Which systems are affected by CVE-2023-6246?

The Qualys researchers who discovered the vulnerability tested a number of popular Linux-based system installations, and identified several vulnerable systems: Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora Linux versions 37 through 39. However, experts add that other distributions are probably also affected by this vulnerability. CVE-2023-6246 is present in the library version 2.36 and older. The glibc developers fixed the vulnerability in version 2.39 on January 31 – a day after information about it was published.

What is the CVE-2023-6246 vulnerability and where did it come from?

The vulnerability CVE-2023-6246 is related to a dynamic memory buffer overflow and belongs to the LPE (Local Privilege Escalation) class. In simple terms, an attacker who already has user access to a system can use vulnerable function calls to escalate their privileges to the super-user level.

This vulnerability was first added to the library in version 2.37, in August 2022, in an attempt to close the less dangerous vulnerability CVE-2022-39046. Subsequently, the library developers made the same change in version 2.36.

How to stay safe?

First you need to update the glibc library to version 2.39. Since attackers must already have access to the system to exploit this vulnerability (and all LPE vulnerabilities in general), CVE-2023-6246 will most likely be exploited in complex multi-stage attacks. Therefore, we recommend using solutions that can protect Linux as well. For example, our Kaspersky Endpoint Security solution includes the Kaspersky Endpoint Security for Linux application, which combats modern threats to Linux-based systems.

What is CVE-2017-11882 vulnerability?

CVE-2017-11882 is a RCE vulnerability in the equation editor from the Microsoft Office and it is associated with a failure to handle objects in RAM. To exploit the vulnerability, an attacker must create a malicious file and somehow convince the victim to open it. Most often, such file is sent by e-mail or is hosted on a compromised site.

Successful exploitation of the CVE-2017-11882 vulnerability allows an attacker to execute arbitrary code with the privileges of the user who opened the malicious file. Thus, if the victim has administrator rights, the attacker will be able to take full control of his system — install programs; view, modify or destroy data; and even create new accounts.

At the end of 2017, when information about the vulnerability was first published, there were no attempts to exploit it. But in under a week, a proof of concept (PoC) appeared on the Internet, and attacks using CVE-2017-11882 began over the next few days.

In 2018, it became one of the most exploited vulnerabilities in Microsoft Office. In 2020, during the Covid-19 pandemic, CVE-2017-11882 was actively used in malicious mailouts that exploited the topic of disrupted deliveries due to the medical restrictions. And now, in 2023, this vulnerability apparently still serves malefactors’ purposes!

How to stay safe

Of course, CVE-2017-11882 is not the only vulnerability that has been used in attacks for many years. And not even the most dangerous of them. It is surprising, however, that despite its relative popularity (quite a lot was written about it back in 2017), as well as the availability of updates and more recent versions of MS Office, someone is still using vulnerable versions of the office suite.

So, first of all we recommend all companies that use Microsoft Office to make sure that they are working with the patched version of the suite. It is also usually a good idea to monitor new releases of security patches and install them timely. The rest of the advice is pretty standard:

• avoid working with office documents with administrator rights;
• do not open documents sent by unknown persons and for unknown reasons;
• use security solutions that can stop the exploitation of vulnerabilities.

Kaspersky Endpoint Security for Business detects and blocks exploitation attempts of all known vulnerabilities (including this one), as well as yet undiscovered ones.

Here are the total statistics: 132 flows were closed — nine of which are considered critical. Exploitation of 37 vulnerabilities can lead to arbitrary code execution, 33 of them — to privilege elevation, 13 — to security features bypassing, and 22 — possibly, denial of service.

Why are they patching Internet Explorer?

Not so long ago we wrote that Internet Explorer had kicked the bucket — but not quite. In particular, we talked about Microsoft’s advice to continue installing security updates related to IE, since some of its components are still in the system. And now it becomes clear why they gave this advice. The July patch closes as many as three vulnerabilities in MSHTML, the engine inside the legendary browser. In the CVE descriptions, Microsoft states the following:

The most dangerous of the freshly discovered IE vulnerabilities is CVE-2023-32046, and it’s already being used in real attacks. Its successful exploitation allows cybercriminals to elevate their privileges to those of the victim. Attack scenarios involve the creation of a malicious file that’s sent to the victim by mail or hosted on a compromised website. All attackers need then is to convince the user to follow the link and open the file.

