Adobe, Microsoft and Citrix vulnerabilities draw warnings from CISA
Products from Adobe, Microsoft and Citrix are being exploited by hackers, the Cybersecurity and Infrastructure Security Agency warned this week.
In advisories and messages to the cybersecurity community, CISA urged users and administrators to apply the necessary patches as soon as possible due to confirmed reports that the vulnerabilities are being used in cyberattacks.
Adobe ColdFusion issues
The Adobe issues center on ColdFusion, a widely deployed commercial platform for rapid web-application development.
Researchers at Rapid7, who have been responding to multiple security incidents involving the bugs, discovered and reported the first of them, CVE-2023-29298, and Adobe released a patch for it on July 11.
By July 13, the researchers began to see exploitation of the bug alongside another vulnerability, later classified as CVE-2023-38203.
Adobe patched CVE-2023-38203 on July 14, and CISA issued an alert about the ColdFusion issues on July 18, stating that “an attacker can exploit some of these vulnerabilities to take control of an affected system.”
“CISA encourages users and administrators to review the Adobe security release APSB23-41 and apply the necessary updates,” CISA said.
But on Monday evening, Rapid7 said it discovered that the patch for CVE-2023-29298 is incomplete and that a “trivially modified exploit still works against the latest version of ColdFusion (released July 14).”
An Adobe spokesperson told Recorded Future News that the company is aware the patch for the vulnerability can be bypassed and that developers are currently working on “a more comprehensive resolution.”
“Our team will release an update as soon as it is available,” the spokesperson said.
Rapid7 noted that the observed attacks chain CVE-2023-29298 with CVE-2023-38203, so applying the July 14 patch for CVE-2023-38203 breaks the exploit chain as observed, even though the fix for CVE-2023-29298 alone can still be bypassed.
Andrew Barratt, vice president of cybersecurity firm Coalfire, said those kinds of bugs are challenging to manage while patches are still under development because there are no direct workarounds. This means that other inline defenses, such as web application firewalls, will need to be tuned to the specific attack profile and signatures, which can be unreliable, Barratt said.
Microsoft Office vulnerability
The issue affecting Microsoft software — CVE-2023-36884 — has caused widespread concern within the cybersecurity community since it was announced by the company on July 11.
Discovered by researchers from Google’s Threat Analysis Group and Volexity, the vulnerability does not have a patch yet but there are several mitigations that can be taken to protect against it.
Microsoft confirmed that the bug has already been exploited in attacks, noting that it was used to target defense and government entities in Europe and North America through lures related to the Ukrainian World Congress.
“Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim,” the tech giant said.
“However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
Microsoft attributed the exploitation to a Russia-based cybercriminal group known as RomCom, which it says conducts “opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations.”
While no patch is available, Microsoft provided several mitigations to help protect against the bug’s exploitation.
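The article does not spell out the mitigations. One of them was a registry-based change that blocks the affected Office applications from following cross-protocol file navigation; the following script is an added example, not code from the article or from Microsoft, that checks whether that change is present and can apply it. The key path and the list of process names are the ones Microsoft published in its July 2023 advisory for this CVE, not something the article quotes, so verify them against the current advisory before relying on this; the `-Apply` switch and the function name are this example's own. Run it elevated.

```powershell
# Added example (not from the article or from Microsoft's advisory text).
# Checks for, and optionally applies, the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# registry mitigation Microsoft documented for CVE-2023-36884. The key path and process
# list below are assumed to match Microsoft's July 2023 advisory; confirm before use.
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Processes = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
             'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

# Returns the list of processes for which the mitigation value is absent or not 1.
function Test-CrossProtocolMitigation {
    $missing = @()
    foreach ($p in $Processes) {
        $v = (Get-ItemProperty -Path $KeyPath -Name $p -ErrorAction SilentlyContinue).$p
        if ($v -ne 1) { $missing += $p }
    }
    return $missing
}

if ($Apply) {
    # Create the key if it does not exist, then set a REG_DWORD of 1 per process name.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($p in $Processes) {
        New-ItemProperty -Path $KeyPath -Name $p -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$missing = Test-CrossProtocolMitigation
if ($missing.Count -eq 0) {
    Write-Output "Mitigation present for all $($Processes.Count) listed processes."
} else {
    Write-Output "Mitigation missing for: $($missing -join ', ')"
}
```

Microsoft noted that this registry change can affect functionality that depends on cross-protocol navigation, so test it before rolling it out broadly, and treat it as interim: it narrows the attack path rather than removing the underlying bug.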
Action1’s Mike Walters said the vulnerability affects all versions of Windows Server from 2008 onwards; Windows 10; and Microsoft Word and Microsoft Office versions 2013 and later.
“Given Microsoft’s confirmation of active exploitation and the absence of available workarounds, it is crucial to prioritize updating systems to address this vulnerability promptly,” Walters said.
Other experts, like Immersive Labs’ Kev Breen, warned that the mitigations provided by Microsoft are “no substitute for patching, as attackers can find ways to bypass AV detections.”
Microsoft did not respond to requests for comment about when a patch would be released. CISA is giving federal civilian agencies until August 7 to patch the vulnerability.
Citrix zero-day
Citrix, now part of Cloud Software Group, released an urgent advisory on Tuesday about three vulnerabilities affecting its NetScaler ADC and NetScaler Gateway line of networking products.
The most serious vulnerability, CVE-2023-3519, has already been exploited in the wild, according to incident responders from Rapid7.
The vulnerability, an unauthenticated remote code execution flaw, carries a CVSS score of 9.8, and Citrix confirmed that exploits of it “on unmitigated appliances have been observed.” According to the Citrix advisory, an appliance is affected only when it is configured as a Gateway (SSL VPN, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.
“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,” the company said on Tuesday, a message echoed by CISA in an email to administrators.
BleepingComputer reported that a zero-day vulnerability for Citrix ADC was being sold on an unnamed hacker forum earlier this month.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.