June Patch Tuesday: VMware vuln under attack by Chinese spies, Microsoft kinda meh

Microsoft has released security updates for 78 flaws for June’s Patch Tuesday, and luckily for admins, none of these are under exploit.

Yesterday’s critical Fortinet bug and the ongoing Progress MOVEit flaws, however, are completely different stories, so the proverbial thoughts and prayers to the teams dealing with those messes.

Microsoft’s big patch day rated six of today’s fixes as critical and four of these garnered a 9.8 severity rating, so let’s start with those.

CVE-2023-29357, a Microsoft SharePoint Server Elevation of Privilege Vulnerability, is one that Redmond lists as “exploitation more likely.” This may be because it, when chained with other bugs, was used to bypass authentication during March’s Pwn2Own contest.

An attacker can use this vulnerability to gain admin privileges without any user interaction, according to Microsoft. Once they’ve “gained access to spoofed JWT authentication tokens, they can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” according to the security update.

The other three 9.8-rated vulnerabilities allow remote code execution (RCE): CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015. All three could allow a remote, unauthenticated attacker to execute malicious code on a Windows system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment.

“This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme,” Zero Day Initiative’s Dustin Childs pointed out. “While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation begins.”

The remaining two critical patches fix a denial of service vulnerability (CVE-2023-32013) in Windows Hyper-V, and another RCE bug (CVE-2023-24897) in .NET, .NET Framework, and Visual Studio.

VMware fixes flaw, but China found it first

In other news we shine a light on VMware, which admits one of the bugs disclosed today is already being exploited by alleged Chinese spies. Specifically, it issued a security update to fix an authentication bypass vulnerability in VMware Tools that affects ESXi hypervisors, tracked as CVE-2023-20867.

“A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine,” the virtualization giant said.

According to Mandiant, a Chinese cyber espionage group that it tracks as UNC3886 found and exploited the flaw before VMware issued a patch. Mandiant observed this same gang targeting VMware hypervisors for spying purposes back in 2022.

Adobe releases four patches

And onto Adobe, whose June patches are also happily uneventful, with none of the vulnerabilities being under exploit or publicly known at the time of publication.

In total, the software provider released four patches to fix 18 bugs in Adobe Experience Manager, Commerce, Animate, and Substance 3D Designer.

The patch for Adobe Experience Manager addresses four CVEs rated important and moderate. Successful exploitation of these flaws could allow arbitrary code execution and security feature bypasses.

The Adobe Commerce update fixes 12 CVEs including one critical RCE vulnerability.

There’s only one fix each for Adobe Animate and Adobe Substance 3D Designer, but these two patches also address critical RCEs.

SAP tackles XSS

SAP today released eight new Security Notes and five updates to previously released warnings. Four of these are rated high priority, eight are medium and one is low priority.

Interestingly, a whopping eight of these fix Cross-Site Scripting (XSS) vulnerabilities. This includes one of the new high-priority Security Notes, #3324285, with a CVSS score of 8.2, that fixes a Stored XSS vulnerability in UI5 Variant Management.

“This vulnerability allows an attacker to gain user-level access and compromise the confidentiality, integrity, and availability of the UI5 Variant Management application,” according to Onapsis’ SAP bug hunters.

Android, still hot with spyware vendors

And closing out the June patch party, Google released its Android security update earlier this month with fixes for 56 bugs.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation,” according to Google. It’s tracked as CVE-2023-21108.

Another one of the June fixes addresses CVE-2022-22706, an Arm Mali GPU flaw that Google’s Threat Analysis Group said has already been exploited by spyware vendors.