In this advisory we provide information around various vulnerabilities concerning Cisco, Veeam and Juniper OS. Also, information on the recent data breach at Pareto Phone, an Australian based company who seeks donations for charitable causes, with the breach resulting in the publication of donor’s details on the darknet.
Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability – CVE-2023-20229
An authenticated local attacker with low privileges may be able to perform directory traversal style attacks and modify arbitrary files. This has potential to result in data loss. There are no work-arounds available.
Impacted Products:
Cisco Duo Device Health Application for Windows
v5.0.0
v5.1.0
Mitigation / Remediation Strategies
Update to v5.2.0
Further Reading:
Cisco Unified Communications Manager SQL Injection Vulnerability – CVE-2023-20211
Due to improperly implemented input validation, an authenticated remote actor could perform SQL injection attacks. Successful exploitation could permit the reading or destruction of data in the underlying database. Proof of concept code exists for this vulnerability, however abuse has not been reported as of yet.
Impacted Products / Remediation Strategies:
Cisco Unified CM and Cisco Unified CM SME.
v11.5 – Update to a fixed release
v12.v5 – Update to 12.5(1)SU8
v14 – Apply patch “ciscocm.V14SU3_CSCwe89928_sql-injection_C0194-1.cop.sha512.”
Further Reading:
Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability – CVE-2023-20224
Due to insufficient input validation of user-supplied command line arguments, an attacker can take advantage of this vulnerability by successfully authenticating to a targeted device and utilise crafted commands. By doing so, they can potentially gain unauthorised access leading to data exfiltration, manipulate data, or disrupt the normal operation of the system.
Impacted Products:
0.216 and earlier
Mitigation / Remediation Strategies:
Update to v0.230
Further Reading:
Veeam
A ransomware group has been observed successfully exploiting CVE-2023-27532, targeting critical infrastructure in South America. This vulnerability permits the exfiltration of encrypted credentials, which facilitates offline cracking. Please note that in order for this to occur, the threat actor must be operating within the backup infrastructure network perimeter.
This has been observed being exploited in the wild by hostile entities who gain initial access via other means (usually stolen or re-used credentials) to gain an initial foothold. Successful cracking of the encrypted Veeam credentials may lead to an attacker gaining access to the backup infrastructure hosts. The group subsequently stole data as well as encrypting it with threats of leaking the information if a ransom isn’t paid.
“The first evidence of a compromise in the targeted organisation was a successful Administrator-level login via Remote Desktop Protocol (RDP),” they wrote. “This login was achieved without evidence of prior invalid login attempts, nor evidence of techniques such as brute-forcing or exploitation of vulnerabilities. This means that the attacker likely obtained the valid credentials via some other nefarious means preceding the attack.”
Impacted Products:
All Veeam Backup & Replication versions
Remediation Strategies:
Update to version:
12 (build 12.0.0.1420 P20230223)
11a (build 11.0.1.1261 P20230227)
Mitigation:
If it is impractical to update, external connections to port TCP 9401 can be blocked in the backup server firewall as a temporary remediation until the patch is installed. This is only suitable if you use an all-in-one Veeam appliance with no remote backup infrastructure components.
Further Reading:
https://www.veeam.com/kb4424
https://securityboulevard.com/2023/08/cuba-ransomware-group-exploiting-veeam-flaw-in-latest-campaign/
Juniper
CVE-2023-36844
CVE-2023-36845
CVE-2023-36846
CVE-2023-36847
Multiple vulnerabilities have been discovered in the J-web component of Juniper Junos OS SRX and EX series. The chaining of these can permit an unauthenticated network based attacker to perform remote code execution on the impacted devices.
The manipulation of a PHP variable can allow unauthenticated, network-based attackers to control sensitive environment variables. This in turn can be leveraged to allow arbitrary file upload to J-web, which potentially leads to further escalation.
Impacted Products:
SRX
All versions prior to 20.4R3-S8;
21.2 versions prior to 21.2R3-S6;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S5;
22.1 versions prior to 22.1R3-S3;
22.2 versions prior to 22.2R3-S2;
22.3 versions prior to 22.3R2-S2, 22.3R3;
22.4 versions prior to 22.4R2-S1, 22.4R3;
EX
All versions prior to 20.4R3-S8;
21.2 versions prior to 21.2R3-S6;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S4;
22.1 versions prior to 22.1R3-S3;
22.2 versions prior to 22.2R3-S1;
22.3 versions prior to 22.3R2-S2, 22.3R3;
22.4 versions prior to 22.4R2-S1, 22.4R3.
Remediation Strategies:
To prevent remote code execution (RCE), only one PR needs to be fixed per platform.
For EX Series, the following releases have resolved this via PR 1735387: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.
For SRX Series, the following releases have resolved this via PR 1735389: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S5*, 22.1R3-S3, 22.2R3-S2*, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.
Mitigation:
If it is not appropriate to update immediately, the issue can be temporarily mitigated by disabling J-Web, or limit access to only trusted hosts.
Further Reading:
Pareto
Pareto Phone, an Australian based phone firm who seeks donations for charitable causes, has suffered a breach resulting in the publication of donor’s details on the darknet. It said information including full names, date of birth, addresses, email addresses and phone numbers had been released, but not financial information. It is feared that there is a risk more data could be published, since there had been four months between the attack and the leak.
Charities impacted include The Cancer Council, Canteen, Fred Hollows Foundation and Médecins Sans Frontières. Evidence suggests that some of the breached client details were initially recorded more than 8 years ago, raising questions regarding data retention policies.
Under the Australian Privacy Principles, there is a requirement for personal information data to be destroyed or de-identified once it is no longer needed for the purpose for which it was collected. This impacts institutions across many sectors nationwide.
Pareto said it was in the process of contacting affected donors.
Further Information:
https://communitydirectors.com.au/articles/charity-donor-details-released-in-major-cyber-breach
https://www.abc.net.au/news/2023-08-23/pareto-phones-data-breach-canteen-cancer-council-fred-hollows/102763776