Weekly Vulnerabilities Review (October 11 – October 17)

Let’s take a brief look at last week’s vulnerability news. In the spotlight: Oracle, Google, WP Royal, Cisco, CISA, FBI, MS-ISAC, Atlassian, Signal, Juniper Networks, Squid.

Oracle has released 387 new security patches in its October 2023 CPU, fixing vulnerabilities in its own code and in various third-party components. Oracle's advisory indicates that over 40 of these patches address critical-severity flaws, while over 200 target vulnerabilities that can be exploited remotely without authentication.

Google’s cybersecurity division, Mandiant, reported on a critical flaw in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. This vulnerability, identified as CVE-2023-4966 with a CVSS score of 9.4, had been exploited as a zero-day since August. The flaw can be exploited without authorization to leak sensitive data from on-premises devices configured as a Gateway or an AAA virtual server.

The Royal Elementor Addons and Templates WordPress plugin is under scrutiny due to a critical flaw that has been exploited as a zero-day for over a month. This plugin, a product of WP Royal, helps domain administrators build websites without coding knowledge. The Royal Elementor plugin has over 200,000 active installations within the WordPress ecosystem.

Cisco has alerted its customers to a new zero-day vulnerability affecting its IOS XE software, which attackers are exploiting to compromise devices. The vulnerability, tracked as CVE-2023-20198, is a privilege escalation flaw that impacts the IOS XE web user interface available in the default software image. A remote, unauthenticated attacker can leverage this flaw to create an account with the highest privilege level, gaining complete control of the target device.

The US cybersecurity agency CISA, the FBI, and the MS-ISAC have issued a joint warning about the potential wide-scale exploitation of a new zero-day vulnerability in Atlassian Confluence Data Center and Server. This bug, identified as CVE-2023-22515 and carrying a CVSS score of 9.8, was exploited by a nation-state adversary starting September 14, approximately a fortnight before Atlassian released patches.

Contrary to widespread speculation, Signal, the privacy-centric messaging company, has refuted claims of a zero-day exploit in its encrypted messaging application. Rumors of a Signal zero-day vulnerability began to spread, suggesting that the app’s “generate link preview” function could be abused to gain complete access to user devices.

Juniper Networks, a manufacturer of networking equipment, released patches for over 30 vulnerabilities in Junos OS and Junos OS Evolved last Thursday. Of these, nine are high-risk vulnerabilities. The most severe of these allows an unauthorized user with local device access to create a backdoor with root permissions.

A multitude of flaws in the Squid web caching and forwarding proxy remain unresolved two years after they were responsibly disclosed to the developers. Squid, a widely used open-source proxy, is integrated into numerous devices and systems, often without the user's knowledge. Squid is embedded in many home and office firewall appliances, while others deploy it in large-scale web proxy setups to improve both broadband and dial-up internet connectivity.