Security Updates: WinRAR, Juniper, Ivanti, Citrix, Microsoft and SAP
RARLAB has reported a high-severity vulnerability (CVE-2023-40477) in WinRAR that might let remote hackers run their chosen commands on computers with WinRAR installed. This vulnerability particularly concerns the way WinRAR manages recovery volumes. This vulnerability can be taken advantage of from anywhere on the internet and may let attackers run commands in the ongoing process of the affected computer. For a hacker to take advantage of this flaw, the recipient of a file would need to open a tampered RAR file, such as a file delivered with unexpected correspondence from the hacker (e.g. malicious emails).
Juniper has reported four vulnerabilities in Juniper Networks Junos OS. Junos OS is designed to handle a variety of networking functions, like routing, switching, and security. These each have a medium-severity (i.e. 5.3), however, these can be combined together by chaining them and, therefore, resulting in a rating of 9.8 (i.e. critical), as an unauthorised person could remotely run their own code on affected systems.
Ivanti has reported six vulnerabilities in Ivanti Avalanche, which is used by businesses to manage, monitor and secure mobile devices. CVE-2023-32560 is a high-severity, unauthenticated stack-based buffer overflow flaw. Exploitation of this flaw could lead to service disruption or the execution of arbitrary code by an attacker. If someone takes advantage of this problem, it can cause the service to stop working or let an attacker run their own harmful code.
A critical vulnerability (CVE-2023-38035) in Ivanti’s MobileIron Sentry, which is another tool used for mobile device management. The vulnerability affects versions 9.18.0 and below. A weak setup in the Apache HTTPD configuration can let hackers get into the MICS admin interface without the proper permissions.
Citrix has reported a critical flaw, CVE-2023-24489, affecting Citrix Content Collaboration (previously known as Citrix Sharefile), which is used to file-sharing and file-storage. This flaw could be exploited by unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.
Microsoft has released its August 2023 scheduled updates, which includes patches for 74 vulnerabilities. Two vulnerabilities are zero-day and are currently being exploited by threat actors: ADV230003 is a defence-in-depth update that fixes a patch bypass in Microsoft Office and the second patch fixes a denial-of-service vulnerability in Microsoft.NET and Visual Studio.
SAP has released its August 2023 scheduled update, which addresses two critical-severity vulnerabilities:
- SAP PowerDesigner: an improper access control vulnerability;
- SAP ECC and SAP S/4HANA (IS-OIL), a command-injection vulnerability.
The August update also addresses eight high-severity vulnerabilities for various SAP products.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
WinRAR – WinRAR 6.23 News Release
Juniper – Knowledge Base
Ivanti – Avalanche Vulnerabilities article and MobileIron Sentry article
Citrix – Support Knowledge Center
Microsoft – Update Guide
SAP – August 2023 Patch Day
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.