Control Gap Vulnerability Roundup: December 3rd to December 9th

This week saw the publication of 430 new CVE IDs. Of those, 4 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 37% were high, 40% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • Cisco IP Phone firmware is vulnerable to remote code execution. Cisco plans to release a patch in the new year.
  • AMI MegaRAC BMC firmware, which is used to manage servers all over the world, was found to use default credentials for the root account and is vulnerable to remote code execution.
  • Veeam Backup for Google Cloud has been found to be vulnerable to an authentication bypass.
  • The Zabbix client was found to add a Windows firewall rule during installation that allows all inbound and outbound traffic to the system.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


Cisco IP Phone Remote Code Execution Zero-Day

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes

Cisco’s product security incident response team (PSIRT) has released a statement that the organization has become aware of a remote code execution vulnerability in the firmware of its IP Phone 7800 and 8800 series. PSIRT announced that the vulnerability has been publicly disclosed and that proof-of-concept exploit code exists. The vulnerability centers on the Cisco Discovery Protocol and a bug that would allow an unauthenticated attacker to send crafted packets to trigger a stack overflow. Cisco has disclosed that there is no workaround for the vulnerability and that it plans to release a patch sometime in January 2023. The vulnerability is tracked as CVE-2022-20968.


AMI MegaRAC Multiple Vulnerabilities

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No

Researchers at Eclypsium have released research titled “Supply Chain Vulnerabilities put Server Ecosystem at Risk”, in which they disclose three separate vulnerabilities in AMI’s MegaRAC baseboard management controller (“BMC”) software. MegaRAC is used globally by multiple Fortune 500 companies to provide “lights-out” management for servers and networking appliances. Two of the three vulnerabilities are of severe concern: CVE-2022-40259 is a remote code execution vulnerability in the product’s Redfish API, and CVE-2022-40242 is related to default credentials for the root user. Eclypsium details in their blog how their research stemmed from a leak of AMI intellectual property, and that AMI’s PSIRT promptly responded to and remediated the vulnerabilities; however, adoption may be slow across the industry because remediation depends on each hardware vendor shipping its own firmware update.


Veeam Backup Authentication Bypass

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No

Veeam Backup for Google Cloud versions 1 and 3 were found to have an authentication bypass vulnerability that would allow unauthorized users to access the backup appliance. Veeam has issued a statement and a knowledge base article disclosing that the vulnerability was found as part of an internal testing exercise. Specific details on the vulnerability are unavailable. The vulnerability is particularly concerning because, if exploited, a malicious user could potentially cause significant and disproportionate damage to organizations relying on Veeam Backup as a data security and continuity solution. The vulnerability is being tracked as CVE-2022-43549.


Zabbix Overly Permissive Firewall Rule

Severity: Medium
Real-World Exploitability: Medium
Exploited in the Wild: N/A
Available Public Exploits: N/A

The open-source IT monitoring tool Zabbix was found to circumvent or reduce the security of systems on which its client is installed. When the client is installed using the MSI installer, it creates a Windows firewall rule that allows all inbound and outbound traffic to any program on the system. Zabbix has released a knowledge base article and a patch for the vulnerability, which is being tracked as CVE-2022-43516. Users are encouraged to update to the latest Zabbix version and to adjust local firewall rules so that all connections are no longer allowed.
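To check whether a host already carries a rule of the shape described above (any program, any protocol or port, any remote address), the following PowerShell audit is an added example written for this roundup; it is not code from Control Gap or from the Zabbix project. It assumes the built-in NetSecurity cmdlets are available (Windows 8/Server 2012 and later) and that the agent executable path, agent port and Zabbix server address in the remediation comment are placeholders you fill in for your own deployment.

```powershell
# Added example (not Control Gap's or Zabbix's code): list enabled Allow rules in
# Windows Defender Firewall that are unrestricted in every dimension, which is
# the kind of rule the Zabbix MSI installer created. Run from an elevated prompt.

function Get-WideOpenFirewallRule {
    [CmdletBinding()]
    param(
        # Optional substring to focus on one vendor's rules, e.g. "Zabbix".
        [string]$NameFilter = ""
    )

    $rules = Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction Stop
    if ($NameFilter) {
        $rules = $rules | Where-Object { $_.DisplayName -like "*$NameFilter*" }
    }

    foreach ($rule in $rules) {
        # Each rule's program, port and address scoping lives in separate filter objects.
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        $anyProgram = ($app.Program -eq "Any")
        $anyPort    = ($port.Protocol -eq "Any") -or
                      (($port.LocalPort -eq "Any") -and ($port.RemotePort -eq "Any"))
        $anyRemote  = ($addr.RemoteAddress -eq "Any")

        # Only rules open on all three axes are reported; a rule scoped to a
        # program, a port or a peer address is not "allow everything".
        if ($anyProgram -and $anyPort -and $anyRemote) {
            [PSCustomObject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Profile   = $rule.Profile
                Program   = $app.Program
                Protocol  = $port.Protocol
                Remote    = $addr.RemoteAddress
            }
        }
    }
}

# Report every wide-open rule on the host, then the Zabbix-named ones specifically.
Get-WideOpenFirewallRule | Format-Table -AutoSize
Get-WideOpenFirewallRule -NameFilter "Zabbix" | Format-Table -AutoSize

# Remediation sketch (placeholders, adjust to your deployment): remove the
# wide-open rule and replace it with one scoped to the agent binary, its port
# and the monitoring server, e.g.
#   Remove-NetFirewallRule -DisplayName "<wide-open rule name>"
#   New-NetFirewallRule -DisplayName "Zabbix Agent (scoped)" -Direction Inbound -Action Allow `
#     -Program "<path\to\zabbix_agentd.exe>" -Protocol TCP -LocalPort <agent port> `
#     -RemoteAddress <zabbix server address>
```

Review the output on a patched host as well: updating the Zabbix package does not necessarily delete a rule the earlier installer already created.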
