The US cybersecurity agency CISA added Sophos, Oracle and Microsoft product flaws to its Known Exploited Vulnerabilities (KEV) catalog on Thursday.
The Sophos flaw that the agency says has been exploited in attacks is CVE-2023-1671, a critical Sophos Web Appliance vulnerability that can be exploited by an unauthenticated attacker for arbitrary code execution.
Sophos announced patches in April, when it also informed customers that the impacted appliance would reach end of life on July 20, 2023.
There do not appear to be any public reports describing attacks exploiting CVE-2023-1671 and Sophos could not provide clarifications to SecurityWeek by the time this article was published. [statement added in an update at the end of the article]
It’s not uncommon for threat actors to exploit Sophos product vulnerabilities in their attacks. Some attacks have been linked to a Chinese APT and targeted government and other organizations in South Asia.
CISA’s KEV list currently includes four other Sophos product vulnerabilities, found in 2020 and 2022.
The second vulnerability added to CISA’s KEV list on Thursday is CVE-2020-2551, an Oracle WebLogic Server flaw that can be exploited by unauthenticated attackers to take control of affected servers.
CVE-2020-2551 was one of the four vulnerabilities targeted for initial compromise by a Chinese threat actor, according to a blog post published in early June by threat intelligence company EclecticIQ. The attacks seen by the security firm were aimed at government and critical infrastructure organizations in Taiwan.
It’s worth noting that at the time of writing CVE-2020-2551 is erroneously referenced as CVE-2023-2551 in an alert published by CISA. The correct CVE identifier is used in the KEV catalog, but not in the alert.
CISA on Thursday also added CVE-2023-36584 to its KEV catalog. This vulnerability allows attackers to bypass the Mark of the Web (MotW) security feature in Windows.
Details of the vulnerability were disclosed on November 13 by Palo Alto Networks, whose researchers discovered the flaw. The researchers identified CVE-2023-36584 during an analysis of attacks launched by a Russia-linked APT, which leveraged a different MotW bypass flaw tracked as CVE-2023-36884, whose exploitation came to light in July.
However, Palo Alto Networks’ blog post does not clearly state that CVE-2023-36584 has been exploited as well. In addition, Microsoft’s October 10 advisory says the vulnerability has not been exploited.
It’s unclear whether CISA has other evidence of exploitation for CVE-2023-36584 (the newly added flaw, not CVE-2023-36884, whose exploitation is already established) or whether it may have misinterpreted Palo Alto Networks’ blog post. The agency says it only adds vulnerabilities to its KEV catalog when it has reliable evidence of exploitation, but it has been known to remove CVEs from the list.
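Two practical points from the above are worth automating: matching an asset inventory against the KEV catalog, and catching identifier slips like the CVE-2023-2551 typo in CISA’s alert before they propagate into tickets. The script below is an added example (not code from SecurityWeek, CISA or any vendor named here); it follows the field layout of CISA’s public KEV JSON feed (a `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), but the feed entries, dates and asset names are constructed for the example rather than copied from the live catalog.

```python
"""Triage an asset inventory against a CISA KEV-format feed.

Added example, not SecurityWeek's or CISA's code. The feed below mimics the
layout of the public KEV JSON; its entries and dates are constructed.
"""
import json
import re

# MITRE CVE ID syntax: year plus a sequence number of at least four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed KEV-style feed (real one:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07"},
        {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07"},
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07"},
        {"cveID": "CVE-2023-36884", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-07-17", "dueDate": "2023-08-08"},
    ],
})

# Constructed inventory: (asset, CVE as it appeared in the source ticket/scan).
INVENTORY = [
    ("swa-01.example", "CVE-2023-1671"),
    ("wls-prod-03", "cve-2020-2551"),    # lowercase, normalised below
    ("wls-prod-03", "CVE-2023-2551"),    # the mistyped ID from the CISA alert
    ("ws-finance-12", "CVE-2023-36584"),
    ("ws-finance-12", "CVE-2023-36884"),
    ("legacy-ticket", "CVE-23-1671"),    # malformed year field
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV-format feed by cveID, rejecting malformed identifiers."""
    feed = json.loads(feed_json)
    catalog = {}
    for entry in feed["vulnerabilities"]:
        cve = entry["cveID"].strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"malformed cveID in feed: {entry['cveID']!r}")
        catalog[cve] = entry
    return catalog


def triage(inventory, catalog: dict, today: str) -> dict:
    """Split (asset, cve) pairs into KEV hits, unlisted IDs and malformed IDs.

    `today` is an ISO date; a hit is 'overdue' when the feed's dueDate is
    earlier. Hits are ordered overdue-first, then by due date.
    """
    hits, not_listed, malformed = [], [], []
    for asset, raw in inventory:
        cve = raw.strip().upper()
        if not CVE_RE.match(cve):
            malformed.append((asset, cve))
            continue
        entry = catalog.get(cve)
        if entry is None:
            # Well-formed but absent: either genuinely not on KEV, or a typo
            # such as CVE-2023-2551 for CVE-2020-2551. Check it by hand.
            not_listed.append((asset, cve))
            continue
        due = entry["dueDate"]
        hits.append({
            "asset": asset,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due,
            "overdue": due < today,   # ISO dates compare correctly as strings
        })
    hits.sort(key=lambda h: (not h["overdue"], h["due"]))
    return {"on_kev": hits, "not_listed": not_listed, "malformed": malformed}


if __name__ == "__main__":
    report = triage(INVENTORY, load_kev(KEV_FEED), today="2023-11-17")
    for h in report["on_kev"]:
        flag = "OVERDUE" if h["overdue"] else "due " + h["due"]
        print(f'{h["asset"]:<16} {h["cve"]:<16} {h["product"]:<24} {flag}')
    print("not on KEV (verify ID):", report["not_listed"])
    print("malformed IDs:", report["malformed"])
```

The three buckets matter operationally: a well-formed ID that is not in the catalog deserves a manual look rather than a silent "no action", because it may be a transcription error like the one in CISA’s alert, while a malformed ID should be bounced back to whoever filed it. Swap `KEV_FEED` for the downloaded feed and `INVENTORY` for your scanner export to use it for real.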
UPDATE: Sophos has provided the following statement to SecurityWeek:
“More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we’ve phased out Sophos Web Appliance as previously planned. We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.”
Palo Alto Networks has confirmed to SecurityWeek that it hasn’t observed exploitation of the new MotW bypass vulnerability.
“The ‘new’ vulnerability (CVE-2023-36584) is Unit 42’s discovery from the exploit chain, which hasn’t been observed as exploited in the wild. We first analyzed CVE-2023-36884 and determined how to execute the vulnerability. We reported to Microsoft our research based on studying CVE-2023-36884 and we were awarded a bug bounty and CVE (CVE-2023-36584). Microsoft did not confirm that the techniques we shared with them were used by the threat actors,” explained Mike Harbison, distinguished engineer in Palo Alto Networks’ Unit 42.