CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability

CISA adds Sophos, Oracle and Microsoft product security holes to its Known Exploited Vulnerabilities (KEV) catalog.

Sophos CVE-2023-1671 exploited

The US cybersecurity agency CISA added Sophos, Oracle and Microsoft product flaws to its Known Exploited Vulnerabilities (KEV) catalog on Thursday.

The Sophos flaw that the agency says has been exploited in attacks is CVE-2023-1671, a critical Sophos Web Appliance vulnerability that can be exploited by an unauthenticated attacker for arbitrary code execution. 

Sophos announced patches in April, when it also informed customers that the impacted appliance would reach end of life on July 20, 2023.

There do not appear to be any public reports describing attacks exploiting CVE-2023-1671 and Sophos could not provide clarifications to SecurityWeek by the time this article was published. [statement added in an update at the end of the article]

It’s not uncommon for threat actors to exploit Sophos product vulnerabilities in their attacks. Some attacks have been linked to a Chinese APT and targeted government and other organizations in South Asia. 

CISA’s KEV list currently includes four other Sophos product vulnerabilities, found in 2020 and 2022. 

The second vulnerability added to CISA’s KEV list on Thursday is CVE-2020-2551, an Oracle WebLogic Server flaw that can be exploited by unauthenticated attackers to take control of affected servers. 

CVE-2020-2551 was one of the four vulnerabilities targeted for initial compromise by a Chinese threat actor, according to a blog post published in early June by threat intelligence company EclecticIQ. The attacks seen by the security firm were aimed at government and critical infrastructure organizations in Taiwan. 

It’s worth noting that at the time of writing CVE-2020-2551 is erroneously referenced as CVE-2023-2551 in an alert published by CISA. The correct CVE identifier is used in the KEV catalog, but not in the alert.

CISA on Thursday also added CVE-2023-36584 to its KEV catalog. This vulnerability allows attackers to bypass the Mark of the Web (MotW) security feature in Windows. 

Details of the vulnerability were disclosed on November 13 by Palo Alto Networks, whose researchers discovered the flaw. The researchers identified CVE-2023-36584 during an analysis of attacks launched by a Russia-linked APT, which leveraged a different MotW bypass flaw tracked as CVE-2023-36884, whose exploitation came to light in July.

However, Palo Alto Networks’ blog post does not clearly state that CVE-2023-36584 has been exploited as well. In addition, Microsoft’s October 10 advisory says the vulnerability has not been exploited.  

It’s unclear if CISA has other evidence of exploitation for CVE-2023-36884 or if it may have misinterpreted Palo Alto Networks’ blog post. The agency says it only adds vulnerabilities to its KEV catalog if it has reliable evidence of exploitation, but it has been known to remove CVEs from the list. 
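The KEV catalog, and the mis-referenced CVE identifier noted above, are the kind of thing a defender checks mechanically rather than by eye. The following is an added example, not code from SecurityWeek, CISA or any vendor named in the article. It indexes a constructed subset of the KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and requiredAction are the feed's real ones; the dates and required-action text are placeholders), matches the catalog against a constructed asset inventory, and extracts CVE identifiers from an advisory's text to flag any that the catalog does not contain, which is exactly how a CVE-2023-2551 style typo surfaces.

```python
"""Cross-check an asset inventory and an advisory text against the CISA KEV catalog.

Added example, not code from the article, CISA or Sophos. The catalog below
mirrors the real KEV feed's field names but its entries are a constructed
sample: dates and requiredAction strings are placeholders.
"""
import re

# CVE identifiers are CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# Constructed subset of the KEV feed. Only the cveIDs come from the article;
# dateAdded, dueDate and requiredAction are placeholder values.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply vendor patch; product is end-of-life."},
        {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Constructed asset inventory. CVE-2099-0001 is a placeholder ID that is
# deliberately absent from the catalog, to show that non-KEV CVEs are ignored.
INVENTORY = [
    {"asset": "proxy-01", "vendor": "Sophos", "product": "Web Appliance",
     "open_cves": ["CVE-2023-1671"]},
    {"asset": "app-02", "vendor": "Oracle", "product": "WebLogic Server",
     "open_cves": ["CVE-2020-2551", "CVE-2099-0001"]},
    {"asset": "ws-17", "vendor": "Microsoft", "product": "Windows",
     "open_cves": ["CVE-2023-36584"]},
]

# Constructed advisory text reproducing the mismatch described in the article:
# it cites CVE-2023-2551 where the catalog actually lists CVE-2020-2551.
ALERT_TEXT = (
    "CISA has added CVE-2023-1671, CVE-2023-2551 and CVE-2023-36584 "
    "to its Known Exploited Vulnerabilities catalog."
)


def index_kev(feed):
    """Return {cveID: entry} for a KEV-shaped feed, rejecting malformed IDs."""
    catalog = {}
    for entry in feed["vulnerabilities"]:
        cve = entry["cveID"]
        if not CVE_RE.fullmatch(cve):
            raise ValueError(f"malformed cveID in feed: {cve!r}")
        catalog[cve] = entry
    return catalog


def kev_exposure(inventory, catalog):
    """List every (asset, CVE) pair where the open CVE is in the KEV catalog.

    Findings are ordered by KEV due date, then asset name, so the most urgent
    remediation deadlines come first.
    """
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue  # open, but not known-exploited: lower priority
            findings.append({
                "asset": asset["asset"],
                "cveID": cve,
                "vendorProject": entry["vendorProject"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "requiredAction": entry["requiredAction"],
            })
    return sorted(findings, key=lambda f: (f["dueDate"], f["asset"]))


def unlisted_references(text, catalog):
    """CVE IDs cited in an advisory text that the catalog does not contain.

    A non-empty result means either the advisory has a typo or the catalog
    snapshot is stale; both deserve a human look before acting on the alert.
    """
    cited = sorted(set(CVE_RE.findall(text)))
    return [cve for cve in cited if cve not in catalog]


if __name__ == "__main__":
    cat = index_kev(KEV_SAMPLE)
    for f in kev_exposure(INVENTORY, cat):
        print(f"{f['dueDate']}  {f['asset']:<10} {f['cveID']:<16} {f['requiredAction']}")
    print("cited but not in catalog:", unlisted_references(ALERT_TEXT, cat))
```

Against the live feed you would replace `KEV_SAMPLE` with the parsed contents of CISA's known_exploited_vulnerabilities.json and the inventory with output from your vulnerability scanner; the matching logic does not change. The `index_kev` validation step is there because a catalog entry with a malformed ID would silently fail to match anything, which is a worse failure than an exception.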

UPDATE: Sophos has provided the following statement to SecurityWeek:

“More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we’ve phased out Sophos Web Appliance as previously planned. We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.”

Palo Alto Networks has confirmed to SecurityWeek that it hasn’t observed exploitation of the new MotW bypass vulnerability.

“The ‘new’ vulnerability (CVE-2023-36584) is Unit 42’s discovery from the exploit chain, which hasn’t been observed as exploited in the wild. We first analyzed CVE-2023-36884 and determined how to execute the vulnerability. We reported to Microsoft our research based on studying CVE-2023-36884 and we were awarded a bug bounty and CVE (CVE-2023-36584). Microsoft did not confirm that the techniques we shared with them were used by the threat actors,” explained Mike Harbison, distinguished engineer in Palo Alto Networks’ Unit 42.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.