The remaining two vulnerabilities — CVE-2023-35308 and CVE-2023-35336 — can be used to bypass security features. The first allows a cybercriminal to create a file bypassing the Mark-of-the-Web mechanism so that the file can be opened by Microsoft Office applications without Protected View mode. And both holes can be used to trick a victim into accessing a URL in a less restrictive Internet Security Zone than intended.

Recommendations instead of the patches

The next two vulnerabilities are also being actively exploited, but instead of full-fledged patches, they’ve only received security recommendations.

The first one — CVE-2023-36884 (with CVSS rating of 8.3) — is being exploited in the Storm-0978/RomCom RCE attacks on both Office and Windows. To stay safe, Microsoft advises adding all Office executables to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION list.

The second unresolved issue relates to the signing of kernel-level drivers. This one doesn’t have a CVE index, but only a guide with recommendations (ADV-230001). Microsoft revoked a bunch of developer certificates used in APT attacks and blocked several malicious drivers, but the root of the problem remained. Hackers still manage to sign drivers with Microsoft certificates, or sign them backdated to make them work as one of the exceptions and not require the MS developer portal signature.

As a countermeasure, Microsoft recommends keeping both Windows and EDR up to date. The only small consolation is that in order to exploit such drivers, the attacker must have administrator privileges.

The remaining exploited vulnerabilities

Besides the above-mentioned vulnerabilities there are three more holes that are already being exploited by cybercriminals.

• CVE-2023-32049 — SmartScreen security feature bypass vulnerability. Its exploitation allows attackers to create a file that opens without displaying the Windows warning “downloaded from the Internet”.
• CVE-2023-36874 — privilege escalation vulnerability in the Windows Error reporting service. Allows attackers to elevate privileges if they already have normal permissions to create folders and technical performance monitoring files.
• CVE-2023-35311 — security feature bypass vulnerability in Outlook. Its exploitation helps cybercriminals avoid showing warnings when using preview.

How to stay safe

In order to keep corporate resources safe, we recommend installing the security patches ASAP, as well as protecting all working computers and servers using modern solutions that can detect exploitation of both known and yet undetected vulnerabilities.

How malware got into mods

According to the initial hypothesis, unknown cybercriminals compromised mod developers’ accounts on CurseForge.com and dev.bukkit.org. This allowed them to place their malicious code into several mods.

However, Prism Launcher developers suspect that someone may have exploited an unknown vulnerability in the Overwolf platform. They also posted a list of the mods known to be infected with fractureiser.

What is fractureiser malware and what does it do?

Enthusiasts report that after the compromised mod is installed and the game launched, malicious code downloads and executes additional payload from the remote server. This payload begins to create folders and scripts, and makes changes to the system registry in order to run malware after a reboot.

Independent researchers state that, in the final stage of the attack, the malware tries to spread the infection to all .jar files on the computer (supposedly trying to reach all previously downloaded mods). This malware can also steal cookie files and credentials stored in browsers. Furthermore, it’s capable of switching cryptowallet addresses on the clipboard.

Fractureiser infection signs

Reddit discussion concluded that the presence of the libWebGL64.jar file may be considered a definite sign of infection. The malware creates this file in the %LOCALAPPDATA%/Microsoft Edge/ or /AppData/Local/Microsoft Edge/ folder. To find this file you need to go to the “Folder options” menu (via “View”, then “Options” in Windows File Explorer), and enable the “Show hidden files, folders, and drives” option and disable “Hide protected operating system files” setting under the “View” tab.

How to stay safe?

If you play Minecraft and use third-party modifications, then probably the first thing you should do is check your PC with a reliable antivirus software. If scanning detects and deletes the malware, it would be a good idea to change all passwords to online resources you accessed from this computer.

Also, we would advise to follow the news and refrain from installing new mods for Minecraft until the situation is resolved (and we’re talking not only about mods downloaded directly from the aforementioned sites: it would be wise not to install them via third-party software either). Mods, add-ons and plugins for other games that are distributed in the same way don’t seem to be affected by this attack. However, if the delivery channel is indeed compromised, then it’s possible that attackers will find alternative methods of infection and endanger players of other games as well.

