This week saw the publication of 537 new CVE IDs. Of those, 480 have not yet been assigned official CVSS scores; of the ones that were, approximately 4% were of critical severity, 49% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: Yes
YellowFin BI is a business intelligence platform for the automated collection, analysis and transformation of business data pertaining to employees, customers, and suppliers. Max Garrett, a security researcher at the firm AssetNote.io, discovered multiple authentication bypass vulnerabilities leading to remote code execution on the YellowFin platform. AssetNote published a detailed blog outlining the three authentication bypass vulnerabilities: CVE-2022-47884, CVE-2022-47885, CVE-2022-47882. All three vulnerabilities stem from a hardcoded RSA private key, which allowed the researchers to compromise the cryptographic operations surrounding session and authentication management. After digging deeper into the post-authentication attack surface, they discovered that they could then achieve remote code execution via JNDI injection on the "forceString" gadget, which was available to the user through arbitrary data source connections. If JNDI injection sounds familiar, that's because it was the same latent attack technique used to achieve RCE in the Log4J library nearly a year ago. The remote code execution vulnerability is currently being tracked as CVE-2022-47883. All vulnerabilities have been fixed as of YellowFin BI version 9.8.1.
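The root cause above is a private key shipped inside the product. The following is an added example (not AssetNote's or YellowFin's code) of a defender-side supply-chain check: a scanner that looks for PEM private-key armor in the files of a software distribution, including inside JAR/WAR archives, which is where a Java application would carry such a key. The fixture JAR, file names and key body are constructed and contain no real key material.

```python
from __future__ import annotations
import re
import tempfile
import zipfile
from pathlib import Path

# PEM armor used for private keys (PKCS#1, PKCS#8, EC, DSA, OpenSSH, encrypted PKCS#8).
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

def scan_bytes(name: str, data: bytes) -> list[tuple[str, int, str]]:
    """Return (location, line number, armor header) for each private-key block in data."""
    return [
        (name, data.count(b"\n", 0, m.start()) + 1, m.group(0).decode())
        for m in PEM_PRIVATE_KEY.finditer(data)
    ]

def scan_tree(root: Path) -> list[tuple[str, int, str]]:
    """Scan every regular file under root; look inside ZIP-format archives (JAR/WAR) too."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for member in zf.infolist():
                    if not member.is_dir():
                        findings += scan_bytes(f"{path.name}!{member.filename}", zf.read(member))
        else:
            findings += scan_bytes(path.name, path.read_bytes())
    return findings

# Constructed fixture: a fake JAR bundling a class file and a bogus embedded key (not a real key).
FAKE_KEY = (b"# signing key\n-----BEGIN RSA PRIVATE KEY-----\n"
            b"CONSTRUCTED-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n")

def build_fixture(root: Path) -> None:
    (root / "app.properties").write_bytes(b"session.timeout=30\n")
    with zipfile.ZipFile(root / "app.jar", "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/example/keys/session.pem", FAKE_KEY)

def demo() -> list[tuple[str, int, str]]:
    """Build the constructed distribution in a temp dir and return what the scanner finds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(Path(tmp))
        return scan_tree(Path(tmp))

if __name__ == "__main__":
    for loc, line, header in demo():
        print(f"{loc}:{line}: {header}")
```

A hit means a key that every installation shares, so anything it signs or decrypts (session tokens included) can be forged by anyone holding the package; per-installation keys generated at setup time are the fix.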
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
Three out-of-bounds write vulnerabilities have been discovered and disclosed for the ubiquitous PDF reader Adobe Acrobat and Reader for the following versions: 22.003.20282 (Windows), 22.003.20281 (Mac), 20.005.30418, and earlier versions. The three vulnerabilities, CVE-2023-22242, CVE-2023-22241, and CVE-2023-22240, were identified by Mat Powell, a researcher with the Trend Micro Zero Day Initiative. All three vulnerabilities have been assigned a severity of "Critical" in Adobe's security bulletin, and all three carry an impact of "Arbitrary Code Execution". With Microsoft clamping down on common malspam and phishing techniques through stricter mark-of-the-web rules, attackers will surely be looking for other, more creative attack techniques. Remote code execution within popular programs such as Adobe Acrobat and Adobe Reader, which can be triggered by crafted files delivered via email, is a valuable attack vector as the most popular methods decline in effectiveness.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: Yes
An incredible 62 vulnerabilities have been disclosed for products within the Siretta Quartz Gold series of routers. The products are industrial routers designed to provide redundant internet connections via LTE cellular networks to industrial networks or devices. The vulnerabilities, which were disclosed by Talos Intelligence, are divided mainly between buffer overflows and command injection, which can result in unauthenticated or authenticated remote code execution on the device. Routers such as these are frequently targeted as a first step to gain access to an organization's network infrastructure. It is unclear how many of these devices are currently exposed to the public internet. According to Cisco Talos, Siretta has responded to the vulnerabilities and released relevant patches. A full list of CVE IDs and descriptions can be found here.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
Solar-Log is a leading supplier of photovoltaic (PV) devices for smart monitoring and management in the consumer sector. Researchers with Swascan conducted in-depth security research on the device hardware and firmware and identified a "backdoor" which would allow Solar-Log support staff to log in to the web interface of the device in the context of a "Super Admin" user. The credentials for this account are not hardcoded but can be derived from the serial number and system clock, which is publicly available information presented to an unauthenticated user on the web portal's login screen. Swascan reports that at the time of writing approximately 10,000 vulnerable devices were reachable from the public internet. Solar-Log has addressed the issue with a firmware update available here; however, a number of the affected devices are considered "End-of-life" and as such will not be receiving the security patch. The vulnerability has been assigned the CVE ID CVE-2022-47767.