Cisco Talos has disclosed 17 vulnerabilities over the past two weeks, including nine that exist in a popular VPN software.

Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.

Talos' Vulnerability Research team also found a cross-site scripting (XSS) vulnerability in the Peplink Surf series of home and wireless routers that could allow an attacker to manipulate HTML elements into executing arbitrary JavaScript. However, this vulnerability is not considered to be particularly serious, with a CVSS severity score of only 3.4 out of 10.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence's website.

SoftEther VPN client

Discovered by Lilith >>._

The SoftEther VPN client contains multiple vulnerabilities that could lead to a variety of conditions, including allowing an adversary to cause a denial of service or execute arbitrary code on the targeted machine. SoftEther is an open-source, cross-platform, multi-protocol VPN managed as part of an academic project at the University of Tsukuba in Japan.

Four of the vulnerabilities Talos disclosed last week exist when an adversary sends a specific set of packets to the targeted device, and can cause the software to crash entirely, leading to a denial of service:

• TALOS-2023-1736 (CVE-2023-22325)
• TALOS-2023-1741 (CVE-2023-23581)
• TALOS-2023-1737 (CVE-2023-22308)
• TALOS-2023-1743 (CVE-2023-25774)

The most serious of these issues is TALOS-2023-1735 (CVE-2023-27395), a vulnerability in the VPN that could lead to a heap-based buffer overflow, potentially allowing an attacker to execute arbitrary code. This vulnerability is considered critical, with a CVSS score of 9.0 out of 10.

Two other vulnerabilities – TALOS-2023-1755 (CVE-2023-32634) and TALOS-2023-1754 (CVE-2023-27516) – could allow an adversary to gain unauthorized access to the VPN session by viewing the default RPC server credentials. This opens the door for the attackers to install certificates and carry out man-in-the-middle attacks or dump the VPN's authentication settings and further compromise the endpoint connected to the VPN session.

A man-in-the-middle attack could also be used to exploit TALOS-2023-1768 (CVE-2023-31192) and TALOS-2023-1753 (CVE-2023-32275), which leads to the disclosure of sensitive information in certain packets.

JustSystems Ichitaro word processor remote code execution vulnerabilities

Discovered by a Cisco Talos researcher.

Talos researchers recently found four vulnerabilities in the JustSystems Ichitaro word processor that could lead to arbitrary code execution, albeit with varying paths.

Ichitaro is one of the most popular word processing systems in the Japanese market and utilizes the ATOK input method. An adversary could exploit these vulnerabilities by tricking the targeted user into opening a specially crafted, malicious file in the program.

The vulnerabilities all exist in various parsers in the software:

• TALOS-2023-1758 (CVE-2023-34366)
• TALOS-2023-1808 (CVE-2023-38127)
• TALOS-2023-1809 (CVE-2023-38128)
• TALOS-2023-1825 (CVE-2023-35126)

XSS, command injection vulnerabilities in SOHO router

Discovered by Matt Wiseman.

A stored cross-site scripting vulnerability exists in the Peplink Surf line of small and home office (SOHO) wireless routers that can lead to the execution of arbitrary JavaScript in another user's browser.

An attacker could trigger TALOS-2023-1781 (CVE-2023-34354) or TALOS-2023-1782 (CVE-2023-35194 and CVE-2023-35193) by making an authenticated HTTP request.

The Surf routers also contain three vulnerabilities that could allow an attacker to execute arbitrary commands in the context of the router's operating system. To exploit TALOS-2023-1778 (CVE-2023-34356), TALOS-2023-1779 (CVE-2023-28381) and TALOS-2023-1780 (CVE-2023-27380), an attacker first needs to be authenticated on the device and then make a specially crafted HTTP request.