
CISA warns of actively exploited Windows, Sophos, and Oracle bugs



The U.S. Cybersecurity & Infrastructure Security Agency has added to its catalog of known exploited vulnerabilities (KEV) three security issues that affect Microsoft devices, a Sophos product, and an enterprise solution from Oracle.

The KEV catalog contains flaws confirmed to be exploited by hackers in attacks and serves as a repository for vulnerabilities that companies everywhere should treat with priority.

The agency is urging federal agencies to apply available security updates for the three issues before December 7. The three vulnerabilities are tracked as follows:

  • CVE-2023-36584 – “Mark of the Web” (MotW) security feature bypass on Microsoft Windows.
  • CVE-2023-1671 – Command injection vulnerability in Sophos Web Appliance allowing remote code execution (RCE).
  • CVE-2020-2551 – Unspecified vulnerability in Oracle Fusion Middleware, allowing an unauthenticated attacker with network access via IIOP to compromise the WebLogic server.

Microsoft addressed CVE-2023-36584 in the October 2023 Patch Tuesday bundle of security updates. However, it wasn’t flagged as actively exploited in the disclosure, and at the time of writing it is still marked as not exploited.

The critical flaw in Sophos Web Appliance, fixed on April 4, 2023, is identified as CVE-2023-1671 and has a severity rating of 9.8. It can lead to remote code execution (RCE) and impacts versions of the software before 4.3.10.4.

It’s worth noting that Sophos Web Appliance reached end-of-life on July 20 and no longer receives any kind of updates. The company notified customers that they should migrate to Sophos Firewall web protection.

Although CISA’s KEV catalog is mainly aimed at federal agencies in the U.S., companies across the world are advised to use it as an alert system for exploited vulnerabilities and take the necessary steps to update their systems or apply vendor-recommended mitigations.

Update 11/17 – A Sophos spokesperson has reached out to share the following clarification about CVE-2023-1671:

More than six months ago, on April 4, 2023, we released an automatic patch to all Sophos Web Appliances, as noted in the Security Advisory on our Trust Center, and in July 2023, we’ve phased out Sophos Web Appliance as previously planned.

We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward.
