
Sophos, Oracle and Microsoft vulnerabilities added to CISA’s KEV catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added flaws in products from three major vendors, Sophos, Oracle and Microsoft, to its catalog of Known Exploited Vulnerabilities (KEV). The catalog tells organizations which vulnerabilities threat actors are actively exploiting, so that they can prioritize patching and other mitigations accordingly; US federal civilian agencies are required under Binding Operational Directive 22-01 to remediate each listed entry by its due date.
CVE-2023-1671, the exploited Sophos Web Appliance Vulnerability
The Sophos entry in CISA's update is CVE-2023-1671, a pre-authentication command injection flaw in the Sophos Web Appliance. The flaw allows an unauthenticated attacker to execute arbitrary code on the appliance, which makes any successful breach considerably more damaging, and its inclusion in the catalog means CISA has evidence that it is being used in attacks.
No reports of attacks exploiting CVE-2023-1671
Despite the confirmed existence of this vulnerability and its usefulness to attackers, there are as yet no public reports describing attacks that exploit CVE-2023-1671. Staying ahead of such threats is nonetheless key to maintaining a robust defense: acknowledging the vulnerability lets organizations patch or retire affected appliances proactively and limit the reach of any attack.
Previous attacks on Sophos products linked to Chinese APT groups targeting South Asian organizations
Before this alert, earlier warnings about exploitation of Sophos products had been attributed to Chinese Advanced Persistent Threat (APT) groups, whose campaigns targeted organizations in South Asia among others. These groups exploited the vulnerabilities for a range of malicious activity, a clear illustration of the persistent challenge businesses face and of the need for continuous vigilance and robust security measures.
Four other Sophos vulnerabilities on CISA’s KEV list
Besides CVE-2023-1671, the CISA KEV catalog already lists four other vulnerabilities in Sophos products. Understanding and addressing those is just as critical to the overall security of any business using these products, and the entries underscore how persistently attackers keep returning to edge and security appliances.
Other vulnerabilities listed by CISA
CISA's recent update to the Known Exploited Vulnerabilities (KEV) catalog covers not only the Sophos product flaw but also significant vulnerabilities in Oracle and Microsoft products. Together they highlight the importance of timely updating and patching to avert security breaches.
CVE-2020-2551, an Oracle WebLogic Server flaw targeted by a Chinese threat actor
Another entry in the updated KEV catalog is CVE-2020-2551, a deserialization flaw in the IIOP protocol handler of Oracle WebLogic Server, part of Oracle Fusion Middleware, that allows unauthenticated remote code execution. Although Oracle patched it in its January 2020 Critical Patch Update, it still represents a significant risk, because attackers actively look for gaps in patch management. CVE-2020-2551 has been targeted by a Chinese threat actor, demonstrating how critical it is for organizations to stay current with patches for older vulnerabilities as well as new ones.
Attacks targeted Taiwanese government and critical infrastructure organizations
Threat actors exploiting vulnerabilities such as CVE-2020-2551 have previously focused their attacks on the Taiwanese government and critical infrastructure organizations. These campaigns show how far attackers will go to exploit weaknesses in exposed systems, and the consequences such attacks can have for national security and essential services.
CVE-2023-36584, a Windows vulnerability exploited by a Russia-linked APT
The third addition is CVE-2023-36584, a security feature bypass in Windows' Mark of the Web (MotW). MotW tags files downloaded from the internet (via the Zone.Identifier alternate data stream) so that Office opens them in Protected View and SmartScreen warns before they run; a bypass lets a crafted file evade those warnings. CISA's listing reflects reports that the flaw has been exploited by a Russia-linked Advanced Persistent Threat (APT) group, once again highlighting the global scope of cyber threats and the need for continuous vigilance and robust defenses.
CISA methodology and corrections
CISA follows a defined methodology in compiling the Known Exploited Vulnerabilities (KEV) catalog: only vulnerabilities with an assigned CVE ID, a clear remediation action and reliable evidence of active exploitation are added. This keeps the catalog accurate and prevents organizations from panicking or spending resources on threats that are not real.
Misinterpretation of Palo Alto Networks’ blog post could have led to the addition of CVE-2023-36584
Surprisingly, it has been suggested that a misinterpretation of a Palo Alto Networks blog post could be what led to CVE-2023-36584 being added to the KEV catalog. This highlights the importance of precise communication when discussing vulnerabilities, to prevent confusion and misinformation.
Previous instances of CISA removing CVEs from the list
In keeping with its commitment to accuracy, CISA has in the past removed CVEs from the KEV catalog, typically when follow-up investigation fails to substantiate the original claim of exploitation. Organizations that track the catalog should therefore watch for removals as well as additions.
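The catalog is published as a machine-readable JSON feed, so the workflow the article describes (watching what CISA adds and removes, then prioritizing the findings that appear in the catalog) is easy to automate. The following Python is an added example, not code from the article or from CISA: it diffs two snapshots of the catalog and ranks scanner findings that CISA has marked as exploited, overdue items first. The snapshots and scanner findings are constructed inline in the shape of the real feed (the field names match the published JSON; the entries are abbreviated and the dates are illustrative), so the script runs offline.

```python
"""Diff two CISA KEV snapshots and rank scanner findings that appear in the catalog.

Added example. The JSON below is CONSTRUCTED in the shape of the real feed, which is
published at KEV_URL; only the field names are taken from the real feed, the entries
are abbreviated and the dates are illustrative.
"""
import json

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed snapshot "before" the update discussed in the article.
KEV_BEFORE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.11.15",
    "vulnerabilities": [
        {"cveID": "CVE-2020-12271", "vendorProject": "Sophos", "product": "XG Firewall",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed snapshot "after" the update: the three CVEs from the article are present.
KEV_AFTER = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.11.16",
    "vulnerabilities": [
        {"cveID": "CVE-2020-12271", "vendorProject": "Sophos", "product": "XG Firewall",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-11-16", "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed vulnerability-scanner output: host -> CVE IDs reported on it.
# CVE-2020-14882 is deliberately absent from the constructed catalog above, so it
# is filtered out: the point of the catalog is to separate exploited from merely present.
FINDINGS = {
    "proxy-01": ["CVE-2023-1671"],
    "weblogic-01": ["CVE-2020-2551", "CVE-2020-14882"],
    "ws-042": ["CVE-2023-36584"],
}


def load_kev(text):
    """Parse a KEV feed document into {cveID: entry}.

    A document without the top-level "vulnerabilities" list raises KeyError instead
    of silently yielding an empty catalog, which would make every finding look clean.
    """
    doc = json.loads(text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def diff_catalogs(before, after):
    """Return (added, removed) CVE IDs between two snapshots, each sorted.

    Removals are tracked on purpose: CISA has withdrawn entries whose exploitation
    evidence did not hold up, and a tracker that only watches additions misses that.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return added, removed


def prioritise(findings, kev, today):
    """Rank scanner findings that appear in the KEV catalog.

    `today` is an ISO date string; ISO dates compare correctly as plain strings.
    Returns a list of dicts ordered overdue-first, then by due date, then by host.
    """
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # present but not known-exploited: lower priority, not listed here
            rows.append({
                "host": host,
                "cve": cve,
                "due": entry["dueDate"],
                "overdue": today > entry["dueDate"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    rows.sort(key=lambda r: (not r["overdue"], r["due"], r["host"]))
    return rows


if __name__ == "__main__":
    before, after = load_kev(KEV_BEFORE), load_kev(KEV_AFTER)
    added, removed = diff_catalogs(before, after)
    print("added:", added)
    print("removed:", removed)
    for row in prioritise(FINDINGS, after, "2023-12-10"):
        print(row)
```

In production the two snapshots would be yesterday's and today's download of KEV_URL, and the findings would come from the scanner's export; the matching is by CVE ID only, so product names in the catalog are informational and do not need to be normalized against the inventory.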
Updates from Sophos and Palo Alto Networks, post-announcement
Following CISA's alert, both Sophos and Palo Alto Networks responded promptly with clarifying statements.
Statement from Sophos: Patch for CVE-2023-1671 rolled out months ago, encouraged users to upgrade to Sophos Firewall
In response to the listing, Sophos stated that a patch for CVE-2023-1671 was rolled out months ago and, the Web Appliance having since reached end-of-life, recommended that customers migrate to Sophos Firewall, which it describes as more secure and more fully featured.
Palo Alto Networks confirms no observed exploitation of CVE-2023-36584 in the wild
For its part, Palo Alto Networks confirmed that it has not observed exploitation of CVE-2023-36584 in the wild. The clarification supports CISA's stated goal of keeping the details in the KEV catalog accurate and reliable.