4 min read
Zach Matthews : Apr 3, 2023 1:44:53 PM
This week saw the publication of 591 new CVE IDs. Of those, 100 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be especially novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: Yes
Independent security researchers @ItsSimonTime and David Buchanan (@David3141593) have discovered a severe bug in Google’s “Markup” tool, the default photo editing tool installed on Google phones such as the Google Pixel. The vulnerability, now tracked as CVE-2023-21036, stems from a proprietary Google library which handles the file operations when editing a photo. The library was found to process the file without truncation, meaning that part of the original file was left over in the newly edited one. The implication is that when cropping or censoring photos using the Markup tool, someone who received the image could recover details which were cropped out or drawn over. Social media websites commonly compress or otherwise modify image files submitted to them, which prevents this type of attack, but many file sharing and image submission services do not. For example, the researchers were able to recover data in images sent over the popular communications platform “Discord”. The researchers released a public tool that anyone can use to see if their pictures are vulnerable, and the bug/exploit has been dubbed “aCropalypse”. The exploit has spurred a surge of research into similar photo editing tools, including the Windows 11 “Snipping Tool”, which had a similar bug in which cropped images were not truncated. The privacy implications of this vulnerability are incredibly serious, as any picture edited with the Markup tool since Android 9 is potentially vulnerable.
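The symptom described above is easy to check for: a correctly written PNG ends with its IEND chunk, so any bytes after it are leftovers from an earlier, larger file. The Python below is an added example (not the researchers' tool or Google's code); it builds a small PNG itself, simulates the "write without truncating" behaviour, and reports how many bytes survive past IEND. The image-building helpers and the pseudo-random pixel data are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def noisy_pixels(width: int, height: int) -> bytes:
    """Deterministic pseudo-random RGB bytes (a small LCG) standing in for a photo."""
    out, x = bytearray(), 0x2023
    for _ in range(width * height * 3):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)

def make_png(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal 8-bit RGB PNG; each scanline gets filter type 0 (None)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))

def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return the byte count after IEND (0 for a clean file)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 8-byte header + data + 4-byte CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    raise ValueError("no IEND chunk found")

def overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Simulate saving a smaller edit over the original without O_TRUNC: the old tail survives."""
    return edited + original[len(edited):]

if __name__ == "__main__":
    original, cropped = make_png(64, 64, noisy_pixels(64, 64)), make_png(8, 8, noisy_pixels(8, 8))
    print("bytes after IEND:", trailing_bytes_after_iend(overwrite_without_truncate(original, cropped)))
```

Run `trailing_bytes_after_iend` over the bytes of a real cropped screenshot to get the same check; a non-zero result means the file still carries data from before the edit.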
Real-World Exploitability: High | Exploited in the Wild: No | Available Public Exploits: No
WooCommerce, the incredibly popular WordPress plugin used by more than 500,000 websites, had a vulnerability disclosed and almost immediately patched which would allow an unauthenticated attacker to impersonate a site administrator and compromise the affected WordPress site. The vulnerability affects WooCommerce versions 4.8.0 to 5.6.1 and was considered so severe that any site hosted by WordPress with the plugin installed was forcibly updated. At the time of writing the vulnerability does not have a CVE number, but WooCommerce has released a patch and guidance for its users and urges anyone with the plugin installed to update immediately and investigate their site for signs of compromise.
Real-World Exploitability: High | Exploited in the Wild: Yes | Available Public Exploits: Unknown
A Microsoft Outlook vulnerability allowing escalation of privilege was disclosed this past week, with Microsoft issuing a patch and multiple guidance documents on exploitation detection, triage, and threat analytics. The vulnerability can be exploited when an attacker sends a crafted email to a user accessing their email through an affected Outlook client. The user does not need to open or preview the email for the exploit to succeed. The crafted email triggers an authentication handshake to an attacker-controlled server, which can then be used in NTLM relay attacks against online Windows services that accept NTLM as an authentication method. Microsoft has acknowledged the exploitation of this vulnerability by a Russian APT group specifically against “organizations in government, transportation, energy, and military sectors in Europe”. The vulnerability is being tracked as CVE-2023-23397.
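The handshake described above has to leave the network to reach the attacker's server, so outbound SMB (TCP 445) from workstations to external addresses is both the thing to block at the perimeter and the thing to hunt for in firewall logs. The Python below is an added example, not part of the roundup or of Microsoft's guidance: it runs that check over constructed firewall log lines in a generic key=value layout, with an assumed RFC 1918 internal address plan; adapt the regex and the network list to your own environment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample export in a generic key=value format; real firewall logs
# differ and LINE_RE must be adapted to them. Addresses are documentation ranges.
SAMPLE_LOG = """\
2023-03-15T09:12:01Z action=allow proto=tcp src=10.20.30.41 dst=10.20.30.5 dport=445
2023-03-15T09:12:07Z action=allow proto=tcp src=10.20.30.41 dst=203.0.113.77 dport=445
2023-03-15T09:12:08Z action=allow proto=tcp src=10.20.30.41 dst=203.0.113.77 dport=443
2023-03-15T09:13:40Z action=deny proto=tcp src=10.20.30.58 dst=198.51.100.9 dport=445
2023-03-15T09:14:02Z action=allow proto=udp src=10.20.30.58 dst=8.8.8.8 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

# Assumed internal address plan (RFC 1918 plus loopback); replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    action: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text: str, ports=(445,)) -> list[Finding]:
    """Flag TCP connections on SMB ports from internal hosts to external hosts.
    An allowed one means a handshake may have reached the attacker's server;
    a denied one still shows which client tried and is worth triage."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in ports:
            continue
        if not is_internal(m["src"]) or is_internal(m["dst"]):
            continue
        findings.append(Finding(m["ts"], m["src"], m["dst"], m["action"]))
    return findings

if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:445 ({f.action})")
```

In the sample, the internal 445 connection and the 443 connection are ignored; the two hits are the allowed connection to 203.0.113.77 and the denied attempt toward 198.51.100.9.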
Real-World Exploitability: High | Exploited in the Wild: Likely | Available Public Exploits: Yes
Researchers with Cisco Talos have identified a remote command execution vulnerability affecting Netgear Orbi 750 series routers and released a disclosure along with a proof-of-concept exploit. The vulnerability requires authenticated access to the device or an exposed admin console, but it can be easily exploited if either of these criteria is met. Orbi router administrators can allow-list or deny-list specific clients on the wireless network via the administrative console. Cisco Talos researchers found that the “dev_name” parameter was vulnerable to simple command injection: a semicolon delimits the device name from a shell command. For example, the following payload would run the ping command on the device: ;ping${IFS}10.0.0.4. Despite the attack requiring authentication, routers are commonly configured with default credentials and exposed to the internet. Attackers routinely scan the internet for exposed routers and test a variety of default credentials against them to compromise the device, commonly to add it to large botnets. Netgear has released a firmware patch to address this vulnerability and is encouraging users to update. The vulnerability is being tracked as CVE-2022-37337.
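The root cause is a classic one: a user-supplied name concatenated into a shell command line. The Python below is an added example and a hypothetical stand-in for the router's handler (the Orbi firmware code is not public and nothing here is taken from it). It shows the vulnerable pattern, an approximation of how a shell would split the resulting line so the smuggled second command is visible, and the hardened form: an allow-list on `dev_name` plus passing the value as its own argv element with no shell involved. The `/bin/accesscontrol` path and MAC address are constructed placeholders.

```python
import re
import shlex
import subprocess

# Hypothetical stand-in for the access-control handler; the real Orbi firmware
# code is not public and nothing here is taken from it.
DEV_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,31}")

def vulnerable_command(dev_name: str, mac: str) -> str:
    """The bug pattern: untrusted input concatenated into a line handed to sh -c."""
    return f"/bin/accesscontrol add {mac} {dev_name}"

def shell_commands(cmdline: str) -> list[list[str]]:
    """Approximate how /bin/sh splits a line on ';' (no ${IFS} expansion),
    enough to show the extra command an injected semicolon smuggles in."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def validate_dev_name(dev_name: str) -> str:
    """Allow-list check: letters, digits, space, '_', '.', '-' only, max 32 chars.
    ';', '$', '{', '|', backticks and newlines never get through."""
    if not DEV_NAME_RE.fullmatch(dev_name):
        raise ValueError(f"invalid device name: {dev_name!r}")
    return dev_name

def hardened_argv(dev_name: str, mac: str) -> list[str]:
    """Validated input travels as its own argv element, never through a shell."""
    return ["/bin/accesscontrol", "add", mac, validate_dev_name(dev_name)]

def run_hardened(dev_name: str, mac: str) -> None:
    # shell=False: argv goes straight to execve, so no metacharacter is interpreted
    subprocess.run(hardened_argv(dev_name, mac), shell=False, check=True)

if __name__ == "__main__":
    payload = ";ping${IFS}10.0.0.4"  # the proof-of-concept payload quoted above
    print(shell_commands(vulnerable_command(payload, "00:11:22:33:44:55")))
    print("allow-listed:", DEV_NAME_RE.fullmatch(payload) is not None)
```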