This week saw the publication of 579 new CVE IDs. Of those, 314 have not yet been assigned official CVSS scores; of the ones that have, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: Yes
Available Public Exploits: No
Apple has released emergency patches for two zero-day vulnerabilities in multiple Apple products, following an Apple security advisory published on April 7th. Apple has announced that it is aware that the vulnerabilities may have been exploited in the wild. The first vulnerability, CVE-2023-28205, affects Safari 16.4.1, iOS / iPadOS 15.7.5, macOS Ventura 13.3.1, and iOS / iPadOS 16.4.1. The vulnerability is a use-after-free in WebKit, the open-source web browser engine used by Safari. WebKit is frequently targeted by attackers because it provides a valuable vector for achieving privileged code execution on Apple products, as in this case, where the use-after-free could result in arbitrary code execution on the affected device. The second vulnerability, CVE-2023-28206, affects iOS / iPadOS 16.4.1, macOS Ventura 13.3.1, iOS / iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6. The vulnerability is an out-of-bounds memory write in the “IOSurfaceAccelerator” Apple component and can result in arbitrary code execution. Apart from “typical” WebKit or browser-based exploits, vulnerabilities targeting less-scrutinized components in the Apple ecosystem are likely to be pursued by APTs for their implied stealth. Apple is encouraging users to update as soon as possible. The following pages relate to all vulnerabilities and affected products discussed above:
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes
VM2 is a JavaScript sandbox designed to allow the secure execution of untrusted JavaScript code. Researchers from the Korea Advanced Institute of Science and Technology discovered a vulnerability that allows arbitrary code execution on affected hosts. The vulnerability affects versions 3.9.14 and older and has been patched as of version 3.9.15. The problem is particularly concerning because many users rely on the library being inherently secure. The VM2 sandbox has approximately 4.6 million weekly downloads on NPM and is used in multiple JavaScript-based software solutions. Proof-of-concept code has been released for the vulnerability and will likely be adapted into weaponized exploits soon. The vulnerability is tracked as CVE-2023-29017 and received a CVSS severity score of 10. Users are encouraged to update their VM2 libraries as soon as possible, as there are no known workarounds.
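Since the only remediation is upgrading, the practical first step for a defender is finding every copy of vm2 in a project's dependency tree, including nested copies pulled in transitively. The following is an added example written for this post, not code from Control Gap or the VM2 project: a small Node script that walks an npm lockfile (both the lockfileVersion 1 nested "dependencies" form and the lockfileVersion 2/3 flat "packages" map) and flags any vm2 below 3.9.15. The embedded lockfile is a constructed sample, and the advisory table holds only the version boundary stated above.

```javascript
// Added example: audit an npm lockfile for vm2 versions affected by
// CVE-2023-29017 (versions <= 3.9.14; fixed in 3.9.15). Not part of the
// original post. The advisory list below is illustrative and deliberately short.
const ADVISORIES = [
  { name: 'vm2', fixedIn: '3.9.15', id: 'CVE-2023-29017' },
];

// Compare dotted numeric versions without a semver dependency.
// Returns -1, 0 or 1. A pre-release suffix ("3.9.15-beta") is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Record a finding if this package/version pair falls below a fixed version.
function checkPackage(path, name, version, findings) {
  if (!version) return;
  for (const adv of ADVISORIES) {
    if (name === adv.name && compareVersions(version, adv.fixedIn) < 0) {
      findings.push({ path, version, id: adv.id, fixedIn: adv.fixedIn });
    }
  }
}

// lockfileVersion 1: each dependency may carry its own nested "dependencies".
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    checkPackage(path, name, meta.version, findings);
    walkV1(meta.dependencies, `${path}/`, findings);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/vm2" or "node_modules/tool/node_modules/vm2".
function walkPackages(packages, findings) {
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    checkPackage(path, name, meta.version, findings);
  }
}

// Entry point: accepts a parsed package-lock.json object and returns findings.
function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) walkPackages(lock.packages, findings);
  else walkV1(lock.dependencies, '', findings);
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3). The top-level vm2 is stale
// while a nested copy under "some-tool" has already been upgraded.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.14' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/vm2': { version: '3.9.15' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.id}: ${f.path}@${f.version} (fixed in ${f.fixedIn})`);
}
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real project; because both lockfile layouts are handled, the same script works for older projects that were never migrated to lockfileVersion 2 or 3. Nested copies matter: a top-level `npm update vm2` leaves a vulnerable copy behind if another dependency pins its own.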
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
A wide variety of HP LaserJet printers have been found to be affected by a highly conditional vulnerability, CVE-2023-1707, which could compromise information transmitted between IT systems and the HP device. HP devices running version 5.6 of the “FutureSmart” firmware with IPsec in use are potentially vulnerable. A full list of affected devices can be found in HP’s disclosure. HP has released an official statement disputing the severity of the vulnerability, which has been assigned a CVSS score of 9.1, and is encouraging affected users to update to the latest available patch. Users seeking to update their HP devices can find firmware updates here.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Envoy is an “open-source edge and service proxy designed for cloud-native applications”. This past week, 6 vulnerabilities were disclosed for the software, including denial of service, security policy bypasses, and JSON Web Token abuses. Multiple versions of Envoy are affected; the issues have been addressed in security advisories published via GitHub’s new disclosure platform. Given the tool’s position between applications and the network, compromising Envoy could lead to the compromise of highly critical or otherwise sensitive information. The vulnerabilities are being tracked as follows: