Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
CISA Adds Multiple Exploited Vulnerabilities
This week, CISA has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog:
- CVE-2023-41179 - Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
- CVE-2023-41991 - Apple Multiple Products Improper Certificate Validation Vulnerability
- CVE-2023-41992 - Apple Multiple Products Kernel Privilege Escalation Vulnerability
- CVE-2023-41993 - Apple Multiple Products WebKit Code Execution Vulnerability
- CVE-2018-14667 - Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
CISA, CISA Adds One Known Exploited Vulnerability to Catalog, cybersecurity advisory, 21 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/21/cisa-adds-one-known-exploited-vulnerability-catalog.
CISA, CISA Adds Three Known Exploited Vulnerabilities to Catalog, cybersecurity advisory, 25 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-exploited-vulnerabilities-catalog.
CISA, CISA Adds One Known Exploited Vulnerability to Catalog, cybersecurity advisory, 28 September 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/09/28/cisa-adds-one-known-exploited-vulnerability-catalog.
WebP Vulnerability More Widespread Than First Thought
Of course, Apple should not be singled out over that WebKit code execution vulnerability - lots of browsers (and many server systems) have had to be updated this week due to a vulnerability in the libwebp library for rendering and processing images in the WebP format.
CVE-2023-4863 was initially considered to be a heap-based buffer overflow vulnerability in the Chrome browser. The vulnerability could be exploited by a malicious web page containing a specially crafted image, giving the attacker remote code execution. However, the vulnerability is really in libwebp itself, in some heap memory allocation code in the Huffman decoding routine. The library flaw was initially tracked as CVE-2023-5129 (since retired and replaced with CVE-2023-4863).
A similar vulnerability existed in Apple's code (CVE-2023-41064) as well as Chrome (CVE-2023-4863). Furthermore, libwebp is widely used in web content management systems, including WordPress and Drupal, as well as web languages such as Python and Node.js.
As we reported earlier this month, CVE-2023-41064, in particular, was exploited in the wild before its discovery by Citizen Lab, which reported that it was being used as part of a zero-click deployment chain - called BLASTPASS - for NSO Group's Pegasus spyware.
A new report from Rezilion ties all this together rather nicely, and includes a list of affected products, including browsers, Linux distributions and other software. Rezilion also provide recommended mitigations.
Rezilion, Rezilion Researchers Uncover New Details on Severity of Google Chrome Zero-Day Vulnerability (CVE-2023-4863), blog post, 21 September 2023. Available online at https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/.
Google, An image format for the Web, developer documentation page, 14 September 2023. Available online at https://developers.google.com/speed/webp.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.