As a general rule, game modifications are developed by enthusiasts and hosted on independent platforms. Therefore, game developers are not responsible for their security and do not guarantee the safety of their use. This, it’s better to download game mods only to computers with security solutions installed.

What is the CVE-2023-28252 vulnerability?

CVE-2023-28252 belongs to the class of privilege-elevation vulnerabilities. To exploit it, attackers must manipulate a BLF file to elevate their privileges in the system and be able to continue their attack (so they need initial access with user privileges).

As usual, our Securelist website has the technical info, plus indicators of compromise, but the details aren’t being disclosed just now since they could be used by other cybercriminals to carry out new attacks. However, our experts intend to share them on April 20 (or thereabouts), by which date most users will have installed the patches.

What is the CVE-2023-28252 vulnerability used for?

Unlike most zero-day vulnerabilities, CVE-2023-28252 isn’t being used in APT attacks. In this case, the final payload delivered to victims’ computers was a new variant of the Nokoyawa ransomware. But after examining the exploit, our experts concluded that the attackers behind it were also responsible for creating a number of earlier, similar exploits for vulnerabilities in that same CLFS. In attacks deploying those we’ve seen other tools too, including Cobalt Strike Beacon and the modular backdoor Pipemagic.

How to stay safe

First of all, we recommend installing the April updates for Windows. In general, to secure your infrastructure against attacks using vulnerabilities (both known and zero-day), you need to protect all work computers and servers with reliable security solutions featuring protection against vulnerability exploitation. Our products automatically detect attempts to attack through CVE-2023-28252 as well as all malware used by the cybercriminals who created the exploit.

Apparently, trojans are hiding in all versions of the software that were released after March 3; that is, builds 18.12.407 and 18.12.416 for Windows, and 18.11.1213 and newer for macOS. According to 3CX representatives, the malicious code got into the program because of some unnamed trojanized open-source component that was used by the development team.

The attack via trojanized 3CX software

Citing researchers from various companies, BleepingComputer describes the attack mechanism via a trojanized Windows client as follows:

• The user either downloads an installation package from the company’s official website and runs it, or receives an update for an already installed program;
• Once installed, the trojanized program creates several malicious libraries, which are used for the next stage of the attack;
• The malware then downloads .ico files hosted on GitHub with additional lines of data inside;
• These lines are then used to download the final malicious payload — the one used to attack end users.

The mechanism for attacking macOS users is somewhat different. You can find its detailed description on the website of the Objective-See non-profit foundation.

What are the hackers after?

The downloaded malware is able to gather information about the system, as well as steal data and save credentials from Chrome, Edge, Brave, and Firefox browsers’ user profiles. In addition, attackers can deploy an interactive command shell, which, theoretically, allows them to do almost anything with the victim’s computer.

Kaspersky experts studied the backdoor used by attackers as a part of final payload. According to their analysis, this backdoor, dubbed Gopuram, was employed mainly in attacks on cryptocurrencies related companies. Experts also suspect that, according to a number of clues, the Lazarus group was behind the attack. Details on the Gopuram backdoor, along with indicators of compromise, can be found in a post on the Securelist blog.

Why is this attack is especially dangerous?

According to the BleepingComputer, the trojanized version of the program is signed with a legitimate 3CX Ltd. certificate issued by Sectigo and timestamped by DigiCert — the same certificate used in earlier versions of the 3CX program.

Moreover, according to Objective-See, the macOS version of the malware isn’t only signed with a valid certificate, but also notarized by Apple! This means that the application is allowed to run on recent versions of macOS.

How to stay safe

The application’s developers recommend urgently uninstalling trojanized versions of the program using the VoIP web client until the update is released.

It’s also wise to conduct a thorough investigation of the incident to make sure that attackers haven’t had time to take over your company’s computers. In general, in order to control what’s happening on the corporate network and to timely detect malicious activity, we recommend using Managed Detection and Response (MDR)-class services.

