This week saw the publication of 237 new CVE IDs. Of those, 94 have not yet been assigned official CVSS scores. Of the ones that have, approximately 22% were of critical severity, 38% high, 36% medium, and 4% low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose a serious threat to the security of organizations' IT infrastructures. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that an organization can use to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which are especially novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High | Exploited in the Wild: Yes | Available Public Exploits: Unknown
Two zero-day vulnerabilities affecting on-premises Microsoft Exchange Server were disclosed this week. Tracked as CVE-2022-41040 and CVE-2022-41082 and dubbed "ProxyNotShell", they are an evolution of the 2021 ProxyShell vulnerabilities, which allowed the execution of arbitrary code on affected Exchange servers. CVE-2022-41040 is a server-side request forgery and CVE-2022-41082 allows remote code execution when PowerShell is reachable by the attacker; chained, they allow an authenticated user with minimal privileges to compromise the affected Exchange Server. Microsoft has released multiple security advisories and interim mitigations (a patch was not yet available at time of writing). The initial mitigation guidance from Microsoft, a URL Rewrite rule that blocks the malicious Autodiscover request pattern, was found to be ineffective and has been revised in the latest Microsoft documentation. Microsoft is urging all administrators to apply the updated guidance and take further remedial action.
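As an added illustration of why the first mitigation was weaker than the revised one, the example below is this editor's code, not Control Gap's or Microsoft's. It emulates how an IIS URL Rewrite "abort request" rule evaluates its regular expression against the request URI. The two rule versions are reproduced as this editor recalls them from Microsoft's customer guidance (the first over the raw `{REQUEST_URI}`, the later one over `{UrlDecode:{REQUEST_URI}}` with lookaheads) and should be checked against the current Microsoft documentation; the request URIs are constructed for the demonstration, not captured exploit traffic.

```python
import re
from urllib.parse import unquote

# Two versions of the Autodiscover blocking rule, as this editor recalls them
# from Microsoft's customer guidance (assumption: verify against the current
# Microsoft documentation before relying on either).
#   v1:    regex over the raw {REQUEST_URI}
#   final: regex over {UrlDecode:{REQUEST_URI}}, intended to run with "Ignore case"
RULE_V1 = {"pattern": r".*autodiscover\.json.*\@.*Powershell.*", "decode": False}
RULE_FINAL = {"pattern": r"(?=.*autodiscover)(?=.*powershell)", "decode": True}

# Constructed request URIs for the demonstration (not captured exploit traffic).
SAMPLES = {
    "literal": "/autodiscover/autodiscover.json?@evil.example/powershell/",
    "encoded_at": "/autodiscover/autodiscover.json?%40evil.example/powershell/",
    "double_encoded_at": "/autodiscover/autodiscover.json?%2540evil.example/powershell/",
    "mixed_case": "/Autodiscover/Autodiscover.json?@evil.example/PowerShell/",
    "benign_autodiscover": "/autodiscover/autodiscover.json?user@example.com",
    "benign_owa": "/owa/auth/logon.aspx",
}


def rule_blocks(rule, request_uri, ignore_case=True):
    """Emulate an IIS URL Rewrite 'abort request' rule.

    The regex is applied either to the raw request URI or to its URL-decoded
    form, mirroring the {REQUEST_URI} versus {UrlDecode:{REQUEST_URI}}
    condition input; ignore_case mirrors the rule's "Ignore case" option.
    Returns True when the request would be aborted.
    """
    subject = unquote(request_uri) if rule["decode"] else request_uri
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(rule["pattern"], subject, flags) is not None


def evaluate(rule, ignore_case=True):
    """Return {sample name: blocked?} for every constructed URI."""
    return {name: rule_blocks(rule, uri, ignore_case) for name, uri in SAMPLES.items()}


def bypasses(rule, ignore_case=True):
    """Sorted names of the non-benign samples that get past the rule."""
    return sorted(
        name
        for name, blocked in evaluate(rule, ignore_case).items()
        if not blocked and not name.startswith("benign")
    )


if __name__ == "__main__":
    for label, rule in (("v1", RULE_V1), ("final", RULE_FINAL)):
        for ic in (True, False):
            print(f"{label:5} ignore_case={ic!s:5} bypasses={bypasses(rule, ic)}")
```

The first pattern requires a literal `@` in the undecoded URI, so percent-encoding that single character (`%40`, or `%2540` for a double encoding) is enough to slip past it while the backend still decodes the request. The lookahead pattern only requires the two substrings `autodiscover` and `powershell` to appear somewhere in the decoded URI, so it does not depend on any particular separator; it does still depend on case-insensitive matching, which is why the "Ignore case" setting matters when the rule is created.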
Real-World Exploitability: High | Exploited in the Wild: Yes | Available Public Exploits: No
An authentication bypass vulnerability affecting multiple Fortinet products was disclosed by Fortinet in private customer communications, which were later leaked. The company is advising administrators of all of the following products to apply the prescribed workarounds or upgrade to non-vulnerable versions:
The vulnerability is being tracked as CVE-2022-40684; at time of writing the CVE record has not been officially published. Fortinet has since released a PSIRT advisory for the vulnerability. Because it can be exploited remotely over the administrative interface to perform operations on the affected device in an admin context, Fortinet is recommending that customers take remedial action immediately.
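Beyond patching or restricting the management interface, the practical question for a defender is whether the device was already reached. The following is an added example written by this editor, not Fortinet's tooling: it parses FortiOS-style key=value event logs and flags events attributed to the `Local_Process_Access` user, which this editor recalls as the indicator named in Fortinet's PSIRT advisory (confirm the exact strings against the advisory before relying on them). The log lines are constructed for the demonstration and are not from a real device.

```python
import re

# Indicator for CVE-2022-40684 as this editor recalls it from Fortinet's PSIRT
# advisory (assumption: confirm the exact strings against the advisory):
# admin logins or configuration changes attributed to this pseudo-user.
SUSPICIOUS_USERS = {"Local_Process_Access"}

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'([\w-]+)=("([^"]*)"|(\S+))')

# Constructed sample lines in FortiOS event-log style (not from a real device;
# log IDs and field values are illustrative only).
SAMPLE_LOG = [
    'date=2022-10-07 time=09:12:41 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 action="login" '
    'status="success" reason="none" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
    'date=2022-10-07 time=09:13:05 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="Local_Process_Access" '
    'ui="jsconsole" method="jsconsole" srcip=198.51.100.7 action="login" '
    'status="success" reason="none" msg="Administrator Local_Process_Access logged in successfully from jsconsole"',
    'date=2022-10-07 time=09:13:09 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" '
    'ui="jsconsole" action="Edit" cfgtid=1 cfgpath="system.admin" cfgobj="admin" '
    'msg="Edit system.admin admin"',
    'date=2022-10-07 time=09:20:00 logid="0100032002" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login failed" user="jsmith" '
    'ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 action="login" '
    'status="failed" reason="passwd_invalid" msg="Administrator jsmith login failed from https(203.0.113.5)"',
]


def parse_fortios_log(line):
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def find_indicators(lines, suspicious_users=SUSPICIOUS_USERS):
    """Return the parsed events whose 'user' field matches an indicator."""
    hits = []
    for line in lines:
        event = parse_fortios_log(line)
        if event.get("user") in suspicious_users:
            hits.append(event)
    return hits


def summarize(hits):
    """One line per hit: when it happened, what it was, and where it came from."""
    return [
        f'{e.get("date")} {e.get("time")} {e.get("logdesc")} '
        f'user={e.get("user")} ui={e.get("ui")} srcip={e.get("srcip", "-")}'
        for e in hits
    ]


if __name__ == "__main__":
    for line in summarize(find_indicators(SAMPLE_LOG)):
        print(line)
```

Run against exported event logs (or a SIEM query with the same field test), the login hit gives the source IP to pivot on and the configuration-change hit tells you what the intruder touched; both are needed to decide whether to treat the device as compromised rather than merely exposed.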
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: No
Veritas NetBackup is an enterprise backup solution which, according to its product page, offers "agentless backup, instant access, and reliable granular data recovery in the cloud that can scale with [a] virtual machine environment". The product page claims that the solution has 100 exabytes of information currently under management. This week saw 10 unique vulnerabilities disclosed across multiple versions of the product, including XML external entity (XXE) injection, arbitrary file deletion, denial of service, path traversal, and SQL injection. Veritas has released multiple security advisories available at the following links: VTS22-010, VTS22-011, VTS22-012, VTS22-013. The CVE IDs for all related vulnerabilities are as follows:
Real-World Exploitability: High | Exploited in the Wild: Unknown | Available Public Exploits: Yes
ZKteco ZKBioSecurity is a biometric access-control and security platform from ZKteco, a company headquartered in Shenzhen, China. The company's website claims that its products have multinational reach and are deployed in more than 100 countries. The two vulnerabilities, tracked as CVE-2022-36634 and CVE-2022-36635, affect different versions of the ZKBioSecurity V5000 product. CVE-2022-36634 is an SQL injection vulnerability affecting version 4.1.3. CVE-2022-36635 is a privilege escalation vulnerability affecting version 3.0.5_r which allows an authenticated user with minimal privileges to create administrator accounts. ZKteco has not released an official advisory for either vulnerability.