Calenderweek 35 – WafdogBlog
http://192.168.11.11
Fri, 29 Mar 2024 13:03:30 +0000

Addressing Splunk Enterprise Vulnerabilities: Patching Cross-Site Scripting, Denial of Service, and More
http://192.168.11.11/addressing-splunk-enterprise-vulnerabilities-patching-cross-site-scripting-denial-of-service-and-more/
Wed, 28 Feb 2024 13:42:17 +0000

Splunk Enterprise harbors multiple vulnerabilities, including Cross-site Scripting (XSS), Denial of Service (DoS), Remote Code Execution, Privilege Escalation, and Path Traversal, with severity ratings ranging from 6.3 (Medium) to 8.8 (High).

Addressing these concerns, Splunk has issued security advisories detailing patches for these vulnerabilities.

CVE-2023-40592: Reflected Cross-Site Scripting (XSS)

This vulnerability permits attackers to execute arbitrary commands on the Splunk Platform via crafted web requests directed at the “/app/search/table” endpoint. It stems from inadequate input validation, warranting a CVSS score of 8.4 (High).

CVE-2023-40593: Denial of Service (DoS)

By sending malformed SAML requests to the “/saml/acs” REST endpoint, threat actors can trigger a Denial of Service (DoS) scenario. The vulnerability lies in the failure of the SAML XML parser to properly validate signatures for malformed URIs, scoring a CVSS of 6.3 (Medium).

CVE-2023-40594: Denial of Service (DoS)

The improper expression validation within the printf function, especially in conjunction with commands like “fieldformat,” allows attackers to orchestrate a DoS attack. This vulnerability rates at a CVSS of 6.5 (Medium).

CVE-2023-40595: Remote Code Execution

Exploiting this flaw involves sending a specially crafted query capable of serializing untrusted data to execute arbitrary code on the Splunk Enterprise platform. The severity of this vulnerability warrants a CVSS score of 8.8 (High).

CVE-2023-40596: Splunk Enterprise on Windows Privilege Escalation

Arising from an insecure path in the OPENSSLDIR build definition, this vulnerability facilitates privilege escalation by enabling the installation of malicious code through directory structure manipulation. It is rated at a CVSS of 7.0 (High).

CVE-2023-40597: Absolute Path Traversal

With write access to the drive on Splunk Enterprise instances, attackers can leverage the “runshellscript.py” script’s inadequate user validation to execute scripts on the root directory of another disk. This vulnerability permits absolute path traversal for arbitrary code execution, earning a CVSS score of 7.8 (High).

VMware Vulnerability Report: SAML Token Signature Bypass and Mitigation Measures
http://192.168.11.11/vmware-vulnerability-report-saml-token-signature-bypass-and-mitigation-measures/
Wed, 28 Feb 2024 13:40:18 +0000


A vulnerability affecting VMware involving a SAML token signature bypass has been reported, potentially allowing threat actors to execute VMware Guest operations. Assigned the CVE ID CVE-2023-20900, this vulnerability is classified with a severity rating of 7.5 (High).

VMware Tools is a suite of modules and services designed to enhance various functions of VMware products. These tools ease the management of guest operating systems and allow seamless user interaction between host and guest systems. They also carry messages from the host to the guest operating system.

In response to this security flaw, VMware has issued a security advisory. The vulnerability (CVE-2023-20900) enables an attacker in a man-in-the-middle (MITM) position on the network between the vCenter server and the virtual machine to circumvent SAML token signature verification. This could lead to the execution of VMware guest operations; the vulnerability carries a CVSS score of 7.5 (High).

As of now, there are no known publicly available exploits targeting this vulnerability.

Previously, VMware had encountered a critical vulnerability in Aria Operations for Networks, which allowed threat actors to conduct authentication bypass and arbitrary file write operations.

To address these vulnerabilities, VMware has issued security advisories and Knowledge Base articles specifically covering the vulnerabilities in Aria Operations for Networks and VMware Tools.

Users of VMware Tools are strongly advised to update to the latest version to mitigate the risk of exploitation by threat actors.

ArubaOS-Switch Vulnerabilities: Risks and Remediation Measures
http://192.168.11.11/arubaos-switch-vulnerabilities-risks-and-remediation-measures/
Wed, 28 Feb 2024 13:20:37 +0000

ArubaOS-Switch Switches have been found to contain multiple vulnerabilities, including Stored Cross-site Scripting (Stored XSS), Denial of Service (DoS), and Memory Corruption issues.

Aruba, the owner of ArubaOS-Switch and a subsidiary of Hewlett Packard Enterprise, has taken steps to address these vulnerabilities and has released a security advisory. ArubaOS-Switch allows centralized network management and is part of Aruba Networks’ product lineup.

CVE-2023-39266: Unauthenticated Stored Cross-Site Scripting

This vulnerability affects the web management interface of ArubaOS-Switch, potentially enabling unauthenticated attackers to execute Stored XSS attacks. The exploitation of this vulnerability could permit malicious script execution on affected interfaces, with a CVSS score of 8.3 (High).

CVE-2023-39267: Authenticated Denial of Service Vulnerability

The Command Line Interface (CLI) of ArubaOS-Switch is susceptible to an authenticated remote code execution, leading to a Denial-of-Service scenario. This vulnerability has a CVSS score of 6.6 (Medium).

CVE-2023-39268: Memory Corruption Vulnerability

Attackers could exploit this vulnerability by sending specially crafted packets to the ArubaOS-Switch, potentially resulting in unauthenticated remote code execution. This vulnerability stems from memory corruption issues within the ArubaOS-Switch, with a CVSS score of 4.5 (Medium).

Affected Products & Fixed Versions

The affected products are the following HPE Aruba Networking switch models:

  • Aruba 5400R Series Switches
  • Aruba 3810 Series Switches
  • Aruba 2920 Series Switches
  • Aruba 2930F Series Switches
  • Aruba 2930M Series Switches
  • Aruba 2530 Series Switches
  • Aruba 2540 Series Switches

Aruba Networks’ advisory recommends upgrading to version KB/WC/YA/YB/YC.16.11.0013 or higher to address these vulnerabilities. They also suggest implementing workarounds such as restricting CLI and web-based management interfaces to dedicated layer 2 segments/VLANs or controlling them with firewall policies at layer 3 and above to minimize the risk of exploitation.

One of the vulnerabilities (CVE-2023-39266) has been publicly disclosed together with a Proof-of-Concept. Users of these products are strongly advised to update to the latest version to mitigate these vulnerabilities and prevent potential exploitation.

Skype Security Alert: Flaw Exposes Users’ IP Addresses
http://192.168.11.11/skype-security-alert-flaw-exposes-users-ip-addresses/
Wed, 28 Feb 2024 13:18:41 +0000

A serious security flaw in Microsoft’s Skype messenger allows attackers to easily spy on your IP address.

Using Skype? Then you should be particularly cautious now! A security researcher has managed to find out the IP address of a Skype user without them having to click on a link. Sounds alarming, doesn’t it? In this article, you’ll learn everything you need to know about this new security vulnerability.

Hackers have developed a clever method to find out your IP address without you actively interacting with them. All they have to do is send you a link via the Skype application for mobile phones. Once you open the message, they already have access to your IP address and can determine your general location. You don’t even have to click on the link to be affected.

The consequences of the Skype security flaw are far-reaching. Activists, journalists, and political dissenters are particularly vulnerable as their locations can be exposed. But they’re not the only ones at risk. This security flaw also poses risks for the average user. The IP address reveals the location, which can lead to physical or digital attacks.

Cooper Quintin, a security researcher at the Electronic Frontier Foundation, emphasizes that almost everyone can be affected by the security flaw in Skype.

Independent security researcher Yossi discovered this vulnerability and informed Microsoft about it. Surprisingly, Microsoft initially stated that the security flaw did not need to be fixed immediately. It was only after public pressure that the company announced plans to address the issue in one of the upcoming updates. This was reported by 404media in a recent article.

You’re probably wondering what you can do to protect yourself? Well, at the moment, there’s no definitive solution except to be cautious and avoid suspicious messages or links. Once Microsoft releases the update, make sure your Skype application is up to date.

New Evasion Technique: Hackers Embed Malicious Word Files within PDFs
http://192.168.11.11/new-evasion-technique-hackers-embed-malicious-word-files-within-pdfs/
Wed, 28 Feb 2024 13:16:57 +0000

In an attempt to evade detection, hackers have adopted a novel technique known as “MalDoc in PDF,” wherein they embed a malicious Word file within a PDF file.

Despite having a PDF file structure and a PDF magic number, a file crafted with MalDoc in PDF can be opened in Word. When such a file contains a configured macro, running it in Word launches VBS, enabling the execution of malicious activities.

Reports from JPCERT/CC indicate that the attacks utilizing this method employ the “.doc” file extension. If Windows associates the “.doc” extension with Word, the MalDoc in PDF-generated file will open as a Word document.

According to JPCERT/CC’s blog, attackers append an MHT file, created in Word and containing a macro, after the PDF file object, resulting in a file that is recognized as a PDF but can also be opened in Word.

Analysis of the Attack

Traditional PDF analysis tools such as pdfid may fail to detect the malicious elements in a file generated using MalDoc. Moreover, while unintended behaviors are observed when accessing the file in Word, detecting malicious activities becomes challenging when opening it in PDF readers. As the file is identified as a PDF, current antivirus or sandbox tools may not flag it.

However, the JPCERT/CC team warns that this technique does not circumvent the setting that disables auto-execution in Word macros.

Therefore, when conducting automated malware analysis using specific tools or sandboxes, it’s crucial to exercise caution regarding detection findings, considering that the files are recognized as PDFs.
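A triage check for the structure described above, as an added example that is not JPCERT/CC's tooling or part of the original post: it looks for a PDF magic number combined with MHT (MIME HTML) markers and Word HTML markers anywhere in the file, reports whatever follows the last %%EOF, and flags a Word extension paired with a PDF header. The marker strings are assumptions drawn from the MIME/MHT format and Word's HTML namespace, not copied from any real sample; the PDF and MHT bytes below are constructed for the test and contain no macro.

```python
"""Heuristic triage for "MalDoc in PDF"-style polyglots (added example).

Assumptions (not from the post or a real sample): the file starts with a PDF
header, and an MHT document as saved by Word is appended after the PDF
objects. Sample inputs below are constructed and carry no macro.
"""
import re
import sys

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"

# Markers of an MHT ("Single File Web Page") document. Assumed from the MIME
# format, not taken from a specific malicious file.
MHT_MARKERS = {
    "mime-version": re.compile(rb"MIME-Version:\s*1\.0", re.I),
    "multipart-related": re.compile(rb"Content-Type:\s*multipart/related", re.I),
    "content-location": re.compile(rb"Content-Location:", re.I),
}
# Markers that the MHT was produced by Word. The x-mso part is where Word keeps
# its VBA project in MHT output (assumption about Word's format).
WORD_MARKERS = {
    "word-namespace": re.compile(rb'xmlns:w="urn:schemas-microsoft-com:office:word"', re.I),
    "word-document-xml": re.compile(rb"<w:WordDocument>", re.I),
    "x-mso-part": re.compile(rb"Content-Type:\s*application/x-mso", re.I),
}
DOC_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm")


def trailing_data(data: bytes) -> bytes:
    """Bytes after the last %%EOF; a normal PDF has only whitespace there."""
    idx = data.rfind(PDF_EOF)
    return b"" if idx < 0 else data[idx + len(PDF_EOF):].strip()


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a Word extension (as used in the reported attacks) is paired
    with a PDF magic number."""
    return filename.lower().endswith(DOC_EXTENSIONS) and data.startswith(PDF_MAGIC)


def triage(data: bytes, filename: str = "") -> dict:
    """Return findings; verdict is 'suspicious' when a PDF header coexists
    with MHT markers, which a plain PDF has no reason to contain."""
    is_pdf = data.startswith(PDF_MAGIC)
    mht_hits = [n for n, rx in MHT_MARKERS.items() if rx.search(data)]
    word_hits = [n for n, rx in WORD_MARKERS.items() if rx.search(data)]
    verdict = "suspicious" if is_pdf and mht_hits else "clean"
    return {
        "is_pdf": is_pdf,
        "mht_markers": mht_hits,
        "word_markers": word_hits,
        "trailing_bytes": len(trailing_data(data)),
        "extension_mismatch": extension_mismatch(filename, data),
        "verdict": verdict,
    }


# Constructed minimal PDF (no content, no JavaScript).
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# Constructed MHT fragment shaped like a Word "Single File Web Page"; no macro.
WORD_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_demo"\r\n\r\n'
    b"------=_NextPart_demo\r\n"
    b"Content-Location: file:///C:/demo/document.htm\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n\r\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">'
    b"<!--[if gte mso 9]><xml><w:WordDocument><w:View>Print</w:View>"
    b"</w:WordDocument></xml><![endif]--></html>\r\n"
    b"------=_NextPart_demo--\r\n"
)
# PDF objects first, Word MHT appended after them, as the post describes.
POLYGLOT = CLEAN_PDF + WORD_MHT

if __name__ == "__main__":
    # Usage: python maldoc_triage.py <file> ...  (no args: run on the samples)
    targets = sys.argv[1:]
    if not targets:
        print("clean sample   :", triage(CLEAN_PDF, "report.pdf"))
        print("polyglot sample:", triage(POLYGLOT, "invoice.doc"))
    for path in targets:
        with open(path, "rb") as fh:
            print(path, triage(fh.read(), path))
```

The check is complementary to keyword counters like pdfid: it does not parse PDF objects at all, it only asks whether Word/MHT material is present in a file whose magic number says PDF, and whether the extension contradicts that magic number. A legitimate PDF with an attached e-mail could trip the MHT markers, so treat the verdict as a triage signal to be confirmed in a sandbox that opens the file in Word as well as in a PDF reader.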
