Control Gap Vulnerability Roundup: January 28th to February 3rd

This week saw the publication of 468 new CVE IDs. Of those, 435 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 24% were of critical severity, 40% were high, 36% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• The file transfer software GoAnywhere MFT has had a “remote code injection” vulnerability disclosed this week by Brian Krebs. The official advisory was released in a private manner to GoAnywhere MFT customers.
• Popular NAS producer QNAP has addressed a remote code execution vulnerability in its QTS and QuTS firmware for its devices.
• A vulnerability for Lexmark network printers has been released which affects more than 100 different Lexmark devices. If successfully exploited, the vulnerability could allow for remote code execution in the context of the root user.
• The popular reverse engineering tool Binwalk was found to have a path traversal which could allow for remote code execution if a reverse engineer extracts a PFS file.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

GoAnywhere MFT Remote Code Injection

A mysterious but frightening security advisory was reported on by popular cyber security journalist Brian Krebs this week. The highly popular file transfer solution “GoAnywhere MFT” released a private security advisory to customers warning of a zero-day remote code execution affecting the administrative console of the application. While the full security advisory is not available and a CVE does not appear to have been assigned to this vulnerability, the available information provided by Krebs seems to suggest if an attacker could connect to the administrative console, they could somehow gain access to or create administrator accounts and utilize that access to execute code on the affected system. Mitigation and detection tips were also provided through the security advisory and can be found on Brian Krebs’ Mastodon post. Shortly after this vulnerability started receiving coverage, security researcher Florian Hauser published a technical walkthrough of the vulnerability and proof-of-concept exploit code. Administrative portals are often overlooked in terms of secure coding as developers frequently make the assumption that they will not be made available to the public. Best practices dictate that any web portal present as part of an organization’s cyber footprint should only be exposed to the public if it serves a legitimate business function. Kevin Beaumont, a security professional, posted the results of a Shodan search which identified over 1000 exposed instances of “GoAnywhere MFT”, a much smaller fraction of which was found to expose the admin console.

QNAP QTS and QuTS Hero Remote Code Injection

QNAP is a popular Taiwanese manufacturer of “Network-Attached-Storage” (NAS) devices. This week, a remote code injection vulnerability was disclosed which affects the QTS 5.0.1 and QuTS hero h5.0.1 operating systems / firmware of QNAP products. The vulnerability, which is tracked as CVE-2022-27596, would allow attackers to “inject malicious code” according to QNAP’s advisory and was assigned a 9.8 CVSS score, ranking the vulnerability as critical. Following the release of security patches, Censys, a hybrid threat intelligence company, released a scan of the public internet which showed approximately 66,000 QNAP devices as currently exposed. The actual number of exposed devices that are vulnerable to this issue is the subject of online debate. QNAP is urging customers to apply security updates as soon as possible.

Lexmark Printer Zero-Day Remote Code Execution

Cyber security researcher “Peter Geissler” has disclosed a vulnerability and exploit chain which could be used to achieve remote code execution on approximately 100 different models of Lexmark printers. According to Geissler, the exploit chain takes advantage of “a couple of seemingly harmless harmless/isolated functionalities”. The exploit chain first leverages an arbitrary file upload vulnerability to upload a privilege escalation payload to the device, then exploits an SSRF vulnerability, which triggers the privilege escalation payload and finally produces a reverse shell. The vulnerability is being tracked (only the SSRF component) as CVE-2023-23560 and was addressed by Lexmark in a security alert. Lexmark recommends customers obtain updated firmware by contacting Lexmark support. Vulnerabilities like this can be particularly worrisome as printers are often forgotten about as IT inventory and rarely ever receive software / firmware updates.

Binwalk Path Traversal Resulting in Remote Code Execution

Security researcher “Quentin Kaiser”, working with ONEKEY research, has disclosed an obscure vulnerability in the popular reverse engineering tool “Binwalk” which has been latent in the tool since 2017. The vulnerability affects the Professional File System (“PFS”) extractor module of the tool and allows for arbitrary file write when a “Binwalk” user extracts a malicious PFS file. Binwalk’s behavior of loading plugins immediately after they are added into its plugins directory means that this vulnerability can be used to write a malicious Binwalk plugin that is written into the plugin directory and automatically executed, resulting in “environment agnostic” remote code execution. As of the writing of this roundup, Refirm Labs has not addressed the vulnerability, although ONEKEY has submitted a pull request to the tool’s GitHub repository. The vulnerability is currently being tracked as CVE-2022-4510.