CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability

November 17, 2023 at 08:09AM

The US cybersecurity agency CISA has added vulnerabilities affecting Sophos, Oracle, and Microsoft products to its Known Exploited Vulnerabilities (KEV) catalog. The Sophos flaw, CVE-2023-1671, allows unauthenticated arbitrary code execution on the Sophos Web Appliance and is now listed as exploited in the wild. Chinese threat actors have previously exploited Sophos product vulnerabilities, and the KEV list already included other Sophos flaws. Also added were CVE-2020-2551, an Oracle WebLogic Server flaw that lets unauthenticated attackers take control of affected servers, and CVE-2023-36584, which bypasses the Mark of the Web (MotW) security feature in Windows.

CISA, the US cybersecurity agency, has added three product flaws to its Known Exploited Vulnerabilities (KEV) catalog. The first vulnerability is CVE-2023-1671, a critical flaw in the Sophos Web Appliance that allows arbitrary code execution by an unauthenticated attacker. Sophos released patches for this flaw in April and notified customers that the affected appliance would reach end of life on July 20, 2023. There is no public information about attacks exploiting CVE-2023-1671, and Sophos has not provided any clarification about it. However, threat actors have previously targeted Sophos product vulnerabilities, in particular a Chinese APT group that attacked government and other organizations in South Asia. The KEV list also includes four other Sophos product vulnerabilities from 2020 and 2022.

The second vulnerability added to CISA’s KEV list is CVE-2020-2551, a flaw in Oracle WebLogic Server that allows unauthenticated attackers to gain control of affected servers. This vulnerability was one of four targeted by a Chinese threat actor in attacks on government and critical infrastructure organizations in Taiwan. It’s worth noting that CISA mistakenly references this vulnerability as CVE-2023-2551 in one of its alerts.

CISA also added CVE-2023-36584 to its KEV catalog. This vulnerability allows attackers to bypass the Mark of the Web (MotW) security feature in Windows. Palo Alto Networks discovered the flaw while analyzing attacks by a Russia-linked APT group, but its published information is not explicit about whether CVE-2023-36584 itself was exploited, and Microsoft's advisory from October 10 states that the vulnerability has not been exploited.

It's important to note that CISA states it adds vulnerabilities to the KEV catalog only when it has reliable evidence of exploitation; nevertheless, there have been cases where CVEs were later removed from the list.
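As an added example (not part of the original article), the script below shows how a practitioner can act on KEV additions like these: it parses a catalog snapshot in the shape of CISA's public JSON feed, resolves a list of CVE IDs against it, reports IDs the catalog does not contain (which is how a mistyped reference such as CVE-2023-2551 would surface instead of being silently accepted), and matches catalog entries against a small asset inventory by vendor and product. The feed URL is CISA's published one; the catalog entries and inventory embedded in the script are constructed samples whose dates and descriptions are placeholders, not copies of catalog text, and the fetch_kev helper is only for live use.

```python
"""Cross-check CVE IDs and an asset inventory against a CISA KEV catalog snapshot.

Added example, not from the original article. SAMPLE_KEV_JSON mirrors the field
names of the real KEV feed, but its values are constructed placeholders.
"""
import json
import re
import urllib.request
from typing import Dict, List, Tuple

# CISA's published JSON feed for the KEV catalog (network required to use it).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed; dates/descriptions are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "vulnerabilityName": "Sophos Web Appliance Command Injection Vulnerability",
         "dateAdded": "2023-11-16", "shortDescription": "placeholder",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
         "dateAdded": "2023-11-16", "shortDescription": "placeholder",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass",
         "dateAdded": "2023-11-16", "shortDescription": "placeholder",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed asset inventory; fw-04 is included to show a vendor-only match is not enough.
SAMPLE_INVENTORY = [
    {"host": "swa-01", "vendor": "Sophos", "product": "Web Appliance"},
    {"host": "wls-02", "vendor": "Oracle", "product": "WebLogic Server"},
    {"host": "ws-03", "vendor": "Microsoft", "product": "Windows"},
    {"host": "fw-04", "vendor": "Sophos", "product": "Firewall"},
]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(cve_id: str) -> str:
    """Upper-case and validate a CVE identifier; reject anything not shaped like one."""
    cve = cve_id.strip().upper()
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return cve


def load_kev(json_text: str) -> Dict[str, dict]:
    """Parse feed JSON into a dict keyed by normalized cveID."""
    data = json.loads(json_text)
    return {normalize_cve(v["cveID"]): v for v in data["vulnerabilities"]}


def fetch_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> Dict[str, dict]:
    """Download and parse the live feed (not called by the sample run below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def lookup(kev: Dict[str, dict], cve_ids) -> Tuple[List[str], List[str]]:
    """Split requested IDs into those present in the catalog and those it lacks."""
    found, missing = [], []
    for raw in cve_ids:
        cve = normalize_cve(raw)
        (found if cve in kev else missing).append(cve)
    return found, missing


def match_inventory(kev: Dict[str, dict], inventory) -> List[Tuple[str, str, str]]:
    """Return (host, cveID, dueDate) for assets whose vendor and product match a KEV entry."""
    hits = []
    for asset in inventory:
        for cve, entry in kev.items():
            if (asset["vendor"].lower() == entry["vendorProject"].lower()
                    and asset["product"].lower() in entry["product"].lower()):
                hits.append((asset["host"], cve, entry["dueDate"]))
    return sorted(hits)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    present, absent = lookup(catalog, ["CVE-2023-1671", "CVE-2020-2551", "CVE-2023-2551", "CVE-2023-36584"])
    print("in catalog:", present)
    print("not in catalog (check the referencing alert for typos):", absent)
    for host, cve, due in match_inventory(catalog, SAMPLE_INVENTORY):
        print(f"{host}: {cve} remediation due {due}")
```

Against a live snapshot, swap load_kev(SAMPLE_KEV_JSON) for fetch_kev(); the product match is a case-insensitive substring check, so inventory product names should follow the catalog's naming to avoid both missed and spurious matches.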
