Zach Matthews : Aug 9, 2022 11:40:43 PM
This week saw the publication of 449 new CVE IDs. Of those, 315 have not yet been assigned official CVSS scores. Of the ones that were, approximately 19% were of critical severity, 22% were high, 59% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Several models of Cisco small business routers have been found to be affected by multiple vulnerabilities which could allow a remote, unauthenticated attacker to achieve arbitrary code execution (CVE-2022-20842) or arbitrary command injection (CVE-2022-20827, CVE-2022-20841). Interestingly, CVE-2022-20842 and CVE-2022-20827 would allow code and command execution in the context of the root account. Note that the CVE-2022-20841 vulnerability requires attackers to leverage a man-in-the-middle position or be attacking from a device directly connected to the router. Cisco released a security advisory and patches for the affected devices along with documentation which specifically identifies affected models and relevant software versions. Cisco is reporting that these vulnerabilities have not yet been exploited in the wild.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Researchers at Trellix have identified an unauthenticated remote code execution vulnerability in DrayTek router web management interfaces. Trellix released a detailed technical blog describing their research and indicated that they had no intelligence at the time of writing which would indicate exploitation in the wild. An attacker who successfully exploits this vulnerability can take over the router device and leverage that control to gain access to the associated network. Shodan fingerprinting indicates hundreds of thousands of affected DrayTek routers are currently exposed to the internet. The manufacturer has released a patch for the vulnerability, which requires upgrading the device's firmware. This vulnerability is currently being tracked with the ID CVE-2022-32548.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
SourceCodester is an open-source application library which provides a large variety of simple applications for educational and coding template purposes. Eleven (11) vulnerabilities were published this week for multiple projects within the library, including SQL injection and cross-site scripting. Due to the nature of the vulnerabilities and the descriptions included in the CVE details, it would likely be trivial for an attacker to figure out how to exploit them. Given the user-submitted nature of SourceCodester, it is unclear if these vulnerabilities will be addressed at all. It is unclear at this time if any of this template code has made its way into significant projects or applications. The affected SourceCodester projects and associated CVE IDs are as follows:
Real-World Exploitability: Low
Exploited in the Wild: No
Available Public Exploits: No
Unbound DNS resolver servers prior to version 1.16.2 have a highly novel vulnerability which allows for the resolution of “ghost domain names”: by sending a series of crafted requests, an attacker can convince the server to cache delegation information for a malicious domain. When the malicious domain is later revoked from the parent zone for abuse, the Unbound DNS server will continue to resolve it. This vulnerability was addressed in an update from the Unbound team and is tracked with the CVE IDs CVE-2022-30698 and CVE-2022-30699.
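The following toy model is an added illustration, not code from Unbound or from this roundup, showing why a cached delegation that can be kept alive outlasts revocation at the parent zone. The domain names, the TTL, the refresh rule and the "hardened" policy are all assumptions made for the model; it does not reproduce Unbound's actual patch.

```python
"""Toy model of a resolver's delegation cache (constructed; not Unbound code)."""

DELEGATION_TTL = 300  # seconds; constructed value


class ParentZone:
    """Parent zone that can revoke a delegation."""

    def __init__(self):
        # Constructed names for illustration only.
        self.delegated = {"ghost.example": "ns.ghost.example"}

    def lookup(self, domain):
        return self.delegated.get(domain)  # None models revocation


class Resolver:
    def __init__(self, parent, allow_child_refresh):
        self.parent = parent
        self.allow_child_refresh = allow_child_refresh  # hypothetical policy switch
        self.cache = {}  # domain -> (nameserver, expiry time)

    def resolve(self, domain, now):
        entry = self.cache.get(domain)
        if entry is None or now >= entry[1]:
            # No live delegation: the resolver must ask the parent zone again.
            ns = self.parent.lookup(domain)
            if ns is None:
                self.cache.pop(domain, None)
                return False
            self.cache[domain] = (ns, now + DELEGATION_TTL)
            return True
        # Live delegation: the parent is not consulted. In the weak policy,
        # traffic to the child zone is allowed to extend the entry's lifetime.
        if self.allow_child_refresh:
            self.cache[domain] = (entry[0], now + DELEGATION_TTL)
        return True


def still_resolves_after_revocation(allow_child_refresh):
    parent = ParentZone()
    resolver = Resolver(parent, allow_child_refresh)
    resolver.resolve("ghost.example", now=0)   # delegation cached once
    del parent.delegated["ghost.example"]      # parent revokes it for abuse
    # Queries keep arriving every 200 s, inside the 300 s TTL window.
    results = [resolver.resolve("ghost.example", now=t) for t in range(200, 2001, 200)]
    return results[-1]
```

With refresh allowed the domain still resolves 2,000 seconds after revocation; with the expiry pinned to the time the delegation was first learned, the resolver returns to the parent once the original TTL has run out and the domain stops resolving.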