Control Gap Vulnerability Roundup: July 23rd to 29th

This week saw the publication of 465 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

• An authentication bypass vulnerability in the FileWave device management platform could allow attackers to compromise an organizations entire fleet of managed devices.
• Secure email and collaboration software Open-Xchange had multiple vulnerabilities published this week the worst of which could allow a user with access to the document converter module to execute arbitrary code on the affected server.
• Citrix ADC and Citrix Gateway is affected by a redirection vulnerability. These are often exploited as part of phishing campaigns to automatically redirect users from a site which may seem trustworthy to an attacker-controlled site.
• Adobe Acrobat Reader is affected by an out-of-bounds read vulnerability which can result in arbitrary code execution if a user is convinced to open a crafted file.
• LibreOffice fails to verify the authenticity of macro certificates allowing malicious macros to masquerade as those provided by a trusted source.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

FileWave Authentication Bypass

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits  no

FileWave is a device management platform marketed to healthcare, government, and large business sectors. An authentication bypass vulnerability present in FileWave versions before 14.6.3 and 14.7.x before 14.7.2 would allow an attacker to access the affected system as the highest possible authority and take full control of the FileWave platform. Security researchers at Team82 released a detailed blog discussing their research, disclosure process, and potential impact of systems which are still affected by this vulnerability. The two vulnerabilities which were disclosed in the blog have the following CVE ids: CVE-2022-34906, and CVE-2022-34907.

Open-Xchange Multiple Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits  No

Multiple vulnerabilities affecting the Open-Xchange application suite including remote code execution, server-side request forgery, and cross-site scripting. Open-Xchange is an application suite that provides secure email and collaboration services. A user who can utilize the document converter functionality can obtain remote code execution on the OX App suite server. All of the related vulnerabilities have been addressed in versions following version 7.10.6. The CVE ids for the related vulnerabilities are as follows:

• CVE-2022-24406
• CVE-2022-24405
• CVE-2022-23101
• CVE-2022-23100
• CVE-2022-23099

Citrix ADC and Citrix Gateway Unauthenticated Redirect

Real-World Exploitability Medium

Exploited in the Wild Unknown

Available Public Exploits No

Citrix ADC and Citrix Gateway appliances of varying versions which are “customer-managed” have been found to be vulnerable to a redirection vulnerability. This class of vulnerability is frequently exploited by attackers in phishing campaigns to redirect users to a malicious website even though the phishing like was to a legitimate site. While Citrix recommends that these appliances are not exposed to the public internet, if a vulnerable system was, an attacker could craft a specific URL to the affected site which would then redirect a victim to an attacker defined site. Citrix has released a security bulletin and related patches, the CVE is being tracked with the id CVE-2022-27509.

Adobe Acrobat Reader out-of-bounds read

Real-World Exploitability Medium

Exploited in the Wild Unknown

Available Public Exploits No

Adobe Acrobat Reader versions 22.001.20085 (and earlier), 20.005.30314 (and earlier), 17.012.30205 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file. An attacker could convince a user to open a crafted document to achieve code execution in the context of the victim user. Adobe has released a security bulletin and patches for the vulnerability, the vulnerability is being tracked with the id CVE-2022-35672.

LibreOffice Improper Certificate Validation

Real-World Exploitability Medium

Exploited in the Wild Unknown

Available Public Exploits No

Libre Office versions prior to 7.2.7 and 7.3.1 fail to properly verify the authenticity of certificated used to sign document macros. An attacker can create arbitrary macro certificates which will present themselves to the user as belonging to a trusted source. The vulnerability could be leveraged to completely disarm security controls designed to mitigate against maldocs which may be present in phishing or malspam campaigns. LibreOffice has released a security advisory and product versions later than 7.2.7 and 7.3.1 are no longer vulnerable. The vulnerability is being tracked with the id CVE-2022-26305.