Multiple critical remote code execution (RCE) vulnerabilities have been disclosed and patched over the past week in several widely used enterprise software products, prompting urgent warnings from cybersecurity agencies to apply patches. The affected software includes Citrix NetScaler ADC and Gateway, VMware Workspace ONE Access, Atlassian Confluence, and Google Chrome.
New Citrix NetScaler Zero-Days Actively Exploited
On January 16th, Citrix disclosed two new zero-day vulnerabilities affecting certain versions of Citrix NetScaler ADC and Gateway that could allow unauthenticated remote code execution. According to Citrix, these vulnerabilities are already being actively exploited in attacks.
The two flaws, tracked as CVE-2023-22509 and CVE-2023-22510, affect NetScaler ADC and Gateway version 13.0 and Citrix SD-WAN WANOP version 11.1 and earlier. Patches have been released to address the vulnerabilities.
In response, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 23-01, requiring all federal civilian executive branch agencies to either patch or mitigate the flaws within 7 days or disconnect affected devices.
“CISA has determined this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires an immediate and emergency action. This determination is based on the likelihood and consequence of the vulnerability being exploited,” the agency said.
According to security researchers, NetScaler devices have become an increasingly attractive target for attackers over the past year due to the product’s wide install base and accessibility from the internet. Successful exploitation of the flaws could allow takeover of the underlying server.
Critical Atlassian Confluence RCE
Also on January 16th, Atlassian disclosed a critical severity vulnerability affecting outdated versions of its Confluence Server and Data Center products that could allow unauthenticated remote code execution.
The RCE flaw, tracked as CVE-2023-22527 and affecting Confluence Server and Data Center versions 7.4.11 and earlier, 7.5.5 and earlier, 7.11.6 and earlier and all versions of 7.12.x and 7.13.x, stems from a lack of input validation in the sharing feature.
Atlassian notes that Confluence instances are only vulnerable if the sharing feature is enabled. All customer instances hosted on atlassian.com are not affected.
“This vulnerability allows for unauthenticated remote code execution on affected Confluence Server and Data Center instances, due to improper validation of user-supplied templates. This vulnerability can be exploited by sending a malicious request to upload template files,” Atlassian said.
The company has released Confluence Server and Data Center version 7.4.12 and 7.13.7 to address the flaw and is urging customers to upgrade as soon as possible.
Given the widespread use of Confluence and the ease of exploitability of the flaw, multiple cybersecurity agencies and experts are warning that scans and attacks are likely already underway.
“This vulnerability is being widely exploited in active attacks. Upgrade Confluence as soon as possible!”, tweeted popular cybersecurity researcher Kevin Beaumont.
VMware Fixes RCE Flaw Affecting Workspace ONE Access
VMware has also patched a critical severity authentication bypass and remote code execution vulnerability affecting VMware Workspace ONE Access, an identity and access management solution used by enterprise customers.
The vulnerability, tracked as CVE-2023-21729 and affecting Workspace ONE Access versions earlier than 21.09, could enable a malicious actor to bypass authentication and upload malicious files that enable remote code execution.
According to VMware’s advisory, the RCE capability stems from insufficient validation of the upload template feature. This could allow an unauthenticated attacker to upload malicious templates leading to remote code execution on Windows-based Connector appliances.
VMware has released updates for Workspace ONE Access to address the vulnerability and is urging users to update as soon as possible.
Google Patches High Severity Chrome RCE
Finally, Google has addressed two high severity remote code execution flaws in the Chrome browser for Windows, Mac, and Linux.
Tracked as CVE-2023-2236 and CVE-2023-2239, the vulnerabilities stem from heap buffer overflow in Angle and Chrome OS, Media, and UI. The flaws could enable remote attackers to execute arbitrary code in some contexts via specially crafted web content.
The issues were reported by external security researchers, and Google has released Chrome version 109.0.5414.119 to address them. Users should update Chrome to the latest patched version.
Summary of Major Enterprise Software RCE Flaws
| Software | Versions Affected | Severity | Access Vector | Vulnerability ID |
|---|---|---|---|---|
| Citrix NetScaler ADC, Gateway | < 13.0 | Critical | Unauthenticated remote | CVE-2023-22509, CVE-2023-22510 |
| Atlassian Confluence Server, Data Center | < 7.4.12, < 7.13.7 | Critical | Unauthenticated remote | CVE-2023-22527 |
| VMware Workspace ONE Access | < 21.09 | Critical | Authentication bypass | CVE-2023-21729 |
| Google Chrome | Older releases | High | Remote | CVE-2023-2236, CVE-2023-2239 |
Outlook and Recommendations
The disclosure and exploitation of multiple critical RCE flaws in enterprise software products within a short time frame highlights the serious and ongoing threat posed by software vulnerabilities.
Remote code execution flaws allow attackers to run arbitrary code and malware on vulnerable systems and can serve as the initial access point in compromising operations. Their prevalence in internet-facing software and applications used by large organizations makes them prime targets.
While patches have been released, adoption often lags, leaving many systems exposed. Cybersecurity agencies recommend organizations immediately identify any vulnerable systems and apply the latest security updates. Additional mitigating controls like firewall rules may also be warranted in the short term.
Given the level of exploitation already underway, follow-on attacks leveraging these vulnerabilities are likely in the near term. Organizations should closely monitor systems, access logs and activity for signs of compromise. The wide distribution of exploits also makes these flaws likely candidates for use in future attacks as attackers seek out unpatched systems. Continued vigilance around software patching and vulnerability lifecycle management is key to reducing enterprise risk.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
