Monthly Advisory • 10 MIN READ

October 2023 Threat Advisory Top 5

by Eleanor Barlow • Oct 2023

SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of October 2023.

Apple Released Security Update to Fix Vulnerability Affecting Multiple Apple Products

Threat Reference: Global

Risks: Arbitrary Code Execution, Privilege Escalation

Advisory Type: Updates/Patches

Priority: Standard

Apple has released a security update to fix vulnerabilities in several of its products. Successful exploitation could lead to arbitrary code execution.

Notable CVE: CVE-2023-5217 – a heap buffer overflow in the libvpx VP8 encoder; processing maliciously crafted web content may lead to arbitrary code execution. The same update also fixes CVE-2023-42824, a kernel vulnerability through which a local attacker may be able to elevate their privileges; Apple stated that this issue may have been actively exploited against versions of iOS before iOS 16.6.

Affected Products include iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Recommendation: For a permanent fix, update all affected products to the latest available patch version.

Cisco Fixes Critical Vulnerability in Cisco IOS XE Software Web UI

Threat Reference: Global

Risks: Privilege Escalation, Remote Code Execution

Advisory Type: Updates/Patches

Priority: Standard

Cisco has fixed a critical vulnerability (CVE-2023-20198, CVSS score 10.0) in the Web UI feature of Cisco IOS XE Software.

The vulnerability can be exploited by a remote, unauthenticated attacker to take over a vulnerable system. The attacker can use it to create a new local account on the affected device with privilege level 15 (full administrative) access. The Web UI is served by the IOS XE HTTP server, so a device is exposed whenever the ip http server or ip http secure-server feature is enabled on a reachable interface.

Recommendations

• Update affected products to their latest available versions/patch level.

• Disable the Web UI on affected products if it is not required.

• Disable the HTTP server feature (ip http server and ip http secure-server) on all internet-facing systems.

• Do not expose the Web UI or other management services to the internet.
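The two conditions the recommendations above turn on (an enabled HTTP/HTTPS server, which is what serves the Web UI, and privilege-15 accounts that nobody expects) can both be read straight out of a running-config. The script below is an added example written for this page, not Cisco tooling; the config text, hostname, usernames and secrets are constructed, and the expected-admin list is an assumption a reader would replace with their own.

```python
"""Audit a Cisco IOS XE running-config for the two conditions this advisory
turns on: the HTTP/HTTPS server that serves the Web UI being enabled, and
privilege-15 local accounts that nobody expects to exist.

Added example (not Cisco tooling). The config text is constructed; the
hostname, usernames and secrets are made up for the demonstration."""
import re

SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructedhash1
username svc_backup privilege 15 secret 9 $9$constructedhash2
username helpdesk privilege 5 secret 9 $9$constructedhash3
!
ip http server
ip http secure-server
ip http authentication local
!
"""

# Accounts the device is supposed to have at privilege 15 (assumption).
EXPECTED_ADMINS = {"netops"}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(\d+)\b")


def http_server_state(config):
    """Return (http_enabled, https_enabled) as the config declares them.
    'ip http server' enables the plain HTTP listener, 'ip http secure-server'
    the HTTPS one; the 'no ...' forms disable them. Either listener exposes
    the Web UI. Lines are read in order, so a later 'no' form wins."""
    http = https = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http = True
        elif line == "no ip http server":
            http = False
        elif line == "ip http secure-server":
            https = True
        elif line == "no ip http secure-server":
            https = False
    return http, https


def privilege15_accounts(config):
    """Names of local users configured with privilege 15, in config order."""
    found = []
    for raw in config.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if not m:
            continue
        p = PRIVILEGE_RE.search(m.group(2))
        if p and int(p.group(1)) == 15:
            found.append(m.group(1))
    return found


def audit(config, expected_admins=EXPECTED_ADMINS):
    """Return a list of findings; an empty list means the config is clean."""
    findings = []
    http, https = http_server_state(config)
    if http:
        findings.append("ip http server enabled: remove with 'no ip http server'")
    if https:
        findings.append("ip http secure-server enabled: remove with 'no ip http secure-server'")
    for user in privilege15_accounts(config):
        if user not in expected_admins:
            findings.append(f"unexpected privilege-15 account: {user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

The check only sees what the running-config shows at the moment it is collected, so on internet-facing devices pair it with a review of device logs and a comparison against the saved startup-config, and re-run it after disabling the HTTP server to confirm the change took effect.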

HTTP/2 ‘Rapid Reset’ DDoS Attack Impacting Multiple Products

Threat Reference: Global

Risks: Denial of Service (DoS)

Advisory Type: Zero Day Exploits

Priority: Elevated

Security researchers have discovered a high-severity vulnerability (CVE-2023-44487) in web servers that support HTTP/2. Threat actors abuse the protocol's stream multiplexing feature by repeatedly opening request streams and immediately cancelling them (a HEADERS frame followed at once by RST_STREAM), the so-called 'Rapid Reset' attack, which exhausts server resources and causes denial of service. Because a cancelled stream no longer counts against the server's advertised concurrent-stream limit, an attacker can drive an effectively unbounded request rate over a single connection while never exceeding that limit.

Additionally, security researchers have unveiled two variants of the HTTP/2 Rapid Reset attack.

Variant 1

In the first variant the attacker does not cancel each stream immediately. Streams are opened in batches: a batch stays idle for a while, is then cancelled, and the next batch is opened. This evades mitigations that only rate-limit inbound frames per second.

Variant 2

In the second variant the attacker never cancels streams and instead keeps trying to open more concurrent streams than the server advertised. The server itself rejects the excess streams, so the request pipeline between client, proxy and server is kept continuously busy without the round-trip delays that client-side cancellation introduces, making this variant harder to defend against than the standard HTTP/2 Rapid Reset method.

Affected vendors and products include Apache Tomcat, AWS, F5, Microsoft IIS, Microsoft MsQuic, Nginx, and the nghttp2 library.

Note that web applications fronted by the following DDoS protection providers/CDNs should not be impacted, as those providers mitigate the attack at their edge: AWS, Cloudflare, Google Cloud, and Microsoft Azure.

Workaround: For NGINX

Keep keepalive_requests at its default of 1000 requests, which caps how many requests a client may send over one connection before NGINX closes it.

Keep http2_max_concurrent_streams at its default of 128 streams.

Set limit_conn and limit_req with reasonable values that balance application performance against security.

Users of other affected products should apply the vendor's latest available patch version.
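To make concrete why the attack and its first two variants behave as described above, and why keeping http2_max_concurrent_streams at 128 is necessary but not sufficient on its own, the model below replays generated HTTP/2 frame traces against two server-side controls: the advertised concurrent-stream limit and a per-connection sliding-window limit on RST_STREAM frames. This is an added example written for this page, not code from the advisory or from any vendor; the traces are generated rather than captured, and the window and reset thresholds are illustrative assumptions.

```python
"""Model of the HTTP/2 Rapid Reset pattern (CVE-2023-44487) and its two
variants, replayed against two server-side controls: the advertised
SETTINGS_MAX_CONCURRENT_STREAMS limit and a per-connection sliding-window
limit on RST_STREAM frames.

Added example, not code from the advisory or any vendor. The frame traces
are generated here rather than captured; each event is
(time_seconds, frame_type, stream_id) on one connection."""
from collections import deque

MAX_CONCURRENT_STREAMS = 128   # nginx's default http2_max_concurrent_streams


def classic_rapid_reset(n_requests, gap=0.0001):
    """HEADERS immediately followed by RST_STREAM, on a fresh stream each time."""
    events = []
    for i in range(n_requests):
        t, sid = i * gap, 2 * i + 1          # client-initiated streams use odd IDs
        events.append((t, "HEADERS", sid))
        events.append((t, "RST_STREAM", sid))
    return events


def batched_rapid_reset(n_batches, batch_size, hold=0.5):
    """Variant 1: open a batch of streams, leave it idle, cancel the whole batch."""
    events, sid = [], 1
    for b in range(n_batches):
        t_open = b * hold
        batch = []
        for _ in range(batch_size):
            events.append((t_open, "HEADERS", sid))
            batch.append(sid)
            sid += 2
        for s in batch:                      # all cancelled just before the next batch
            events.append((t_open + hold - 0.001, "RST_STREAM", s))
    return events


def oversubscribed_flood(n_requests, gap=0.0001):
    """Variant 2: never cancel; keep opening streams beyond the advertised limit."""
    return [(i * gap, "HEADERS", 2 * i + 1) for i in range(n_requests)]


def server_view(events, max_streams=MAX_CONCURRENT_STREAMS):
    """Replay the trace as a server would. A request costs backend work the
    moment its HEADERS frame is accepted, whether or not it is cancelled later;
    RST_STREAM frees the stream slot immediately."""
    open_streams, peak, started, refused = set(), 0, 0, 0
    for _t, kind, sid in sorted(events):    # same timestamp: HEADERS sorts before RST_STREAM
        if kind == "HEADERS":
            if len(open_streams) >= max_streams:
                refused += 1                 # server rejects the excess stream itself
                continue
            open_streams.add(sid)
            started += 1
            peak = max(peak, len(open_streams))
        elif kind == "RST_STREAM":
            open_streams.discard(sid)
    return {"started": started, "peak_concurrency": peak, "refused": refused}


def reset_limit_trip_time(events, window=1.0, max_resets=100):
    """Sliding-window count of client RST_STREAM frames on the connection.
    Returns the time at which the server would close the connection, or None."""
    recent = deque()
    for t, kind, _sid in sorted(events):
        if kind != "RST_STREAM":
            continue
        recent.append(t)
        while recent and recent[0] <= t - window:
            recent.popleft()
        if len(recent) > max_resets:
            return t
    return None


if __name__ == "__main__":
    classic = classic_rapid_reset(5000)          # 5000 requests in 0.5 s
    print("classic:", server_view(classic), "reset limit trips at", reset_limit_trip_time(classic))
    batched = batched_rapid_reset(4, 100)        # 400 requests, never more than 100 open
    print("variant 1, 0.1 s window:", reset_limit_trip_time(batched, window=0.1))
    print("variant 1, 1.0 s window:", reset_limit_trip_time(batched, window=1.0))
    flood = oversubscribed_flood(1000)
    print("variant 2:", server_view(flood), "reset limit trips at", reset_limit_trip_time(flood))
```

Three things fall out of the replay. The classic pattern never has more than one stream open, so a concurrent-stream limit never fires, yet all 5000 requests reach the backend; a reset counter closes the connection within the first 10 ms. The batched variant slips under a 0.1 s window (each batch of 100 resets lands inside the threshold and has aged out before the next) but not under a 1 s one, so the counting window has to be longer than the attacker's hold interval. The second variant produces no client resets at all, so a defence that counts only client-sent RST_STREAM frames is blind to it; the refused-stream count the server generates itself has to be limited as well.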

Recommendation

SecurityHQ recommends implementing DDoS protection / CDNs (WAF).

Microsoft Released October 2023 Patch Tuesday for 104 Flaws Including 3 Zero-days

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released their Patch Tuesday for October 2023 with security updates for 104 flaws, including 3 actively exploited vulnerabilities.

Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.

Affected Microsoft products include Windows, ESU (Extended Security Updates) releases, Microsoft Dynamics, Exchange Server, Microsoft Office, Azure, Developer Tools, and SQL Server.

Notable CVE ID and details:

[Critical] – CVE-2023-41774 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41773 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41771 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41770 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41769 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41768 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41767 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-41765 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-38166 – Layer 2 Tunnelling Protocol Remote Code Execution Vulnerability

[Critical] – CVE-2023-36718 – Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability

[Critical] – CVE-2023-36697 – Microsoft Message Queuing Remote Code Execution Vulnerability

[Critical] – CVE-2023-36566 – Microsoft Common Data Model SDK Denial of Service Vulnerability

[Critical] – CVE-2023-35349 – Microsoft Message Queuing Remote Code Execution Vulnerability

[Zero-Day] – [Important] – CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability

[Zero-Day] – [Important] – CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability

[Zero-Day] – [Important] – CVE-2023-44487 – HTTP/2 Rapid Reset Attack

[Important] – CVE-2023-41772 – Win32k Elevation of Privilege Vulnerability

[Important] – CVE-2023-38159 – Windows Graphics Component Elevation of Privilege Vulnerability

[Important] – CVE-2023-36780 – Skype for Business Remote Code Execution Vulnerability

[Important] – CVE-2023-36778 – Microsoft Exchange Server Remote Code Execution Vulnerability

[Important] – CVE-2023-36776 – Win32k Elevation of Privilege Vulnerability

[Important] – CVE-2023-36743 – Win32k Elevation of Privilege Vulnerability

[Important] – CVE-2023-36732 – Win32k Elevation of Privilege Vulnerability

[Important] – CVE-2023-36731 – Win32k Elevation of Privilege Vulnerability

[Important] – CVE-2023-36713 – Windows Common Log File System Driver Information Disclosure Vulnerability

[Important] – CVE-2023-36594 – Windows Graphics Component Elevation of Privilege Vulnerability

Recommendation

For a permanent fix it is recommended to keep applications and operating systems running at the current released patch level, and to run software with the least privileges.

Fortinet Fixes High-Severity Privilege Escalation Vulnerability in FortiOS Web UI

Threat Reference: Global

Risks: Privilege Escalation

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released a security update to patch a high-severity vulnerability, CVE-2023-41841 (CVSSv3 score 7.4): an improper authorization vulnerability in the FortiOS Web UI component. Successful exploitation allows an authenticated attacker whose account belongs to the prof-admin profile to escalate their privileges.

Affected products include FortiOS versions 7.2.0 through 7.2.4 and FortiOS versions 7.0.0 through 7.0.11.

Recommendation

It is recommended to update the affected products to their latest available versions.
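Checking a fleet against the two affected ranges above is mostly a matter of reading the version line that `get system status` prints and comparing it correctly as a version tuple rather than a string. The script below is an added example written for this page, not Fortinet tooling; the status lines are constructed, and the upgrade target it reports is simply the first release above each affected range as the advisory lists it, not a statement taken from the vendor.

```python
"""Check FortiOS devices against the affected ranges in this advisory
(7.2.0 through 7.2.4 and 7.0.0 through 7.0.11) from the version line that
`get system status` prints.

Added example, not Fortinet tooling. The status lines are constructed, and
the 'upgrade_to' target is simply the first release above each affected
range as the page gives it, not a vendor statement."""
import re

AFFECTED_RANGES = [((7, 2, 0), (7, 2, 4)), ((7, 0, 0), (7, 0, 11))]

# Constructed sample of `get system status` output gathered from several devices.
SAMPLE_STATUS_LINES = [
    "fw-branch-a: Version: FortiGate-100F v7.2.3,build1262,230224 (GA)",
    "fw-branch-b: Version: FortiGate-60F v7.0.12,build0523,230615 (GA)",
    "fw-dc-edge:  Version: FortiGate-VM64 v7.4.1,build2463,230830 (GA.F)",
    "fw-lab:      Version: FortiGate-40F v7.0.5,build0304,220808 (GA)",
]

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_line):
    """Extract (major, minor, patch) from a FortiOS status line."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError(f"no FortiOS version in: {status_line!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the advisory's ranges (inclusive)."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def upgrade_target(version):
    """First version above the affected range that contains `version`, or None."""
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return (high[0], high[1], high[2] + 1)
    return None


def fleet_report(status_lines):
    """Map each status line's device label to its assessment."""
    report = {}
    for line in status_lines:
        label = line.split(":", 1)[0].strip()
        version = parse_version(line)
        report[label] = {"version": version,
                         "affected": is_affected(version),
                         "upgrade_to": upgrade_target(version)}
    return report


if __name__ == "__main__":
    for device, result in fleet_report(SAMPLE_STATUS_LINES).items():
        print(device, result)
```

The check is only as complete as the advisory's list: a branch the page does not mention (7.4 in the constructed sample) is reported as not affected by this particular CVE, not as safe in general, so keep the ranges in step with the vendor's current advisory text.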

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats and tracking the activities of threat actors, ransomware groups, and campaigns, to ensure that customers stay ahead of potential risks.

Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.