CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild.

The vulnerabilities are as follows –

• CVE-2023-36584 (CVSS score: 5.4) – Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability
• CVE-2023-1671 (CVSS score: 9.8) – Sophos Web Appliance Command Injection Vulnerability
• CVE-2020-2551 (CVSS score: 9.8) – Oracle Fusion Middleware Unspecified Vulnerability

CVE-2023-1671 relates to a critical pre-auth command injection vulnerability that allows for the execution of arbitrary code. CVE-2020-2551 is a flaw in the WLS Core Components that allows an unauthenticated attacker with network access to compromise the WebLogic Server.

There are currently no public reports documenting in-the-wild attacks leveraging CVE-2023-1671, but Cybernews disclosed in July 2023 that it had identified a subdomain of the Harvard University – courses.my.harvard[.]edu – that was susceptible to CVE-2020-2551.

On the other hand, the addition of CVE-2023-36584 to the KEV catalog is based on a report from Palo Alto Networks Unit 42 earlier this week, which detailed spear-phishing attacks mounted by pro-Russian APT group known as Storm-0978 (aka RomCom or Void Rabisu) targeting groups supporting Ukraine’s admission into NATO in July 2023.

CVE-2023-36584, patched by Microsoft as part of October 2023 security updates, is said to have been used alongside CVE-2023-36884, a Windows remote code execution vulnerability addressed in July, in an exploit chain to deliver PEAPOD, an updated version of RomCom RAT.

In light of active exploitation, federal agencies are recommended to apply the fixes by December 7, 2023, to secure their networks against potential threats.

Fortinet Discloses Critical Command Injection Bug in FortiSIEM

The development comes as Fortinet is alerting customers of a critical command injection vulnerability in FortiSIEM report server (CVE-2023-36553, CVSS score: 9.3) that could be exploited by attackers to execute arbitrary commands.

CVE-2023-36553 has been described as a variant of CVE-2023-34992 (CVSS score: 9.7), a similar flaw in the same product that was remediated by Fortinet in early October 2023.

“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” the company said in an advisory this week.

The vulnerability, which impacts FortiSIEM versions 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4, has been fixed in versions 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.

Update

When reached for comment on the addition of CVE-2023-1671 to the KEV catalog, Sophos shared the following statement with The Hacker News –

More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we’ve phased out Sophos Web Appliance as previously planned. We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.

(The article was updated after publication to mention that the third security flaw added to the KEV catalog is CVE-2020-2551 and not CVE-2023-2551, which was erroneously referenced in the alert published by CISA.)