This week saw the publication of 343 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores; of the ones that were, approximately 31% were of critical severity, 30% were high, 38% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes
Tailscale has released a security bulletin disclosing a critical vulnerability which could allow for remote code execution via the Windows Tailscale client. The Tailscale client was found to use an insecure TCP socket for local API communications. If a node visited a malicious website, an attacker could rebind the node's DNS server and then change the node's coordination server to one which is attacker-controlled. A malicious coordination server can push executables to nodes or install SMB shares. The vulnerability, CVE-2022-41924, affects all Windows Tailscale clients below version 1.32.3, and Tailscale states that the vulnerability was not exploited in the wild. The security researchers who disclosed the vulnerabilities to Tailscale have published a technical write-up of their findings which contains sufficient information for adversaries to exploit these vulnerabilities. Serious kudos to Tailscale for resolving all of the reported issues in less than 48 hours.
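The DNS rebinding described above works because the browser, after the attacker's domain is re-pointed at 127.0.0.1, delivers a request to the loopback-bound API carrying the attacker's domain in the HTTP Host header. One standard defence for any local API is therefore to accept only Host values that name the loopback interface. The following Go example is added here to illustrate that check; it is not Tailscale's code, does not describe how Tailscale fixed the issue, and the handler, listen address and `/localapi/status` path are constructed placeholders.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHosts lists the only Host header values a loopback-bound local API
// should accept. A request that arrives via DNS rebinding carries the
// attacker's domain in the Host header, so anything else is refused.
var allowedHosts = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"[::1]":     true,
	"::1":       true,
}

// hostAllowed reports whether an HTTP Host header value (with or without a
// port) names the loopback interface.
func hostAllowed(hostHeader string) bool {
	host := hostHeader
	// Strip the port if one is present; "[::1]" without a port stays as-is.
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	return allowedHosts[strings.ToLower(host)]
}

// requireLoopbackHost wraps a local API handler and rejects every request
// whose Host header does not name the loopback address.
func requireLoopbackHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// localAPI stands in for the privileged local API; a hypothetical endpoint.
func localAPI(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, `{"status":"ok"}`)
}

// statusFor sends a request with the given Host header through the wrapped
// handler and returns the HTTP status code, so the check can be exercised
// without opening a real listener.
func statusFor(hostHeader string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1/localapi/status", nil)
	req.Host = hostHeader // the browser-supplied Host header under test
	requireLoopbackHost(http.HandlerFunc(localAPI)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample Host headers: legitimate loopback values and the
	// value a rebound attacker domain would present.
	for _, h := range []string{"127.0.0.1:8080", "localhost", "[::1]:8080", "attacker.example:8080"} {
		fmt.Printf("Host %-24q -> %d\n", h, statusFor(h))
	}
	// Bind to loopback only; the Host check above is the second layer.
	http.Handle("/localapi/status", requireLoopbackHost(http.HandlerFunc(localAPI)))
	_ = http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Binding to 127.0.0.1 alone is not enough, because a rebound browser request still reaches the loopback socket; the Host check is what distinguishes a genuine local client from a page the user happened to visit. Moving the API off TCP entirely (a named pipe or Unix socket with OS-level ACLs) removes the browser from the picture altogether.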
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes
Dolibarr is an open-source ERP and CRM software suite for organizations; its GitHub page indicates that the platform is fairly popular, with downloads of at least 4,000 per week. Security researcher Abdelrhman Allam reported three distinct SQL injection vulnerabilities affecting the "s" parameter of the web application. SQL injection allowing attackers to directly access the underlying database of the Dolibarr platform could be particularly concerning given the sensitive financial information which could be stored by the application. Dolibarr has addressed the issue and released a patch on their GitHub. No additional security guidance appears to have been released; the vulnerability is being tracked as CVE-2022-4093.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
The popular "Nighthawk" router made by NetGear has had a staggering 17 buffer overflow vulnerabilities disclosed this week, affecting multiple components of firmware versions 1.3.0.8 and 1.3.1.64. While it does not appear that any of the vulnerabilities have weaponized exploits available, buffer overflow vulnerabilities are typically a first step towards achieving remote code execution. Threat actors have been targeting internet-connected "dumb" devices such as routers with increasing frequency to build some of the largest botnets in existence. With the industry moving away from hard-coded credentials following mass exploitation by the Mirai malware, threat actors are turning to other flaws such as buffer overflows to gain access to these devices. A complete list of all 17 vulnerabilities can be found here.
Real-World Exploitability: Low
Exploited in the Wild: No
Available Public Exploits: No
Nextcloud Talk Android is the Android implementation of Nextcloud Talk, a communications platform "designed for privacy" which allows users to communicate using voice, text, or video. The application was found to improperly use broadcastPermission[s] on its receiver, which would allow a malicious application on the same Android device to spy on communications made through the Nextcloud Talk app. Nextcloud recommends that users upgrade to version 14.1.0; the vulnerability is being tracked as CVE-2022-41926.