This week saw the publication of 501 new CVE IDs. Of those, 430 have not yet been assigned official CVSS scores; of the ones that were, approximately 20% were of critical severity, 13% were high, 67% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Apache Superset is an open-source “lightweight and intuitive” data exploration and visualization server which is able to handle data at the petabyte scale. Recently, researchers with Horizon3 disclosed a vulnerability, CVE-2023-27524, affecting the authentication component of the application. Superset versions up to and including 2.0.1 use a default Flask secret key to sign user session tokens. An unauthenticated attacker could sign their own session token with the default key and access the server with administrator privileges. Horizon3 did extensive research into this issue and reported it to Apache back in October of 2021. To give some credit to Apache, the setup documentation tells administrators to change the key from the default. After Horizon3’s initial report, Apache rotated the default key and also added warning logs to notify administrators that the server was running with defaults. According to Horizon3, this did not stop Apache Superset users from exposing more than 2,000 servers to the internet with either the old or the new default configured. Horizon3 contacted Apache again, resulting in the 2023 CVE above. Apache has addressed the issue in version 2.1, which does not allow the Superset server to launch if it is configured with defaults. Horizon3 has released a GitHub script and relayed official instructions for any Superset admins who want to check whether they are vulnerable and remediate their instance.
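The default-key problem comes down to how signed session cookies work: the server's secret is the only thing that distinguishes a legitimate session token from one that anyone who knows the secret can mint. The following is an added example, not Horizon3's script and not Superset's own code, that models a Flask-style HMAC-signed session token in standard-library Python and shows the kind of startup gate that version 2.1 introduced. The placeholder "default" key values, the 32-byte minimum length and the function names are assumptions made for this illustration; the real default keys are not reproduced on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-ins for "known default" keys. The real values that
# Apache shipped and later rotated are deliberately not reproduced here; a
# deployment check would load the real list from the vendor's guidance.
DEFAULT_KEY_PLACEHOLDERS = frozenset({
    "CHANGE_ME_PLACEHOLDER_DEFAULT_KEY",   # hypothetical originally shipped default
    "CHANGE_ME_PLACEHOLDER_ROTATED_KEY",   # hypothetical rotated default
})

MIN_KEY_BYTES = 32  # assumed policy minimum for a secret key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, secret_key: str) -> str:
    """Produce a signed token of the form base64(payload).base64(HMAC-SHA256).

    Simplified model of a Flask-style signed cookie: the payload is readable by
    anyone; only the HMAC tag ties it to the server's secret.
    """
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret_key.encode(), body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_session(token: str, secret_key: str) -> Optional[dict]:
    """Return the payload if the tag was produced with this secret, else None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret_key.encode(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def secret_key_problem(secret_key) -> Optional[str]:
    """Describe why a configured SECRET_KEY is unacceptable, or None if it is fine."""
    if not isinstance(secret_key, str) or not secret_key:
        return "SECRET_KEY is unset"
    if secret_key in DEFAULT_KEY_PLACEHOLDERS:
        return "SECRET_KEY is a known default value"
    if len(secret_key.encode()) < MIN_KEY_BYTES:
        return f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes"
    return None


def startup_gate(secret_key) -> str:
    """Model the version 2.1 behaviour: refuse to start rather than log a warning."""
    problem = secret_key_problem(secret_key)
    if problem is not None:
        raise RuntimeError(f"refusing to start: {problem}")
    return "started"


def default_key_accepts_self_signed(secret_key: str) -> bool:
    """Why a shared default is fatal: verification depends only on the key value.

    Any token signed with the same value is accepted, so the role claim inside
    it is honoured without any login having taken place.
    """
    claim = {"user_id": 1, "role": "admin"}
    return verify_session(sign_session(claim, secret_key), secret_key) == claim


if __name__ == "__main__":
    default_key = "CHANGE_ME_PLACEHOLDER_DEFAULT_KEY"
    print("default key accepts a self-signed admin token:",
          default_key_accepts_self_signed(default_key))
    fresh_key = secrets.token_hex(32)   # what a rotated, per-instance key looks like
    stale = sign_session({"user_id": 1, "role": "admin"}, default_key)
    print("same token checked against a rotated key:", verify_session(stale, fresh_key))
    for key in (default_key, "short", fresh_key):
        try:
            print(startup_gate(key))
        except RuntimeError as exc:
            print(exc)
```

Rotating the key invalidates every token signed under the old one, which is why the remediation is both to set a unique, sufficiently long `SECRET_KEY` and to confirm the server will not start without one; a warning in the logs, as the narrative above shows, was not enough to get exposed instances fixed.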
Real-World Exploitability: High
Exploited in the Wild: Yes
Available Public Exploits: Yes
PaperCut has released an “URGENT” security advisory for its customers detailing two vulnerabilities, CVE-2023-27350 and CVE-2023-27351 (a remote code execution and an authentication bypass vulnerability), which, according to other security researchers, are being exploited to compromise internet-exposed PaperCut servers. Trend Micro is credited by PaperCut for initially reporting the vulnerability, and the security advisory states that Trend Micro will be releasing a detailed technical write-up on the vulnerability on May 10th. Researchers at Horizon3 and Huntress Labs, however, have already released their own blog posts on the issue along with PoC exploit code. PaperCut is urging all its affected customers to update all of their “application” and “site” servers immediately.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
APC is one of the most popular, if not the most popular, IT physical infrastructure brands, owned by Schneider Electric. APC specializes in “battery back-up power and surge protection” and I have personally purchased their UPS products for use in critical IT infrastructure I used to administrate. APC has disclosed three vulnerabilities in its “Easy UPS Online Monitoring Software”: two arbitrary code execution vulnerabilities and one denial of service vulnerability. The vulnerabilities are tracked as CVE-2023-29411, CVE-2023-29412 and CVE-2023-29413. The severity of these vulnerabilities may be exacerbated by the urgency and panic of the very incidents in which these devices are relied upon. IT administrators experiencing an outage or disaster situation may be tempted to make interacting with infrastructure “as easy as possible” and, in doing so, expose this critical infrastructure to the internet. Exploitation of power backup systems can result in higher-impact incidents or more severe compromise. APC is urging affected customers to upgrade to the latest available version of the software.
Real-World Exploitability: Medium
Exploited in the Wild: No
Available Public Exploits: Yes
ESET is a cyber security company specializing in internet security and anti-malware technology. Recently, researchers working with the company released a report that describes a significant problem in the secondhand market for corporate networking products. ESET purchased multiple corporate routers on the secondhand market and was able to recover sensitive information from approximately 90% of them, including network configuration information, authentication secrets, and network topography surrounding critical IT applications such as Microsoft Exchange. ESET took the extra step of reaching out to some of the organizations affected by the data leak and found that they had employed a third party to “securely” wipe the devices. This issue highlights the complex problem of IT inventory management and secure data management. High-value organizations seeking to recoup the cost of cutting-edge networking technology should account for the added cost of secure data destruction to prevent future compromise. The cost of a cyber security incident greatly outweighs the cost of thorough data destruction on key infrastructure that is going to be discarded or resold. There is no CVE associated with these findings.