Control Gap Vulnerability Roundup: October 15th to October 21st

This week saw the publication of 540 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 39% were high, 44% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day vulnerability affecting Windows ability to detect files which have the “mark of the web” was discovered by threat analysts researching malware which was appearing “in the wild”.
• A vulnerability affecting Apache Commons Text dubbed “Text4Shell” was disclosed this week. Researchers do not believe the impact to be close to the same magnitude as “Log4Shell”.
• Oracle Web Applications Desktop Integrator is affected by an unauthenticated remote code execution vulnerability which could allow for an attacker to completely compromise the integrator.
• A little known reporting application Anji-Plus AJ Report was found to have an authentication bypass vulnerability stemming from a common development mistake, a hardcoded JWT key.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Microsoft Mark of the Web Zero-Day Bypass

Security researchers investigating a novel malware dropper discovered the malicious files were abusing a zero-day vulnerability in Microsoft’s “mark of the web”. The vulnerability allows certain executable files which are downloaded from the internet to be executed without showing the user the typical “mark of the web” warning. Twitter user “wdormann” working for the management consulting firm “ANALYGENCE” identified that to exploit the vulnerability malicious files need to be signed with malformed signature keys. It should be noted that while these files do not obey regular “mark of the web” safety rules, Windows still identifies and marks the files as such. Additional research conducted by “wdormann” strongly suggests the vulnerability was introduced in Windows 10, however at the time of writing there is no official guidance from Microsoft on the issue.

Apache Commons Text Remote Code Execution

A vulnerability dubbed “Text4Shell” was disclosed for the Apache Commons Text Java library. Similar to the previous “Log4Shell” vulnerability the affected library implements an interpolation system that allows developers to modify input strings based on specific string “lookups”. In some scenarios where attackers can inject a malicious string and have it processed by the vulnerable component an attacker may be able to achieve remote code execution or information disclosure. While researchers initially expressed fear that this could be another “Log4Shell” scenario, under more scrutiny, the vulnerability was found to be more conditional than initially assumed and therefore much less widespread. The vulnerability, CVE-2022-42889, was discovered by Alvaro Munoz and reported to Apache on March 9th, concerningly, it took Apache 7 months to release a patch which finally came out earlier this October.

Oracle Web Applications Desktop Integrator

The Oracle Web Applications Desktop Integrator versions 12.2.3-12.2.11 of the Oracle E-business suite was found to contain a remote code execution vulnerability. An unauthenticated attacker can exploit this vulnerability to execute code in the context of the affected process. Oracle has stated that this would allow for the complete takeover of the integrator. Oracle has addressed the vulnerability in its October 2022 Security Alert, users are encouraged to apply the relevant patches as soon as possible. The vulnerability was disclosed under the CVE ID, CVE-2022-39428.

Anji-Plus AJ Report Authentication Bypass

Anji-Plus AJ Report is a little-known reporting tool used for data visualization and scientific reporting. The application was found to have an authentication bypass vulnerability stemming from a classic development error. The creators of AJ Report opted to use a hard-coded JWT key allowing attackers who know the key to impersonate other users. This type of vulnerability is described in a great writeup on JWTs by PortSwigger. The vulnerability is currently being tracked as CVE-2022-42983.