Microsoft has disclosed a series of memory corruption vulnerabilities in the ncurses programming library, which is used predominantly on Linux and macOS systems. If exploited, the flaws could allow threat actors to execute malicious code on susceptible systems. Microsoft's Threat Intelligence researchers noted that, by manipulating environment variables, attackers could leverage these vulnerabilities to escalate privileges and execute code in the context of the targeted program.
Technical Insights and Implications
The vulnerabilities, tracked collectively as CVE-2023-29491 with a CVSS score of 7.8, were fixed in April 2023. Microsoft collaborated with Apple to address the macOS-specific issues related to these vulnerabilities. The flaws span several bug classes, including a stack information leak, a parameterized string type confusion, and a heap out-of-bounds access during terminfo database file parsing. The researchers emphasized that exploiting these vulnerabilities would require a multi-stage attack strategy.
Collaborative Efforts and Remediation
Microsoft shared these vulnerabilities with the relevant stakeholders through Coordinated Vulnerability Disclosure (CVD) and Microsoft Security Vulnerability Research (MSVR). The vulnerabilities were promptly addressed by the maintainers of the ncurses library. Microsoft also acknowledged the contributions of researcher Gergely Kalman, who provided valuable use cases that aided the research. Users of the ncurses library are urged to update their systems to safeguard against potential exploitation.
Recent Patch Tuesday Fixes
Microsoft's September 2023 Patch Tuesday was rolled out this week, addressing a total of 59 vulnerabilities, two of which are zero-day flaws currently under active exploitation. As every month, Patch Tuesday is about shoring up Microsoft's products and services against security issues and bugs. The two actively exploited zero-day vulnerabilities are:
- CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability. Successful exploitation of this flaw allows an attacker to gain SYSTEM privileges.
- CVE-2023-36761 – Microsoft Word Information Disclosure Vulnerability. This vulnerability can be exploited by attackers to disclose NTLM hashes.