Calenderweek 47 – WafdogBlog (http://192.168.11.11), Fri, 29 Mar 2024 13:15:51 +0000

Critical Vulnerabilities Exploited: Sophos and Windows Security Flaws Highlighted by CISA
http://192.168.11.11/critical-vulnerabilities-exploited-sophos-and-windows-security-flaws-highlighted-by-cisa/ (Wed, 28 Feb 2024 14:37:59 +0000)

CISA has added to its Known Exploited Vulnerabilities (KEV) catalog a critical flaw in the Sophos Web Appliance, CVE-2023-1671, a pre-authentication command injection that allows arbitrary code execution and has been exploited by attackers. Sophos released patches in April 2023 and informed customers that the affected appliance would reach end of life on July 20, 2023.

No public reports describe in-the-wild attacks exploiting CVE-2023-1671, and Sophos had not provided clarification to SecurityWeek at the time of publication.

Sophos product vulnerabilities are frequently targeted by threat actors. Some attacks, attributed to a Chinese APT group, have targeted government and other organizations in South Asia. CISA’s Known Exploited Vulnerabilities (KEV) list currently includes four other vulnerabilities in Sophos products discovered in 2020 and 2022.

Another vulnerability added to the KEV list, CVE-2020-2551, affects Oracle WebLogic Server and lets an unauthenticated attacker with network access to the IIOP service take control of the affected server. According to a blog post by EclecticIQ, it was one of four vulnerabilities a Chinese threat actor used for initial compromise.

Additionally, CVE-2023-36584 has been added to CISA’s KEV catalog. It lets an attacker bypass the Mark of the Web (MotW) security feature in Windows, the Zone.Identifier marker that Windows attaches to files downloaded from the internet so that SmartScreen and Office Protected View treat them as untrusted. Palo Alto Networks discovered the flaw while analysing attacks by a Russia-linked APT, but the details of how it has been exploited are not clear.

Sophos has released a statement pointing to the patch it issued in April 2023 for all Sophos Web Appliances and recommending that customers migrate to Sophos Firewall, since the Web Appliance is end of life.

Palo Alto Networks confirmed that it has not observed exploitation of the new MotW bypass vulnerability, CVE-2023-36584, and clarified how it discovered the flaw and how it communicated with Microsoft about it.
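The practical use of the KEV additions above is prioritisation: CISA's catalog carries a due date per CVE, and the usual workflow is to cross-reference scanner findings against it. The following is an added example, not code from the original post, CISA or any vendor. It parses the KEV JSON schema (the live feed URL is real; the embedded sample records and their dates are constructed placeholders, as is the scanner inventory and the non-KEV CVE-2099-0001 entry) and returns the findings that are known-exploited, overdue ones first.

```python
import json
import urllib.request
from datetime import date
from typing import Dict, Iterable, List

# Live feed published by CISA (the JSON form of the KEV catalog).
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample that mirrors the KEV JSON schema for the three CVEs discussed
# above. Dates, descriptions and notes are illustrative placeholders, not the
# catalog's actual values; use fetch_kev() for the real records.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2023-11-16T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-1671", "vendorProject": "Sophos", "product": "Web Appliance",
         "vulnerabilityName": "Sophos Web Appliance Command Injection Vulnerability",
         "dateAdded": "2023-11-16", "shortDescription": "Pre-auth command injection.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2020-2551", "vendorProject": "Oracle", "product": "WebLogic Server",
         "vulnerabilityName": "Oracle WebLogic Server Unspecified Vulnerability",
         "dateAdded": "2023-11-16", "shortDescription": "Unauthenticated takeover via IIOP.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-36584", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass",
         "dateAdded": "2023-11-16", "shortDescription": "MotW bypass.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})


def load_kev(text: str) -> List[dict]:
    """Parse KEV JSON text into the list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> List[dict]:
    """Download and parse the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def entries_for_vendor(entries: List[dict], vendor: str) -> List[dict]:
    """All KEV records for one vendorProject, case-insensitive."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def prioritize(entries: List[dict], inventory: Dict[str, Iterable[str]], today: str) -> List[dict]:
    """Cross-reference scanner findings (asset -> CVE IDs) with the catalog.

    Returns one record per (asset, CVE) pair present in KEV, overdue items first,
    then by dueDate. `today` is an ISO date string (YYYY-MM-DD).
    """
    by_id = {e["cveID"]: e for e in entries}
    now = date.fromisoformat(today)
    hits = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = by_id.get(cve)
            if entry is None:
                continue  # a finding, but not a known-exploited one
            hits.append({
                "asset": asset,
                "cveID": cve,
                "vendorProject": entry["vendorProject"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "overdue": date.fromisoformat(entry["dueDate"]) < now,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    hits.sort(key=lambda h: (not h["overdue"], h["dueDate"], h["asset"]))
    return hits


# Constructed scanner export: asset name -> CVE IDs reported on it.
# CVE-2099-0001 is a placeholder for a finding that is not in the catalog.
SAMPLE_INVENTORY = {
    "web-appliance-01": ["CVE-2023-1671", "CVE-2099-0001"],
    "weblogic-prod": ["CVE-2020-2551"],
    "workstation-42": ["CVE-2023-36584"],
}

if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)  # swap for fetch_kev() to use the live feed
    for hit in prioritize(entries, SAMPLE_INVENTORY, today="2024-02-28"):
        flag = "OVERDUE" if hit["overdue"] else "due " + hit["dueDate"]
        print(f'{hit["asset"]:18} {hit["cveID"]:15} {hit["vendorProject"]:10} {flag}')
```

Replace `SAMPLE_KEV_JSON` with `fetch_kev()` and `SAMPLE_INVENTORY` with a real scanner export; anything the function returns with `overdue` set is past CISA's remediation deadline for federal agencies and is a reasonable first cut for everyone else.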

Intel Releases Microcode Updates to Address Critical Security Vulnerability
http://192.168.11.11/intel-releases-microcode-updates-to-address-critical-security-vulnerability/ (Wed, 28 Feb 2024 14:36:09 +0000)

Intel recently released microcode updates for a security vulnerability tracked as CVE-2023-23583 and rated high severity. It affects a range of desktop, server and mobile processors and could allow a local, authenticated attacker to escalate privileges, disclose information or cause a denial of service.

The flaw, which Intel calls the “Redundant Prefix Issue,” concerns the execution of a REP MOVSB instruction carrying a redundant REX prefix: under certain microarchitectural conditions the CPU handles the sequence unpredictably, which can crash the system and, in some cases, lead to privilege escalation.

Although Intel rates the problem as serious, with a CVSS score of 8.8 out of 10, the company does not expect the condition to be triggered by non-malicious software. Updated microcode for some affected CPUs, including Alder Lake, Raptor Lake and Sapphire Rapids, had already been released before November 2023. Motherboard manufacturers are expected to ship BIOS updates carrying the new microcode; operating systems can also load it at boot (for example via the Linux intel-microcode package or Windows updates), so a BIOS update is not the only delivery path.

The vulnerability was independently discovered by Google security researchers, who named it “Reptar.” According to Google Cloud CISO Phil Venables, the issue stems from how the CPU interprets redundant prefixes. The impact can be significant in virtualized environments in particular: an attack from inside a guest can crash the host, denying service to every other guest, and can also lead to privilege escalation and data theft.
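Whether a given machine has actually received the fix is a question of which microcode revision its CPUs are running, which Linux exposes in /proc/cpuinfo. The following is an added example, not code from the original post, Intel or Google. It rebuilds the CPUID signature from the decoded family/model/stepping fields and compares the loaded revision against a minimum-revision table. The signatures in that table are real Alder Lake, Raptor Lake and Sapphire Rapids IDs, but the revision numbers are hypothetical placeholders and must be replaced with the values from Intel's microcode release notes; the embedded cpuinfo text is constructed sample input.

```python
import os
import re
from typing import Dict, List

# Minimum microcode revision per CPUID signature that carries the Reptar fix.
# The signatures are real processor IDs; the revision values are HYPOTHETICAL
# placeholders. Take the real numbers from Intel's microcode release notes
# (the Intel-Linux-Processor-Microcode-Data-Files repository) before relying on this.
REQUIRED_MICROCODE: Dict[int, int] = {
    0x90672: 0x2E,        # Alder Lake-S     (hypothetical minimum)
    0x906A3: 0x432,       # Alder Lake-P     (hypothetical minimum)
    0xB0671: 0x11D,       # Raptor Lake-S    (hypothetical minimum)
    0x806F8: 0x2B000571,  # Sapphire Rapids  (hypothetical minimum)
}

# Constructed /proc/cpuinfo excerpt: two threads of one Alder Lake-S part running
# a revision below the (hypothetical) minimum in the table above.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 151
model name\t: 12th Gen Intel(R) Core(TM) i9-12900K
stepping\t: 2
microcode\t: 0x2c

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 151
model name\t: 12th Gen Intel(R) Core(TM) i9-12900K
stepping\t: 2
microcode\t: 0x2c
"""


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """Rebuild the CPUID(1).EAX signature from cpuinfo's decoded fields.

    Layout: extended model in bits 16-19, family in bits 8-11, low model nibble
    in bits 4-7, stepping in bits 0-3. Intel Core parts are family 6, so the
    extended-family field (bits 20-27) is zero and is not reconstructed here.
    """
    return ((model & 0xF0) << 12) | ((family & 0xF) << 8) | ((model & 0x0F) << 4) | (stepping & 0xF)


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split cpuinfo into one key/value dict per logical processor."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def check_microcode(text: str, required: Dict[int, int] = REQUIRED_MICROCODE) -> List[dict]:
    """Per-processor verdict: 'ok', 'VULNERABLE' or 'not-listed' (signature not in table)."""
    results = []
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "GenuineIntel":
            continue
        sig = cpuid_signature(int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        rev = int(cpu["microcode"], 16)
        need = required.get(sig)
        status = "not-listed" if need is None else ("ok" if rev >= need else "VULNERABLE")
        results.append({"processor": cpu.get("processor"), "signature": sig,
                        "microcode": rev, "required": need, "status": status})
    return results


def overall_status(results: List[dict]) -> str:
    """Worst case across processors: any vulnerable thread makes the host vulnerable."""
    statuses = {r["status"] for r in results}
    if "VULNERABLE" in statuses:
        return "VULNERABLE"
    return "ok" if "ok" in statuses else "not-listed"


if __name__ == "__main__":
    text = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else SAMPLE_CPUINFO
    verdicts = check_microcode(text)
    for r in verdicts:
        print(f'cpu{r["processor"]}: sig=0x{r["signature"]:X} microcode=0x{r["microcode"]:X} '
              f'required={"n/a" if r["required"] is None else hex(r["required"])} -> {r["status"]}')
    print("overall:", overall_status(verdicts))
```

A 'not-listed' result only means the table has no entry for that CPU, not that it is safe; extend `REQUIRED_MICROCODE` from Intel's release notes for every affected family you run.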

VMware Cloud Director Vulnerability: Critical Security Bypass Exposed
http://192.168.11.11/vmware-cloud-director-vulnerability-critical-security-bypass-exposed/ (Wed, 28 Feb 2024 14:27:55 +0000)

VMware has disclosed a critical security vulnerability in its Cloud Director (VCD) appliance that could allow attackers to bypass authentication on affected systems. Tracked as CVE-2023-34060 and rated CVSS 9.8, the flaw affects VCD appliances that were upgraded from an older release to version 10.5; freshly installed 10.5 appliances are reportedly not affected.

The vulnerability allows an attacker with network access to the appliance to bypass authentication on port 22 (SSH) and port 5480 (the appliance management console), but not on port 443, which serves the provider and tenant logins. VMware attributes the flaw to an affected version of sssd shipped with the underlying Photon OS.

VMware has not yet released a patch for CVE-2023-34060, but it has provided a workaround in the form of a shell script (“WA_CVE-2023-34060.sh”) that administrators can use to mitigate the issue in the meantime. The workaround does not disrupt Cloud Director functionality and requires no downtime or restart.

Until a patch is available, VMware advises administrators to intervene manually: it provides scripts to check whether an appliance is affected and to apply the workaround where necessary. The vulnerability was discovered and reported by Dustin Hartle of Ideal Integrations.

This disclosure comes in the wake of recent security concerns surrounding VMware, including the patching of critical flaws in vCenter Server (CVE-2023-34048) and ESXi, the latter of which was exploited by cybercriminals for ransomware attacks on various organizations.
