This week's vulnerability news include GitHub credential access, a new Chrome fix, and hidden malware from pirated applications hosted on Chinese websites.
Citrix and Ivanti are seeing more problems, too, as more vulnerabilities have cropped up in Netscaler and Endpoint Manager Mobile.
Type of vulnerability: Weaknesses in the network boot process of UEFI's network implementation.
The problem: The Unified Extensible Firmware Interface specification has an open-source network implementation, EDK II, with nine discovered vulnerabilities.
Together, the vulnerabilities are known as PixieFAIL, and unauthenticated attackers are able to target them while the network is booting.
Type of vulnerability: Credential access vulnerability.
The problem: Last week, GitHub released a notice regarding a recent vulnerability discovered by a bug bounty program.
The vulnerability had been discovered and fixed on December 26.
If exploited, this vulnerability could have resulted in credential access in a production container.
GitHub said that it didn't see any evidence that the vulnerability had been found or exploited.
The vulnerability also exists on GitHub Enterprise Server, but it can only be exploited by an authenticated user with an organization owner role.
Cirtrix has announced two vulnerabilities on its Netscaler ADC and NetScaler Gateway appliances, which they've seen exploited in the wild.
We've mentioned vulnerabilities in these two products before, in October, but the new CVEs are different.
CVE-2023-6548 is a remote code execution vulnerability for an authenticated user, and CVE-2023-6549 is a denial-of-service vulnerability.
Type of vulnerability: Out-of-bounds write, out-of-bounds memory access, and type confusion.
The problem: The Chrome Stable Channel for desktop has been updated to fix four vulnerabilities in Chrome, including out-of-bounds V8 write, V8 type confusion, and out-of-bounds V8 memory access.
The problem: Ivanti Endpoint Manager Mobile and MobileIron Core are susceptible to an authentication bypass vulnerability.
Ivanti's community noted this vulnerability in August 2023, but the Cybersecurity and Infrastructure Security Agency just added it to its Known Exploited Vulnerabilities catalog.
MobileIron Core version 11.3 has resolved the vulnerability; any older versions won't have it resolved because they've already been out of support.
Type of vulnerability: Malware from hidden executables in pirated applications.
This Cyber News was published on www.esecurityplanet.com. Publication date: Mon, 22 Jan 2024 23:13:05 +0000