Control Gap Vulnerability Roundup: March 4th to March 10th

This week saw the publication of 493 new CVE IDs. Of those, 58 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 24% were high, 57% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Fortinet products experience yet another remote code execution vulnerability allowing a path of entry for threat actors into organization’s internal networks.
• Two remote code execution vulnerabilities have been disclosed and patched for multiple versions of the Android operating system. Google has chosen to play their cards very close to their chest and not release any technical details surrounding the vulnerabilities. Highly motivated attackers will likely seek to create exploits for these vulnerabilities as mobile devices represent high-value targets.
• Veeam has disclosed a high severity vulnerability which would allow an attacker to retrieve “encrypted” credentials from the Backup & Replication service. The vulnerability is being treated very seriously by Veeam and would suggest an unauthenticated attacker could access sensitive backup files without much effort.
• Microsoft has disclosed a vulnerability for its popular document editing product “Word” which affects its rich text format parser. In a world where the mark of the web is severely reducing the effectiveness of malspam this represents an attractive alternative attack path.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

FortiOS and FortiProxy Remote Code Execution

Disturbingly, Fortinet has disclosed another critical vulnerability affecting its products this week, and this time it’s a buffer overflow vulnerability affecting FortiOS and FortiProxy which could result in remote code execution. The vulnerability, tracked as CVE-2023-25610, affects a complex group of Fortinet products. The big ones which Fortinet believes could be exploited to achieve remote code execution are FortiOS and FortiProxy, but there are several others including FortiGate and FortiWifi that could be exploited to achieve a denial-of-service condition. A full list of the affected products can be found in the official Fortinet disclosure. Unauthenticated remote code execution vulnerabilities in perimeter products such as those created and sold by Fortinet are particularly concerning as they provide a vector for threat actors to gain access to an organization’s internal infrastructure. Fortinet has stated in their disclosure that they are not aware of any public exploitation of this vulnerability although this is coming off the back of CISA issuing a warning that threat actors are actively exploiting other Fortinet vulnerabilities with a focus on government organizations.

Android Operating System Remote Code Execution 

Google has disclosed and patched two unique remote code execution vulnerabilities in its Android mobile operating system this week. The two vulnerabilities, tracked as CVE-2023-20951 and CVE-2023-20954, affect multiple versions of Android and Google has announced that it is intentionally holding back technical details surrounding the vulnerabilities to prevent exploit development by threat actors. Threat actors frequently seek out vulnerabilities in mobile applications and frameworks as mobile devices have increasingly come to represent “crown jewel” assets sought out by highly motivated and financed attackers. For a complete list of patches and affected Android versions check the Google disclosure.

Veeam Backup Credential Access 

Veeam has patched and disclosed a vulnerability which would allow an attacker to retrieve and utilize encrypted credentials from an affected Veeam Backup & Replication service. Based on the Veeam advisory it is unclear how an attacker could leverage these “encrypted” credentials to access the backup service, however, the assigned CVSS score of 7.5 would suggest that the credentials are not secure in their encrypted state. While it is only speculation, it is very possible Veeam was using hardcoded or otherwise insecure keys to manage the services credentials resulting in trivial attacks succeeding in compromising privileged credentials. The vulnerability, which is tracked as CVE-2023-27532, affects all versions of Veeam Backup & Replication and patches have been released for versions 11 and 12. For those who cannot upgrade their Veeam product, a workaround has been developed which involves disabling network access to port 9401 on the Veeam system. This vulnerability is particularly concerning as Veeam is a prolific backup solution which commonly contains sensitive files such as key disaster recovery backups or privileged information.

Microsoft Word Remote Code Execution

A lingering vulnerability in Microsoft Word that is at least a year old has finally been publicly acknowledged and patched by Microsoft this past week. Security researcher Joshua Drake (@jduck on Twitter) discovered the vulnerability and famously developed an exploit payload which could fit within a tweet. The vulnerability is focused around the rich text format “RTF” parser and can result in remote code execution. Exploit payloads could be delivered via email and Microsoft has confirmed that just viewing the preview pane of the file could exploit the vulnerability. Microsoft has been making great strides with regards to mitigating malspam and other internet based local attacks, but the enormous surface area of Microsoft products means that threat actors will almost certainly continue developing novel avenues of attack in the near future. The vulnerability is currently tracked as CVE-2023-21716 and Microsoft is urging customers to apply the latest available update. More information can be found in the Microsoft advisory.