news · 5 min read
Bulletin — October 2023
Citrix Bleed steals authenticated sessions, bypassing MFA. Cisco IOS XE falls at scale. Okta support leaks HAR files that grant access to 1Password and Cloudflare. Curl CVE-2023-38545: plenty of hype, little impact. And Atlassian Confluence continues.
· Manuel López Pérez · news

October is the month of broken appliances. Citrix NetScaler with a buffer overread that bypasses MFA, Cisco IOS XE with a pre-auth add-admin exploited at scale, Atlassian Confluence with trivial privilege escalation, Okta with a support-system breach giving access to 1Password and Cloudflare. And a minor drama: Curl CVE-2023-38545 with pre-disclosure hype the actual impact doesn’t back up.
CVE-2023-4966 — Citrix Bleed
10 October. Citrix publishes an advisory on a buffer overread in NetScaler ADC/Gateway. CVSS 9.4. Exploited in the wild since late August. The attacker sends an HTTP request with a long Host: header, NetScaler returns adjacent memory — including active session tokens. The reused token gives access to authenticated sessions bypassing MFA.
By end of October Boeing, ICBC, Allen & Overy, DP World Australia and several US federal agencies are confirmed victims. LockBit ransomware adds it to its toolkit. We’ve published the full technical analysis and PoC.
CVE-2023-20198 — Cisco IOS XE add-admin
16 October. Cisco publishes an emergency advisory: a CVSS 10.0 vulnerability in the IOS XE WebUI lets an unauthenticated attacker create a local admin account. A single HTTP POST to /webui_wsma_HTTP with the right body creates the user; the attacker then logs in with full privileges.
Cisco detects exploitation in the wild before the advisory. CIA + Talos: 40,000+ compromised devices in the first 72 hours with a specific implant (a persistent endpoint that serves privilege escalation and persistence even after reboot). Cisco Catalyst, ISR, ASR with exposed WebUI are the main target: many sit in ISP, service provider and telco networks.
The patch comes on 22 October (version 17.9.4a and similar). Immediate mitigation: disable the global HTTP server in config with no ip http server and no ip http secure-server until the patch arrives.
Okta — support breach leaks HAR files
18 October. Okta confirms its support ticketing system was compromised. What the attacker exfiltrated: HAR (HTTP Archive) files customers uploaded to support for debugging. HARs contain active session tokens and authentication headers if the user captured them during an authenticated session.
1Password, Cloudflare and BeyondTrust are first to confirm that attempted token reuse from HARs uploaded to Okta support landed on their systems. All three detected and blocked in time. Effective detection: authenticated sessions from IPs without precedent, with valid tokens but suspicious age.
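The detection described above (a valid but aged session presented from an IP the user has never used), written out as an added example that is not code from Cloudflare, 1Password or Okta; the event format, the 24-hour age threshold and the sample lines are all constructed assumptions, and the same logic applies to session tokens stolen via Citrix Bleed:

```python
"""Flag a valid session token being presented from an IP with no history for that user."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=24)  # assumed threshold; tune to the IdP's session policy
_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (not real logs): seen_at user session_id issued_at client_ip
SAMPLE_EVENTS = """\
2023-10-18T08:00:00Z alice sess-A1 2023-10-18T07:59:00Z 203.0.113.10
2023-10-18T09:30:00Z alice sess-A1 2023-10-18T07:59:00Z 203.0.113.10
2023-10-18T10:00:00Z bob   sess-B7 2023-10-17T22:00:00Z 198.51.100.5
2023-10-20T14:05:00Z alice sess-A1 2023-10-18T07:59:00Z 192.0.2.77
2023-10-20T14:06:00Z bob   sess-B7 2023-10-17T22:00:00Z 198.51.100.5
"""

def parse_event(line):
    """Split one whitespace-separated event line into a dict with parsed timestamps."""
    seen_at, user, sid, issued_at, ip = line.split()
    return {"seen_at": datetime.strptime(seen_at, _FMT), "user": user, "sid": sid,
            "issued_at": datetime.strptime(issued_at, _FMT), "ip": ip}

def detect_token_replay(lines, max_age=MAX_SESSION_AGE):
    """Return (user, sid, ip, age) for each use of a session older than max_age
    from an IP that user has never been seen on. Early events of a user build
    the IP baseline; in production seed it from historical logins instead."""
    seen_ips = defaultdict(set)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        age = ev["seen_at"] - ev["issued_at"]
        if ev["ip"] not in seen_ips[ev["user"]] and age > max_age:
            alerts.append((ev["user"], ev["sid"], ev["ip"], age))
            continue  # do not let a suspicious IP become part of the baseline
        seen_ips[ev["user"]].add(ev["ip"])
    return alerts

if __name__ == "__main__":
    for user, sid, ip, age in detect_token_replay(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {user}: session {sid} ({age} old) presented from new IP {ip}")
```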
Operational lesson: HAR files are active credentials wearing the costume of “logs for debugging”. Any vendor that requests a HAR must (a) tell the customer what to delete before uploading, (b) store them encrypted with data scope tied to the ticket, (c) destroy them when the ticket closes. Few vendors do all three.
Source: https://sec.okta.com/articles/2023/10/tracking-unauthorized-access-oktas-support-system · https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
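Point (a) of the lesson above, as an added example that is not Okta's or any vendor's tooling: a scrubber that redacts credential-bearing headers, every cookie value and common token query parameters from a parsed HAR before it leaves the customer's machine. The sample HAR, the host idp.example.test and the list of sensitive names are constructed assumptions.

```python
import re

REDACTED = "[REDACTED]"
# Header names whose values are credentials (matched case-insensitively)
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
# Query-string parameter names that commonly carry tokens
SENSITIVE_PARAMS = {"access_token", "id_token", "token", "code", "session"}
_URL_PARAM_RE = re.compile(r"([?&](?:%s)=)[^&#]*" % "|".join(sorted(SENSITIVE_PARAMS)), re.I)

def _redact(items, names=None):
    """Redact 'value' on each {name, value} pair; every pair when names is None."""
    n = 0
    for item in items:
        if item.get("value") and (names is None or item.get("name", "").lower() in names):
            item["value"] = REDACTED
            n += 1
    return n

def scrub_har(har):
    """Redact secrets in a parsed HAR dict in place; returns how many values were redacted."""
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            n += _redact(msg.get("headers", []), SENSITIVE_HEADERS)
            n += _redact(msg.get("cookies", []))  # every cookie value, session or not
        req = entry.get("request", {})
        n += _redact(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:  # the same token usually sits in the URL string too
            req["url"], hits = _URL_PARAM_RE.subn(r"\g<1>" + REDACTED, req["url"])
            n += hits
    return n

def sample_har():
    """Constructed capture (not a real HAR): one authenticated request to a fictional IdP."""
    return {"log": {"version": "1.2", "entries": [{
        "request": {"method": "GET", "url": "https://idp.example.test/api/v1/sessions/me?access_token=abc123",
                    "headers": [{"name": "Host", "value": "idp.example.test"},
                                {"name": "Cookie", "value": "sid=sess-0001; theme=dark"},
                                {"name": "Authorization", "value": "Bearer constructed-token"}],
                    "cookies": [{"name": "sid", "value": "sess-0001"}, {"name": "theme", "value": "dark"}],
                    "queryString": [{"name": "access_token", "value": "abc123"}]},
        "response": {"status": 200,
                     "headers": [{"name": "Content-Type", "value": "application/json"},
                                 {"name": "Set-Cookie", "value": "sid=sess-0002; Secure; HttpOnly"}],
                     "cookies": [{"name": "sid", "value": "sess-0002"}]}}]}}

if __name__ == "__main__":
    har = sample_har()
    print(f"redacted {scrub_har(har)} values; headers now {har['log']['entries'][0]['request']['headers']}")
```

Response bodies (JSON with embedded tokens) are not covered here; a real pre-upload tool should also inspect content.text.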
CVE-2023-38545 — Curl, the hype and the reality

11 October. Curl ships 8.4.0 with two CVEs pre-announced as “one high severity, the worst we’ve had in a long time”. Curl maintainer Daniel Stenberg builds anticipation for a week. The industry braces for a Curl-flavoured Heartbleed.
The actual bug: heap overflow in SOCKS5 proxy processing when the destination hostname is very long. To exploit it, the attacker needs:
- The victim to make a request through a SOCKS5 proxy.
- The destination hostname to be attacker-controllable.
- The hostname to be >256 characters long.
In other words: applies to applications using curl with SOCKS5 against a destination the user can control (some scrapers, enterprise crawlers, pentesting tools). Does NOT apply to typical curl http://example.com. Does NOT apply to almost any standard home or server use.
The industry settles into a mix of relief and criticism of the maintainer over the disproportionate hype. Lesson for next time: the “early announcement + detail at disclosure” model is good only when impact matches expectations; if it doesn’t, it erodes credibility for the next real case.
Source: https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/
CVE-2023-22515 — Atlassian Confluence privilege escalation
4 October. Atlassian publishes an advisory on improper authorisation in Confluence Data Center / Server. The bug allows creating admin accounts remotely via a specific request to the setup wizard, which is apparently closed after install but responds to specific parameters.
Microsoft Threat Intelligence attributes the zero-day to Storm-0062 (China-nexus cluster), exploited since mid-September. CVSS 10.0. Confluence’s public exposure on the internet is high — Confluence has been sitting on the corporate perimeter for years.
Mitigation: patch immediately. CISA issues an urgent advisory. Although the exposure at well-managed enterprises isn’t huge (Confluence behind SSO/VPN), the total installed base remains large for the “Confluence directly exposed at confluence.company.com” pattern.
Rest of the month
- MOVEit — Cl0p continues. End of October: 2,000+ acknowledged victims.
- 23andMe credential stuffing — attacker reuses credentials from other breaches against 23andMe. Genetic data from 6.9 million accounts leaked through the rest of the year.
- Roundcube webmail CVE-2023-43770 — persistent XSS exploited by Winter Vivern (Belarusian/Russian-nexus) against European government entities.
- iLeakage — CPU side-channel paper on Apple Silicon. Demo: read content from adjacent Safari tabs. Apple patches in macOS Sonoma and iOS 17.
Cross-cutting pattern
October confirms what we’ve been seeing since March: the corporate perimeter is broken and the appliances holding it together break at a rate of one per month. Citrix, Cisco, Atlassian, Okta — four large vendors in four weeks. If your 2024 security plan still depends on a perimeter appliance + MFA + EDR, there’s a mature alternative (Zero Trust Network Access, identity-aware proxies, device-posture session binding) worth evaluating.
Defence against Citrix Bleed specifically — rotate sessions after patching — is the month’s clearest example: patching without rotating leaves the attacker inside. 2015’s patch hygiene no longer cuts it. Every bug that exposes state requires rotating the state.
- boletin
- cve-2023-4966
- citrix
- cve-2023-20198
- cisco
- okta
- cve-2023-38545
- curl
- cve-2023-22515
- confluence
- vendor:citrix
- vendor:cisco
- vendor:okta


