Editor’s Note: This story was updated at 1:50 p.m. November 17 with a comment from Sophos.
The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added products from Sophos, Oracle, and Microsoft to its Known Exploited Vulnerabilities (KEV) catalog.
In all three cases, CISA advises security teams to apply mitigations as instructed by the vendors, or to discontinue use of the product if mitigations are not available.
SecurityWeek reported that it’s not uncommon for threat actors to exploit Sophos product vulnerabilities in attacks. Some attacks have been linked to a Chinese APT and targeted government and other organizations in South Asia. It was also reported that the Oracle vulnerability added to the KEV catalog was one of four vulnerabilities targeted for compromise by a Chinese threat actor, based on a blog post in early June by EclecticIQ. The attacks EclecticIQ observed were aimed at government and critical infrastructure organizations in Taiwan.
The first flaw added to the KEV catalog – CVE-2023-1671 – is a critical (9.8 CVSS) command injection vulnerability in the “warn proceed handler” of the Sophos Web Appliance. It allows remote code injection against any appliance running a version older than 4.3.10.4.
A Sophos spokesperson pointed out that more than six months ago, on April 4, they released an automatic patch to all Sophos Web Appliances, and in July 2023, the company phased out Sophos Web Appliance as previously planned.
“We appreciate CISA’s notice for any of the small number of remaining Sophos Web Appliance users who turned off auto-patch and/or missed our ongoing updates, and recommend they upgrade to Sophos Firewall for optimal network security moving forward,” said the Sophos spokesperson.
CISA also added CVE-2020-2551 to the KEV catalog, a critical vulnerability (9.8 CVSS) in the Oracle WebLogic Server component of Oracle Fusion Middleware. NIST reported that the supported versions affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
According to NIST, this easily exploitable vulnerability allows an unauthenticated attacker with network access via the Internet Inter-ORB Protocol (IIOP) to compromise Oracle WebLogic Server. Successful exploitation can result in the takeover of Oracle WebLogic Server.
Finally, CISA added CVE-2023-36584, a medium-severity (5.4 CVSS) security feature bypass in Microsoft Windows Mark of the Web (MOTW). It could result in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which relies on MOTW tagging.
According to Microsoft, to exploit this vulnerability, an attacker could host a file on an attacker-controlled server, then convince a targeted user to download and open the file. This could let the attacker interfere with the MOTW functionality.
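Because Protected View keys off the MOTW tag, one practical check is whether files that arrived from the Internet actually carry it. The following PowerShell is an added example (not from the article, Microsoft or CISA) that audits a folder for the Zone.Identifier alternate data stream; the Downloads folder path and the status labels are assumptions.

```powershell
# Added example: report the Mark of the Web state of every file under a folder.
# Requires Windows and an NTFS volume (alternate data streams are not available elsewhere).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed audit location; change as needed
)

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$FilePath)

    # Zone.Identifier is an INI-style [ZoneTransfer] section. ZoneId 3 = Internet,
    # 4 = Restricted Sites; 0-2 are Local Machine, Local Intranet and Trusted Sites.
    # If the stream is absent the file carries no MOTW and Protected View will not engage.
    $stream = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $FilePath; ZoneId = $null; HostUrl = $null; Status = 'NO_MOTW' }
    }

    $zoneId = $null; $hostUrl = $null
    foreach ($line in $stream) {
        if     ($line -match '^ZoneId=(\d+)\s*$') { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$')    { $hostUrl = $Matches[1] }
    }

    # Status labels are this example's own; map them to whatever your triage process uses.
    $status = switch ($zoneId) {
        { $_ -in 3, 4 } { 'TAGGED_INTERNET' }
        { $_ -in 0, 1, 2 } { 'TAGGED_LOCAL_OR_INTRANET' }
        default { 'TAGGED_UNKNOWN' }
    }

    [pscustomobject]@{ File = $FilePath; ZoneId = $zoneId; HostUrl = $hostUrl; Status = $status }
}

# A NO_MOTW result for a file you know was downloaded is the condition worth investigating:
# either the tag was stripped in transit or it was never applied.
Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwStatus -FilePath $_.FullName } |
    Sort-Object Status, File |
    Format-Table -AutoSize
```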