The festive patching season is here again, and CVEs are hanging from the broken software tree like shiny baubles. Be careful not to fall asleep in front of the fire: criminals tend to attack just before the holidays. Here are some highlights from the December Patch Tuesday/Wednesday:
Microsoft has provided 33 patches, 4 of which are critical. None have been exploited yet. Adobe pushed 9 patches covering a notable 212 CVEs; again, nothing has been reported as exploited in the wild yet. A whopping 186 of those CVEs are in Adobe Experience Manager, and all of them are cross-site scripting (XSS) bugs.
On paper, the most important of Microsoft's fixes is CVE-2023-36019, rated CVSS 9.6: a connector spoofing vulnerability affecting Microsoft Power Platform and Azure Logic Apps. (A connector is a proxy or wrapper around an API that lets an underlying service talk to Power Automate, Power Apps and Azure Logic Apps. It gives users a way to connect their accounts and take advantage of a set of pre-built actions. Microsoft offers over 1,000 connectors to verified services, and some people build custom connectors. Spoofing sounds like a sophisticated attack…)
“Connector” security will be enhanced…
As Microsoft states in another advisory, “Newly created custom connectors that authenticate using OAuth 2.0 will automatically be assigned a per-connector redirect URI. Existing OAuth 2.0 connectors must be updated to use per-connector redirect URIs by February 17, 2024.”
- If you created a custom connector using the web interface, edit the custom connector, open the Security tab, tick the checkbox "Update to unique redirect URL", and save to enable per-connector redirect URIs.
- If you created a custom connector with multi-authentication using the command line interface (CLI) tools, you must update the connector with the CLI tool, setting:
"redirectMode": "GlobalPerConnector"
- Once your custom connector has been updated to use per-connector redirect URIs (via the Security tab or the CLI tool), you must remove the global redirect URI from your OAuth 2.0 app and add the newly generated unique redirect URL to your OAuth 2.0 app.
- This update applies to existing OAuth 2.0 custom connectors starting February 17, 2024. Custom connectors that are not updated to use per-connector redirect URIs will no longer work with new connections, and users will see an error message.
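The migration steps above amount to three checkable conditions per connector: the connector is in per-connector redirect mode, the shared global redirect URI has been removed from its OAuth 2.0 app, and the newly generated unique redirect URI has been added. The following Python script is an added example, not Microsoft's tooling and not part of the original article. It assumes a constructed inventory format (one record per connector with its redirectMode, its generated per-connector redirect URI, and the redirect URIs registered on the matching OAuth 2.0 app); every connector name and URI in it is a placeholder, and the value "Global" for the old shared mode is an assumed label.

```python
"""Audit OAuth 2.0 custom connectors for the per-connector redirect URI change.

Added example, not Microsoft's tooling. The inventory layout is an
assumption: one dict per connector carrying its redirectMode, the unique
redirect URI generated for it, and the redirect URIs currently registered
on the OAuth 2.0 app that backs it.
"""
from typing import Dict, List

# Constructed placeholder for the shared global redirect URI (assumption).
GLOBAL_REDIRECT_URI = "https://global.example.invalid/oauth/redirect"


def audit_connector(connector: Dict) -> List[str]:
    """Return the list of findings; an empty list means the connector is ready."""
    findings = []
    if connector.get("redirectMode") != "GlobalPerConnector":
        findings.append("redirectMode is not GlobalPerConnector")
    app_uris = set(connector.get("oauthAppRedirectUris", []))
    # Step 3a: the shared URI must no longer be registered on the OAuth app.
    if GLOBAL_REDIRECT_URI in app_uris:
        findings.append("OAuth app still registers the global redirect URI")
    # Step 3b: the generated unique URI must be registered instead.
    unique = connector.get("perConnectorRedirectUri")
    if not unique:
        findings.append("no per-connector redirect URI generated yet")
    elif unique not in app_uris:
        findings.append("OAuth app does not register the per-connector redirect URI")
    return findings


def audit_inventory(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each connector name to its findings."""
    return {c["name"]: audit_connector(c) for c in inventory}


# Constructed sample inventory (hypothetical connector names and URIs).
SAMPLE_INVENTORY = [
    {"name": "crm-connector", "redirectMode": "GlobalPerConnector",
     "perConnectorRedirectUri": "https://per.example.invalid/crm-connector/redirect",
     "oauthAppRedirectUris": ["https://per.example.invalid/crm-connector/redirect"]},
    # "Global" is an assumed label for the old shared-redirect mode.
    {"name": "legacy-connector", "redirectMode": "Global",
     "perConnectorRedirectUri": None,
     "oauthAppRedirectUris": [GLOBAL_REDIRECT_URI]},
    # Mode switched, but the OAuth app registration was never updated.
    {"name": "half-migrated", "redirectMode": "GlobalPerConnector",
     "perConnectorRedirectUri": "https://per.example.invalid/half-migrated/redirect",
     "oauthAppRedirectUris": [GLOBAL_REDIRECT_URI]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The "half-migrated" case is the one worth watching for: flipping the connector's mode without touching the OAuth app leaves new connections failing after the cut-over date described above.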
The vulnerability lies in the web server, but exploiting it requires a crafted link to be sent to a victim; following the link executes malicious script in the victim's browser.
Microsoft also notified affected users of this bug through the Microsoft 365 admin center, and those users should read the bulletin for more information. It was important enough that Microsoft told affected customers about the safeguards last month. (As a mitigation, Redmond notes, “As of November 17, 2023, newly created custom connectors that use OAuth 2.0 for authentication will be automatically assigned a per-connector redirect URI. Existing OAuth 2.0 connectors must be updated by February 17, 2024.”)
This month also includes patches for two critical RCE vulnerabilities in Internet Connection Sharing. Adam Barnett from Rapid7 said: “CVE-2023-35630 and CVE-2023-35641 have many similarities: a CVSS v3.1 base score of 8.8, a matching Microsoft severity ranking, low attack complexity, and possible code execution. The advisories do not specify an execution context, and the exploitation descriptions differ between the two: CVE-2023-35630 allows an attacker to modify the Options->Length field of a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message, while CVE-2023-35641 is also triggered via maliciously crafted DHCP messages to an ICS server, but the advisory provides no further clues. A very similar ICS vulnerability in September 2023 resulted in RCE in the SYSTEM context on an ICS server. In all three cases the attack is launched from the same network segment as the ICS server, and this requirement is a mitigating factor. Although it is unlikely that any of this month's ICS vulnerabilities could be exploited against a target that is not running ICS, Microsoft does not unequivocally deny it.”
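An Options->Length field that is trusted without being checked against the bytes actually received is the classic way a message parser reads past its buffer. The following Python parser is an added example, not Microsoft's or Rapid7's code and not a description of how either CVE is triggered. It uses the DHCPv6 message layout from RFC 8415 (a 1-byte msg-type, a 3-byte transaction-id, then TLV options with a 2-byte code and 2-byte length) and shows the bounds check a receiver needs on every option, exercised with a constructed INFORMATION-REQUEST and a copy of it whose final option length has been inflated.

```python
"""Bounds-checked parser for the options section of a DHCPv6 message.

Added example (not Microsoft's or Rapid7's code). Every option-len field is
checked against the bytes that remain in the message; a length that does
not fit rejects the whole message instead of being read past its end.
Layout per RFC 8415: msg-type (1 byte), transaction-id (3 bytes), then
options as <code:2><len:2><data:len>.
"""
import struct
from typing import Dict, List, Tuple

INFORMATION_REQUEST = 11  # DHCPv6 msg-type for INFORMATION-REQUEST (RFC 8415)
OPTION_ORO = 6            # Option Request Option
OPTION_ELAPSED_TIME = 8
OPTION_DNS_SERVERS = 23   # code requested inside the ORO below


class MalformedDhcpv6(ValueError):
    """Raised when a message cannot be parsed safely."""


def parse_options(payload: bytes) -> List[Tuple[int, bytes]]:
    """Parse TLV options, raising MalformedDhcpv6 on any length that overruns."""
    options = []
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise MalformedDhcpv6(f"truncated option header at offset {offset}")
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        # The critical check: the declared length must fit in what remains.
        remaining = len(payload) - offset
        if length > remaining:
            raise MalformedDhcpv6(
                f"option {code} declares {length} bytes but only {remaining} remain")
        options.append((code, payload[offset:offset + length]))
        offset += length
    return options


def parse_message(msg: bytes) -> Dict:
    """Split the fixed header from the options and parse both."""
    if len(msg) < 4:
        raise MalformedDhcpv6("message shorter than the fixed header")
    return {
        "msg_type": msg[0],
        "xid": int.from_bytes(msg[1:4], "big"),
        "options": parse_options(msg[4:]),
    }


def build_message(msg_type: int, xid: int, options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a message; used here only to construct the samples."""
    body = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body


def is_well_formed(msg: bytes) -> bool:
    """True if the message parses cleanly, False if any check rejects it."""
    try:
        parse_message(msg)
        return True
    except MalformedDhcpv6:
        return False


# Constructed sample: a well-formed INFORMATION-REQUEST carrying an elapsed
# time of 0 and an ORO asking for DNS servers.
GOOD_MESSAGE = build_message(
    INFORMATION_REQUEST, 0xABCDEF,
    [(OPTION_ELAPSED_TIME, b"\x00\x00"),
     (OPTION_ORO, OPTION_DNS_SERVERS.to_bytes(2, "big"))])

# Constructed malformed sample: the same message with the 6-byte ORO option
# replaced by one whose length field claims far more data than is present.
BAD_MESSAGE = GOOD_MESSAGE[:-6] + struct.pack("!HH", OPTION_ORO, 0x0FFF) + b"\x00\x17"

if __name__ == "__main__":
    print("good:", is_well_formed(GOOD_MESSAGE), parse_message(GOOD_MESSAGE))
    print("bad: ", is_well_formed(BAD_MESSAGE))
```

Note that the check compares the declared length with the bytes remaining after the option header, not with the total message size; off-by-four mistakes there are how an otherwise careful parser still overruns by a few bytes.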
Apache Struts
Additionally, after the Apache Software Foundation disclosed a critical RCE bug assigned CVE-2023-50164 earlier this month, Cisco has published a security advisory regarding the Apache Struts vulnerability, which affects countless products that bundle this software. “An attacker can manipulate file upload parameters to enable path traversal, which in some circumstances could lead to the upload of a malicious file that can be used for remote code execution,” the foundation explained at the time. Users must update to Struts 2.5.33, Struts 6.3.0.2 or later.
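The general defence against the class of bug described above is independent of the framework: derive the stored name from the client-supplied name with every directory component stripped, then confirm the resolved destination is still inside the upload directory before writing. The following Python example is added here; it is not Apache Struts code and not the CVE's patch. The upload directory is a temporary directory created for the demo, and the traversal-style filename it feeds in is a constructed sample.

```python
"""Confine an uploaded file to its upload directory.

Added example, not Apache Struts code and not the fix for CVE-2023-50164.
Two layers: sanitise the client-supplied name down to a single safe leaf,
then verify the resolved destination still sits directly inside the upload
directory (this second check also catches a pre-existing symlink).
"""
import os
import re
import tempfile
from pathlib import Path

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(client_name: str) -> str:
    """Keep only the final path component and restrict it to a safe charset."""
    # Split on both separators so "..\\x" and "../x" both lose their directory part.
    leaf = re.split(r"[\\/]", client_name)[-1]
    # Replace anything outside the allowlist and drop leading/trailing dots
    # (so "..", "." and dot-files such as ".htaccess" cannot be produced).
    leaf = _UNSAFE_CHARS.sub("_", leaf).strip(".")
    if not leaf:
        raise ValueError("empty or unusable filename")
    return leaf


def is_acceptable_name(client_name: str) -> bool:
    """True if the name survives sanitisation, False if it is rejected."""
    try:
        sanitize_filename(client_name)
        return True
    except ValueError:
        return False


def resolve_upload_path(upload_dir: Path, client_name: str) -> Path:
    """Return the destination path, refusing anything that escapes upload_dir."""
    root = upload_dir.resolve()
    dest = (root / sanitize_filename(client_name)).resolve()
    if dest.parent != root:
        raise ValueError("destination escapes the upload directory")
    return dest


def save_upload(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Write the upload under its sanitised name and return the path used."""
    dest = resolve_upload_path(upload_dir, client_name)
    dest.write_bytes(data)
    return dest


def unsafe_upload_path(upload_dir: Path, client_name: str) -> Path:
    """The weak pattern for comparison: joining the raw client name honours '..'."""
    return Path(os.path.normpath(os.path.join(upload_dir, client_name)))


def demo() -> dict:
    """Run the weak and the hardened path logic on a constructed traversal name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        traversal_name = "../../outside.txt"  # constructed sample input
        weak = unsafe_upload_path(root, traversal_name)
        safe = save_upload(root, traversal_name, b"sample upload body\n")
        return {
            "weak_escapes": root.resolve() not in weak.resolve().parents,
            "safe_name": safe.name,
            "safe_inside": safe.parent == root.resolve(),
        }


if __name__ == "__main__":
    print(demo())
```

The allowlist approach (keep only known-good characters) is deliberately stricter than blocking `..`; it also neutralises encoded separators and control characters that a denylist tends to miss.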
Dial 1111 for the PLC default password.
While not technically part of December's Patch Tuesday, it is worth noting another vulnerability that is being actively exploited in the wild this week and was listed as exploited by CISA on Tuesday. It is CVE-2023-6448, rated CVSS 9.8, in Unitronics programmable logic controllers (PLCs) used in the water and wastewater systems (WWS) sector: the devices ship with a default password of 1111.
In addition to implementing strong passwords and changing the defaults, put a firewall/VPN in front of the PLC to control network access to remote PLCs (or take a chance…). CISA states: “If possible, use a port other than the default TCP 20256.
“Cyber attackers are actively targeting TCP 20256 after identifying it, through network probing, as a port associated with Unitronics PLCs. Once identified, they utilize scripts specific to PCOM/TCP to query and validate the system for further investigation and connectivity. Parse the packets using PCOM/TCP filters, if available,” the agency added.
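Given that the probing CISA describes lands on one well-known port, the simplest detection is to watch for connections to that port from anywhere other than the hosts that are supposed to manage the PLC. The following Python script is an added example, not CISA's or Unitronics' tooling. It parses a constructed flow-log format (timestamp, source IP, destination IP, protocol, destination port, bytes), uses an assumed allowlist of one engineering subnet, and flags every TCP flow to the PCOM port from outside it; the port is a parameter so the same logic applies if the PLC has been moved off the default as CISA suggests.

```python
"""Flag network flows that reach a PLC on TCP 20256 from outside an allowlist.

Added example; not CISA or Unitronics tooling. The flow-log layout is a
constructed one: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>".
"""
import ipaddress
from collections import Counter
from typing import Dict, List

PCOM_TCP_PORT = 20256  # default port CISA associates with Unitronics PLCs

# Constructed allowlist (assumption): only the engineering VLAN may speak PCOM.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample flow records (documentation-range addresses).
SAMPLE_LOG = """\
2023-12-13T08:01:02Z 10.20.0.15 10.30.1.5 tcp 20256 1320
2023-12-13T08:02:10Z 198.51.100.77 10.30.1.5 tcp 20256 96
2023-12-13T08:02:11Z 198.51.100.77 10.30.1.5 tcp 20256 96
2023-12-13T08:03:00Z 10.20.0.15 10.30.1.5 tcp 502 410
2023-12-13T08:04:30Z 203.0.113.9 10.30.1.6 tcp 20256 64
garbage line to be skipped
"""


def parse_flow(line: str) -> Dict:
    """Parse one constructed flow record; raise ValueError if it does not fit."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected field count: {line!r}")
    ts, src, dst, proto, port, size = parts
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
            "dst_port": int(port), "bytes": int(size)}


def is_allowed_source(addr) -> bool:
    """True if the source address falls inside any allowlisted network."""
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspect_flows(log_text: str, pcom_port: int = PCOM_TCP_PORT) -> List[Dict]:
    """Return TCP flows to the PCOM port whose source is outside the allowlist."""
    suspects = []
    for line in log_text.splitlines():
        try:
            flow = parse_flow(line)
        except ValueError:
            continue  # skip malformed records rather than abort the sweep
        if (flow["proto"] == "tcp" and flow["dst_port"] == pcom_port
                and not is_allowed_source(flow["src"])):
            suspects.append(flow)
    return suspects


def sources_by_count(flows: List[Dict]) -> Dict[str, int]:
    """Aggregate suspect flows per source address, most active first."""
    counts = Counter(str(f["src"]) for f in flows)
    return dict(counts.most_common())


if __name__ == "__main__":
    hits = find_suspect_flows(SAMPLE_LOG)
    for src, n in sources_by_count(hits).items():
        print(f"{src}: {n} flow(s) to TCP {PCOM_TCP_PORT} from outside the allowlist")
```

Short, repeated, low-byte flows from one external source to the PCOM port, as in the sample, are the shape of the probing CISA describes; a single large flow from the engineering subnet is normal maintenance traffic and is not reported.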
December Patch Tuesday also belatedly fixes a less severe AMD bug first revealed in August that the chip maker had left unpatched. CVE-2023-20588 comes with the following guidance: “For affected products, AMD recommends following software development best practices,” AMD says. “Developers can mitigate this issue by ensuring that privileged data is not used in division operations before changing privilege boundaries. We believe the impact is low.”
ZDI and Qualys have more detailed write-ups. CVE-2023-36019 aside, there is not too much to see this month. Let's have another mince pie.