The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert covering three vulnerabilities that are being actively exploited [4]. All three have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which lists flaws for which there is evidence of in-the-wild exploitation and which malicious cyber actors are therefore likely to keep targeting.

Description

CISA has identified three vulnerabilities that are currently under active exploitation [7]. The first, CVE-2023-36584 [1] [2] [3] [4] [5] [6] [7] [8], is a medium-severity security feature bypass in Microsoft Windows Mark of the Web (MotW) [3]. It lets an attacker bypass the MotW protection that Windows applies to files downloaded from the internet [5], with a limited impact on integrity and availability [3]. Microsoft fixed it in the October 2023 security updates [1].

The second, CVE-2023-1671 [1] [2] [3] [4] [5] [6] [7] [8], is a critical command injection vulnerability in Sophos Web Appliance [1] [3] [6] that could allow remote code execution. There are no public reports of attacks exploiting it [5], but CISA only adds a vulnerability to the KEV catalog on evidence of exploitation, so its inclusion indicates that it has been exploited [5]. Sophos released a patch on April 4, 2023 [3]. The Web Appliance reached end-of-life in July 2023 [1] [8], so the patch is the last fix the product will receive; Sophos advises remaining customers to migrate to Sophos Firewall [1].

The third, CVE-2020-2551 [1] [2] [3] [4] [5] [6] [7] [8], is listed by CISA as an unspecified vulnerability in Oracle Fusion Middleware; it affects supported versions of Oracle WebLogic Server, is rated critical, and allows an unauthenticated attacker to take control of the affected server [5]. Several of the cited reports, including [4], misnumber it as CVE-2023-2551; the CISA catalog entry [2] is CVE-2020-2551. CISA has identified attacks against government and critical infrastructure organizations in Taiwan [5].

The alert also cites Binding Operational Directive (BOD) 22-01 [2], which requires Federal Civilian Executive Branch (FCEB) agencies to remediate catalogued vulnerabilities by the due date CISA assigns to each entry, in order to protect FCEB networks against active threats [2]. BOD 22-01 binds only FCEB agencies [2], but CISA strongly advises all organizations to prioritize timely remediation of catalog entries as part of their vulnerability management practice, and it will keep adding vulnerabilities that meet the catalog’s criteria. The reporting further recommends keeping software up to date [4], running a disciplined patch management process [4], deploying security tooling [4], training staff in security best practices [4], and conducting regular vulnerability scans and penetration tests [4].
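The practical consequence of the KEV catalog is that it can be joined against scanner output to find the hosts that need attention first. The following Python is an added illustration for this page, not tooling from CISA or from any of the cited articles: it indexes a feed in the catalog’s published JSON shape, matches a list of findings against it, and ranks the hits by how far past the BOD 22-01 due date they are. The feed URL is CISA’s real JSON feed; the sample feed and findings embedded below are constructed for an offline demonstration, and their dates, descriptions and required-action text are illustrative rather than the catalog’s actual values.

```python
"""Triage scanner findings against CISA's Known Exploited Vulnerabilities (KEV) feed.

Added example for this page; it is not CISA tooling. KEV_FEED_URL is CISA's
published JSON feed. SAMPLE_FEED and SAMPLE_FINDINGS are constructed for an
offline demonstration (dates and text are illustrative, not catalog values).
"""
import json
import urllib.request
from datetime import date
from typing import Union

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the live feed (illustrative values).
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.11.16",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "vulnerabilityName": "Sophos Web Appliance Command Injection Vulnerability",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output: hostnames are hypothetical; CVE case is mixed on purpose.
SAMPLE_FINDINGS = [
    {"host": "ws-042.corp.example", "cve": "cve-2023-36584"},
    {"host": "swa-proxy-01.corp.example", "cve": "CVE-2023-1671"},
    {"host": "build-07.corp.example", "cve": "CVE-2023-38545"},   # not in the sample feed
    {"host": "wl-app-03.corp.example", "cve": "CVE-2021-44228"},
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by upper-cased CVE ID so lookups are case-insensitive."""
    catalog = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def fetch_live_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> dict:
    """Download and index the current catalog (network call; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def triage(kev: dict, findings: list, today: Union[date, str]) -> list:
    """Join findings ({'host', 'cve'}) against the KEV index.

    Returns one record per finding that is in KEV, with days_overdue relative
    to the catalog due date (negative while the due date is still ahead),
    sorted most-overdue first and then by CVE ID. Findings not in KEV are
    dropped here; they still belong in normal patch cycles, just not at the front.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for finding in findings:
        entry = kev.get(finding["cve"].upper())
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": finding["host"],
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due_date": entry["dueDate"],
            "days_overdue": (today - due).days,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            "required_action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (-h["days_overdue"], h["cve"]))
    return hits


def overdue(hits: list) -> list:
    """Subset of triage output whose BOD 22-01 due date has already passed."""
    return [h for h in hits if h["days_overdue"] > 0]


if __name__ == "__main__":
    for h in triage(load_kev(SAMPLE_FEED), SAMPLE_FINDINGS, date.today()):
        state = (f"OVERDUE by {h['days_overdue']}d" if h["days_overdue"] > 0
                 else f"due in {-h['days_overdue']}d")
        print(f"{h['host']:28} {h['cve']:16} {h['product']:22} {state}")
```

For real use, replace `SAMPLE_FEED` with `fetch_live_kev()` and feed in the scanner’s own export; the `knownRansomwareCampaignUse` field is worth surfacing alongside the due date, since entries marked "Known" are the ones most likely to be followed by destructive activity.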

Conclusion

CISA urges organizations [2], and federal agencies in the United States in particular [7], to prioritize patching these three vulnerabilities [7]. Where patching is not possible, the vendor-recommended mitigations should be applied [7], and in the case of the end-of-life Sophos Web Appliance that means retiring the product. Organizations should also monitor affected systems for signs of compromise and report suspected intrusions to CISA or the relevant authorities [7]. Inclusion in the KEV catalog means these flaws are already being used in attacks, so remediation should be treated as immediate rather than scheduled.

References

[1] https://www.digitalguardian.com/blog/friday-five-threats-critical-infrastructure-new-actively-exploited-bugs-more
[2] https://www.cisa.gov/news-events/alerts/2023/11/16/cisa-adds-three-known-exploited-vulnerabilities-catalog
[3] https://www.scmagazine.com/news/cisa-adds-products-from-sophos-oracle-and-microsoft-to-the-kev-catalog
[4] https://securityonline.info/cisa-warns-of-actively-exploited-flaw-cve-2023-36584-cve-2023-1671-and-cve-2023-2551/
[5] https://vulnera.com/newswire/cisa-issues-warning-over-exploitation-of-sophos-web-appliance-vulnerability/
[6] https://thehackernews.com/2023/11/cisa-adds-three-security-flaws-with.html
[7] https://itssecurityyall.substack.com/p/cisa-adds-three-exploited-vulnerabilities
[8] https://blog.cyberconvoy.com/cisa-warns-of-actively-exploited-windows-sophos-and-oracle-bugs/