The main purpose of this system is to notify administrators that they’re working with outdated and possibly unsafe software, and that, if they don’t subsequently update in a timely fashion, mail delivery from vulnerable servers will be gradually throttled and eventually blocked. It’s hoped that this system will serve as a convincing reason for administrators to finally upgrade or update Exchange Servers.

How the transport-based enforcement system works

The mechanism is quite simple: when Exchange Online receives mail from Exchange Server through an inbound OnPremises type connector, it identifies the server’s build version and evaluates if it’s safe to receive mail from it (i.e., whether the server’s version is supported and critical security patches are in place). If the server is vulnerable, then Exchange Online notes the date of its first encounter with it and adds a notification about an outdated server to the mail flow report, accessible by Exchange Server administrators.

If the situation doesn’t change within 30 days from the moment of initial discovery, Exchange Online will begin to throttle (in other words delay) messages from the vulnerable server. The throttling duration increases progressively every 10 days. If nothing changes 60 days after detection, Exchange Online begins to block the e-mails.

Initially, Microsoft plans to apply this system to Exchange 2007 servers only, but later the same approach will be applied to all versions of Exchange, and it doesn’t matter how the servers communicate with Exchange Online (that is, it won’t be limited to just OnPremises inbound connector). You can find additional details regarding the transport-based enforcement system in the official Exchange team’s blog post. Unfortunately, it lacks information on when this system will be launched and, most importantly, when it will extend its scope to other versions of Exchange servers.

Why a transport-based enforcement system is important

Implementation of such a system will be interesting as a precedent. Microsoft is rather aggressively demonstrating to its customers how highly it regards the importance of its cloud infrastructure security. It will be very interesting to see if this initiative turns into a trend — if other manufacturers of hybrid solutions (i.e., which run partly on a customer’s premises and partly in the cloud) follow Microsoft’s  example.

How to ensure Microsoft Exchange servers’ operability and secure e-mail flow?

If you are still using an unsupported version of the Exchange platform, it’s probably time to upgrade. If you have an up-to-date version of the Exchange, you need to monitor the release of security patches and timely install them.

In addition, we recommend protecting Exchange servers and the mail delivered through them with the dedicated solution Kaspersky Security for Microsoft Exchange Server (included in Kaspersky Security for Mail Server). In addition, as the last few years have shown, attackers willingly exploit vulnerabilities in Microsoft Exchange — sometimes creating exploits before users have a chance to install patches, and this can lead to rather serious consequences. But you can stay on top of things — controlling what’s happening in the corporate infrastructure and detecting malicious activity in time — with the help of Managed Detection and Response-class services.

The CVE-2023-24069 and CVE-2023-24068 vulnerabilities: what gives?

The first vulnerability, CVE-2023-24069, lies in an ill-conceived mechanism that handles files sent via Signal. When you send a file to a Signal chat, the desktop client saves it in a local directory. When a file is deleted, it disappears from the directory… unless someone answers it or forwards it to another chat. Moreover, despite the fact that Signal is positioned as a secure messenger and all communications via it are encrypted, the files are stored in unprotected form.

The second vulnerability, CVE-2023-24068, was found upon closer study of the client. It turns out that the client lacks a file validation mechanism. Theoretically, this allows an attacker to replace them. That is, if the forwarded file is opened on the desktop client, someone could replace it in the local folder with a forged one. Therefore, with further transfers, a user will distribute the switched file instead of the one they were intended to forward.

How might these vulnerabilities be dangerous?

The potential risks posed by CVE-2023-24069 are more or less understandable. If a user of Signal’s desktop version leaves their computer unlocked and unattended, someone could gain access to files sent through Signal. The same thing may happen if full disk encryption is enabled on the computer and the owner tends to leave it somewhere unattended (in hotel rooms, for example).

The exploitation of the second vulnerability requires a more comprehensive approach. Let’s say a person frequently receives and sends files through the Signal desktop app (for example, a manager sending tasks to subordinates). Here, an attacker with access to this computer can replace one of the files, or, for the sake of stealth, modify an existing document, for example by inserting a malicious script into it. Thus, with further transfers of the same file, its owner will spread the malware to their contacts.

