CISA orders govt agencies to fix recently disclosed flaws in Apple devices

Pierluigi Paganini June 23, 2023

U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new security flaws to its Known Exploited Vulnerabilities Catalog.

Below is the list of the issues added to the catalog:

  • CVE-2023-32434: Apple Multiple Products Integer Overflow Vulnerability – Apple iOS, iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.
  • CVE-2023-32435: Apple iOS and iPadOS WebKit Memory Corruption Vulnerability – Apple iOS and iPadOS WebKit contain a memory corruption vulnerability that leads to code execution when processing web content.
  • CVE-2023-32439: Apple Multiple Products WebKit Type Confusion Vulnerability – Apple iOS, iPadOS, macOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted web content.
  • CVE-2023-20867: VMware Tools Authentication Bypass Vulnerability – VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. An attacker must have root access over ESXi to exploit this vulnerability.
  • CVE-2023-27992: Zyxel Multiple NAS Devices Command Injection Vulnerability – Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
  • CVE-2023-20887: VMware Aria Operations for Networks Command Injection Vulnerability – VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by July 14, 2023.

This week CISA also added three flaws to its Known Exploited Vulnerabilities Catalog that were exploited by the Russia-linked APT28 group to hack into Roundcube email servers used by Ukrainian organizations.

In the recent campaign, the threat actors used news about the ongoing conflict between Russia and Ukraine as bait. The cyber spies sent crafted emails to the target organizations; when the messages were opened, Roundcube Webmail vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) were triggered, allowing the attackers to hack vulnerable servers.

CISA orders federal agencies to fix these three flaws by July 14, 2023.

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)