Control Gap Vulnerability Roundup: August 27th to September 2nd

This week saw the publication of 432 new CVE IDs. Of those, 204 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• In a growing pattern, another Python package index package has been backdoored with a remote code execution vulnerability by an unknown third party.
• Japanese company Hytech Inter saw multiple vulnerabilities released for one of their products this week, the affected device, an industrial application LTE router would pose a significant security risk if compromised.
• 23 total vulnerabilities were identified for Snapdragon Auto modules involving memory management, while the impact of these disclosures is still unclear the global adoption of these products could imply far reaching risk.
• An open redirect vulnerability in IBM’s Security Identity Manager could empower threat actors to conduct powerful phishing attacks.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

PyPI Package Affected by Backdoor

In a growing trend another Python package index package was found to have been backdoored by an unknown third-party. Exotel-py as of version 0.1.6 was found to have a remote code execution backdoor which was inserted intentionally by an unknown third-party, the vulnerability is being tracked as CVE-2022-38792. The vulnerability represents a growing threat of supply chain attacks involving open-source, crowd developed software, NIST has very recently released its “Secure Software Development Framework” which in part seeks to address and advise organizations on “Software Bill[s] of Material” (SBOM) and mitigations against supply chain attacks.

Hytec Inter HWL-2511-SS Multiple Vulnerabilities

The Hytec Inter HWL-2511-SS is an LTE internet router commonly used in industrial applications. The router had three vulnerabilities published this week including a weak password hash for the root account, an arbitrary command execution vulnerability which would allow an attacker to execute commands in the context of the root account, and an additional command injection vulnerability in the web page “/www/cgi-bin/popen.cgi”. The vulnerabilities are being tracked as CVE-2022-36555, CVE-2022-36554, and CVE-2022-36553 respectively. Interestingly the CVE pages link to an informational GitHub page which has since been taken offline. It is not clear if a vendor advisory or patches have been released yet.

Snapdragon Auto Multiple Vulnerabilities

23 total vulnerabilities for Snapdragon Auto modules involving memory management were identified this week. Qualcomm is one of the leading mobile processor manufacturers in the world with Snapdragon products found in millions of devices around the world. While the impact of these vulnerabilities is currently undefined, the wide adoption of these devices and the nature of their use in automobiles could have far reaching implications in the future. The vulnerability IDs are as follows:

• CVE-2022-25680
• CVE-2022-25668
• CVE-2022-25659
• CVE-2022-25658
• CVE-2022-25657
• CVE-2022-22106
• CVE-2022-22104
• CVE-2022-22102
• CVE-2022-22101
• CVE-2022-22100
• CVE-2022-22099
• CVE-2022-22098
• CVE-2022-22080
• CVE-2022-22070
• CVE-2022-22069
• CVE-2022-22067
• CVE-2022-22062
• CVE-2022-22059
• CVE-2022-35135
• CVE-2022-35132
• CVE-2022-35122
• CVE-2022-35113
• CVE-2022-35097

IBM Security Identity Manager Open Redirect Vulnerability

IBM Security Identity Manager versions 6.0 and 6.0.2 suffer from an open redirect vulnerability which could enable attacks to conduct more sophisticated phishing attacks. The vulnerability which is being tracked as CVE-2022-29864, could allow an attacker to craft a URL which appears to represent a legitimate resource at the product, users visiting the URL would then be redirected to an attacker-controlled site which would enable further client-side or phishing attacks on victims. IBM and IBM X-Force have released security advisories and recommend users update to the latest patch.