Quick Insights on This Week’s Critical Software Flaws (Week 39)

Florian Roth
4 min readSep 30, 2023

In this week’s roundup, I’ve listed some notable vulnerabilities that caught my attention. They range from issues in libwebp to critical flaws in SharePoint, WS_FTP, and Exim. I’ve provided a brief description and included links for each, in case you want to explore further.

libwebp: CVE-2023–4863, CVE-2023–41064, CVE-2023–5129

CVE-2023–4863 is a heap buffer overflow vulnerability in libwebp, affecting the processing of WebP image format. This zero-click exploit is dangerous, especially in desktop applications. It’s not only restricted to browsers like Chrome and Firefox but extends to any application or service utilizing libwebp for image processing. The risk is pronounced when interacting with or processing images from untrusted sources, making it a significant concern for applications, services, and platforms that heavily rely on image processing tasks​.

This blog by Rezilion does a great job explaining the extent of the problem caused by this vulnerability: https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/

Source (https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/)

This vulnerability initially led to confusion in CVE number assignment, resulting in three different CVE numbers for the same issue.

Here’s a list of the CVEs and what they stand for

  • CVE-2023–4863 (Google Chrome)
  • CVE-2023–41064 (Apple; aka BLASTPASS)
  • CVE-2023–5129 (merged and later rejected CVE)

Yotam Perkal published a great threat on Twitter explaining the chain of events:

(make sure to read the whole thread 🧵)

SharePoint: POC for CVE-2023–24955 RCE Released

CVE-2023–24955, alongside CVE-2023–29357, are notable vulnerabilities in Microsoft SharePoint Server, which when exploited together, enable unauthenticated remote code execution (RCE). A proof-of-concept exploit chain was publicly released, highlighting the severity of these vulnerabilities.

Although the current proof-of-concept doesn’t provide RCE due to ethical considerations, it still poses a risk as malicious actors could modify it for harmful purposes, underscoring the urgency of patching these vulnerabilities promptly​.

SOC Radar does a great job explaining this vulnerability:

Windows Defender reports exploitation attempts as:
(source: https://x.com/TH3C0DEX/status/1707502967580967214?s=20 )

An active ‘SPAuthBypass’ exploit malware was prevented from executing via AMSI

A successful exploitation using the published POC looks like this (source @theluemmel):

2023–09–29 08:05:48 GET /_vti_bin/client.svc/web/siteusers — 80 0i.t|00000003–0000–0ff1-ce00–000000000000|app@sharepoint python-requests/2.25.1–200 0 0 139

POC: https://github.com/Chocapikk/CVE-2023-29357
my YARA rule: https://x.com/cyb3rops/status/1707678149448700270?s=20

WS_FTP: Critical RCE Vulnerability

CVE-2023–40044 is a severe .NET deserialization vulnerability in WS_FTP Server’s Ad Hoc Transfer module, allowing a pre-authenticated attacker to execute remote commands on the server’s operating system. CVE-2023–42657 is a directory traversal vulnerability, enabling attackers to perform file operations outside their authorized WS_FTP folder path and operate on the underlying OS. Both vulnerabilities are critical, with CVSS scores of 8.8 and 9.9 respectively, and affect versions prior to 8.7.4 and 8.8.2​. (all previous versions)

The description lacks clarity, hence it’s uncertain as to which and how many services are impacted by this vulnerability. While I won’t publicly share the search query, searches on ShodanHQ revealed 570 affected services. (Barre Dijkstra figured out a useful query)

570 affected services listed in ShodanHQ

Info: https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023

Exim: 0day AUTH Out-Of-Bounds Write RCE

CVE-2023–42115 is a critical vulnerability in Exim with a CVSS score of 9.8, exposing email servers to remote attacks by allowing attackers to execute arbitrary code. This flaw is rooted in inadequate user data validation within the SMTP service, which leads to out-of-bounds write operations, thus facilitating remote code execution.

ShodanHQ query: https://www.shodan.io/search?query=%22ESMTP+Exim%22

Query on ShodanHQ showing over 3.5 million affected services

Info: https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

News Article: https://x.com/BleepinComputer/status/1707851420496539856?s=20