The new year brought few new vulnerabilities; only Ivanti Endpoint Manager and Kyber, the quantum-resistant key encapsulation mechanism, had new vulnerabilities or fixes publicized.
Most of the news came from active attacks on older vulnerabilities, which threaten to expose organizations that are slow to patch.
Speed remains critical, but more importantly, patching teams need to make steady, measurable progress on patch and vulnerability management.
Here's a roundup of the week's major vulnerabilities that security teams should mitigate or patch.
Type of attack: Secure Shell (SSH) vulnerability enables prefix truncation attacks (the attack dubbed Terrapin).
The countries with the most exposed vulnerable SSH servers include the USA, China, and Germany.
The researchers also provide a vulnerability scanner on GitHub, written in Go, that detects vulnerable servers by checking which cipher and MAC modes a server offers and whether it supports the strict key exchange countermeasure.
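To make the mechanism concrete, here is an added example (not code from the article, the Terrapin researchers, or any SSH implementation) that models the SSH transport's implicit per-direction sequence numbers in Python. The message names, the fixed session key and the toy HMAC are stand-ins for the real key exchange and MAC, and only the server-to-client direction is modelled. It shows the shape of the attack: an on-path attacker who injects one unauthenticated SSH_MSG_IGNORE before NEWKEYS can afterwards delete the first encrypted packet (EXT_INFO) without causing a MAC failure, because the receiver's counter was already advanced by the injected packet. It also shows how the strict key exchange countermeasure (rejecting unexpected handshake messages and restarting counters at zero after NEWKEYS) defeats both halves of the attack. The `server_vulnerable` helper applies the algorithm-list criteria from the disclosure to a server's KEXINIT lists.

```python
import hashlib
import hmac

HANDSHAKE_MSGS = {"KEXINIT", "KEXDH_REPLY", "NEWKEYS"}
SESSION_KEY = b"toy-session-key"  # stand-in for the keys a real KEX would derive


class MacFailure(Exception):
    pass


class ProtocolError(Exception):
    pass


def toy_mac(seq: int, msg: str) -> bytes:
    # As in SSH, the MAC (or the AEAD nonce) binds the implicit sequence
    # number to the packet; the number itself is never sent on the wire.
    data = seq.to_bytes(4, "big") + msg.encode()
    return hmac.new(SESSION_KEY, data, hashlib.sha256).digest()


class Endpoint:
    """One side of the transport: independent send and receive counters."""

    def __init__(self, strict_kex: bool):
        self.strict_kex = strict_kex
        self.send_seq = 0
        self.recv_seq = 0
        self.send_encrypted = False
        self.recv_encrypted = False
        self.received = []

    def send(self, msg: str):
        tag = toy_mac(self.send_seq, msg) if self.send_encrypted else None
        self.send_seq += 1
        if msg == "NEWKEYS":
            self.send_encrypted = True
            if self.strict_kex:
                self.send_seq = 0  # countermeasure: counters restart after NEWKEYS
        return msg, tag

    def receive(self, packet):
        msg, tag = packet
        if self.recv_encrypted:
            if not hmac.compare_digest(tag or b"", toy_mac(self.recv_seq, msg)):
                raise MacFailure(msg)
        elif self.strict_kex and msg not in HANDSHAKE_MSGS:
            # countermeasure: only key exchange messages are tolerated during KEX
            raise ProtocolError(msg)
        self.recv_seq += 1
        self.received.append(msg)
        if msg == "NEWKEYS":
            self.recv_encrypted = True
            if self.strict_kex:
                self.recv_seq = 0


SERVER_SCRIPT = ["KEXINIT", "KEXDH_REPLY", "NEWKEYS", "EXT_INFO", "SERVICE_ACCEPT"]


def run_handshake(strict_kex: bool, inject_ignore: bool, drop_ext_info: bool):
    """Server-to-client direction with an on-path attacker.
    Returns (outcome, messages the client accepted)."""
    server, client = Endpoint(strict_kex), Endpoint(strict_kex)
    wire = []
    for msg in SERVER_SCRIPT:
        if msg == "NEWKEYS" and inject_ignore:
            wire.append(("IGNORE", None))  # forged: the handshake is still unauthenticated
        packet = server.send(msg)
        if msg == "EXT_INFO" and drop_ext_info:
            continue  # attacker silently deletes the first encrypted packet
        wire.append(packet)
    try:
        for packet in wire:
            client.receive(packet)
    except MacFailure:
        return "mac_failure", client.received
    except ProtocolError:
        return "protocol_error", client.received
    return "ok", client.received


def server_vulnerable(kex_algs, ciphers, macs) -> bool:
    """Algorithm-list test from the disclosure applied to a server's KEXINIT."""
    if "kex-strict-s-v00@openssh.com" in kex_algs:
        return False
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and any(
        m.endswith("-etm@openssh.com") for m in macs)
    return chacha or cbc_etm


if __name__ == "__main__":
    print(run_handshake(False, True, True))  # no error, yet EXT_INFO never arrived
    print(run_handshake(True, True, True))   # strict kex: forged IGNORE ends the handshake
```

Deleting EXT_INFO alone, without the injected IGNORE, is caught by the MAC check in both modes; the injection is what realigns the counters, which is why strict key exchange both refuses the injected message and resets the counters.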
Type of attack: Arbitrary or remote code execution (ACE/RCE) through data import/export operations in Excel-related functions of web applications, and denial of service crashes or ACE/RCE from a heap buffer overflow in Chrome.
The problem: The US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Versions 0.65 and older of the Perl Spreadsheet::ParseExcel library contain an RCE vulnerability exploited by Chinese hackers, as noted on December 24th. Chrome's WebRTC real-time communication component contains a heap buffer overflow that can crash Chrome or allow code execution.
Type of attack: A SQL injection vulnerability permits an RCE attack that allows hijacking of enrolled devices or even the core server.
Type of attack: Critical RCE vulnerability in unpatched or partially patched RocketMQ services.
The problem: The Shadowserver Foundation's logs show hundreds of hosts scanning for exposed RocketMQ systems still vulnerable to the original critical RCE vulnerability, CVE-2023-33246, patched earlier in 2023.
The initial patch didn't fully fix the flaw, leading to a second vulnerability, CVE-2023-37582, rated 9.8 out of 10 for severity.
Apache had released patches for both vulnerabilities by July 2023, yet roughly six months later attackers are still searching for unpatched hosts.
Type of attack: Timing-based attack on Kyber implementations can expose secret keys.
Kyber's decapsulation step, as written in the reference code, performs integer divisions on values derived from secret data; because the divide instruction's execution time on many CPUs depends on its operands, timing-based attacks, dubbed KyberSlash, can recover the secret key, and the researchers' demonstration succeeded in as many as two out of three attempts.
Researchers reported the first vulnerability, KyberSlash1, to Kyber's developers in November 2023 and discovered KyberSlash2 in December.
The Kyber development team patched both promptly, but not every project or tool that embeds Kyber has incorporated the patches as quickly.
Some libraries and tools were never affected, and some are now fully patched for both; check the status of the specific implementation you ship rather than assuming either.
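An added example (not code from the Kyber reference implementation, the KyberSlash researchers, or the article) that shows in Python the shape of the division KyberSlash targets next to the division-free replacement, and checks that the two agree for every coefficient in [0, q). The 1-bit case models the message decoding step in decapsulation, where KyberSlash1 was found; the 4-bit case models ciphertext compression, where KyberSlash2 was found. The constants 80635, 28 and 1665 follow the multiply-and-shift form of the upstream fix; the `mismatches` helper is added here to show why the rounding constant became 1665 rather than q/2 = 1664. Python integers are not where the leak lives: on the C side it is the CPU divide instruction, with operand-dependent latency, that the timing attack measures, so the value of this check is confirming that the replacement is exact before shipping it.

```python
KYBER_Q = 3329
MASK32 = 0xFFFFFFFF


def compress_with_division(coeff: int, bits: int) -> int:
    """Shape of the code KyberSlash exploits: round(coeff * 2^bits / q) mod 2^bits,
    computed with a division whose dividend is derived from secret data."""
    mask = (1 << bits) - 1
    return (((coeff << bits) + KYBER_Q // 2) // KYBER_Q) & mask


def compress_multiply_shift(coeff: int, bits: int, rounding: int = 1665) -> int:
    """Division-free replacement: 80635 / 2^28 is just under 1 / 3329.
    The & MASK32 emulates the uint32_t used in C; the wraparound it allows is
    harmless because of the final mask (2^32 / 2^28 = 16 >= 2^bits here)."""
    mask = (1 << bits) - 1
    d = (((coeff << bits) + rounding) * 80635) & MASK32
    return (d >> 28) & mask


def mismatches(bits: int, rounding: int = 1665) -> list:
    """Coefficients in [0, q) where the two forms disagree."""
    return [c for c in range(KYBER_Q)
            if compress_with_division(c, bits) != compress_multiply_shift(c, bits, rounding)]


def replacement_is_exact(bits: int) -> bool:
    """True when the multiply-and-shift form matches the division for all inputs."""
    return not mismatches(bits)


if __name__ == "__main__":
    for bits in (1, 4):
        print(f"{bits}-bit: exact={replacement_is_exact(bits)}; "
              f"with q//2 rounding the multiply form fails at {mismatches(bits, KYBER_Q // 2)}")
```

Because 80635 / 2^28 is slightly below 1 / 3329, a dividend that is an exact multiple of q would round down one step too far; adding 1665 instead of 1664 shifts every dividend up by one so that the only inputs where the approximation errs are exactly the ones where the original division's floor also drops, which is why the exhaustive check passes.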
This Cyber News was published on www.esecurityplanet.com. Publication date: Mon, 08 Jan 2024 22:13:04 +0000