HC3 bulletin reveals June vulnerabilities of interest to healthcare sector, calls for immediate patching


The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) has revealed that vulnerabilities affecting the health sector in June have been identified and require prompt attention. The HC3 bulletin identified security vulnerabilities in products from various vendors, including Microsoft, Google/Android, Apple, Mozilla, SAP, Cisco, Fortinet, VMware, and Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. 

HC3 recommends in its monthly cybersecurity vulnerability bulletin immediate patching of all vulnerabilities with special consideration to the risk management posture of the organization. 

“The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) added a total of 24 vulnerabilities in June to their Known Exploited Vulnerabilities Catalog,” the HC3 bulletin said last Thursday. “This effort is driven by Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, which established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the U.S. federal enterprise. Vulnerabilities that are entered into this catalog are required to be patched by their associated deadline by all U.S. executive agencies.” 

The agency added that while these requirements do not extend to the private sector, HC3 recommends all healthcare entities review vulnerabilities in this catalog and consider prioritizing them as part of their risk mitigation plan. 
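The bulletin's advice is to review the Known Exploited Vulnerabilities catalog and prioritize what it lists. The script below is an added example of how a healthcare security team might do that mechanically; it is not code from HC3 or CISA. The catalog records are constructed: the field names follow the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), but the choice of entries and their dates are illustrative rather than a copy of the real catalog, and the host inventory with its scanner-reported CVEs is made up as well.

```python
"""Prioritise scanner findings against a KEV-style catalog extract.

Added example, not HC3's or CISA's code. KEV_SAMPLE mirrors the field names of
CISA's KEV JSON feed (an assumption about the feed shape); its entries and dates
are constructed for illustration. INVENTORY is a constructed asset list.
"""
from datetime import date

KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet",
         "product": "FortiOS and FortiProxy", "dateAdded": "2023-06-13",
         "dueDate": "2023-07-04"},
        {"cveID": "CVE-2023-35708", "vendorProject": "Progress",
         "product": "MOVEit Transfer", "dateAdded": "2023-06-16",
         "dueDate": "2023-07-07"},
        {"cveID": "CVE-2022-22706", "vendorProject": "Arm",
         "product": "Mali GPU Kernel Driver", "dateAdded": "2023-03-30",
         "dueDate": "2023-04-20"},
    ]
}

# Constructed inventory: host name plus CVEs a vulnerability scanner reported on it.
INVENTORY = [
    {"host": "mft-01.example.test", "cves": ["CVE-2023-35708"]},
    {"host": "fw-edge-02.example.test", "cves": ["CVE-2023-27997", "CVE-2023-32031"]},
    {"host": "tablet-ward-7.example.test", "cves": ["CVE-2022-22706"]},
    {"host": "sp-intranet.example.test", "cves": ["CVE-2023-29357"]},
]


def kev_index(catalog):
    """Map CVE id -> catalog record for O(1) lookups."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritize(catalog, inventory, today):
    """Return KEV-listed findings sorted by CISA due date, earliest first.

    `today` is an ISO date string; findings whose due date has passed are
    flagged overdue so they float to the top of the work queue.
    """
    index = kev_index(catalog)
    today_d = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = index.get(cve)
            if entry is None:
                continue  # not in KEV: stays in the normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["product"],
                "due": due,
                "overdue": due < today_d,
            })
    findings.sort(key=lambda f: (f["due"], f["host"]))
    return findings


def not_in_kev(catalog, inventory):
    """CVEs present on assets but absent from the catalog (still need patching)."""
    index = kev_index(catalog)
    return sorted({c for a in inventory for c in a["cves"] if c not in index})


if __name__ == "__main__":
    for f in prioritize(KEV_SAMPLE, INVENTORY, "2023-07-05"):
        flag = "OVERDUE" if f["overdue"] else "due"
        print(f"{flag:8} {f['due']}  {f['cve']:16} {f['host']}  ({f['product']})")
    print("tracked outside KEV:", ", ".join(not_in_kev(KEV_SAMPLE, INVENTORY)))
```

In practice the catalog dictionary would be loaded from the downloaded KEV JSON and the inventory from a scanner export; the due-date ordering gives a defensible answer to "what do we patch first" that matches the BOD 22-01 deadlines the bulletin refers to.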

Microsoft issued security updates in June to fix 78 vulnerabilities, including 38 remote code execution (RCE) flaws. While all 38 remote code execution vulnerabilities were fixed, Microsoft listed only six vulnerabilities as ‘Critical,’ spanning denial of service, remote code execution, and privilege elevation. 

The HC3 bulletin identified the number of bugs in each vulnerability category as 17 elevation of privilege vulnerabilities; three security feature bypass vulnerabilities; 32 RCE vulnerabilities; five information disclosure vulnerabilities; 10 denial of service vulnerabilities; 10 spoofing vulnerabilities; and one Edge (Chromium) vulnerability. There were no zero-day vulnerabilities or actively exploited flaws this month.

Detailing the ‘CVE-2023-29357’ vulnerability, HC3 said that this is a Microsoft SharePoint Server elevation of privilege vulnerability with a CVSS score of 8.5. Microsoft has addressed this privilege elevation vulnerability in Microsoft SharePoint that could provide threat actors the ability to assume the privileges of other users, including administrators. The ‘CVE-2023-32031’ vulnerability is a Microsoft Exchange Server RCE vulnerability with a CVSS score of 8.8. Microsoft has fixed this Microsoft Exchange vulnerability that could allow authenticated RCE. 

Google released security updates in June for Android devices with fixes for over 50 vulnerabilities, including an Arm Mali GPU Kernel Driver flaw exploited by spyware vendors, which Google reported in March 2023. Tracked as ‘CVE-2022-22706,’ the exploited vulnerability is a kernel driver issue that allows a non-privileged user to achieve write access to read-only memory pages. The flaw has been used in targeted attacks and was fixed by Arm in January 2022.

“HC3 recommends users refer to the Android and Google service mitigations section for a summary of the mitigations provided by Android security platform and Google Play Protect, which improve the security of the Android platform,” according to the bulletin. “It is imperative that health sector employees keep their devices updated and apply patches immediately, and those who use older devices follow previous guidance to prevent their devices from being compromised.”

Mozilla released security advisories for vulnerabilities affecting multiple Mozilla products, including Firefox 114 and Firefox ESR 102.12, according to the bulletin. “If successful, a threat actor could exploit these vulnerabilities to take control of a compromised system or device,” it added. 

The HC3 bulletin also addressed 13 new security notes released by SAP addressing vulnerabilities affecting multiple products. “If successful with launching an attack, a threat actor could exploit these vulnerabilities and take control of a compromised device or system. This month, there were four vulnerabilities rated as ‘High,’ eight rated as ‘Medium,’ and one rated as ‘Low’ in severity,” it added. 

Cisco also released security advisories for vulnerabilities affecting multiple Cisco products. One advisory was rated ‘Critical,’ three were rated ‘High,’ and seven were rated ‘Medium.’ “If successful, a remote threat actor could possibly exploit these vulnerabilities and take control of an affected device or system,” the HC3 bulletin added.

Some of the vulnerabilities covered in the HC3 bulletin include a Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows privilege escalation vulnerability; Cisco Expressway Series and Cisco TelePresence Video Communication Server privilege escalation vulnerabilities; a Cisco Unified Communications Manager IM & Presence Service denial of service vulnerability; a Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS denial of service vulnerability; a Cisco Unified Communications Manager denial of service vulnerability; and a Cisco Secure Workload authenticated OpenAPI privilege escalation vulnerability. 

The HC3 bulletin also included Fortinet’s June vulnerability advisory that addressed several vulnerabilities across different Fortinet products, including a heap-based buffer overflow vulnerability tracked as FG-IR-23-097 (CVE-2023-27997) in FortiOS and FortiProxy. “If successful, a threat actor could exploit this vulnerability to take control of a compromised system.”

According to Fortinet, the vendor is ‘not linking FG-IR-23-097 to the Volt Typhoon campaign, however, Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software.’ HC3 recommends that users review Fortinet’s security advisory. 

VMware released security updates addressing vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight), according to the bulletin. “The vulnerabilities fall within the critical severity range, as a malicious threat actor with network access could possibly perform a command injection attack leading to remote code execution.” 

It added that VMware also released a security update to address multiple memory corruption vulnerabilities in vCenter Server and Cloud Foundation. “If successful, a threat actor could exploit these vulnerabilities to take control of a compromised device or system.” 

The HC3 bulletin also covered the critical vulnerability discovered in Progress/Ipswitch’s MOVEit Transfer software, which encrypts files and uses secure file transfer protocols to transfer data with automation, analytics, and failover options. 

“Tracked as ‘CVE-2023-35708,’ this critical vulnerability could lead to escalated privileges and potential unauthorized access to the environment,” according to the HC3 bulletin. “This SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated threat actor to gain unauthorized access to the MOVEit Transfer database. This impacts Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3).” 

It added that if successful, a threat actor could exploit this flaw and submit a crafted payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. “HC3 recommends that all MOVEit Transfer software users protect their MOVEit Transfer environment by taking immediate action and following Progress’ remediation guidance.”

In June, the HC3 assessed that the critical vulnerability that exists in MOVEit Transfer software could result in unauthorized access and privilege escalation across the healthcare sector. MOVEit Transfer is commonly used by healthcare organizations to securely transfer large files and data between their internal and external networks.
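The bulletin names the first fixed version of each MOVEit Transfer branch (2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3)). Turning that list into a repeatable patch-status check is the kind of thing a healthcare security team needs when it has several MOVEit hosts. The script below is an added example and is not Progress's or HC3's code: the fixed-version table and the mapping from year-style labels (2021.x, 2022.x, 2023.x) to the internal major numbers (13, 14, 15) are read directly off the bulletin's paired labels, while the inventory lines and the handling of branches outside that list (older branch treated as unsupported, newer branch reported as unknown) are my assumptions.

```python
"""Classify MOVEit Transfer version strings against the fixed versions in the bulletin.

Added example; not Progress's or HC3's code. FIXED_PATCH and YEAR_TO_MAJOR are
taken from the bulletin's version list; SAMPLE_INVENTORY is constructed.
"""

# (major, minor) branch -> first patch level that contains the fix, per the bulletin.
FIXED_PATCH = {(13, 0): 8, (13, 1): 6, (14, 0): 6, (14, 1): 7, (15, 0): 3}

# Year-style release labels paired with internal majors in the bulletin's list.
YEAR_TO_MAJOR = {2021: 13, 2022: 14, 2023: 15}


def parse_version(text):
    """Return (major, minor, patch) from '15.0.3', '2023.0.3' or '15.0.3.29'-style strings.

    Any fourth component (a build number) is ignored; year-style majors are
    normalised to the internal numbering so both forms compare alike.
    """
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit version: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    major = YEAR_TO_MAJOR.get(major, major)
    return major, minor, patch


def assess(text):
    """Return 'patched', 'affected', 'unsupported' or 'unknown' for one version string."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        if (major, minor) < min(FIXED_PATCH):
            # Older than any branch the advisory fixes: assumption is to treat as affected.
            return "unsupported"
        # Newer branch than the list covers: assumption is to defer to the vendor advisory.
        return "unknown"
    return "patched" if patch >= fixed else "affected"


def triage(inventory):
    """Group (host, version) pairs by status so the 'affected' bucket can be actioned first."""
    report = {}
    for host, version in inventory:
        report.setdefault(assess(version), []).append(host)
    return report


# Constructed inventory: hostnames and version strings are made up for illustration.
SAMPLE_INVENTORY = [
    ("mft-01.example.test", "15.0.3.29"),
    ("mft-02.example.test", "2022.1.5"),
    ("mft-legacy.example.test", "12.1.0"),
    ("mft-dr.example.test", "14.0.6"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Because the check compares the patch level within a branch rather than the whole string, a host on 2022.0.6 is correctly reported as patched even though 2023.0.3 is numerically higher; a plain string or tuple comparison across branches would get that wrong.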

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published last week a template document called ‘Health Industry Cybersecurity Coordinated Healthcare Incident Response (HIC-CHIRP),’ with material for the technical response process to a cybersecurity incident. These plans and templates provide universal guidance on detecting, containing, responding to, and recovering from cybersecurity incidents across industries, without replicating or replacing existing resources.
