Control Gap Vulnerability Roundup: August 6th to August 12th

This week saw the publication of 576 new CVE IDs. Of those, 80 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 39% were high, 39% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

• Zimbra Collaboration Suite vulnerabilities can be chained together to obtain complete remote compromise of the system. Systems are being targeted en-masse in the wild.
• Microsoft Exchange is suffering from multiple vulnerabilities including information disclosure and privilege escalation where an unauthenticated attacker could read e-mails from affected servers.
• Remote code execution affecting Windows server 2022 NFS4.1.
• An unintended behavior in the Google Play Services SDK resulted in potentially thousands of Android applications being built with insecure configurations. Developers are being urged to update their SDK, re-build and re-release their applications.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Zimbra Collaboration Suite “ZCS” Multiple Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Yes

Available Public Exploits  No

Zimbra Collaboration Suite is a collection of collaboration software for business which includes e-mail, group calendars, video conferencing, chat and a web client. Previously a remote code execution vulnerability in the mboximport function would allow an attacker who was authenticated as an admin to upload a crafted .zip file and execute arbitrary code. This vulnerability, tracked as CVE-2022-27925 was given a medium severity rating. This week an authentication bypass vulnerability with CVE id CVE-2022-37042 was disclosed for the Zimbra platform. This vulnerability would allow an attacker to authenticate as an admin which could then be chained with the other vulnerability to remotely compromise any affected Zimbra server. Zimbra has released a security advisory and patch. The threat intelligence firm Volexity has reported that the vulnerability is being exploited on a mass scale in the wild. Zimbra has advised customers to immediately patch if they are using Zimbra versions older than 8.8.15-33 or 9.0.0-26.

Microsoft Exchange Multiple Vulnerabilities

Real-World Exploitability Medium

Exploited in the Wild No

Available Public Exploits  No

Microsoft published six unique vulnerabilities affecting the Microsoft Exchange server product including information disclosure and privilege escalation. The exploitability of these vulnerabilities is varying but could lead to an attacker escalating privileges or reading emails from the Exchange Server. Microsoft published separate advisories for each vulnerability and can be found by navigating to the respective CVE page. Microsoft recommends applying relevant patches and claims that none of the vulnerabilities have been exploited in the wild. The CVEs are being tracked with the following ids: CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-24516, CVE-2022-30134, CVE-2022-34692.

Windows Network File System 4.1 Remote Code Execution

Real-World Exploitability Medium

Exploited in the Wild No

Available Public Exploits No

A remote code execution vulnerability in Microsoft Windows NFS4.1 affecting Windows Server 2022 was disclosed by Microsoft this past week. This vulnerability has not been publicly disclosed and according to Microsoft is not exploited in the wild. Microsoft also assured customers that NFS versions 2.0 and 3.0 are unaffected. An official update has been released along with an advisory from Microsoft which assigned a CVSS score of 9.8 to the vulnerability. The vulnerability is currently being tracked with the CVE id CVE-2022-34715.

Google Play Services SDK PendingIntents

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits No

Apps developed using Google Play Services SDK before version 18.0.2 incorrectly had the mutability flag set to PendingIntents. This misconfiguration allows an attacker to gain access to all non-exported providers and/or to providers for which the user has permissions. Providers are a component of Android applications which allow for communication between apps on the device. Given that Google Play Services SDK is so popular the publishers theorize that this vulnerability likely affects many Android applications. Google recommends upgrading to version 18.0.2 of the SDK and rebuilding and redeploying any Android applications which have been built using the older software. The vulnerability is being tracked with the CVE id CVE-2022-2390.