Control Gap Vulnerability Roundup: July 8th to 15th

This week saw the publication of 561 new CVE IDs. Of those, 441 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 26% were of critical severity, 34% were high, 40% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• Microsoft’s July 12th Patch Tuesday updates included 84 fixes for a wide range of security issues, including multiple remote command execution and privilege escalation vulnerabilities. Several of the remediated privilege escalation vulnerabilities have been reportedly exploited in the wild.
• Multiple critical vulnerabilities were identified to affect a newly released medical clinic patient management software, highlighting the risks associated with leveraging source code from untrustworthy open-source sites.
• Sage 300 enterprise resource planning software is affected by a DLL hijacking vulnerability which could allow an attacker to escalate to local SYSTEM privileges. This disclosure stems from security research conducted by Control Gap’s own Konrad Haase into installer misconfigurations and weak folder permissions affecting the software.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Microsoft Patch Tuesday: Multiple Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Yes

Available Public Exploits  No, but soon

Microsoft’s Patch Tuesday on July 12th, 2022, saw disclosure of 84 security vulnerabilities for Microsoft products. Highlights from these disclosures include the following:

• CVE-2022-22047 describes a local privilege escalation vulnerability discovered to affect the Windows Client Server Runtime Subsystem (the CSRSS) which would allow for SYSTEM-level privileges to be obtained upon successful exploitation. While no public exploits are currently available for this vulnerability, Microsoft has noted that it has observed exploitation in the wild to classify it as a 0day.
• A further four additional local privilege escalation vulnerabilities described by CVE-2022-30206, CVE-2022-30226, CVE-2022-22022, and CVE-2022-22041 were disclosed to affect the Windows Print Spooler service. Each would allow for attackers to obtain SYSTEM-level privileges from a low-privileged local foothold on an affected machine. While no public exploits were known at the time of this article’s writing, these vulnerabilities should be added to the long list of Windows Print Spooler exploits actively leveraged by attackers to escalate permissions in the wild.
• CVE-2022-22038 describes a remote code execution vulnerability affecting Microsoft’s remote procedure call (RPC) services on Windows workstations and servers. While no public exploits are available, and no exploitation has been observed in the wild, unauthenticated remote command execution on Windows hosts represents a significant vulnerability potentially on par with the notorious wormable vulnerabilities EternalBlue and BlueKeep.
• Two remote code execution vulnerabilities identified by CVE-2022-22029 and CVE-2022-22039 were disclosed to affect Windows Network File System (NFS) services. While no public exploits are available, and no exploitation in the wild has been noted, attackers could potentially leverage these vulnerabilities to obtain remote compromise of Windows systems exposing NFS shares to internal environments.
• At least 33 distinct vulnerabilities were patched in Microsoft’s Azure Site Recovery service. These vulnerabilities included a high-severity privilege escalation vulnerability in CVE-2022-33674 and two potential remote code execution vulnerabilities in CVE-2022-33676 and CVE-2022-33678.

SourceCodester Clinic Management System 2.0: Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits  Yes

Open-source repository site Sourcecodester.com hosts hundreds of free open-source code repositories for software applications ranging from hospitality services and restaurant management software to employee payroll management software. On June 30th, 2022, a project titled “Clinic’s Patient Management System in PHP/PDO Free Source Code” which could be leveraged to manage patient medical data was listed on the site. Soon after, security researchers discovered multiple critical vulnerabilities to affect the application. An unauthenticated SQL injection vulnerability affecting the portal’s login functionality, as described by CVE-2022-2298, would allow for the platform’s administrative authentication to be bypassed or for arbitrary contents to be exfiltrated from the application’s database. Further, an arbitrary file upload vulnerability, as described by CVE-2022-2297, would allow for an attacker with low-privileged access to the application to obtain remote command execution against the underlying application server.

At the time of this report’s authoring, the Clinic’s Patient Management System 2.0 source code had been viewed 2000 times, with developer comments on the page suggesting that the software had been deployed by several organizations. These vulnerabilities highlight the dangers of leveraging open-source software examples as foundations for custom software solutions. Open-source code available online should always be considered to be insecure prior to audit by secure coding experts.

Sage 300 ERP < 2023: Local Privilege Escalation

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits Yes

Vulnerability CVE-2021-45492, disclosed by Control Gap’s own Konrad Haase, describes a local privilege escalation vulnerability affecting all available versions of Sage 300 ERP software. The Sage 300 product installer was found to be configured, by default, to install the program in "%SystemDrive%\Sage\Sage300” and set the "%SystemDrive%\Sage\Sage300\Runtime" folder as the first entry in the system-wide PATH environment variable. The Sage 300 installation folder and the “Runtime” folder are writable by normal, unprivileged users due to the weak permissions inherited from the %SystemDrive%\ folder. This vulnerability could be exploited to achieve SYSTEM privileges via DLL search-order hijacking as entries in the system-wide PATH variable are included in the search order, or, if the Global Search or Web Screens functionality is enabled, via the “GlobalSearchService” and “Sage.CNA.WindowsService” services as those service binaries and dependencies reside in the writable installation directory and can therefore be substituted. The Web Screens functionality can also allow for privilege escalation to SYSTEM without forced system reboots via web shells. No patch for this vulnerability is available at the time of this post’s authoring. The Sage 300 2023 major version release scheduled to arrive in August 2022 may include a fix for the security flaws described above. Until that time, system administrators should manually edit the advanced folder permissions for the “Sage” local folder as described in Control Gap’s blog post regarding the vulnerability.