Control Gap Vulnerability Roundup: October 8th to October 14th

This week saw the publication of 632 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 48% were high, 36% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

• Microsoft’s October 11th Patch Tuesday addresses 85 vulnerabilities including multiple escalation of privilege, remote code execution, security bypass, information disclosure, denial of service, and impersonation vulnerabilities. The “ProxyNotShell” vulnerabilities we wrote about last week were not addressed.
• A remote code execution vulnerability in the Community and Enterprise editions of GitLab could allow attackers with a valid API key to completely takeover standalone deployments of the software. This is the second significant GitLab RCE this quarter.
• Continuing the trend, multiple Python Package Index packages have been found to have had remote code execution backdoors inserted by an unknown third-party.
• Aruba EdgeConnect Enterprise Orchestrator had multiple vulnerabilities published which include authentication bypass and unauthenticated remote code execution vulnerabilities.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Microsoft Patch Tuesday, October 2022

Microsoft’s Patch Tuesday on October 11th, 2022, saw the disclosure of 85 security vulnerabilities for Microsoft products. Included in this group is CVE-2022-41033, declared a zero-day by Microsoft, a vulnerability described as an elevation of privilege bug in the Windows COM+ Event service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the SYSTEM account. While no public exploits are available, Microsoft has announced that the vulnerability is actively being exploited in the wild. Additionally, Microsoft addressed 20 remote code execution vulnerabilities and 38 other escalation of privilege vulnerabilities. Unfortunately, patches for the zero-day Microsoft Exchange vulnerabilities dubbed “ProxyNotShell”, which we wrote about last week were not released on the 11th but Microsoft continues to update their workaround guidance.

GitLab Remote Code Execution

GitLab Community and Enterprise edition were found to be vulnerable to a remote code execution and information disclosure. A researcher by the name of “yvvdwf” published research demonstrating that the OctoKit library utilized by GitLab to import information from the GitHub API was vulnerable to command injection. While the public GitLab site was not completely vulnerable, “yvvdwf” was able to replicate data to an attacker-controlled server or poison GitLab projects. For other standalone GitLab installations, if an attacker could acquire a valid API key, they could use the exploit to completely compromise the affected server. The vulnerability is currently being tracked with the CVE ID, CVE-2022-2884. GitLab has issued a critical security release and is urging users to patch as soon as possible.

Multiple PYPI Packages Backdoor RCE Vulnerabilities

The trend of supply chain attacks against the Python Package Index continues: 17 unique packages have been found to have malicious code contributed by an unknown third party which would allow for remote code execution. Python projects being affected by the installed backdoor would be highly contingent on the usage of the package and the availability of the affected system to exploit. This new trend highlights the importance of software and supply chain governance and the need for professional review when an organization seeks to use a third-party open-source component in its own projects. The affected packages, associated versions and corresponding CVE IDs can be found below:

• d8s-asns v0.1.0 (CVE-2022-42044)
• d8s-xml v0.1.0 (CVE-2022-42043)
• d8s-networking v0.1.0 (CVE-2022-42042)
• d8s-file-system v0.1.0 (CVE-2022-42041)
• d8s-algorithm v0.1.0 (CVE-2022-42040)
• d8s-lists v0.1.0 (CVE-2022-42039)
• d8s-ip-addresses v0.1.0 (CVE-2022-42038)
• d8s-asns v0.1.0 (CVE-2022-42037)
• d8s-urls v0.1.0 (CVE-2022-42036)
• d8s-pdfs v0.1.0 (CVE-2022-41387)
• d8s-utilisty v0.1.0 (CVE-2022-41386)
• d8s-html v0.1.0 (CVE-2022-41385)
• d8s-domains v0.1.0 (CVE-2022-41384)
• d8s-archives v0.1.0 (CVE-2022-41383)
• d8s-json v0.1.0 (CVE-2022-41382)
• d8s-utility v0.1.0 (CVE-2022-41381)
• d8s-yaml v0.1.0 (CVE-2022-41380)

Aruba EdgeConnect Enterprise Orchestrator Multiple Vulnerabilities

Aruba has released security patches for several product versions after the disclosure of multiple vulnerabilities including authentication bypass, and remote code execution. CVE-2022-37913 and CVE-2022-37914 describe vulnerabilities in the EdgeConnect web management interface which would allow an unauthenticated attacker to bypass the authentication page and interact with the management web panel. CVE-2022-37915 is a flaw in the web management interface which would allow an unauthenticated attacker to execute arbitrary commands on the underlying host, resulting in complete takeover of the affected host. Aruba has released an official product security advisory outlining specifically the affected products and versions and urges users who are using supported products to update as soon as possible.