We have identified several CVEs of note currently being exploited and representing significant risks to the security of computer networks and systems.
CVE-2023-34478, Apache Shiro
Apache Shiro is an open-source Java security framework that provides authentication, authorisation, cryptography and session management.
A vulnerability has been identified that makes affected deployments susceptible to a path traversal attack. When Shiro is used together with APIs or similar frameworks, this can result in an authentication bypass, putting any data stored outside the web root folder at risk of unauthorised access.
The vulnerability impacts versions of Apache Shiro before 1.12.0 or 2.0.0-alpha-3. Apache recommends upgrading to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ to resolve this.
CVE-2022-41352, Zimbra ZCS
A Remote Code Execution (RCE) vulnerability identified in Zimbra’s collaborative software suite in October 2022 continues to be exploited.
The exploit targets a vulnerability in Zimbra's built-in antivirus engine, Amavis, as it scans inbound mail. By sending an email with a .cpio attachment, an attacker causes Amavis to unpack the archive during scanning and so extract the malicious payload. Because cpio honours the paths stored in the archive, the attacker can write to any path on the filesystem that the victim user can access.
ZCS 9.0.0 Patch 27 was released to address this issue. It is recommended that all ZCS patches are installed to maintain device and network security.
CVE-2023-26360, Adobe ColdFusion
A vulnerability in Adobe ColdFusion (2018 Update 15 and earlier, and 2021 Update 5 and earlier) could allow a threat actor to execute code in the context of the user of the impacted device, and may also result in a memory leak. Exploitation does not require any interaction from the victim user.
Adobe has pushed updates for these versions (Update 16 and Update 6 respectively) which address the issue. It is recommended that the ColdFusion JDK/JRE is also updated to the latest release in order to secure vulnerable servers. Finally, users should apply Adobe's Lockdown guidance for ColdFusion.
CVE-2023-35078, Ivanti Endpoint Manager
A new vulnerability has been identified in Ivanti's Endpoint Manager Mobile (EPMM), also known as MobileIron Core. The vulnerability impacts all current versions of the product, with older versions and releases also being at risk.
When exploited, the vulnerability allows any threat actor who can reach the server over the internet to gain unauthorised remote access to victims' Personally Identifiable Information (PII) and to make limited changes to the targeted server.
A patch has been released and can be obtained from Ivanti’s Knowledge Base.
CVE-2023-38408, OpenSSH 9.3p2 and below
A vulnerability has been found in OpenSSH. The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
Remote exploitation requires that the agent was forwarded to an attacker-controlled system. The following mitigations may be applied to reduce the risk:
Exploitation can be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
Disabling agent forwarding or restricting ssh-agent options.
Adjusting the ExecStart line of the ssh-agent.service unit file to disable PKCS#11 modules.
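As an added example (not part of the bulletin or of OpenSSH itself), the following POSIX shell script audits the two CVE-2023-38408 mitigations listed above against constructed sample files: an ssh_config that must not enable ForwardAgent, and an ssh-agent.service unit whose ExecStart must start ssh-agent with a -P allowlist. The sample file names and contents are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original bulletin: audit the CVE-2023-38408
# mitigations (no agent forwarding; ssh-agent started with a -P allowlist).
# All file names and contents below are constructed for this example.

# Exit 0 when no uncommented stanza in an ssh_config file enables agent
# forwarding. ssh_config accepts "ForwardAgent yes" and "ForwardAgent=yes";
# a leading "#" makes the line a comment, which the anchored pattern skips.
forwarding_disabled() {
    ! grep -qiE '^[[:space:]]*ForwardAgent[[:space:]=]+yes' "$1"
}

# Exit 0 when the unit's ExecStart= line starts ssh-agent with a -P allowlist.
# The empty allowlist (-P '') disables every PKCS#11/FIDO provider library.
agent_has_allowlist() {
    grep -E '^ExecStart=.*ssh-agent' "$1" |
        grep -qE -- "-P[[:space:]]+('[^']*'|\"[^\"]*\"|[^[:space:]]+)"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed client config that still forwards the agent to one host.
cat >"$SAMPLE_DIR/ssh_config.weak" <<'EOF'
Host build
    ForwardAgent yes
EOF

# Constructed client config with forwarding explicitly off everywhere.
cat >"$SAMPLE_DIR/ssh_config.hardened" <<'EOF'
# ForwardAgent yes   (commented out, must not count as enabled)
Host *
    ForwardAgent no
EOF

# Constructed unit without an allowlist: any provider path may be loaded.
cat >"$SAMPLE_DIR/ssh-agent.weak.service" <<'EOF'
[Service]
ExecStart=/usr/bin/ssh-agent -D -a %t/ssh-agent.socket
EOF

# Constructed unit with an empty allowlist, as the bulletin recommends.
cat >"$SAMPLE_DIR/ssh-agent.hardened.service" <<'EOF'
[Service]
ExecStart=/usr/bin/ssh-agent -D -a %t/ssh-agent.socket -P ''
EOF

for f in ssh_config.weak ssh_config.hardened; do
    forwarding_disabled "$SAMPLE_DIR/$f" && echo "$f: forwarding disabled" || echo "$f: FORWARDING ENABLED"
done
for f in ssh-agent.weak.service ssh-agent.hardened.service; do
    agent_has_allowlist "$SAMPLE_DIR/$f" && echo "$f: allowlist set" || echo "$f: NO ALLOWLIST"
done
```

Point the two functions at the real ~/.ssh/config, /etc/ssh/ssh_config and the installed ssh-agent user unit to audit a host; a "FORWARDING ENABLED" or "NO ALLOWLIST" result marks a system where the mitigation has not been applied.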