This week saw the publication of 632 new CVE IDs. Of those, 134 have not yet been assigned official CVSS scores; of the ones that were, approximately 14% were of critical severity, 48% were high, 36% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:
The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.
The available threat intelligence at time of writing is documented below. Updates will be clearly marked.
Real-World Exploitability: High
Exploited in the Wild: Yes
Available Public Exploits: Unknown
Microsoft’s Patch Tuesday on October 11th, 2022, saw the disclosure of 85 security vulnerabilities for Microsoft products. Included in this group is CVE-2022-41033, declared a zero-day by Microsoft and described as an elevation of privilege bug in the Windows COM+ Event service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the SYSTEM account. While no public exploits are available, Microsoft has announced that the vulnerability is actively being exploited in the wild. Additionally, Microsoft addressed 20 remote code execution vulnerabilities and 38 other elevation of privilege vulnerabilities. Unfortunately, patches for the zero-day Microsoft Exchange vulnerabilities dubbed “ProxyNotShell”, which we wrote about last week, were not released on the 11th, but Microsoft continues to update its workaround guidance.
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes
GitLab Community and Enterprise Edition were found to be vulnerable to remote code execution and information disclosure. A researcher by the name of “yvvdwf” published research demonstrating that the Octokit library used by GitLab to import information from the GitHub API was vulnerable to command injection. While the public GitLab site was not completely vulnerable, “yvvdwf” was able to exfiltrate data to an attacker-controlled server or poison GitLab projects. On other standalone GitLab installations, an attacker who could acquire a valid API key could use the exploit to completely compromise the affected server. The vulnerability is currently being tracked as CVE-2022-2884. GitLab has issued a critical security release and is urging users to patch as soon as possible.
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No
The trend of supply chain attacks against the Python Package Index continues: 17 unique packages have been found to contain malicious code contributed by an unknown third party which would allow for remote code execution. The impact on a given Python project depends heavily on how the affected package is used and on whether the affected system is reachable by an attacker. This trend highlights the importance of software and supply chain governance and the need for professional review when an organization seeks to use a third-party open-source component in its own projects. The affected packages, associated versions and corresponding CVE IDs can be found below:
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No
Aruba has released security patches for several product versions after the disclosure of multiple vulnerabilities, including authentication bypass and remote code execution. CVE-2022-37913 and CVE-2022-37914 describe vulnerabilities in the EdgeConnect web management interface that would allow an unauthenticated attacker to bypass the authentication page and interact with the management web panel. CVE-2022-37915 is a flaw in the web management interface that would allow an unauthenticated attacker to execute arbitrary commands on the underlying host, resulting in complete takeover of the affected host. Aruba has released an official product security advisory that specifically lists the affected products and versions, and urges users of supported products to update as soon as possible.