Control Gap Vulnerability Roundup: April 8th to April14th

This week saw the publication of 652 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 12% were of critical severity, 48% were high, 39% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• A flaw in the Microsoft Windows Message Queueing service was disclosed and patched which would allow for remote code execution on any affected asset running an MSMQ service.
• The Microsoft Windows Common Log File System continues to be abused by threat actors to escalate privileges on affected systems, this week saw the disclosure and patch of the 32nd vulnerability affecting the service since 2018.
• SAP products utilized by Fortune 100 companies all over the world had two critical severity vulnerabilities disclosed this week which would allow attackers to execute arbitrary code or upload arbitrary files.
• Spice DB had a very length CVE record published this week outlining a vulnerability which would allow attackers to obtain secrets entered when launching the database from the command line.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Microsoft Windows Message Queueing Remote Code Execution

A vulnerability in the Microsoft Windows Message Queueing service has been disclosed which affects multiple versions of Windows and Windows server up to the latest versions of Windows 11 and Windows Server 2022. The Microsoft Windows Message Queueing service is an optional service which “enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline”. The vulnerability, which was assigned a CVSS score of 9.8, allows an unauthenticated attacker to execute arbitrary code on the affected system. The vulnerability was patched during April’s patch Tuesday and Microsoft is urging users to update as soon as possible, or disable the MSMQ service. The flaw was discovered by researchers working with Fortinet and Checkpoint Research who claimed it could be exploited with a single network packet. The vulnerability is tracked as CVE-2023-21554.

Microsoft Windows CLFS Escalation of Privilege 

Threat researchers with Kaspersky’s Global Research and Analysis Team “GReAT” identified exploit attempts targeting the Windows Common Log File System “CLFS”. “CLFS” is a “log file subsystem” for Windows which was introduced with Windows Server 2003 R2. According to Kaspersky, 32 unique escalation of privilege vulnerabilities affecting “CLFS” have been disclosed since 2018. Interestingly, Kaspersky noted that the exploitation techniques they found were highly similar to other modern vulnerability exploits affecting “CLFS”, leading Kaspersky to believe the exploits were discovered and authored by the same developer. The vulnerability is being tracked as CVE-2023-28252 and would allow a low privileged user to execute code in the context of the SYSTEM account. The vulnerability affects multiple versions of Windows, is known to be exploited in the wild, and has been addressed in Microsoft’s April patch Tuesday.

SAP Remote Code Execution and Information Disclosure 

SAP, a German based enterprise software provider has disclosed two critical vulnerabilities in its Diagnostic Agent and NetWeaver. The first vulnerability, CVE-2023-27267, affects the SAP Diagnostic Agent version 720 and allows an unauthenticated attacker to bypass authentication and execute arbitrary scripts on connected agents. The second vulnerability, CVE-2023-29186, affects SAP NetWeaver versions 707, 737, 747, and 757, and would allow an authenticated attacker to upload and overwrite arbitrary files on the affected system. SAP has released a comprehensive patch disclosure and is urging users to update swiftly. SAP’s motto “The best run SAP” is no exaggeration; according to SAP’s testimonials page, 99 of the 100 largest companies in the world utilize SAP software. Critical flaws such as those above are likely to be targeted by threat actors who engage in “whaling”, a practice of targeting the wealthiest or most influential organizations in an industry.

Spice DB Information Disclosure

In one of the largest and most detailed NVD entries I have ever seen, a novel vulnerability has been disclosed for Spice DB which would allow an attacker to retrieve sensitive information about the database instance. The vulnerability, CVE-2023-29193, affects the Spice DB debug command line which is available by default on port 9090. An attacker who could view the metrics endpoint could view the command line flags used when the Spice DB server was started, among which, is the “grpc-preshared-key” used by the server to implement authentication on the gRPC API endpoints. The contents of the key are considered secret but will be exposed through the metrics endpoint and could then be abused by an attacker to access the API endpoints. The flaw was fixed in version 1.19.1 and the NVD entry provides multiple workarounds and mitigations.