Crying Out Cloud - June's Newsletter

June’s highlights: vulnerabilities in MOVEit transfer once more, MSSQL flaws, FortiOS and FortiNAC RCEs, and a 0-day vulnerability in ESXi exploited by Chinese attackers.

The past month brought a series of vulnerabilities and security incidents that affected users. Amidst the noise, we've curated the most significant developments for you.

Here are our top picks of cloud security highlights! 


✨ Highlights

Three MOVEit Transfer vulnerabilities

Since May 31, 2023, Progress has been publishing details of vulnerabilities in MOVEit Transfer. Some of these vulnerabilities are known to have been exploited in the wild by the Cl0p ransomware group. Users are urgently advised to patch to the latest fixed version. MOVEit Transfer is a Windows-Server-based managed file transfer (MFT) service developed by Ipswitch, a subsidiary of Progress.


A SQL injection vulnerability (CVE-2023-34362) was found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database, and it was exploited in the wild by the Cl0p ransomware group. Depending on the database engine used by MOVEit Transfer (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, in addition to executing SQL statements that alter or delete database elements. Since then, two more SQL injection vulnerabilities have been disclosed (CVE-2023-35036 and CVE-2023-35708).


According to Wiz data, less than 1% of environments have publicly exposed resources vulnerable to the MOVEit vulnerabilities.


Learn more in our blogpost.  


🐞 High Profile Vulnerabilities

Vulnerabilities in ODBC and OLE DB drivers for Microsoft SQL Server 

High-severity vulnerabilities were discovered in the ODBC and OLE DB drivers for Microsoft SQL Server. Under certain conditions they would allow a threat actor to execute arbitrary code on a client machine, provided the attacker is in a position to direct the target client to connect to an attacker-controlled remote server.


According to Wiz data, 64% of cloud environments have resources affected by these vulnerabilities.


Refer to the report to learn more.

XSS vulnerabilities in Azure Bastion and Container Registry 

On June 14, 2023, security researchers disclosed XSS vulnerabilities related to two Azure services, Bastion and Container Registry, which could allow an attacker to hijack a victim session in either of these services. However, these vulnerabilities required user interaction (e.g., making the victim click on a malicious link) and have since been fixed by Microsoft, with no customer action required. 


Refer to the report to learn more. 

Azure AD OAuth misconfiguration could lead to account takeover

Researchers discovered a misconfiguration, nicknamed nOAuth, that may affect some Microsoft Azure AD OAuth applications and can expose companies to full account takeover by misusing the "Log in with Microsoft" authentication method. 


If an authentication service is configured to merge user accounts without proper validation, and an application relies on email attribute claims for authentication (which is against best practice), an attacker can exploit this to gain full control over a victim's account. 
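The failure mode described above, as an added illustration that is not from the newsletter or from any affected vendor: a login handler that keys accounts on the e-mail claim, beside one that keys on the issuer/subject pair and treats linking a new identity as an explicit, verified step. The tenant ids, subjects and addresses are constructed placeholders, and the dicts stand in for ID-token claims whose signature has already been verified (token verification itself is out of scope here).

```python
"""
Added example (not the newsletter's or Microsoft's code). Contrasts account
lookup by the mutable e-mail claim, which the nOAuth misconfiguration abuses,
with lookup by the stable (issuer, subject) pair. All claim dicts below are
constructed and stand in for decoded, signature-verified ID-token claims.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Account:
    account_id: str
    email: str
    # Identities explicitly linked to this account, as (issuer, subject) pairs.
    linked_identities: Set[Tuple[str, str]] = field(default_factory=set)


# Constructed victim account that originally signed up through its own tenant.
# Tenant ids are placeholders, not real values.
VICTIM_ISSUER = "https://login.microsoftonline.com/victim-tenant-id-placeholder/v2.0"
VICTIM = Account(
    account_id="acct-1001",
    email="alice@example.com",
    linked_identities={(VICTIM_ISSUER, "victim-sub-0001")},
)
ACCOUNTS = [VICTIM]

# Constructed claims for the legitimate user.
LEGIT_CLAIMS = {
    "iss": VICTIM_ISSUER,
    "sub": "victim-sub-0001",
    "email": "alice@example.com",
}

# Constructed claims from a token issued by a different tenant whose admin set
# the user's e-mail attribute to the victim's address. The token itself is
# genuine; only the e-mail claim is chosen by the tenant and never verified.
FOREIGN_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/other-tenant-id-placeholder/v2.0",
    "sub": "other-sub-9999",
    "email": "alice@example.com",
}


def login_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable pattern: the mutable, unverified e-mail claim is the identity key,
    so any tenant that can set that attribute resolves to the victim's account."""
    return next((a for a in ACCOUNTS if a.email == claims.get("email")), None)


def login_by_subject(claims: dict) -> Optional[Account]:
    """Hardened pattern: key on (iss, sub), which the identity provider keeps stable
    and unique. An unknown pair never silently matches an existing account."""
    issuer, subject = claims.get("iss"), claims.get("sub")
    if issuer is None or subject is None:
        return None
    return next((a for a in ACCOUNTS if (issuer, subject) in a.linked_identities), None)


def link_identity(account: Account, claims: dict, email_verified: bool) -> bool:
    """Linking a new identity to an existing account is a separate, explicit step.
    `email_verified` is a placeholder for whatever out-of-band proof the application
    requires (e.g. a confirmation sent to the mailbox); it must never be implied by
    the login itself."""
    if not email_verified or claims.get("email") != account.email:
        return False
    account.linked_identities.add((claims["iss"], claims["sub"]))
    return True


if __name__ == "__main__":
    print("email lookup, foreign tenant:", login_by_email(FOREIGN_TENANT_CLAIMS))
    print("subject lookup, foreign tenant:", login_by_subject(FOREIGN_TENANT_CLAIMS))
    print("subject lookup, legitimate:", login_by_subject(LEGIT_CLAIMS))
```

Run stand-alone, the script shows the e-mail lookup handing the victim's account to the foreign-tenant token while the subject lookup returns nothing for it and still resolves the legitimate token. The design point is that account merging becomes a deliberate, verified action rather than a side effect of matching a claim the relying party cannot vouch for.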


This issue reportedly affected several large SaaS providers and seems to have been the root cause of an authentication bypass vulnerability in Grafana (CVE-2023-3128). 


Refer to the report to learn more. 

Critical vulnerability in FortiOS exploited in the wild 

A critical vulnerability in FortiOS and FortiProxy (CVE-2023-27997) was published as part of a monthly security update on June 13, 2023. This vulnerability may allow remote code execution. Fortinet has reported that the vulnerability was likely exploited in the wild. It is highly recommended to upgrade vulnerable instances to the patched versions.


According to Wiz data, less than 2% of cloud environments have publicly exposed resources vulnerable to CVE-2023-27997, which account for 17% of environments running FortiOS.

Refer to the report to learn more. 

Critical RCE vulnerability in FortiNAC

CVE-2023-33299 is a critical RCE vulnerability in FortiNAC with a CVSS score of 9.6. The vulnerability was published on June 23, and could allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service. It is highly recommended to upgrade vulnerable instances to the patched versions.


According to Wiz data, the vulnerability is uncommon in cloud environments, as less than 1% of environments have instances vulnerable to CVE-2023-33299.  


Refer to the exploit repository to learn more.  


🔓 Security Incidents

VMware ESXi vulnerability exploited by Chinese threat actor

Researchers discovered that Chinese state-sponsored threat actor UNC3886 has been exploiting a 0-day vulnerability, CVE-2023-20867, in VMware ESXi hosts in order to backdoor systems. However, exploiting the vulnerability requires prior access to the hypervisor, for example through compromised credentials, so it cannot on its own enable a remote attack.


According to Wiz data, 10% of cloud environments have publicly exposed instances vulnerable to CVE-2023-20867. 


Refer to the report to learn more.


Want to test your cloud security knowledge? Try The Big IAM Challenge!

The Big IAM Challenge is a cloud security Capture the Flag (CTF) event organized by Wiz. It consists of six levels, each focusing on a different IAM configuration mistake commonly made in various AWS services. Participants are tasked with identifying and exploiting these mistakes to progress through the challenge. 


Spoiler alert: new levels coming soon! Better finish the existing 6 levels fast 😉


Hold on to your headphones!

Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen 👏 This week with special guest Scott Piper!


Listen on Spotify and Apple Podcasts.