By Staff Writer
The Australian Cyber Security Centre (ACSC) issued two alerts on Thursday, including a critical alert regarding a vulnerability present in certain versions of Microsoft Excel. The second alert deals with a remote code execution vulnerability present in certain versions of Palo Alto firewalls utilising the GlobalProtect VPN component.
The Excel vulnerability (CVE-2021-42292) could allow an unauthenticated person to bypass a key security control. A bona fide user could be tricked into opening a malicious spreadsheet, potentially initiating a spear-phishing campaign.
The vulnerability scores 7.8/10 on the Common Vulnerability Scoring System (CVSS), ranking it as a high-severity threat. Microsoft notes the vulnerability is currently being exploited.
“The vulnerable component is not bound to the network stack, and the attacker’s path is via read/write/execute capabilities,” says Microsoft in its advisory.
“Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on user interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).”
Eighteen versions of Excel are impacted, although there is no indication that the Microsoft-hosted Office365 Excel product is affected. Microsoft has made security updates available for Excel operating on Windows devices. However, affected versions of Excel operating on Mac devices remain vulnerable.
The ACSC’s second alert on Thursday refers to a memory corruption vulnerability found in Palo Alto Networks GlobalProtect portal and gateway interfaces.
While the bad actor must have network access to the GlobalProtect interface to exploit this issue, if access is gained, the unauthenticated network-based attacker can then disrupt system processes and potentially execute arbitrary code with root privileges. The vulnerability is deemed critical and has a CVSS score of 9.8.
Palo Alto says they are not aware of any malicious exploitation of this issue uncovered by attack teams working in cybersecurity companies. The vulnerability impacted PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.
The US-based cybersecurity company notes the vulnerability is now fixed in PAN-OS 8.1.17 and all later PAN-OS versions. Prisma Access customers remained unaffected throughout.
Attack surface management company Randori deployed one of their attack teams to develop a reliable working exploit and successfully leveraged the Palo Alto vulnerability. Among other things, the team was able to gain a shell on the affected target, access sensitive configuration data, and extract credentials.
Randori estimates around 10,000 vulnerable firewalls were viewable online this week.
“Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally,” Randori notes.
While Randori says publicly available exploit code does not exist at this time, they believe such code is likely to surface.
The ACSC says impacted Microsoft and Palo Alto customers should review the security advisories issued by both companies. It further advises users to apply available security patches and keep their software up to date to mitigate further risks.