This week saw the publication of 432 new CVE IDs. Of those, 204 have not yet been assigned official CVSS scores. Of the ones that were scored, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures that pose an existential threat to the security of organizations' IT infrastructure. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that an organization can use to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting, in this weekly segment, newly disclosed vulnerabilities that have been assigned a CVE ID and that may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
| Real-World Exploitability | High |
| Exploited in the Wild | Unknown |
| Available Public Exploits | No |
In a growing trend, another Python Package Index (PyPI) package was found to have been backdoored by an unknown third party. Exotel-py, as of version 0.1.6, was found to contain a remote code execution backdoor that was inserted intentionally by an unknown third party; the vulnerability is being tracked as CVE-2022-38792. It illustrates the growing threat of supply chain attacks involving open-source, crowd-developed software. NIST has very recently released its "Secure Software Development Framework", which in part seeks to address and advise organizations on Software Bills of Materials (SBOMs) and mitigations against supply chain attacks.
| Real-World Exploitability | High |
| Exploited in the Wild | Unknown |
| Available Public Exploits | No |
The Hytec Inter HWL-2511-SS is an LTE internet router commonly used in industrial applications. Three vulnerabilities in the router were published this week: a weak password hash for the root account, an arbitrary command execution vulnerability that would allow an attacker to execute commands in the context of the root account, and a further command injection vulnerability in the web page "/www/cgi-bin/popen.cgi". They are tracked as CVE-2022-36555, CVE-2022-36554, and CVE-2022-36553 respectively. Interestingly, the CVE pages link to an informational GitHub page that has since been taken offline. It is not clear whether a vendor advisory or patches have been released yet.
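Command injection in an embedded web CGI almost always comes down to one pattern: a request parameter spliced into a shell command line. The following is an added example that contrasts that pattern with a hardened handler; it is not the Hytec firmware's code and says nothing about how popen.cgi is implemented. The handler and function names are hypothetical, and the vulnerable variant only builds a string, it never executes it.

```python
"""A diagnostic-ping CGI handler written two ways: the injectable pattern and a
hardened one. Added example illustrating the vulnerability class; it is not the
Hytec firmware's code and the function names are hypothetical."""
import re
import subprocess
from typing import Dict, List, Tuple


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable shape: untrusted input spliced into a shell command line, so a
    value containing shell metacharacters becomes additional commands. Returned
    as a string so this example never runs it."""
    return f"ping -c 1 {host}"


# Allow-list for the one thing the parameter may be: a hostname or dotted IPv4.
# Each label starts with an alphanumeric, so option-like values such as "-f",
# empty strings and anything containing ; | $ ( ) or whitespace are rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_ping_hardened(host: str) -> List[str]:
    """Validate against the allow-list, then build an argv list. With a list and
    no shell involved, the input can only ever be a single argument to ping."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def handle_ping_request(params: Dict[str, str]) -> Tuple[str, str]:
    """CGI-style entry point: map the `host` form field to an HTTP status and a
    body without executing anything, so the validation can be unit-tested."""
    try:
        argv = build_ping_hardened(params.get("host", ""))
    except ValueError as exc:
        return "400 Bad Request", str(exc)
    return "200 OK", " ".join(argv)


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened command with no shell; returns ping's exit status.
    Even a web server running as root gains nothing for an attacker here
    beyond one ping to an address that matched the allow-list."""
    argv = build_ping_hardened(host)
    completed = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return completed.returncode


if __name__ == "__main__":
    for candidate in ("router.example", "10.0.0.1", "10.0.0.1; echo injected", "-f"):
        print("vulnerable :", build_ping_vulnerable(candidate))
        try:
            print("hardened   :", build_ping_hardened(candidate))
        except ValueError as exc:
            print("hardened   :", exc)
```

The two defences are independent and both matter: the argv list removes the shell from the picture entirely, and the allow-list stops the parameter from turning into an option or a second argument even if a future change reintroduces a shell. A CGI that runs as root, as the advisory describes for this router, is exactly where the difference between these two handlers becomes a full device compromise.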
| Real-World Exploitability | Medium |
| Exploited in the Wild | Unknown |
| Available Public Exploits | No |
A total of 23 vulnerabilities involving memory management were identified this week in Snapdragon Auto modules. Qualcomm is one of the leading mobile processor manufacturers in the world, with Snapdragon products found in millions of devices. While the impact of these vulnerabilities is currently undefined, the wide adoption of these devices and their use in automobiles could have far-reaching implications in the future. The vulnerability IDs are as follows:
| Real-World Exploitability | High |
| Exploited in the Wild | No |
| Available Public Exploits | No |
IBM Security Identity Manager versions 6.0 and 6.0.2 suffer from an open redirect vulnerability that could enable attackers to conduct more sophisticated phishing attacks. The vulnerability, tracked as CVE-2022-29864, could allow an attacker to craft a URL that appears to point to a legitimate resource on the product; users visiting the URL would then be redirected to an attacker-controlled site, enabling further client-side or phishing attacks on victims. IBM and IBM X-Force have released security advisories and recommend that users update to the latest patch.
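An open redirect exists whenever a redirect parameter is passed to the browser without being constrained to the application's own origin. The function below is an added example of that constraint, not code from IBM Security Identity Manager: it reduces any candidate value to a root-relative path on the application, or falls back to a default, and covers the parser-versus-browser mismatches that let deny-list checks through (protocol-relative `//host`, backslashes, extra slashes, embedded tab or newline characters, `scheme:host` without slashes, and userinfo before an `@`). The host name `idm.example.internal` is constructed.

```python
"""Validate a post-login redirect parameter so the application can only send a
browser back to itself. Added example, not code from IBM Security Identity
Manager; the application host name is constructed."""
from urllib.parse import urlsplit

APP_HOST = "idm.example.internal"  # constructed: the host this app is served on


def safe_redirect_target(candidate: str, default: str = "/") -> str:
    """Return a root-relative path derived from `candidate`, or `default`.

    Accepted: '/path', '/path?query', and absolute https URLs on APP_HOST.
    Rejected: other hosts, protocol-relative '//host' (and '///host'), backslash
    variants browsers normalise to '/', scheme-only forms like 'https:host',
    userinfo tricks like 'https://APP_HOST@evil', and non-https schemes."""
    if not candidate:
        return default
    # Browsers drop ASCII tab/newline anywhere in a URL and treat '\' like '/';
    # apply the same normalisation before parsing so '/\evil' and '/\t/evil'
    # are seen the way the browser will see them.
    normalised = "".join(ch for ch in candidate if ch not in "\t\r\n")
    normalised = normalised.strip().replace("\\", "/")
    # Any leading '//' is an authority in a browser, even when Python's parser
    # would treat '///host' as a path.
    if normalised.startswith("//"):
        return default
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute URL: only our own host over https; netloc includes any
        # userinfo, so 'APP_HOST@evil.example' does not compare equal.
        if parts.scheme != "https" or parts.netloc.lower() != APP_HOST:
            return default
        path = parts.path or "/"
    else:
        path = parts.path
    # Must be root-relative; a bare 'dashboard' is ambiguous, so it is refused.
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Re-assemble without the fragment; the query is kept for same-site deep links.
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for sample in ("/dashboard", "https://idm.example.internal/home",
                   "//evil.example/x", "https:evil.example", "/\\evil.example",
                   "https://idm.example.internal@evil.example/"):
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```

The design choice is allow-list by construction: the function never echoes the caller's string back, it rebuilds a path from parsed parts, so anything the parser did not understand cannot reach the Location header. Returning the default rather than an error keeps legitimate deep links working while giving a phished user a landing page on the real site instead of the attacker's.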