It’s important to emphasize that exploitation of both vulnerabilities is possible only if the attacker already has access to the victim’s computer. But this isn’t an unreal scenario — we’re not necessarily talking about physical access. It would be enough to infect the computer with malware that allows outsiders to manipulate files.

How to stay safe?

According to the CVE Program, Signal developers disagree with the importance of these vulnerabilities, stating that their product should not and cannot protect from attackers with this level of access to the victim’s system. Therefore, the best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general). But if your working process requires it for some tasks, then we recommend the following:

• teaching your employees not to leave an unlocked computer unattended;
• always using full disk encryption on working devices;
• employing security solutions that can detect and stop malware and attempts at unauthorized accessing of your data.

In the past, we’ve seen some malware strains that became wipers by accident — due to mistakes of their creators who poorly implemented encryption algorithms. However, this time it’s not the case: our experts are confident that the main goal of the attackers is not financial gain, but destroying data. The files are not really encrypted; instead, the Trojan overwrites them with pseudo-randomly generated data.

What CryWiper is hunting for

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

How the CryWiper Trojan works

In addition to directly overwriting the contents of files with garbage, CryWiper also does the following:

• creates a task that restarts the wiper every five minutes using the Task Scheduler;
• sends the name of the infected computer to the C&C server and waits for a command to start an attack;
• halts processes related to: MySQL and MS SQL database servers, MS Exchange mail servers and MS Active Directory web services (otherwise access to some files would be blocked and it would be impossible to corrupt them);
• deletes shadow copies of files so that they cannot be restored (but for some reason only on the C: drive);
• disables connection to the affected system via RDP remote access protocol.

The purpose of the latter isn’t entirely clear. Perhaps with such disabling the malware authors tried to complicate the work of the incident response team, which would clearly prefer to have remote access to the affected machine — they’d have to get physical access to it instead. You can find technical details of the attack along with indicators of compromise in a post on Securelist (in Russian only).

How to stay safe

To protect your company’s computers from both ransomware and wipers, our experts recommend the following measures:

• carefully control remote access connections to your infrastructure: prohibit connections from public networks, allow RDP access only through a VPN tunnel, and use unique strong passwords and two-factor authentication;
• update critical software in a timely manner, paying special attention to the operating system, security solutions, VPN clients, and remote access tools;
• raise security awareness of your employees, for example, using specialized online tools;
• employ advanced security solutions to protect both work devices and the perimeter of the corporate network.

What is CVE-2022-41352 and why is it so dangerous?

This vulnerability was found in the archive unpacking utility named cpio, which is used by the Amavis content filter, which in turn is part of the Zimbra Collaboration suite. Attackers can craft a malicious .tar archive with a web-shell inside and send it to a server running vulnerable Zimbra Collaboration software. When they Amavis filter starts to check this archive, it calls up the cpio utility, which unpacks the web-shell to one of the public directories. Then the criminals only have to run their web-shell and start executing arbitrary commands on the attacked server. In other words, this vulnerability is akin to the one in the tarfile module.

A more detailed technical description of the vulnerability can be found in the blog post on Securelist. Among other things, the blog post lists the directories where the attackers have placed their web-shell in the attacks investigated by our experts.

What is especially dangerous about it is that the exploit for this vulnerability was added to the Metasploit Framework — a platform that theoretically serves for security research and pentesting, but in fact is often used by cybercriminals for real attacks. Thus, the exploit for CVE-2022-41352 can now be used even by novice cybercriminals.

How to stay safe

On October 14 Zimbra released patch along with installation instructions, so the first logical step is to install newest updates that can be found here. If for some reason you can not install this patch, there is a workaround: the attack can be prevented by installing the pax utility on a vulnerable server. In this case Amavis will use pax to unpack .tar archives instead of cpio. However, don’t forget that this is not a real solution to the problem: in theory, attackers can come up with another way to exploit cpio.

If you suspect you’re being attacked through this vulnerability, or if you find a web-shell in one of the directories listed on Securelist, our experts recommend contacting incident response specialists. It could be that the attackers have already gained access to other service accounts or even installed backdoors. This will give them the opportunity to regain access to the attacked system even if the web-shell is removed.

Kaspersky security solutions successfully detect and block attempts to exploit the CVE-2022-41352 vulnerability.