Control Gap Vulnerability Roundup: January 7th to January 13th

This week saw the publication of 712 new CVE IDs. Of those, 328 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 17% were of critical severity, 49% were high, 33% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• A difficult to exploit but wide-ranging vulnerability in Okta’s Auth0 JSON Web Token library could allow for remote code execution under the right conditions.
• A 0-day vulnerability in multiple versions of Windows which would allow for privilege escalation was discovered by Avast in what appears to be an actively utilized exploit chain.
• A simple unauthorized SQL injection vulnerability was discovered by researchers at Tenable which affected more than 100,000 installations of the Paid Membership Pro WordPress plugin.
• The Israeli National Cyber Directorate disclosed multiple vulnerabilities for the cross-platform FTP server Rumpus. The software does not appear to be regularly updated and possibly even abandoned by the developer. There are thousands of internet-facing Rumpus instances at time of writing.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Auth0 JSON Web Token Remote Code Execution 

Last year, Palo Alto researchers from the organizations “Unit 42” identified a remote code execution / arbitrary file write vulnerability in versions less than 9.0.0 in the open-source JSON Web Token library maintained by Auth0. The hugely popular library implements JSON Web Tokens “JWT”s as specified in RFC 7519, the project is available through npm and at the time of writing boasts 11.4 million weekly downloads. The vulnerability, CVE-2022-23529, affects the “jwt.verify” method and can effectively lead to remote code execution if an attacker can control the “secretOrPublicKey” parameter of the function call. Control of the “secretOrPublicKey” parameter is a significant hurdle for attackers to overcome, making the vulnerability much more difficult to exploit. However, the vast scope and usage of the library throughout the industry has experts warning that the vulnerability could propagate through software supply chains. Auth0 released a patch with version 9.0.0 of the library on December 21, 2022, along with a short advisory via GitHub.

Microsoft Privilege Escalation 0-day

During the Microsoft Patch Tuesday for January 2023, Microsoft addressed a privilege escalation vulnerability CVE-2023-21674 which was originally discovered and reported to Microsoft by Avast’s Threat Labs team. Following the Tuesday patch release, Avast addressed their finding in a short twitter thread stating that exploitation of the vulnerability would allow an attacker to “corrupt Windows kernel memory from the browser sandbox”. Avast hypothesized that the exploit would likely have been chained with a different browser remote code execution 0-day as part of a larger exploit chain. The vulnerability affects a wide range of Windows versions up to and including the latest Windows 11 builds. Microsoft has released its own update guide assigning the vulnerability a CVSS score of 8.8, Microsoft has confirmed that the vulnerability was being exploited in the wild.

WordPress Paid Memberships Pro Plugin SQL Injection

The Researchers at Tenable, the company behind the popular security assessment tool Nessus, identified a number of WordPress plugins with simple but scary SQL injection vulnerabilities and detailed all of their findings in a single advisory post. The most popular vulnerable plugin identified in the research was the Paid Memberships Pro plugin for WordPress, which is described as “the most complete member management and membership subscriptions plugin for WordPress”. On wordpress.org the plugin currently has more than 100,000 installations. This plugin was found to not escape the “code” parameter used within the “pmpro/v1/order” endpoint. An unauthenticated user could send crafted requests to arbitrarily query the SQL database. The vulnerability affects versions of the plugin less than 2.9.8, a patch has been released by the plugin maintainers and the vulnerability is being tracked as CVE-2023-23488.

Rumpus FTP Server Multiple Vulnerabilities

The Israel National Cyber Directorate has disclosed multiple vulnerabilities for the FTP server “Rumpus” including persistent cross-site scripting, cross-site request forgery, reflected cross-site scripting and a bug within the server’s token verification logic. The disclosure from INCD contains very little information on each individual vulnerability, and according to the CVE records, Maxum Development (the creators of Rumpus FTP) have not addressed the findings. Based on the lack of activity on Maxum Development’s website and Twitter, it appears as though Rumpus FTP may have been abandoned by the developer. According to this Shodan query, there are over 6000 publicly exposed Rumpus instances at the time of writing. The CVE ID for each vulnerability is as follows:

• CVE-2022-39187
• CVE-2022-46367
• CVE-2022-46368
• CVE-2022-46369
• CVE-2022-46370