Control Gap Vulnerability Roundup: April 22nd to April 28th

This week saw the publication of 501 new CVE IDs. Of those, 430 have not yet been assigned official CVSS scores; of the ones that were, approximately 20% were of critical severity, 13% were high, 67% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Apache Superset disclosed a vulnerability affecting multiple versions of the Superset server. The issue has been known since October 2021 but was finally patched this last week. Apache is urging users to update immediately.
  • The highly popular print server “PaperCut” has disclosed multiple critical severity vulnerabilities which are being actively exploited in the wild. Unauthenticated attackers can exploit affected PaperCut servers to execute remote code. Trend Micro, the researchers who initially discovered the vulnerability, have announced that they will wait until May 10th to release technical details. Horizon3 and Huntress Labs have preempted Trend Micro by releasing their own blog posts and PoC exploits publicly.
  • APC, an incredibly popular battery backup and electrical product producer, has disclosed a vulnerability affecting the software used to manage their products remotely. This vulnerability’s severity could potentially be exacerbated as these products are commonly relied on during disaster recovery situations.
  • ESET has released research showing that they were able to retrieve highly sensitive information from networking technology purchased on the secondhand market. ESET was able to retrieve network and application configuration information in addition to authentication secrets even from devices which were said to be securely wiped by a third-party service.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


Apache Superset Remote Code Execution

  • Severity: Critical
  • Real-World Exploitability: High
  • Exploited in the Wild: No
  • Available Public Exploits: No

Apache Superset is an open-source “lightweight and intuitive” data exploration and visualization server which is able to handle data at the petabyte scale. Recently, researchers with Horizon3 disclosed a vulnerability, CVE-2023-27524, affecting the authentication component of the application. Superset versions up to and including 2.0.1 utilize a default Flask secret key to sign user session tokens. An unauthenticated attacker could sign their own session token with the default key and access the server with administrator privileges. Horizon3 has done extensive research into this issue and reported it to Apache back in October of 2021. To give some credit to Apache, the setup documentation tells administrators to change the key from default. After Horizon3’s initial report, Apache rotated the default key and also added warning logs to notify administrators that the server was running with defaults. According to Horizon3, this did not stop Apache Superset users from exposing more than 2,000 servers to the internet with either old or new defaults configured. Horizon3 contacted Apache again, resulting in the 2023 CVE above. Apache has addressed this issue with the 2.1 version which does not allow the Superset server to launch if it is configured with defaults. Horizon3 has released a GitHub script and relayed official instructions for any Superset admins which want to check if they are vulnerable and remediate their instance.
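Superset 2.1 refuses to launch when the signing key is still at its default. The following startup guard is an added example (not Horizon3's checker script and not Apache's code) of the same class of check a Flask-based deployment can run before serving: it rejects a SECRET_KEY that is unset, a known default, too short, or too repetitive to be random. The values in KNOWN_DEFAULT_KEYS are constructed placeholders rather than the real Superset defaults, and SUPERSET_SECRET_KEY is an assumed environment variable name.

```python
import math
import secrets
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed placeholders standing in for the old and new Superset defaults;
# the real default strings are deliberately not reproduced here.
KNOWN_DEFAULT_KEYS = {
    "PLACEHOLDER_OLD_DEFAULT_SECRET_KEY",
    "PLACEHOLDER_NEW_DEFAULT_SECRET_KEY",
}
MIN_KEY_BYTES = 32         # at least 256 bits of raw key material
MIN_TOTAL_ENTROPY = 128.0  # estimated Shannon entropy over the whole key, in bits


def shannon_entropy_bits(text: str) -> float:
    """Estimated entropy per character, from the character frequency distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def check_secret_key(key: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason). Session tokens are only as trustworthy as the key that
    signs them: a default or guessable key lets anyone mint a valid admin session."""
    if not key:
        return False, "SECRET_KEY is not set"
    if key in KNOWN_DEFAULT_KEYS:
        return False, "SECRET_KEY is a known default value"
    if len(key.encode("utf-8")) < MIN_KEY_BYTES:
        return False, f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes"
    if shannon_entropy_bits(key) * len(key) < MIN_TOTAL_ENTROPY:
        return False, "SECRET_KEY has too little entropy (repetitive or low-variety)"
    return True, "ok"


def generate_secret_key() -> str:
    """A replacement value suitable for the config: 42 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(42)


def startup_guard(env: Dict[str, str]) -> str:
    """Mirror the 2.1 behaviour: refuse to start on a bad key. The variable name
    SUPERSET_SECRET_KEY is an assumption made for this example."""
    ok, reason = check_secret_key(env.get("SUPERSET_SECRET_KEY"))
    if not ok:
        raise SystemExit(f"refusing to start: {reason}; set SUPERSET_SECRET_KEY, e.g. {generate_secret_key()}")
    return "started"
```

Call `startup_guard(dict(os.environ))` from the service's entry point so a misconfigured instance fails closed instead of serving with a forgeable session key.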


PaperCut Authentication Bypass and Remote Code Execution

  • Severity: Critical
  • Real-World Exploitability: High
  • Exploited in the Wild: Yes
  • Available Public Exploits: Yes

PaperCut has released an “URGENT” security advisory for its customers detailing two vulnerabilities, CVE-2023-27350 and CVE-2023-27351 (a remote code execution and an authentication bypass vulnerability), which, according to other security researchers, are being exploited to compromise internet-exposed PaperCut servers. Trend Micro is credited by PaperCut for initially reporting the vulnerability, and the advisory states that Trend Micro will release a detailed technical write-up on May 10th. Researchers at Horizon3 and Huntress Labs, however, have already released their own blog posts on the issue along with PoC exploit code. PaperCut is urging all affected customers to update all of their “application” and “site” servers immediately.


APC Uninterruptible Power Supply (UPS) Remote Code Execution

  • Severity: Critical
  • Real-World Exploitability: High
  • Exploited in the Wild: No
  • Available Public Exploits: No

APC is one of, if not the most, popular IT physical infrastructure brands, and is owned by Schneider Electric. APC specializes in “battery back-up power and surge protection” and I have personally purchased their UPS products for use in critical IT infrastructure I used to administrate. APC has disclosed three vulnerabilities in its “Easy UPS Online Monitoring Software”: two arbitrary code execution vulnerabilities and one denial of service vulnerability. They are tracked as CVE-2023-29411, CVE-2023-29412 and CVE-2023-29413. The severity of these vulnerabilities may be exacerbated by the urgency and panic of the kind of incident in which these devices are relied upon. IT administrators experiencing an outage or disaster situation may be tempted to make interacting with infrastructure “as easy as possible” and, in doing so, expose this critical infrastructure to the internet. Exploitation of power backup systems can result in higher-impact incidents or more severe compromise. APC is urging affected customers to upgrade to the latest available version of their software.


ESET Second-hand Router Research

  • Severity: Critical
  • Real-World Exploitability: Medium
  • Exploited in the Wild: No
  • Available Public Exploits: Yes

ESET is a cyber security company specializing in internet security and anti-malware technology. Recently, researchers working with the company released a report that describes a significant problem in the secondhand market for corporate networking products. ESET purchased multiple corporate routers on the secondhand market and was able to recover sensitive information from approximately 90% of them, including network configuration information, authentication secrets, and the network topology surrounding critical IT applications such as Microsoft Exchange. ESET took the extra step of reaching out to some of the organizations affected by the data leak and found that they had employed a third party to “securely” wipe the devices. This issue highlights the complex problem of IT inventory management and secure data management. Organizations seeking to recoup the cost of cutting-edge networking technology should account for the added cost of secure data destruction to prevent future compromise. The cost of a cyber security incident greatly outweighs the cost of thorough data destruction on key infrastructure that is going to be thrown out or resold. There is no CVE associated with these findings.
