Control Gap Vulnerability Roundup: October 29th to November 4th

This week saw the publication of 517 new CVE IDs. Of those, 9 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 12% were of critical severity, 37% were high, 48% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• A zero-day type confusion vulnerability in Google Chrome V8 has been patched and is currently being exploited in the wild.
• A zero-day vulnerability for Apple devices has received updates addressing older devices as a widespread arbitrary code execution vulnerability is reported anonymously.
• The Zoom Client for Meetings was found to be vulnerable to an arbitrary redirect, users who receive crafted links can be directed to malicious sites.
• Devolutions Remote Desktop Manager was found to keep master passwords for password manager products KeePass Server and Dashlane in its own database in an unencrypted state.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Google Chrome Zero-Day Type Confusion

Google has released an emergency security patch for a type confusion vulnerability in Google Chrome V8 versions before 107.0.5304.87/88. According to Google, the vulnerability, tracked as CVE-2022-3723, is currently being exploited in the wild. In a security notice Google stated that they will not be releasing details on the bug/vulnerability until the majority of users have received an update. Type confusion vulnerabilities stem from programs or applications initializing an object as one type but accessing it later using a sufficiently different type, this class of vulnerability is particularly dangerous as it can lead to out-of-bounds memory access and by extension, arbitrary code execution. Most instances of Chrome will update automatically without any user interaction, for installations which do not utilize this feature, Google is encouraging updates be applied immediately.

Apple Out-of-bounds Write Zero-Day

Apple has released a second set of updates for older devices which were found to be affected by a zero-day vulnerability which was disclosed in late October. The vulnerability, tracked as CVE-2022-42827, which is an out-of-bounds write can, according to Apple result in privileged code execution, denial of service, or data manipulation. The vulnerability was reported to Apple anonymously, Apple received reports that the vulnerability may have been exploited in the wild. Apple devices dating back to the iPhone 6s, multiple versions of iPad models, and the iPod touch 7th generation. Updates have been released which implement more stringent boundary checks, Apple encourages users to update immediately.

Zoom Client for Meetings Arbitrary Redirect

The Zoom client for meetings before version 5.12.2 on all platforms (Android, iOS, Linux, macOS, and Windows) is affected by an arbitrary redirect vulnerability. Users who receive a specially crafted malicious link can be directed to an arbitrary network address. This could potentially facilitate a variety of further attacks against a victim, including credential harvesting or client side attacks. The vulnerability, tracked as CVE-2022-28763 was identified by the Zoom security team and addressed in the Zoom security bulletin ZSB-22024. Users are encouraged to update their clients to the latest available version possible.

Devolutions Remote Desktop Manager Plaintext Passwords

Devolutions remote desktop manager (RDM) is a centralized remote access tool that seeks to provide organizations with a single platform through which they can configure and maintain user access across a variety of remote access and authentication technologies, which according to Devolutions, is utilized by nearly a million users across more than 140 countries. The vulnerability, CVE-2022-3781, describes that account passwords for KeePass Server and Dashlane are stored in the database in an unencrypted state, any user with access to the database can read these passwords and likely use them to escalate privileges in the environment. Devolutions Server versions <= 2022.3.1 and Devolutions RMD versions <= 2022.2.26 are affected. Devolutions has published the security advisory DEVO-2022-0009 and urges customers to upgrade to Devolutions Server version 2022.3.2 and Devolutions Remote Desktop Manager version 2022.2.27.