploit then launches a script that will download additional malware to infect the system.

Who cares?

The campaign has been going on since April as far as we know. If you are a trader and are an avid user of WinRAR (as we all have been at one point), maybe you should go check your MetaMask and make sure everything is still there. Even if you don’t trade, you still aren’t out of the woods yet. Now that the cat is out of the bag, POCs have been popping up like this POC generator on GitHub. Since it has become common knowledge, we expect other groups to be targeted as well.

What can I do?

Ensure you are on WinRAR 6.23 or later. This takes care of the vulnerability among other things. Keep your security products up to date, as Trellix can stop known samples in their tracks, including ones associated with the CVE-2023-38831 exploitation campaign." As a general practice, you should be cautious of opening any files, especially compressed files, from unknown or untrusted sources. That also goes for known and untrusted sources for those of you who have that one “friend.” As for unknown but trusted sources... wait, can that even happen? The point here is to be cautious about opening files from others.

CVE-2023-32315: Putting out fires...

What is it?

Back in May, Ignite released details of a vulnerability impacting their Realtime Openfire servers, CVE-2023-32315. This was a very severe path traversal bug impacting the admin console and granting a bad actor admin access to the server and Openfire infrastructure. Skip ahead to August, and there is a new resurgence in reports of compromise, bringing to question if there is a new exploit going around.

According to Ignite, the answer is “no.” Instead, some of you have decided that patching isn’t all that important (despite our monthly insistence to the contrary) and now things have gone south.

The official explanation is that bad actors have automated the attack and if you’re not patched by now, you’re likely compromised. Given how easy it was for us to find POCs for this exploit, we would agree with that conclusion.

Who cares?

Given that there are over 9 million downloads of the server and current reports of in-the-wild exploits, anyone hosting a Realtime Openfire server should check their version and ensure they are patched up. If you’re not, assume you’re compromised and proceed from there. If you are patched up, keep an eye on the issue since there seems to be some disagreements about whether the old patch fixed the problem.

What can I do?

Read the official advisory, follow the suggestions, and make sure you are patched and on version 4.6.8, 4.7.5, 4.8.0, or higher. When you’re hosting your own public-facing server, it is important that you keep a close eye on official announcements and implement any patches as soon as possible. Ensuring your IPS is properly configured and updated can protect you until you can get your servers updated. Trellix IPS customers in particular can breathe a bit easier, as they are covered for this vuln via signature 0x452D9700. You may have fallen a bit behind, but we’ve got your back!

CVE-2023-38035: Thou shall not pass! (unless you say, "pretty please”)

What is it?

It’s an unfortunate day when software meant to protect your data ends with an exploitable bug. Development is hard and vulnerabilities happen to the best of us. But we are in the business of squashing bugs, so let's squash some bugs!

Ivanti Sentry, an in-line gateway designed to protect enterprise resources like SharePoint and Exchange, was hit with in-the-wild attacks this month using CVE-2023-38035, a low complexity improper authentication bypass vulnerability. By exploiting the vulnerability, an actor can gain administrative privileges to the server and root access to the OS. According to the vendor, only a limited number of APIs from an endpoint can be used to exploit the vulnerability. Even so, POCs have been available for this exploit for at least five days, so we can expect other actors to jump on the bandwagon to try to take advantage.

Who cares?

If you’re running Ivanti Sentry and haven’t yet run their RPM script, you need to jump to it. You can find details on how to do this on their official knowledgebase. While Ivanti mentions only a limited number of APIs from an endpoint can be used to exploit the vulnerability, we haven’t found a list of them. Regardless, there is enough technical information here, paired with the POCs mentioned above, for anyone committed enough to find out. You should assume that your endpoint has the impacted capabilities and get to patching.

What can I do?

Go to the knowledgebase and follow the instructions to run the RPM on your server. A fully patched server should be numbered 9.16.0a, 9.17.0a, or 9.18.0a. There are unfortunately no public Indicators-of-Compromise, so you’ll have to review your server and network traffic for anything suspicious and work from there.

Get the latest cybersecurity insights from our LinkedIn Digest. Subscribe on LinkedIn