Zach Matthews : Aug 22, 2022 1:24:17 PM
This week saw the publication of 455 new CVE IDs. Of those, 93 have not yet been assigned official CVSS scores; of the ones that were, approximately 17% were of critical severity, 36% were high, 46% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
Softing Secure Integration Server version 1.22 had 9 CVEs published this week, covering denial-of-service, authentication bypass, directory traversal, arbitrary code execution, default credentials, and a NULL pointer dereference. Softing has released a security advisory warning users and encouraging them to upgrade to version 1.30 of the software. Due to the wide reach and sensitive applications of the software, CISA also released an advisory detailing the vulnerabilities and mitigations, encouraging users of the software to implement fixes immediately after performing proper impact analysis of the defensive measures. CISA has stated that no known public exploits exist for these vulnerabilities; however, the attacks are of low complexity and can be conducted from a remote position. The related CVE IDs are as follows:
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
Zoho ManageEngine Analytics Plus is a unified IT analytics platform which “unifies IT data from multiple applications and monitoring tools and empowers you [the user] with automated insights to make faster strategic decisions”. This week, two vulnerabilities were published for Analytics Plus versions lower than 4.3.5 which allow remote code execution and information disclosure. It should be noted that these vulnerabilities were fixed in version 4.3.5 in 2019 but were only publicly disclosed now, likely to give the user base more than enough time to patch. The directory traversal vulnerability, CVE-2020-21642, affects the zropusermgmt parameter in the zropusermgmt API and allows remote unauthenticated attackers to execute arbitrary code on the affected system. The second vulnerability, CVE-2020-21641, is an out-of-band XML External Entity (XXE) injection which allows unauthenticated remote attackers to read arbitrary files on the affected system in the context of the Analytics Plus server. Zoho released a patch for these vulnerabilities back in 2019 with the release of version 4.3.5 of the Analytics Plus software. Zoho announced in July 2022 that across their product offerings they have achieved a user base of approximately 80 million. Given the vendor's wide reach, it is very likely that there are still instances of the Analytics Plus product in use on versions below 4.3.5.
Real-World Exploitability: High | Exploited in the Wild: No | Available Public Exploits: No
AgileConfig is a Chinese open-source configuration center for applications deployed in containers. Versions of the AgileConfig server below 1.6.8 have a hardcoded JWT secret which allows remote unauthenticated attackers to gain administrator access to the server. AgileConfig has released a patched version of the server on the project's GitHub. The vulnerability is tracked as CVE-2022-35540. The project's GitHub page boasts 51,000 downloads at the time of writing this roundup.
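The added example below (not AgileConfig's code) shows why a hardcoded HS256 secret is equivalent to no authentication at all, and the startup check that forces a per-deployment secret instead; the default value, environment variable name `JWT_SECRET`, and claims are constructed for illustration.

```python
"""Added example (not AgileConfig's code): a minimal HS256 JWT sign/verify plus a
startup check that refuses a shipped default secret, the hardened counterpart to the
hardcoded secret that CVE-2022-35540 describes. Secret values and claims are constructed."""
import base64, hashlib, hmac, json, os, secrets

# Hypothetical default baked into source control: anyone who reads the code has it.
HARDCODED_DEFAULT_SECRET = "change-me-default-secret"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_jwt(claims, secret):
    """Mint header.payload.signature with HS256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return "%s.%s.%s" % (header, payload, _b64url(_hs256(secret, header + "." + payload)))

def verify_jwt(token, secret):
    """Return the claims if the HMAC matches, otherwise None (alg must be HS256)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_hs256(secret, header + "." + payload), _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def secret_is_acceptable(secret):
    """Reject the shipped default and anything under 32 characters."""
    return secret != HARDCODED_DEFAULT_SECRET and len(secret) >= 32

def generate_secret():
    """Per-deployment value for JWT_SECRET, generated once at install time."""
    return secrets.token_hex(32)

def load_jwt_secret(env=None):
    """Hardened form: take the secret from JWT_SECRET and refuse to start otherwise."""
    secret = (os.environ if env is None else env).get("JWT_SECRET", "")
    if not secret_is_acceptable(secret):
        raise RuntimeError("JWT_SECRET unset, too short, or still the hardcoded default")
    return secret
```

Rotating the secret invalidates every outstanding token, which is the intended effect when a default has been shipped.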
Real-World Exploitability: Medium | Exploited in the Wild: Unknown | Available Public Exploits: No
Qualys Cloud Agent with manifest versions prior to 2.5.548.2 had two vulnerabilities disclosed this week: a privilege escalation and an information disclosure. The privilege escalation vulnerability, tracked as CVE-2022-29549, stems from the affected software executing binaries without conducting permission and ownership checks. It is possible for a low-privilege user with certain permissions to replace these binaries and execute code in the context of the Qualys Cloud Agent. The second vulnerability, tracked as CVE-2022-29550, is that affected versions of the Qualys Cloud Agent write the output of the “auxwwe” command to logs in certain configurations. This output can contain credentials or other secrets stored in environment variables. Qualys disputes this vulnerability on the following three grounds:
Qualys has released a security advisory and all Qualys Cloud Agents have automatic updates pending which will upgrade all affected manifests.
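As an added example (not Qualys code), the following is the kind of ownership and permission check a privileged agent should run on a helper binary and its parent directories before executing it, which is the check CVE-2022-29549 describes as missing; the trust root, trusted uid list and the temporary directory tree are constructed for the demonstration.

```python
"""Added example (not Qualys code): a trusted-path check a privileged agent can run
before executing a helper binary. It rejects the file, or any directory between it
and a stated trust root, that is not owned by a trusted uid or is group/world
writable. The directory tree is constructed in a temporary directory for the demo."""
import os, stat, tempfile

def _component_problem(path, trusted_uids):
    """Reason this path component could be swapped by a low-privilege user, else None."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "%s: symlink" % path
    if st.st_uid not in trusted_uids:
        return "%s: owned by untrusted uid %d" % (path, st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "%s: writable by group or others" % path
    return None

def check_binary_trusted(binary, trust_root="/", trusted_uids=(0,)):
    """Walk from the binary up to trust_root inclusive; return (ok, reason)."""
    path = os.path.abspath(binary)
    if not stat.S_ISREG(os.lstat(path).st_mode):
        return False, "%s: not a regular file" % path
    stop = os.path.abspath(trust_root)
    while True:
        problem = _component_problem(path, trusted_uids)
        if problem:
            return False, problem
        if path == stop or os.path.dirname(path) == path:
            return True, "ok"
        path = os.path.dirname(path)

def demo_scenarios():
    """Constructed tree: a clean layout, then two ways a low-privilege user could replace it."""
    results, me = {}, (0, os.geteuid())
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        helper = os.path.join(bindir, "helper")
        os.mkdir(bindir, 0o755)
        with open(helper, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(root, 0o755)
        os.chmod(helper, 0o755)
        results["clean"] = check_binary_trusted(helper, root, me)[0]
        os.chmod(bindir, 0o777)      # anyone can rename/replace helper inside
        results["world_writable_dir"] = check_binary_trusted(helper, root, me)[0]
        os.chmod(bindir, 0o755)
        os.chmod(helper, 0o775)      # group members can overwrite helper
        results["group_writable_file"] = check_binary_trusted(helper, root, me)[0]
    return results
```

In production the trust root would be `/` and the trusted uid list just root, so a world-writable `/tmp` on the path is correctly rejected.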
Real-World Exploitability: Low | Exploited in the Wild: No | Available Public Exploits: Yes
Microsoft released an unusual DevBlog this week detailing a denial-of-service vulnerability in select mechanical hard drives which were used widely in consumer laptops in the mid-2000s. The vulnerability was discovered during product testing for a laptop being produced by a major computer manufacturer, in which playing the music video for Janet Jackson’s “Rhythm Nation” caused unexplained crashes; even more confusingly, the music video could crash competitor laptops in close proximity. Researchers found that the music video contained one of the natural resonant frequencies of the hard drive used in the laptop and was the source of the crashes. The vulnerability was published with the CVE ID CVE-2022-38392. While Control Gap personnel acknowledge that the impact and practicality of this vulnerability are non-existent, this strange anecdote making the rounds in tech news this week may inspire research into side-channel attacks related to sonic, acoustic, or electromagnetic waves: