Tag Archive for: patches

Cisco Patches Two Dangerous Zero-Day Vulnerabilities


The vulnerabilities, one of which was rated critical and one of which was rated highly severe, affect Cisco IOS XE software.


Cisco has patched two zero-day vulnerabilities in the web UI of Cisco IOS XE software that were being exploited to take over devices running it, such as routers and switches.

The update, including the patches, is available at Cisco’s software download portal. Customers who do not have a Cisco service contract or cannot obtain fixed software through their third-party vendors can contact Cisco support.


Cisco Talos Intelligence Group releases fixes and new curl command for IOS XE vulnerability

Fixes for CVE-2023-20198 and CVE-2023-20273 started to roll out on October 22, the Cisco Talos Intelligence Group wrote in a threat advisory updated on October 23.

The fixes appear in the 17.9.4a update to the 17.9 Cisco IOS XE software release train, according to the U.S. Cybersecurity & Infrastructure Security Agency.

CVE-2023-20198 allows a remote, unauthenticated attacker to abuse the web UI of Cisco IOS XE software to create an account with privilege level 15, the highest administrative level. CVE-2023-20273 allows an attacker who already holds privilege level 15 to inject commands that run as root on the underlying system; chained together, the two give an unauthenticated attacker root on the device. In the Common Vulnerability Scoring System, CVE-2023-20198 is rated critical (10.0) and CVE-2023-20273 is rated high (7.2).

On October 22, Cisco provided a new curl command to check for infected devices. The curl command can be found in the threat advisory.

On October 23, the Cisco Talos Intelligence Group identified an updated version of the implant that allows the attackers to execute arbitrary commands at the system (shell) level or at the IOS CLI level (Figure A). The fixes also address this updated implant. The revised implant, together with Fox-IT's finding that the attackers had altered it so that it no longer answers the original probe (which is why infected devices appeared to vanish from internet-wide scans), shows that the vulnerability is still being exploited.

Figure A

The updated malicious implant used as part of the exploitation of the vulnerability. Image: Cisco Talos Intelligence Group
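The curl check above, and the Authorization-header variant for the updated implant, can be run across an inventory rather than one device at a time. The script below is an added example written for this page, not Cisco's or Talos's code: it POSTs to /webui/logoutconfirm.html?logon_hash=1 the way the advisory's curl command does and flags any device whose reply is a bare hexadecimal string, which is the indicator the advisory describes. The Authorization header value for the revised implant is deliberately not reproduced here; take it from the Talos advisory and pass it as the first argument. The fetch hook, host addresses and reply bodies used for testing are constructed.

```python
"""
Added example (not Cisco's or Talos's code): run the advisory's implant check
against a list of IOS XE devices and classify each reply.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Path used by the curl command in the Talos advisory. An implanted device
# answers a POST here with a bare hexadecimal string; a clean web UI does not.
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# A reply that is nothing but hex digits is the indicator the advisory describes.
# A range of lengths is accepted so a change in the implant's hash length is not missed.
HEX_ONLY = re.compile(r"[0-9a-fA-F]{8,64}")

# (url, headers, timeout) -> (http status, body). Injectable so the logic can be
# exercised offline against constructed replies.
Fetch = Callable[[str, Dict[str, str], float], Tuple[int, str]]


def looks_like_implant_reply(body: str) -> bool:
    """True when the whole (stripped) body is a hex string."""
    return HEX_ONLY.fullmatch(body.strip()) is not None


def https_post(url: str, headers: Dict[str, str], timeout: float) -> Tuple[int, str]:
    """POST with TLS verification disabled, mirroring `curl -k` (IOS XE web UI
    certificates are usually self-signed). Returns (status, body) even for 4xx/5xx."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_device(host: str, auth_value: Optional[str] = None,
                 fetch: Fetch = https_post, timeout: float = 10.0) -> Tuple[str, str]:
    """Return (verdict, detail) for one device; verdict is 'implant', 'clean' or 'error'.

    The first probe is the original unauthenticated check. If it looks clean and
    auth_value is given, the probe is repeated with an Authorization header, which is
    how the advisory's updated curl command reaches the revised implant that ignores
    unauthenticated probes. The header value itself must come from the advisory.
    """
    url = f"https://{host}{IMPLANT_CHECK_PATH}"
    probes: List[Dict[str, str]] = [{}]
    if auth_value:
        probes.append({"Authorization": auth_value})
    last_status: Optional[int] = None
    for headers in probes:
        try:
            status, body = fetch(url, headers, timeout)
        except Exception as exc:  # connection refused, timeout, TLS failure, ...
            return "error", f"{type(exc).__name__}: {exc}"
        if looks_like_implant_reply(body):
            which = "updated implant" if headers else "implant"
            return "implant", f"{which}: reply {body.strip()}"
        last_status = status
    return "clean", f"no hex reply (last HTTP status {last_status})"


def scan(hosts: List[str], auth_value: Optional[str] = None,
         fetch: Fetch = https_post) -> Dict[str, Tuple[str, str]]:
    """Check every host and map it to its (verdict, detail)."""
    return {h: check_device(h, auth_value, fetch) for h in hosts}


if __name__ == "__main__":
    # usage: python check_iosxe_implant.py [AUTH_HEADER_VALUE] < hosts.txt
    auth = sys.argv[1] if len(sys.argv) > 1 else None
    targets = [line.strip() for line in sys.stdin if line.strip()]
    for host, (verdict, detail) in scan(targets, auth).items():
        print(f"{host:20} {verdict:8} {detail}")
```

Two caveats when reading the results. A "clean" verdict only says the implant is not answering right now: the implant does not survive a reboot, but a privilege-15 account created through CVE-2023-20198 does, so devices should also be reviewed for unexpected local users and configuration changes. And every probe is a request to the device's web UI, so run it from the management network and keep the timeout short; an unreachable or filtered device comes back as "error", not "clean".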

The IOS XE vulnerabilities were first discovered on September 28

Cisco first began to suspect something was wrong on…

Source…

Yikes: Apple Patches 3 New Zero-Day Exploits for iOS, MacOS


Apple today released a fix for a trio of iOS vulnerabilities that hackers may already be exploiting.

Apple issued emergency patches for iOS 16 and the newly launched iOS 17, as well as iPadOS, Safari, watchOS and macOS Ventura and Monterey. 

Although details are thin, the vulnerabilities were discovered by two security researchers, according to Apple. The first, Bill Marczak, works for Citizen Lab, a watchdog group that investigates spyware attacks from commercial surveillance companies. The other, Maddie Stone, is a researcher at Google’s Threat Analysis Group, which is dedicated to protecting users from state-sponsored hackers and commercial spyware dealers. 

Google and Citizen Lab didn’t immediately respond to requests for comment. But it’s likely the two security researchers uncovered the vulnerabilities while investigating an attack on user devices. The fixes also come two weeks after Citizen Lab discovered a new iOS attack allegedly from notorious spyware dealer NSO Group that infected a device belonging to an employee at a “Washington DC-based civil society organization.”  

The first vulnerability, CVE-2023-41993, involves WebKit, the browser engine for Safari. The researchers found that the engine can be manipulated into executing rogue code when it processes certain web content. Hence, the vulnerability could be paired with a malicious message or website to trigger an iPhone into downloading malware.

The second vulnerability, CVE-2023-41992, can affect iOS’s kernel, the core part of the operating system. Exploiting this bug can help an attacker elevate their privileges over the OS, enabling them to install programs or gain access to sensitive data. 

Meanwhile, the third vulnerability, CVE-2023-41991, can allow a malicious app to potentially “bypass signature validation,” enabling an attacker to circumvent the security check Apple uses to verify an iOS app is safe and legitimate. 


All three vulnerabilities also affect macOS Ventura, with Apple warning, “additional CVE entries coming soon,” a sign that other exploits have been found. 

To update an iPhone, go to Settings > General > Software Update. The device can also…

Source…

Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones


Apple announced on Thursday that its latest operating system updates patch three new zero-day vulnerabilities. Based on the previous work of the organizations credited for reporting the flaws, they have likely been exploited by a spyware vendor.

The zero-days are tracked as CVE-2023-41991, which allows a malicious app to bypass signature verification, CVE-2023-41992, a kernel flaw that allows a local attacker to elevate privileges, and CVE-2023-41993, a WebKit bug that can be exploited for arbitrary code execution by luring the targeted user to a malicious webpage. 

Apple patched some or all of these vulnerabilities in Safari, iOS and iPadOS (including versions 17 and 16), macOS (including Ventura and Monterey), and watchOS.

It’s worth noting that while each of these operating systems is impacted by the zero-days, Apple said it’s only aware of active exploitation targeting iOS versions before 16.7.

Apple has not shared any information about the attacks exploiting the new vulnerabilities. However, considering that they were reported to the tech giant by researchers at the University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group, they have likely been exploited by a commercial spyware vendor to hack iPhones. 

Citizen Lab and Apple recently investigated attacks involving a zero-day identified as CVE-2023-41064. That security hole, part of a zero-click exploit chain named BLASTPASS, was used to deliver the NSO Group’s notorious Pegasus spyware to iPhones.

In an attack investigated by Citizen Lab, the spyware was delivered to an employee at an international civil society organization based in Washington DC. 


CVE-2023-41064 is a buffer overflow in Apple’s handling of WebP images in ImageIO. The underlying libwebp library is also used by the Chrome and Firefox web browsers, and Google and Mozilla were also forced to release emergency updates to address the zero-day, which they track as CVE-2023-4863.


Source…

Apple issues emergency patches on three new exploited zero-days


Apple on Thursday moved to patch three zero-day vulnerabilities actively exploited in the wild that security researchers believe are the work of commercial spyware vendors.

This brings the number of zero-days Apple has fixed this year to 16, which security researchers said demonstrates that the popularity of Apple products has made them an attractive target.

In advisories, Apple credited Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group for bringing the latest zero-days to their attention.

“A total of 16 zero-day vulnerabilities in a year is significant,” said Callie Guenther, senior manager, cyber threat research at Critical Start. “Zero-days, by definition, are previously unknown and unpatched vulnerabilities that can be exploited. This high number could suggest that Apple devices, given their popularity and extensive user base, are attractive targets for advanced threat actors.”

Guenther also noted the fact that many of these vulnerabilities were discovered by groups such as the Citizen Lab and Google’s Threat Analysis Group, which often focus on state-sponsored and high-level cyber-espionage campaigns, suggests that Apple devices are being targeted in sophisticated attacks against high-profile individuals.

For example, following a report Sept. 7 by Citizen Lab that an actively exploited zero-click vulnerability was used to deliver NSO Group’s Pegasus mercenary spyware on an Apple device, Apple quickly moved to issue two CVEs to rectify the issue.

The Pegasus spyware developed and distributed by the NSO Group has been widely used by both the private and government sectors across the globe for surveillance purposes against journalists, human and civil rights activists, politicians and other individuals.

The zero-days patched yesterday by Apple include the following:

  • CVE-2023-41993: WebKit browser vulnerabilities. Critical Start’s Guenther said given that WebKit powers Apple’s Safari browser and many iOS apps, a flaw allowing arbitrary code execution can be highly impactful. Malicious web pages can directly impact a broad range of users and potentially compromise sensitive data. NIST reported that this issue was…

Source…