A vulnerability in iOS/iPadOS 16 and macOS 13, identified as CVE-2023-41974, was discovered by Félix Poulin-Bélanger. Poulin-Bélanger recently published extensive proof-of-concept code that wins a race condition and exploits a use-after-free, yielding kernel read and write primitives. Apple recently patched this vulnerability in a security release for iOS and iPadOS 17. Apple has also released macOS updates addressing other use-after-free vulnerabilities.
On Christmas Day, Anna Jaques Hospital, a healthcare facility in Newburyport, MA, experienced a severe cyberattack that caused a critical outage in its medical records system. This incident had immediate repercussions, causing the diversion of ambulances to other medical facilities until the hospital was able to receive patients again on December 26, 2023.
Barracuda has an ongoing investigation into a threat actor exploiting an arbitrary code execution vulnerability affecting its Email Security Gateway Appliance (ESG). The vulnerability, tracked as CVE-2023-7102, is a zero-day in the open-source third-party library Spreadsheet::ParseExcel. Attackers trigger it by sending a specially crafted Excel email attachment to targeted ESG devices.
A critical vulnerability has been discovered in Apache OFBiz resulting from an incomplete fix for CVE-2023-49070. Discovered by SonicWall, it is tracked as CVE-2023-51467 and classified as an authentication bypass vulnerability. According to NVD, it allows attackers to bypass authentication and achieve a simple server-side request forgery (SSRF). This vulnerability can be considered a zero-day, as proof-of-concept code is available from SonicWall's investigation.
Google released an advisory on December 20th detailing a new Stable Channel update for Desktop. This release patches CVE-2023-7024, and Google reports that an exploit for the vulnerability exists in the wild. Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group discovered and reported this zero-day. Not much information is available at this time for CVE-2023-7024, but it is described as a heap buffer overflow in WebRTC.
Microsoft has identified several vulnerabilities in Perforce Helix Core Server, the most critical of which is CVE-2023-45849. With a CVSS score of 9.8, this vulnerability allows arbitrary code execution resulting in privilege escalation. It manifests if the administrator setting up the server does not run the “p4 protect” command immediately after installation. Without this command, an unauthenticated anonymous attacker could run arbitrary command lines (for example, PowerShell) as LocalSystem when Perforce Server is installed in its default configuration.
An OS command injection vulnerability exists in AE1021PE/AE1021 routers running firmware version 2.0.9 and earlier. The vulnerability is tracked as CVE-2023-49897 and has a CVSS score of 8.8 (HIGH). If exploited, it allows an attacker who can log in to the product to execute arbitrary OS commands. The vulnerability is currently under active exploitation by the “InfectedSlurs” botnet and has been designated a zero-day.
Every second Tuesday of the month, Microsoft releases security fixes for many of its software products. This is known as “Patch Tuesday.” December 2023 was a lighter Patch Tuesday than usual, with only a small number of critical vulnerabilities requiring patching. Of the 33 vulnerabilities reported, 4 are rated ‘critical’ and 29 ‘important.’
The Hershey Company, a renowned candy manufacturer, recently experienced a significant data breach affecting 2,214 individuals. The breach, which occurred between September 3 and 4, originated from a targeted phishing attack on employee accounts. Although the breach was detected promptly, the company is still working with a forensics team and law enforcement to assess the incident's impact.