EcoStruxure IT forum
Schneider Electric support forum about installation and configuration for DCIM including EcoStruxure IT Expert, IT Advisor, Data Center Expert, and NetBotz
Posted: 2023-09-28 12:08 PM
Please advise if the Data Centre Expert and IT Advisor software are at risk from the most recent vulnerability called: Critical Zero-Day Vulnerability 2023-09-28
Summary:
Posted: 2023-09-29 10:06 AM
Following...
Posted: 2023-10-02 04:32 AM
Hello Peter. I had sent you a note via the email you had forwarded to me pertaining to this topic. Pasting comments from the email below to this post.
From a Schneider standpoint, the authority regarding vulnerabilities for all Schneider products is the Schneider cyber portal page at https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
The Schneider Cyber portal mentioned above should be considered the source of truth.
If ITA and DCE are not listed as being vulnerable to this specific zero-day vulnerability, then you should consider them as not impacted. Given this vulnerability is still quite recent, I'd suggest you subscribe to be notified on the Cyber portal in case the status changes. As of today (Oct 2, 2023) neither DCE nor ITA is identified as being impacted by this vulnerability.
I did check where Red Hat has responded to this threat. Red Hat has responded to CVE-2023-5217 on this page https://access.redhat.com/security/cve/cve-2023-5217 . The zero-day vulnerability does apply to Red Hat 8.x operating systems when the thunderbird, libwebp modules or libvpx library are present. These modules appear to be installed as dependencies when/if a browser like Chrome or Firefox is installed in the OS.
I checked online and offline ITA servers. These RPMs/modules are not part of the ITA online or offline ISOs. When I installed Firefox on one of my ITA servers I did indeed see the libvpx and libwebp libraries were also installed. This would lead me to believe your ITA server is safe as long as your team did not install a browser on the server.
Regards
Greg Sterling
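The check described in the reply above (look for the libvpx/libwebp/thunderbird packages, and the browsers that pull them in, on an ITA or DCE host) can be scripted so it is repeatable across servers. The script below is an added example and is not Schneider's or Red Hat's code; the package-name list comes from the post, the `rpm -qa` output it parses is a constructed sample, and the function names (`affected_pkgs`, `check_sample`) are the example's own.

```shell
#!/bin/sh
# Added example: report which of the packages named in the post are present
# in an installed-package list of the form produced by `rpm -qa` on RHEL 8.

# Package names to look for. libvpx, libwebp and thunderbird are the ones the
# post names; firefox and chrome are included only because the post reports
# that installing a browser is what pulls the libraries in.
WATCH_PKGS="libvpx libwebp thunderbird firefox chrome"

# affected_pkgs: reads one installed package name per line on stdin
# (e.g. "libvpx-1.7.0-8.el8.x86_64"), strips the version/release/arch
# suffix, and prints each watched name that is present, one per line,
# sorted and de-duplicated. Prints nothing when none are installed.
affected_pkgs() {
    # drop everything from the first "-<digit>" onward: "libwebp-devel-1.0.0-5.el8.x86_64" -> "libwebp-devel"
    sed -E 's/-[0-9].*$//' | while IFS= read -r name; do
        for w in $WATCH_PKGS; do
            # substring match so subpackages (libwebp-devel) and vendor
            # prefixes (google-chrome-stable) are caught too
            case "$name" in
                *"$w"*) printf '%s\n' "$w" ;;
            esac
        done
    done | sort -u
}

# Constructed sample of `rpm -qa` output (not taken from a real ITA server):
# a host where someone installed Firefox, which dragged in libvpx and libwebp.
SAMPLE_RPM_LIST='kernel-4.18.0-477.27.1.el8_8.x86_64
openssl-libs-1.1.1k-9.el8_7.x86_64
libwebp-1.0.0-5.el8.x86_64
libvpx-1.7.0-8.el8.x86_64
firefox-115.3.1-1.el8_8.x86_64
postgresql-10.23-1.module+el8.7.0+17184+ab8e2c82.x86_64'

# check_sample: runs the check over the constructed list and returns the
# findings as one space-separated line (empty when nothing was found).
check_sample() {
    printf '%s\n' "$SAMPLE_RPM_LIST" | affected_pkgs | tr '\n' ' ' | sed 's/ $//'
}

# On a live server run:   rpm -qa | affected_pkgs
# An empty result means none of the watched packages are installed.
```

Because the check only reads the package list, it can be run from a read-only audit account and its output pasted into a ticket; pair it with the Schneider security-notifications page linked above, which remains the source of truth for whether a product is affected.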