The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added six new bugs to its Known Exploited Vulnerabilities (KEV) catalog.
While the vulnerabilities included flaws in ColdFusion, D-Link, Joomla!, and Apache products, arguably the most notable was CVE-2023-41990, a high-severity remote code execution (RCE) vulnerability in the Apple-only ADJUST TrueType font instruction, the bug that set off what is known as the "Operation Triangulation" attacks.
As reported by SC Media on Dec. 28, these attacks began with the threat actors sending a malicious iMessage containing an attachment to a target iPhone that was processed without the user being aware of it.
Once the exploit chain was complete, the attackers had complete control of the target’s device, allowing them to carry out a range of espionage activities, including transmitting the phone’s contents to their servers. Although the spyware was wiped when the phone was rebooted, that did not stop the attackers from reloading the malware and taking control of the device again.
The Apache bug, CVE-2023-2754, a critical vulnerability (CVSS 9.8) that Horizon3.ai found in Apache Superset, also made the KEV catalog.
A June 8 blog by Rezilion reported that the Apache bug was caused by the use of the default SECRET_KEY configuration shipped with the application. The researchers said using that key isn’t secure because it’s publicly available and can easily be discovered by attackers. Once they obtain the key, they can generate a session cookie and sign it using the key, enabling them to gain unauthorized access to the application.
In response to the vulnerability, developers at Horizon3.ai deployed a fix that prevents servers from starting if they are configured to deploy with the default SECRET_KEY.
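The two defensive points above, a startup guard that refuses a known default key and the fact that a signed session cookie is only as trustworthy as the secrecy of the key behind it, can be shown in a few lines. The following is an added example written for this article; it is not code from Apache Superset, Horizon3.ai, or Rezilion. The cookie format is a simplified HMAC-SHA256 scheme, not Flask’s actual session serializer, and `DEFAULT_SECRET_KEY` is a placeholder standing in for the real default value, which is deliberately not reproduced here.

```python
"""Startup guard and signed-session check modelled on the Superset SECRET_KEY fix.

Added example, not project code. The cookie scheme below is a simplified
HMAC construction used only to illustrate why a shared/default signing key
cannot authenticate anyone.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Placeholder (assumption): stands in for the application's insecure default.
DEFAULT_SECRET_KEY = "CHANGE_ME_DEFAULT_SECRET_KEY"
# Constructed list of values a startup guard should refuse outright.
KNOWN_WEAK_KEYS = {DEFAULT_SECRET_KEY, "", "secret", "changeme", "password"}
MIN_KEY_BYTES = 32  # 256 bits of key material for an HMAC-SHA256 signer


class InsecureSecretKey(Exception):
    """Raised when the configured SECRET_KEY must not be used in production."""


def validate_secret_key(key: str) -> None:
    """Mirror the fix described in the article: refuse to start on a default key."""
    if key in KNOWN_WEAK_KEYS:
        raise InsecureSecretKey("refusing to start: SECRET_KEY is a known default value")
    if len(key.encode("utf-8")) < MIN_KEY_BYTES:
        raise InsecureSecretKey(
            f"refusing to start: SECRET_KEY shorter than {MIN_KEY_BYTES} bytes"
        )


def is_secret_key_acceptable(key: str) -> bool:
    """Boolean form of validate_secret_key for callers that do not want exceptions."""
    try:
        validate_secret_key(key)
    except InsecureSecretKey:
        return False
    return True


def generate_secret_key() -> str:
    """Produce a fresh random key suitable for the guard above (48 random bytes)."""
    return secrets.token_urlsafe(48)


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, key: str) -> str:
    """Serialize a session payload and append an HMAC-SHA256 tag under `key`."""
    body = _b64encode(json.dumps(payload, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key.encode("utf-8"), body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session(cookie: str, key: str) -> Optional[dict]:
    """Return the payload if the tag verifies under `key`, otherwise None.

    A cookie minted under a different key (for example the old default after a
    rotation) fails here, which is why rotating SECRET_KEY invalidates sessions.
    """
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key.encode("utf-8"), body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_b64decode(body))


if __name__ == "__main__":
    # Startup: a deployment still on the default key is refused before serving.
    print("default key accepted:", is_secret_key_acceptable(DEFAULT_SECRET_KEY))
    rotated = generate_secret_key()
    validate_secret_key(rotated)
    # Sessions minted before the rotation no longer verify afterwards.
    old_cookie = sign_session({"user_id": 1}, DEFAULT_SECRET_KEY)
    print("old cookie valid after rotation:", verify_session(old_cookie, rotated) is not None)
```

The guard runs once at process start, before any request is served, which is the behaviour the article attributes to the fix; the session functions show the consequence for operators, namely that rotating away from a leaked or default key invalidates every cookie signed under it.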
Here are the other flaws named to CISA’s KEV catalog:
- CVE-2023-38203 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability. Could result in arbitrary code execution.
- CVE-2023-29300 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability. Could also result in arbitrary code execution.
- CVE-2016-20017 D-Link DSL-2750B Devices Command Injection Vulnerability. Could allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
- CVE-2023-23752 Joomla! Improper Access Control Vulnerability. An improper access check allows unauthorized access to webservice endpoints.