Control Gap Vulnerability Roundup: December 31st to January 6th


This week saw the publication of 425 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 33% were high, 48% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Popular NAS vendor Synology has disclosed a remote code execution vulnerability affecting their VPN Plus Server bearing the maximum CVSS score of 10.
  • CWP is vulnerable to an unauthenticated remote code execution bug stemming from improper handling of user input.
  • Zoho ManageEngine password manager products are vulnerable to SQL injection which allows any authenticated user to arbitrarily query the back-end database.
  • Apache Dubbo vulnerabilities dating back to 2021 have finally been disclosed by NIST’s NVD. The most severe vulnerability would allow for unauthenticated remote code execution.

The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures that threaten the security of organizations' IT infrastructures. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that the organization can use to improve its security posture. With dozens of new threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and that are especially novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


Synology VPN Plus Server Remote Code Execution 

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No

The popular NAS vendor Synology has released a security advisory addressing a remote code execution vulnerability that has been assigned the maximum CVSS score of 10.0. The vulnerability, tracked as CVE-2022-43931, affects the Remote Desktop functionality of Synology VPN Plus Server in versions before 1.4.3-0534 and 1.4.4-0635. It was discovered by Synology's internal PSIRT team and stems from an out-of-bounds write that would allow an unauthenticated attacker to execute arbitrary code on the server. Synology is urging customers to update to the latest available version; administrators should confirm in Package Center that the installed VPN Plus Server package is 1.4.3-0534 or 1.4.4-0635 or later, and treat any instance reachable from untrusted networks as exposed until it is.


CWP Unauthenticated Remote Code Execution

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: Yes

Versions of Control Web Panel (CWP), previously known as CentOS Web Panel, prior to 0.9.8.1147 are affected by an unauthenticated remote code execution vulnerability. The flaw stems from user-supplied input being interpolated, without sanitization, into an "echo" shell command used to log invalid login attempts. Because the shell re-parses that command string, a crafted payload can break out of the intended string and execute arbitrary commands on the host, and since the trigger is a failed login, it is reachable by anyone who can reach the panel's login page. The vulnerability was discovered and reported to the Control Web Panel team in July by Numan Türle, a researcher at Gais Security, and the CWP team produced a patch within two days. The vulnerability, now tracked as CVE-2022-44877, was published only after CWP could confirm that a sufficient majority of servers had been patched. Anyone who has not yet patched should update to the latest version of CWP 7.
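The injection mechanism described above, as an added example that is not CWP's own code: a shell function that builds an `echo ... >> logfile` command string from a caller-supplied value and hands it to `sh -c`, the way a web application that shells out would, beside a version that writes the same line with `printf` and never re-parses the input. The log path, the IP address and the `INJECTED-BY-SUBSTITUTION` marker are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not CWP's code). Shows why interpolating untrusted input
# into a shell command string is exploitable even when the value sits inside
# double quotes: the shell that parses the string still performs $(...)
# command substitution before echo ever runs.

# Vulnerable pattern: the attacker-controlled "user" value becomes part of a
# command string that a second shell parses. Double quotes do not stop
# command substitution, so $(...) inside the value executes.
log_failed_login_unsafe() {
  logfile="$1"
  user="$2"
  sh -c "echo \"incorrect entry, IP address 203.0.113.5, user $user\" >> \"$logfile\""
}

# Hardened pattern: no command string is built and nothing re-parses the
# value. printf with a fixed %s format treats the input strictly as data.
log_failed_login_safe() {
  logfile="$1"
  user="$2"
  printf '%s\n' "incorrect entry, IP address 203.0.113.5, user $user" >> "$logfile"
}

# Returns 0 when the log line ends with the bare marker, i.e. the $(echo ...)
# in the payload was executed and replaced by its output.
injection_ran() {
  grep -q 'user INJECTED-BY-SUBSTITUTION$' "$1"
}

# Returns 0 when the log contains the raw, unexpanded payload text.
payload_logged_literally() {
  grep -qF 'user $(echo INJECTED-BY-SUBSTITUTION)' "$1"
}

demo() {
  tmp=$(mktemp)
  # Constructed attacker-controlled value, as it might arrive in a login field.
  payload='$(echo INJECTED-BY-SUBSTITUTION)'

  log_failed_login_unsafe "$tmp" "$payload"
  if injection_ran "$tmp"; then
    echo "unsafe logger: command substitution executed inside the log command"
  fi

  : > "$tmp"
  log_failed_login_safe "$tmp" "$payload"
  if payload_logged_literally "$tmp"; then
    echo "safe logger: payload stored as plain text"
  fi

  rm -f "$tmp"
}

demo
```

The same reasoning applies to PHP's `shell_exec()`/`exec()` and to any language that hands a string to `/bin/sh`: the shell re-parses the whole string, so quoting the value is not escaping it. Either pass the value through `escapeshellarg()` (or the equivalent) or, better, avoid spawning a shell for a log write at all.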


Zoho ManageEngine SQL Injection

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No

An SQL injection vulnerability, now tracked as CVE-2022-47523, was disclosed this past week affecting several Zoho ManageEngine products, including PAM360, Password Manager Pro, and Access Manager Plus. Exploitation requires an authenticated user, but a successful attacker can run arbitrary queries against the back-end database, compromising its entire contents. Given that these products store privileged credentials, unfettered access to the back-end database would represent a severe compromise of organizational information, and a low-privileged or compromised account is all that is needed to reach it. Zoho has released an advisory and patch instructions and is urging customers to update to the latest product builds immediately; compare the build number shown in each product against the fixed builds listed in Zoho's advisory.


Apache Dubbo Unauthenticated Remote Code Execution

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: Yes

Apache Dubbo is a Java-based "microservice framework that provides high-performance RPC communication, traffic governance, observability, and other solutions for large-scale microservice practices". Alvaro Munoz, a security researcher with the GitHub Security Lab, identified multiple vulnerabilities in the product (CVE-2021-25641, CVE-2021-30179, CVE-2021-30180, CVE-2021-30181, and CVE-2021-32824) that would allow an attacker to execute arbitrary code on both Dubbo consumers and providers. Perhaps the most concerning, CVE-2021-32824, which was only published by NVD this past week, allows an unauthenticated attacker to abuse the Dubbo Telnet handler to instantiate arbitrary classes and achieve code execution. It affects all versions of Apache Dubbo prior to 2.6.10 and 2.7.10. Because the Telnet handler is served on the same port as the Dubbo RPC protocol itself, any network-reachable provider is in scope, so provider ports should be restricted to trusted consumers in addition to patching. Alvaro Munoz has published a blog post discussing all of the research in detail. Apache Dubbo users are urged to update to the latest available version of the product, which at the time of writing is 3.1.4 or 2.7.19.
