Tag Archive for: 0day

Xfinity waited 13 days to patch critical Citrix Bleed 0-day. Now it’s paying the price

/in


A parked Comcast service van with the
Enlarge / A Comcast Xfinity service van in San Ramon, California on February 25, 2020.

Getty Images | Smith Collection/Gado

Comcast waited 13 days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with password data and other sensitive information belonging to 36 million Xfinity customers.

The breach, which was carried out by exploiting a vulnerability in network hardware sold by Citrix, gave hackers access to usernames and cryptographically hashed passwords for 35.9 million Xfinity customers, the cable TV and Internet provider said in a notification filed Monday with the Maine attorney general’s office. Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it.

“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”

Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division.

Citrix Bleed has emerged as one of the year’s most severe and widely exploited vulnerabilities, with a…

Source…

Google 0-day browser bug under attack, patch available

/in


Google patched a zero-day bug being exploited in the wild that is tied to its Chrome browser and ChromeOS software. The flaw allows an attacker, who is able to compromise the browsers rendering process, to bypass sandbox security measures and execute remote code or access sensitive data.

Tracked as CVE-2023-6345 and rated by Google as a high priority fix, the vulnerability is an integer overflow bug in Chrome’s open source 2D graphics library called Skia. Google is withholding technical details of the vulnerability until fixes have been rolled out to a majority of users and vendors who use the Chromium browser engine in their products.

The patch, which impacts versions of Chrome prior to 119.0.6045.199, is one of seven security updates the company released on Tuesday.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” the Google security bulletin stated.

The Skia flaw is an integer overflow that opens unpatched software to a “remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file.”

An attack that involves exploiting a sandbox escape allows an adversary to “break out of a secure or quarantined environment (sandbox)… An attacker could use a sandbox escape to execute malicious code on the host system, access sensitive data, or cause other types of harm,” according to a NordVPN description.

Part of Google’s security bulletin also included patches high-severity bugs including:

The announcement is the latest zero-day bug to affect the popular web browser from Google this year. 

The company patched another zero-day, CVE-2023-5217, in September that was described as a heap buffer overflow in vp8 encoding in the libvpx free codec library that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Source…

Cisco security appliance 0-day is under attack by ransomware crooks

/in


Cisco Systems headquarters in San Jose, California, US, on Monday, Aug. 14, 2023. Cisco Systems Inc. is scheduled to release earnings figures on August 16. Photographer: David Paul Morris/Bloomberg via Getty Images
Enlarge / Cisco Systems headquarters in San Jose, California, US, on Monday, Aug. 14, 2023. Cisco Systems Inc. is scheduled to release earnings figures on August 16. Photographer: David Paul Morris/Bloomberg via Getty Images

Cisco on Thursday confirmed the existence of a currently unpatched zero-day vulnerability that hackers are exploiting to gain unauthorized access to two widely used security appliances it sells.

The vulnerability resides in Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense, which are typically abbreviated as ASA and FTD. Cisco and researchers have known since last week that a ransomware crime syndicate called Akira was gaining access to devices through password spraying and brute-forcing. Password spraying, also known as credential stuffing, involves trying a handful of commonly used passwords for a large number of usernames in an attempt to prevent detection and subsequent lockouts. In brute-force attacks, hackers use a much larger corpus of password guesses against a more limited number of usernames.

Ongoing attacks since (at least) March

“An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials,” Cisco officials wrote in an advisory. “A successful exploit could allow the attacker to achieve one or both of the following:

  • Identify valid credentials that could then be used to establish an unauthorized remote access VPN session.
  • Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier).

The ASA is an all-in-one security device that provides firewall, antivirus, intrusion prevention, and virtual private network protections. The FTD is Cisco’s next-generation device that combines the ASA capabilities with a finer-grained management console and other more advanced features. The vulnerability, tracked as CVE-2023-20269, stems from the devices’ improper separation of authentication, authorization, and accounting in remote access among their VPN, HTTPS management, and site-to-site…

Source…

One 0-day; Win 7 and 8.1 get last-ever patches – Naked Security

/in


As far as we can tell, there are a whopping 2874 items in this month’s Patch Tuesday update list from Microsoft, based on the CSV download we just grabbed from Redmond’s Security Update Guide web page.

(The website itself says 2283, but the CSV export contained 2875 lines, where the first line isn’t actually a data record but a list of the various field names for the rest of the lines in the file.)

Glaringly obvious at the very top of the list are the names in the Product column of the first nine entries, dealing with an elevation-of-privilege (EoP) patch denoted CVE-2013-21773 for Windows 7, Windows 8.1, and Windows RT 8.1.

Windows 7, as many people will remember, was extremely popular in its day (indeed, some still consider it the best Windows ever), finally luring even die-hard fans across from Windows XP when XP support ended.

Windows 8.1, which is remembered more as a sort-of “bug-fix” release for the unlamented and long-dropped Windows 8 than as a real Windows version in its own right, never really caught on.

And Windows RT 8.1 was everything people didn’t like in the regular version of Windows 8.1, but running on proprietary ARM-based hardware that was locked down strictly, like an iPhone or an iPad – not something that Windows users were used to, nor, to judge by the market reaction, something that many people were willing to accept.

Indeed, you’ll sometimes read that the comparative unpopularity of Windows 8 is why the next major release after 8.1 was numbered Windows 10, thus deliberately creating a sense of separation between the old version and the new one.

Other explanations include that Windows 10 was supposed to be the full name of the product, so that the 10 formed part of the brand new product name, rather than being just a number added to the name to denote a version. The subsequent appearance of Windows 11 put something of a dent in that theory – but there never was a Windows 9.

The end of two eras

Well, this month sees the very last security updates for the old-school Windows 7 and Windows 8.1 versions.

Windows 7 has now reached the end of its three-year pay-extra-to-get-ESU period (ESU is short for extended security updates), and…

Source…