Six high severity vulnerabilities in Atlassian Confluence have been disclosed over the past few months making it imperative for its users to upgrade with urgency. Of these, the most severe, CVE-2023-22527 has been added to CISA’s KEV (Known Exploited Vulnerabilities). Collectively, the recently disclosed vulnerabilities range in severity from CVSS 7.5 (High) to 10 (Critical). Greenbone vulnerability manager is able to detect all vulnerabilities with active checks and version detection tests including the most critical, CVE-2023-22527.

CVE-2023-22527 can be exploited by an attacker to achieve unauthenticated remote code execution (RCE). Impacted products include Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0 through 8.5.3, as well as 8.4.5, which no longer receives backported fixes according to Atlassian’s Security Bug Fix Policy. CVE-2023-22527 is tracked internally in Atlassian’s Jira as CONFSERVER-93833 and in a published advisory, and was reported through Atlassian’s Bug Bounty program by a contributor with the handle m1sn0w.

The remaining five vulnerabilities can all be exploited remotely without user interaction, with impacts ranging from denial of service (DoS) only (CVE-2023-3635) to high impact to Confidentiality, Integrity and Availability (CIA). The majority, including several high severity RCE vulnerabilities, were introduced in version 7.13.0 of Confluence Data Center and Server. Customers operating affected products on publicly exposed IP addresses are at increased risk of exploitation.

In total, Confluence has been the subject of 9 CISA KEV entries for active exploitation. 3 of those have been added in recent months, since October 2023:

  • October 5th, 2023: CISA added CVE-2023-22515 to its KEV catalog
  • November 7th, 2023: CISA added CVE-2023-22518 to its KEV catalog
  • January 24th, 2024: CISA added CVE-2023-22527 to its KEV catalog

A recent report from the vulnerability and exploit research group VulnCheck, based on analysis of publicly available Shodan data, estimated that more than 235,000 internet-facing Confluence honeypots sit on public IP addresses, while the number of real internet-facing Confluence servers is closer to 4,000.

Summary Of Vulnerabilities in Atlassian Confluence

Here is a brief summary of all recently disclosed vulnerabilities in Atlassian Confluence:

  • CVE-2023-22527 (CVSS 10 Critical): A template injection vulnerability [CWE-1336] in out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. The most recent supported versions of Confluence Data Center and Server are not affected. After initial disclosure, Atlassian raised the CVSS score of CVE-2023-22527 from 9.1 to the highest possible score of 10.
  • CVE-2024-21673 (CVSS 8.8 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely, with high impact to system Confidentiality, Integrity and Availability (CIA) and no user interaction required. The vulnerability was introduced in version 7.13.0 (released August 2021) of Confluence Data Center and Server.
  • CVE-2023-22526 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely, with high impact to system Confidentiality, Integrity and Availability (CIA) and no user interaction required.
  • CVE-2024-21672 (CVSS 8.8 High): Allows an authenticated attacker to execute arbitrary code remotely, with high impact to system Confidentiality, Integrity and Availability (CIA) and no user interaction required. The vulnerability was introduced in version 2.1.0 (released December 2005) of Confluence Data Center and Server, meaning it affects virtually all versions.
  • CVE-2023-3635 (CVSS 7.5 High): A DoS vulnerability in the Okio Java library used by Confluence. Okio’s GzipSource class does not handle an exception that may be raised while parsing a malformed gzip buffer, so a crafted GZIP archive can cause a denial of service in any Okio client that decompresses it with GzipSource.
  • CVE-2024-21674 (CVSS 7.5 High): Allows an authenticated attacker to expose restricted assets [CWE-284] remotely, with high impact to system Confidentiality, no impact to Integrity or Availability, and no user interaction required. The vulnerability was introduced in version 7.13.0 (released August 2021) of Confluence Data Center and Server.

Mitigation Of Vulnerabilities in Atlassian Confluence

There are no reported workarounds that protect against these vulnerabilities. The most severe, CVE-2023-22527, only impacts older versions of Confluence Data Center and Server. Atlassian’s general recommendation for all other CVEs listed above is to download and upgrade to the newest version of Confluence Data Center and Server. For users who are unable to do so, Atlassian’s mitigation advice differs per CVE.

Atlassian has also outlined version-specific fixes for CVE-2024-21673, CVE-2023-22526, CVE-2023-3635 and CVE-2024-21674. Customers who are unable to upgrade to the most recent version of Confluence Data Center and Server can upgrade to a patched release within their current version line:

  • Customers using Confluence Data Center and Server 7.19: upgrade to version 7.19.18 or any higher 7.19.x release
  • Customers using Confluence Data Center and Server 8.5: upgrade to version 8.5.5 or any higher 8.5.x release
  • Customers using Confluence Data Center and Server 8.7: upgrade to version 8.7.2 or any higher 8.7.x release
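The version ranges above are exactly what a vulnerability scanner turns into a check. The following Python is an added example written for this article, not Greenbone’s own vulnerability test (those are written in NASL): it encodes only the ranges stated on this page (the CVE-2023-22527 affected range of 8.0.x through 8.5.3, and the patched minor releases 7.19.18, 8.5.5 and 8.7.2 for the January 2024 bulletin). It assumes version strings are plain dotted integers such as "8.5.3"; any trailing build suffix is ignored, and version lines not named in the bulletin get the generic "upgrade to the latest release" recommendation.

```python
"""Version-range checks for the Confluence advisories summarised above.

Added example, not Greenbone's vulnerability test; it encodes only the
ranges stated on this page.  Assumption: versions are dotted integers such
as "8.5.3"; anything after the third component is ignored.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range for CVE-2023-22527 as stated in the summary above:
# every 8.0.x through 8.4.x release plus 8.5.0 to 8.5.3.
CVE_2023_22527_FIRST: Version = (8, 0, 0)
CVE_2023_22527_LAST: Version = (8, 5, 3)

# First patched release per maintained version line for the January 2024
# bulletin (CVE-2024-21673, CVE-2023-22526, CVE-2023-3635, CVE-2024-21674).
PATCHED_MINOR = {
    (7, 19): (7, 19, 18),
    (8, 5): (8, 5, 5),
    (8, 7): (8, 7, 2),
}


def parse_version(text: str) -> Version:
    """Turn "8.5.3" (or "8.5.3-build1") into (8, 5, 3); missing parts become 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable Confluence version: {text!r}")
    major, minor, patch = (int(x) if x is not None else 0 for x in m.groups())
    return (major, minor, patch)


def affected_by_cve_2023_22527(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return CVE_2023_22527_FIRST <= v <= CVE_2023_22527_LAST


def january_bulletin_target(version: str) -> Optional[str]:
    """Minimum release to move to within the same version line.

    Returns "latest" when the line has no patched minor release listed on
    this page, and None when the host already runs a patched release.
    """
    v = parse_version(version)
    patched = PATCHED_MINOR.get(v[:2])
    if patched is None:
        return "latest"
    if v >= patched:
        return None
    return ".".join(str(part) for part in patched)


def assess(version: str) -> dict:
    """Combine both checks into one finding for a single host."""
    return {
        "version": version,
        "cve_2023_22527": affected_by_cve_2023_22527(version),
        "upgrade_to": january_bulletin_target(version),
    }


if __name__ == "__main__":
    # Constructed sample inventory (version strings only, not real hosts).
    for sample in ("7.19.17", "8.4.5", "8.5.3", "8.5.5", "8.7.1", "8.7.2"):
        print(assess(sample))
```

Note that a host on 8.4.5 is flagged for CVE-2023-22527 and told to move to the latest release, because 8.4.x is not a version line that received a patched minor release; that matches the advisory text above, where 8.4.5 no longer receives backported fixes.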


In January 2024, 1 critical severity vulnerability was disclosed impacting Atlassian Confluence Data Center and Server, following 5 other recently disclosed high impact CVEs. The most critical, CVE-2023-22527, is known to be exploited in the wild, making it imperative for users of affected products to upgrade with urgency. Public-facing instances of Confluence are most at risk, with an estimated 4,000 such instances as of February 2nd, 2024.

A series of flaws in Ivanti’s Connect Secure VPN is being actively exploited by attackers. Both the German BSI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings. CISA has even issued an Emergency Directive ordering all Federal Civilian Executive Branch (FCEB) agencies to apply patches immediately.

Thousands of publicly accessible Ivanti systems worldwide are at risk, many of them located in Germany, and the flaws are being actively exploited. Because Ivanti’s devices have been covered by Greenbone’s vulnerability tests in the Enterprise Feed for several years, we were able to warn our customers as early as January 10 and have been continuously building tests for the most recent vulnerabilities. Nevertheless, Ivanti customers need to stay alert and take action: applying the patches from Ivanti requires a factory reset of the devices.

Remote Code Execution and Authentication Bypass

In December 2023, the US security firm Volexity discovered two serious security vulnerabilities (CVE-2023-46805 and CVE-2024-21887, both published on January 12, 2024) in devices running Ivanti Connect Secure VPN. Affected products include Ivanti Connect Secure (formerly Pulse Secure), Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA).

According to Ivanti’s official statement, the vulnerabilities allow remote attackers to bypass authentication, execute their own code without authorization and take control of the systems. The manufacturer urgently advises its customers to implement the workarounds and keeps updating its communication in a forum article.

Patches shipped at the end of January also included fixes for three further severe vulnerabilities that Ivanti had to warn about in late January and early February (CVE-2024-21893, CVE-2024-21888 and CVE-2024-22024). These three high-risk issues comprise a server-side request forgery, a privilege escalation and an XML external entity (XXE) vulnerability.

According to the vendor, security patches for all flaws were delivered on February 1. Users who applied the February patch and already performed a factory reset should not need another one now.

Greenbone customers have been warned, but administrators need to take action

Due to the widespread use of Ivanti devices in Germany, Greenbone has included tests for Ivanti Connect Secure for several years. While other available tests only check the version numbers of the software in use, Greenbone’s vulnerability checks use extended functions and thus achieve a significantly higher level of accuracy in reporting.

However, even though our products warn Greenbone customers faster and more accurately about potential vulnerabilities in Ivanti devices, users still need to apply all the measures recommended by the manufacturer. For example, it is quite possible that attackers exploited a vulnerability before it was published. Therefore, all customers must use the Integrity Checker provided by Ivanti to verify the integrity of their installation.

The five security vulnerabilities in Ivanti VPN gateway appliances, according to NIST:

  • CVE-2023-46805 (CVSS 8.2 High): An authentication bypass vulnerability [CWE-287] in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 (CVSS 9.1 Critical): A command injection vulnerability [CWE-77] in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
  • CVE-2024-21893 (CVSS 8.2 High): A server-side request forgery vulnerability [CWE-918] in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  • CVE-2024-21888 (CVSS 8.8 High): A privilege escalation vulnerability [CWE-265] in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to administrator level.
  • CVE-2024-22024 (CVSS 8.3 High): An XML external entity (XXE) vulnerability [CWE-643] in the SAML components of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.

Immediate Actions

Patches were originally scheduled for the week of January 22. Until users can download and install the official patches from Ivanti, they should follow these steps:

Two security vulnerabilities in SharePoint, both from last year, are currently causing trouble for SharePoint administrators. Because attackers are increasingly exploiting the two vulnerabilities in combination, the Cybersecurity and Infrastructure Security Agency (CISA) is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vulnerability in MS SharePoint

Remote Privilege Escalation

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights on a company’s SharePoint server. The chain was demonstrated at the Pwn2Own contest in Vancouver in March 2023, and the details were published in September 2023, for example on the blog of Singapore-based STAR Labs.

Massive attacks have now led CISA to issue a warning about these vulnerabilities and to add CVE-2023-29357 to its catalog of known exploited vulnerabilities. Greenbone, however, has had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months, in both authenticated and unauthenticated scan mode.

Microsoft advises its customers to update to the SharePoint Server 2019 release of June 13, 2023 (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should enable AMSI (Antimalware Scan Interface) integration and activate Microsoft Defender on the SharePoint server. Otherwise, attackers could bypass authentication with forged authentication tokens and gain administrator rights.

Recognising vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of that work and ensure security, whether as a hardware or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.

5 Known Juniper Junos Vulnerabilities Being Actively Exploited

CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.

Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. The Greenbone Enterprise vulnerability feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Ethernet Switches and SRX Series Services Gateways) on August 18, 2023, immediately after they were disclosed.

Here is a brief description of each CVE:

  • CVE-2023-36844 (CVSS 5.3 Medium): A PHP External Variable Modification [CWE-473] vulnerability exists in J-Web, a tool used for remote configuration and management of Junos OS. The vulnerability allows an unauthenticated, network-based attacker to modify sensitive PHP environment variables. CVE-2023-36844 allows chaining to other vulnerabilities that lead to unauthenticated RCE.
  • CVE-2023-36845 (CVSS 9.8 Critical): A PHP External Variable Modification vulnerability [CWE-473] in J-Web allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request that sets the variable PHPRC an attacker is able to modify the PHP execution environment to inject and execute code.
  • CVE-2023-36846 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity with a specific request to user.php via J-Web. Without authentication, an attacker is able to upload arbitrary files [CWE-434] which allows chaining to other vulnerabilities including unauthenticated RCE.
  • CVE-2023-36847 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a malicious request to installAppPackage.php via J-Web an attacker is able to upload arbitrary files [CWE-434] without authentication, which may allow chaining to other vulnerabilities that lead to RCE.
  • CVE-2023-36851 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a specific request to webauth_operation.php that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web [CWE-434], leading to a loss of integrity for a certain part of the file system and chaining to other vulnerabilities.

Understanding The Attack Trajectory

Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities meaning that various functions of the J-Web device management web application do not implement proper authentication checks.

Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:

The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-Web’s `webauth_operation.php` file implements a different method of authentication than the rest of the application. It invokes the `sajax_handle_client_request()` function with the value `false` for the `doauth` parameter, so no authentication is performed. The `sajax_handle_client_request()` function is designed to execute J-Web’s built-in functions by naming them in a `$_POST` variable, including the `do_upload()` function used to upload files.

CVE-2023-36845 is a vulnerability in the Junos web server that allows process environment variables to be set via the `name` field of an HTTP POST request when a `Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server is likely based on the proprietary GoAhead web server.

Executing the uploaded file is possible by setting the PHPRC environment variable, using it to load an unauthorized PHP configuration `php.ini` file also uploaded via CVE-2023-36846 that contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain

Mitigation Of Recent Juniper Junos Vulnerabilities

The 5 new CVEs affect Juniper Networks Junos OS on EX Series Ethernet Switches and SRX Series Services Gateways, specifically Junos OS versions 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on EX and SRX Series appliances.

The best mitigation option is to install the security patches to Junos OS. If you cannot install the official provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list to restrict access to only trusted hosts can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only client IP addresses that require access can prevent exploitation of similar yet undiscovered remotely exploitable zero-day vulnerabilities.

The end of the year could hardly be better: Greenbone can look back on the most successful year in its company history. After 15 years, the Osnabrück-based company has grown into a successful public limited company in 2023. Greenbone has grown from 50 to 120 employees within the space of a year, and the journey is far from over: not only EU legislation, but also various collaborations and commitments are enabling further growth. We look back on 2023 and thank our customers, partners, and the OpenVAS community.

A successful year at one glance

The growth can be seen both in the Greenbone blog, which had ten times more readers in 2023, and in the new community portal – a big thank you goes to the large Greenbone community!

In addition to numerous reports on vulnerabilities from VMware to Microsoft, Atlassian, Citrix and many others, we were able to report on projects with the Center for Internet Security (CIS), the Federal Office for Information Security (BSI), and the OSB Alliance – Federal Association for Digital Sovereignty.

We also continue to participate in studies by renowned universities such as the “Comparison of the Security of Open-Source Software and Proprietary Software” by Dr. Marc Ohm (Rheinische Friedrich-Wilhelms-Universität Bonn).

Zero Days, Log4j, Citrix, Atlassian, Sharepoint

We warned of serious vulnerabilities, all of which could already be detected with suitable tests developed by our specialists for the Greenbone Enterprise Appliances; our customers were always warned and in many cases were able to protect themselves proactively. Whether ransomware threatened companies via VMware ESXi or via Outlook zero-days, the aftermath of the Log4j disaster from 2022, or the critical flaws in Citrix NetScaler, Confluence, F5 BIG-IP or SharePoint, Greenbone customers were forewarned and provided with tests.

Greenbone tests web applications …

In 2023, we have also increased our commitment in other areas: We now also test your web applications. We operate strictly in accordance with GDPR regulations, we are ISO 27001/9001 certified and have outstanding security experts. As with our vulnerability management products, you will also receive detailed reports on your security situation with clear instructions for action, which the Greenbone experts will be happy to help you implement.

… and is present at international trade fairs, congresses and panels.

We also increased our presence at international trade fairs this year: we attended it-sa, the PITS (“Public IT Security”) congress organized by Behörden Spiegel and the renowned Open Source Experience 2023 (OSXP) in Paris. At the PITS congress, Greenbone CEO Jan-Oliver Wagner was also invited as an expert to the panel discussion “Putting your finger in the wound – manage or close vulnerabilities?” moderated by Katharina Sook Hee (National Cyber Defense Center of the BSI).

There was broad agreement that “vulnerability management is becoming increasingly important”. This is also due to new legislation, which is leading to more and more vulnerabilities being reported, a general increase in awareness and more draconian penalties for companies that disregard compliance rules, for example. The pressure is increasing, even for companies that are not KRITIS.

Regulation makes vulnerability management mandatory.

At the same time, the vulnerabilities identified are getting older, have been open for longer than before and are being exploited increasingly quickly, with ransomware remaining the top threat.

It is no wonder that both the German government and the EU have recognized the signs of the times: The federal government is investing extensively in cybersecurity, and the EU’s Cyber Resilience Act also prescribes packages of measures that make vulnerability management a la Greenbone mandatory in many companies.

Together with the BSI: the new SMP federal portal

Together with the German Federal Office for Information Security (BSI), we have therefore introduced the Greenbone SMP-Bund portal. As a central point of contact for IT security and vulnerability management, it offers authorities concrete support with the current challenges of IT security.

In addition to extensive information and a forum for exchanging ideas on vulnerability management, the portal also offers direct access to Greenbone support, contact with our sales team and exclusive conditions with Greenbone framework agreements.

2023 was a good 15th year for Greenbone, we would like to take this opportunity to thank all customers, partners, and the community again, without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

We at Greenbone are excited to introduce the innovative Greenbone SMP-Bund-Portal in collaboration with the Federal Office for Information Security (BSI). As a leading provider of IT security solutions, we are proud to offer this platform specifically tailored to the needs of federal agencies.

A Portal Setting Standards

The Greenbone SMP-Bund-Portal is the central point of contact for IT security and vulnerability management. It has been developed to provide agencies with concrete support in addressing current IT security challenges.

Many Advantages for Federal Agencies

  1. Easy-to-Understand Insights: The portal offers clear and user-friendly information about vulnerability management. It is ideal for both beginners and experts in IT security.
  2. Exclusive Framework Contract Conditions: Federal agencies enjoy special offers and benefits. The obligation to issue public tenders is eliminated, saving time and resources.
  3. Personal Support: Our competent support team is always at our customers’ side to answer questions and ensure support.
  4. Direct Access to the Agency Sales Team: Expert advice from our team, which is well-versed in the specific requirements of federal agencies. We look forward to furthering our trusted collaboration with the BSI and are available for any questions.
  5. Opportunity for Exchange: Use the shared forum to share your experiences and questions.

International panel discussion on effective cybersecurity at #OSXP2023

At the esteemed #OSXP2023 event, that took place in Paris, our participation in the “Cybersécurité et open source” roundtable brought forward critical discussions on improving cybersecurity in companies. The panel, including distinguished experts from the academic and governmental sectors, delved into strategies and points of vigilance essential for robust cybersecurity.

1. The Mindset of Security

Security by Design: A Leadership Commitment

  • The panel emphasized the importance of incorporating security from the initial stages of development. This approach requires a commitment from the top management to prioritize security in all business operations.

A Mentality Focused on Secure and Protected Solutions

  • Companies must cultivate a culture where security is an integral part of the thinking process, aiming to deliver solutions that are inherently secure and protected.

2. Implementing Key Processes

Adherence to Standards and Automation

  • The importance of adhering to established cybersecurity standards was underscored, with a recommendation to automate processes wherever possible to ensure consistency and efficiency.

No Deployment Without Security Compliance

  • It was strongly advised that no deployments or actions should proceed without meeting the necessary security requirements.

3. Resources: Empowering Teams and Enhancing Vigilance

Dedicated Security Teams and Training

  • Having specialized security teams and conducting regular training sessions were identified as crucial for maintaining a high level of security awareness and preparedness.

Vigilance as a Continuous Effort

  • Continuous vigilance was highlighted as a key resource, ensuring that security measures are always up-to-date and effective.

4. Essential Tools and Technologies

Mandatory Multi-Factor Authentication (MFA)

  • Making MFA compulsory was recommended, as it significantly enhances account security.

Vulnerability Scanners and Dependency Management

  • Utilizing vulnerability scanners and managing dependencies and configurations were suggested as vital tools. While platforms like GitHub Enterprise may be costly, they offer comprehensive solutions for these needs.

Conclusion: Education, Awareness, and the Use of Open-Source Tools

In conclusion, the panel at #OSXP2023, including our expert Corentin Bardin, a cyber security specialist and pen tester, highlighted the importance of continuous education and staying updated in the rapidly evolving cybersecurity landscape. They advocated for the use of open-source tools to bolster security measures.

The key takeaway from the discussion is the commitment to offering secure services. It’s not just about the tools and processes; it’s about the mindset and ongoing effort to stay vigilant and informed.

Update from 2023-12-06:

Last week, we reported on pro-Russian hacktivists scanning for vulnerable SharePoint Servers to exploit a critical vulnerability (CVE-2023-29357).

New findings suggest that the group, calling itself “Zarya”, is undertaking various exploit attempts, including directory traversal and attacks on specific vulnerabilities in systems such as OpenWrt routers. The IP address associated with these activities has been observed in several different exploit attempts. In addition to simple reconnaissance, targeted attacks on configuration files and admin APIs have been detected. This case re-emphasizes the importance of securing systems against such threats and shows how unprotected or poorly configured systems become targets.

A critical vulnerability in SharePoint (CVE-2023-29357) is being targeted by presumably pro-Russian attackers who are trying to exploit it.

The Internet Storm Center has discovered corresponding activity on its honeypots. The severity of this vulnerability is critical (a score of 9.8 out of 10) and the attack complexity is very low, making it particularly dangerous. Greenbone customers benefit from automatic detection of this vulnerability in our Enterprise Feed. Microsoft has offered a security update since June 13, 2023; Microsoft customers who missed the update should install it now.

In the November 2023 commVT Intelligence Update, several critical vulnerabilities and security threats have come to light. Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI) was found to be vulnerable to two actively exploited critical vulnerabilities, allowing attackers to execute arbitrary code remotely. The curl command-line tool, widely used across various platforms, faced a serious vulnerability that could result in arbitrary code execution during SOCKS5 proxy handshakes. VMware is urging immediate updates for its vCenter Server due to a critical vulnerability potentially leading to remote code execution. Multiple vulnerabilities were found in versions of PHP 8; one is a particularly critical deserialization vulnerability in the PHAR extraction process. Additionally, SolarWinds Access Rights Manager (ARM) was found susceptible to multiple critical vulnerabilities, emphasizing the urgency to update to version 2023.2.1. Lastly, two F5 BIG-IP vulnerabilities were discovered to be actively exploited, with mitigation options available and outlined below.

Cisco IOS XE: Multiple Critical Vulnerabilities

Two actively exploited vulnerabilities, one of them rated CVSS 10, were discovered in Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI): CVE-2023-20198 and CVE-2023-20273. Combined, they allow an attacker to remotely execute arbitrary code as the system user, and they are estimated to have been used to compromise tens of thousands of vulnerable devices within the past few weeks. Greenbone has added detection for the vulnerable product by version [1], and a second test aimed at detecting the BadCandy implanted configuration file [2]. Both VTs are included in Greenbone’s Enterprise vulnerability feed.

Cisco IOS was created in the 1980s and used as the embedded OS in the networking technology giant’s routers. Fast forward to 2023, IOS XE is a leading enterprise networking full-stack software solution that powers Cisco platforms for access, distribution, core, wireless, and WAN. IOS XE is Linux-based, and specially optimized for networking and IT infrastructure, routing, switching, network security, and management. Cisco devices are pervasive in global IT infrastructure and used by organizations of all sizes, including large-scale enterprises, government agencies, critical infrastructure, and educational institutions.

Here’s how the two recently disclosed CVEs work:

CVE-2023-20198 (CVSS 10 Critical): Allows a remote, unauthenticated attacker to create an account [T1136] on an affected system with privilege level 15 (aka privileged EXEC level) access [CWE-269]. Privilege level 15 is the highest level of access to Cisco IOS. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 (CVSS 7.2 High): A regular user logged into the IOS XE web UI can inject commands [CWE-77] that are subsequently executed on the underlying system with system (root) privileges. This vulnerability is caused by insufficient input validation [CWE-20]. CVE-2023-20273 is also associated with a Lua-based web shell [T1505.003] implant dubbed “BadCandy”. BadCandy consists of an Nginx configuration file named `cisco_service.conf` that establishes a URI path for interacting with the web shell implant, but requires the web server to be restarted before it takes effect.

Cisco has released software updates that fix both CVEs in IOS XE software releases, including versions 17.9, 17.6, 17.3, and 16.12, as well as Software Maintenance Upgrades (SMUs); IT security teams are strongly advised to install them urgently. Cisco has also released associated indicators of compromise (IoC), Snort rules for detecting active attacks, and a TAC Technical FAQs page. Disabling the web UI prevents exploitation of these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded. Publicly released proof of concept (PoC) code [1][2] and a Metasploit module further increase the urgency to apply the available security updates.

Critical Vulnerability In The Curl Tool

A widespread vulnerability has been discovered in the popular curl command line tool, libcurl, and the many software applications that leverage them across a wide number of platforms. Tracked as CVE-2023-38545 (CVSS 9.8 Critical), the flaw makes curl overflow a heap-based buffer [CWE-122] in the SOCKS5 proxy handshake, which can result in arbitrary code execution [T1203]. Greenbone’s community feed includes several NVTs [1] to detect many of the affected software products and will add additional detections for CVE-2023-38545 as more vulnerable products are identified.

CVE-2023-38545 is a client-side vulnerability exploitable when the hostname passed to the SOCKS5 proxy exceeds the maximum length of 255 bytes. If supplied with an excessively long hostname, curl is supposed to fall back to local name resolution and pass only the resolved address on to the proxy. However, due to the CVE-2023-38545 flaw, curl may instead copy the overly long hostname into the target buffer rather than just the resolved address. Because the target buffer is heap-allocated and the hostname comes from the URL, the result is a heap-based overflow.

While the severity of the vulnerability is considered high because it can be exploited remotely and has a high impact on the confidentiality, integrity, and availability (CIA) of the underlying system, the SOCKS5 proxy method is not the default connection mode and must be declared explicitly. Additionally, for an overflow to happen an attacker also needs to cause a slow enough SOCKS5 handshake to trigger the bug. All versions of curl from v7.69.0 (released March 4th, 2020) through v8.3.0 are affected. The vulnerable code was patched in v8.4.0 (commit 4a4b63daaa).
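The protocol reason behind the 255-byte limit, and the check that has to hold on every pass through the handshake, as an added example in C (not curl’s own code; function names are hypothetical):

```c
/* Added example, not curl's code: building a SOCKS5 CONNECT request with the
 * hostname length check that CVE-2023-38545 lost. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SOCKS5_MAX_HOSTNAME 255   /* ATYP 0x03 carries a single length byte */

/* Returns 1 when the proxy cannot be asked to resolve the name: the SOCKS5
 * wire format cannot carry it, so the client must resolve it locally. */
int socks5_must_resolve_locally(const char *host)
{
    return strlen(host) > SOCKS5_MAX_HOSTNAME;
}

/* Writes a SOCKS5 CONNECT request (RFC 1928, ATYP 0x03 = domain name) into
 * out. Returns the number of bytes written, or -1 if the name is too long for
 * the protocol or the caller's buffer is too small. The length check runs on
 * every call: in curl the earlier decision to resolve locally was lost during
 * a slow handshake, and the long name was copied into the heap buffer anyway. */
int socks5_build_connect(const char *host, uint16_t port,
                         uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(host);
    size_t need = 4 + 1 + hlen + 2;        /* VER CMD RSV ATYP LEN name PORT */

    if (hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return -1;                         /* fail closed, never truncate */
    if (outlen < need)
        return -1;                         /* bound the destination as well */

    out[0] = 0x05;                         /* SOCKS version 5 */
    out[1] = 0x01;                         /* CMD: CONNECT */
    out[2] = 0x00;                         /* reserved */
    out[3] = 0x03;                         /* ATYP: domain name */
    out[4] = (uint8_t)hlen;                /* fits because hlen <= 255 */
    memcpy(&out[5], host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);  /* port in network byte order */
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return (int)need;
}
```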

VMware vCenter Server: Multiple Vulnerabilities

CVE-2023-34048 is a critical severity vulnerability that could allow a malicious actor with network access to vCenter Server to cause an out-of-bounds write [CWE-787], potentially leading to remote code execution (RCE). The affected software includes VMware vCenter Server versions 6.5, 6.7, 7.0, and 8.0. The same vCenter Server patch also fixes CVE-2023-34056, a medium-severity information disclosure resulting from improper authorization [CWE-285]. VMware has issued a security advisory addressing both vulnerabilities, which states that there are no known mitigations other than installing the provided updates. Both vulnerabilities can be detected by Greenbone’s enterprise vulnerability feed [1].

Although there are no reports that CVE-2023-34048 is being actively exploited in the wild, attackers have proven adept at swiftly converting threat intelligence into exploit code. Research by Palo Alto Networks’ Unit 42 threat research group shows that, on average, an exploit is published 37 days after a security patch is released.

Here are some brief details on both CVEs:

CVE-2023-34048 (CVSS 9.8 Critical): vCenter Server contains an out-of-bounds write [CWE-787] vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability to achieve remote code execution (RCE). The Distributed Computing Environment Remote Procedure Call (DCERPC) protocol facilitates remote procedure calls (RPC) in distributed computing environments, allowing applications to communicate and invoke functions across networked systems.
CVE-2023-34056 (CVSS 4.3 Medium): vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

Multiple Vulnerabilities Discovered In PHP 8

Several vulnerabilities were identified in PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. Although the group of vulnerabilities does include one critical and two high-severity vulnerabilities, these require particular contexts to be present for exploitation: either PHP applications that deserialize PHAR archives, or use of PHP’s core path resolution functions on untrusted input. Greenbone’s enterprise VT feed includes multiple detection tests for these vulnerabilities across multiple platforms.

Here are brief descriptions of the most severe recent PHP 8 vulnerabilities:

CVE-2023-3824 (CVSS 9.8 Critical): A PHAR file (short for PHP Archive) is a compressed packaging format in PHP, which is used to distribute and deploy complete PHP applications in a single archive file. While reading directory entries during the PHAR archive loading process, insufficient length checking may lead to a stack buffer overflow [CWE-121], potentially leading to memory corruption or remote code execution (RCE).
CVE-2023-0568 (CVSS 8.1 High): PHP’s core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system `MAXPATHLEN` setting, this may lead to the byte after the allocated buffer being overwritten with a NULL byte, which might lead to unauthorized data access or modification. PHP’s core path resolution is used by the `realpath()` and `dirname()` functions, when including other files via `include()`, `include_once()`, `require()`, and `require_once()`, and during the resolution of PHP’s “magic” constants such as `__FILE__` and `__DIR__`.
CVE-2023-0567 (CVSS 6.2 Medium): PHP’s `password_verify()` function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application accepting any password for this entry as valid [CWE-287]. Notably, this vulnerability has been assigned different CVSS scores by NIST (CVSS 6.2 Medium) and the PHP Group CNA (CVSS 7.7 High), the difference being that the PHP Group CNA considers CVE-2023-0567 a high risk to confidentiality while NIST does not. CNAs (CVE Numbering Authorities) are a group of independent vendors, researchers, open source software developers, CERTs, hosted service providers, and bug bounty organizations authorized by the CVE Program to assign CVE IDs and publish CVE records within their own specific scopes of coverage.
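A fail-closed structural check for stored bcrypt (“$2y$”) hashes, the class of record CVE-2023-0567 concerns, as an added example in C (not PHP’s own code; the function name is hypothetical):

```c
/* Added example, not PHP's code: reject malformed bcrypt hashes before they
 * reach a verifier, so a bad database entry cannot match arbitrary passwords.
 * Function names are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define BCRYPT_HASH_LEN 60   /* "$2y$" + 2-digit cost + "$" + 22 salt + 31 hash */

/* bcrypt's own base64 alphabet: ./A-Za-z0-9 (not standard base64) */
static int bcrypt_b64_char(char c)
{
    return c == '.' || c == '/' || isalnum((unsigned char)c);
}

/* Returns 1 only for a structurally valid modular-crypt bcrypt string:
 * "$2[abxy]$NN$" followed by exactly 53 alphabet characters, with the cost
 * NN in the range 04..31. Anything else returns 0 and must be treated as
 * "no valid credential", never passed on for comparison. */
int bcrypt_hash_is_well_formed(const char *h)
{
    size_t i;
    int cost;

    if (h == NULL || strlen(h) != BCRYPT_HASH_LEN)
        return 0;
    if (h[0] != '$' || h[1] != '2')
        return 0;
    if (h[2] != 'a' && h[2] != 'b' && h[2] != 'x' && h[2] != 'y')
        return 0;
    if (h[3] != '$' || !isdigit((unsigned char)h[4]) || !isdigit((unsigned char)h[5]))
        return 0;
    cost = (h[4] - '0') * 10 + (h[5] - '0');
    if (cost < 4 || cost > 31)
        return 0;
    if (h[6] != '$')
        return 0;
    for (i = 7; i < BCRYPT_HASH_LEN; i++)   /* 22 salt + 31 hash characters */
        if (!bcrypt_b64_char(h[i]))
            return 0;
    return 1;
}
```

Run the check when a hash is written to or read from the password store; a record that fails it should be flagged for a reset rather than compared against.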

SolarWinds Access Rights Manager (ARM): Multiple Critical Vulnerabilities

SolarWinds Access Rights Manager (ARM) prior to version 2023.2.1 is vulnerable to 8 different exploits, among them one critical and two additional high-severity vulnerabilities (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187). These include authenticated and unauthenticated privilege escalation [CWE-269], directory traversal [CWE-22], and remote code execution (RCE) at the most privileged “SYSTEM” level. Greenbone’s Enterprise vulnerability feed includes both a local security check (LSC) [1] and remote HTTP detection [2].

SolarWinds ARM is an enterprise access control software for Windows Active Directory (AD) networks and other resources such as Windows File Servers, Microsoft Exchange services, and Microsoft SharePoint as well as virtualization environments, cloud services, NAS devices, and more. The widespread use of ARM and other SolarWinds software products means that its vulnerabilities have a high potential to impact a wide range of large organizations including critical infrastructure.

These and more recent vulnerabilities are disclosed in SolarWinds’ security advisories. Although no reports of active exploitation have been released, mitigation is highly recommended and available by installing SolarWinds ARM version 2023.2.1.

F5 BIG-IP: Unauthenticated RCE And Authenticated SQL Injection Vulnerabilities

Two RCE vulnerabilities in F5 BIG-IP, CVE-2023-46747 (CVSS 9.8 Critical) and CVE-2023-46748 (CVSS 8.8 High), have been observed by CISA to be actively exploited in the wild soon after PoC code was released for CVE-2023-46747. A Metasploit exploit module has also since been published. F5 BIG-IP is a family of hardware and software IT security products for ensuring that applications are always secure and perform the way they should. The platform is produced by F5 Networks, and it focuses on application services ranging from access and delivery to security. Greenbone has added detection for both CVEs [1][2].

CVE-2023-46747 is a remote authentication bypass [CWE-288] vulnerability while CVE-2023-46748 is a remote SQL injection vulnerability [CWE-89] that can only be exploited by an authenticated user. The affected products include the second minor release (X.1) for major versions 14-17 of BIG-IP Advanced Firewall Manager (AFM) and F5 Networks BIG-IP Application Security Manager (ASM).

If you are running an affected version you can eliminate these vulnerabilities by installing the vendor-provided HOTFIX updates [1][2]. The term “hotfix” implies that the patch can be applied to a system while it is running and operational, without the need for a shutdown or reboot. If updating is not an option, CVE-2023-46747 can be mitigated by downloading and running a bash script that adds or updates the `requiredSecret` attribute in the Tomcat configuration, which is used for authentication between Apache and Tomcat. CVE-2023-46748 can be mitigated by restricting access to the Configuration utility to trusted networks or devices only, and by ensuring that only trusted user accounts exist, thereby limiting the attack surface.

Our developers have provided vulnerability tests for two critical vulnerabilities in widely used enterprise software. Within a very short time, tests for CVE-2023-22518 and CVE-2023-46747 were integrated, and customers of Greenbone’s Enterprise Feed were protected.

Knowledge management tools Confluence and Jira from Australian vendor Atlassian have been hit by a serious security vulnerability, rated 9.8 out of 10 on the CERT scale. Since November 8, CVE-2023-22518 has been actively exploited by attackers gaining unauthorized access to company data, according to media reports.

According to the company, the “authentication flaw” affects all versions of Confluence Data Center and Server, but not the cloud version at Atlassian itself. For anyone else, including users of Jira, but especially all publicly accessible Confluence servers, there is a “high risk and need to take immediate action”, writes Atlassian.

We reacted quickly and provided our customers with appropriate tests before ransomware attacks could be successful. Customers of the Greenbone Enterprise Feed were warned and reminded of the patch via update.

Remote code execution: F5 BIG-IP allows request smuggling

Also at the end of October, security researchers from Praetorian Labs discovered a serious vulnerability (CVE-2023-46747) in the products of application security expert F5. The American company’s solutions are designed to protect large networks and software environments; the software, which was launched in 1997 as a load balancer, is primarily used in large enterprises.

However, according to the experts, attackers can remotely execute code on the BIG-IP servers by adding arbitrary system commands to the administration tools via manipulated URLs. Details can be found at Praetorian; patches are available, and a long list of BIG-IP products of versions 13, 14, 15, 16, and 17 are affected, both in hardware and software.

We reacted quickly and integrated tests into our vulnerability scanners on the same day; delivered through the Greenbone Enterprise Feed, they check BIG-IP installations for vulnerable versions and, where necessary, point to the patches listed by F5.

Our vulnerability management products, the Greenbone Enterprise Appliances, offer the best protection.

Professional vulnerability management is an indispensable part of IT security. It enables the early detection of risks and provides valuable instructions for their elimination.
The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. We therefore recommend that you regularly update and scan all your systems. Please also read this article on IT security and the timeline of common attack vectors.