Control Gap Vulnerability Roundup: September 17th to September 23rd

This week saw the publication of 587 new CVE IDs. Of those, 126 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 21% were of critical severity, 36% were high, 41% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Sophos firewall unauthenticated remote code execution vulnerability was disclosed and immediately added to CISA’s KEVC.
• Oracle Cloud Infrastructure vulnerability that allowed for the violation of cloud segmentation controls and mounting of storage volumes with full read/write access.
• Previously undisclosed WhatsApp vulnerabilities which could lead to remote code execution under certain conditions are publicly acknowledged by WhatsApp.
• A Python package vulnerability from 2007 has resurfaced after Trellix, a security firm, found that approximately 350,000 GitHub projects are affected.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Sophos Firewall Remote Code Execution

A vulnerability affecting Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus which could lead to unauthenticated remote code execution was disclosed in early August. The vulnerability, CVE-2022-35405 has had public PoC exploit code released along with a Metasploit module. Just this week CISA added the vulnerability to its “Known Exploited Vulnerabilities Catalog” KEVC and urged organizations to patch immediately as the vulnerability is now being exploited en masse. CISA’s binding operational directive BOD 22-01, states that all U.S. federal civilian executive branch agencies must patch vulnerabilities which are found on the KEVC.

Oracle Cloud Infrastructure #AttachMe Access Control Violation

On September 20th, the security researcher Elad Gabay publicly disclosed a security flaw in Oracle Cloud Infrastructure (OCI) which was originally discovered in June. The flaw, which has since been addressed by Oracle would allow an attacker, under certain (attacker controlled) conditions to attach OCI customer storage volumes without authorization. If an attacker knew the Oracle Cloud Identifier (OCID) of the storage volume, which in most cases is publicly available, it would be possible to mount the volume with full read/write permissions.

WhatsApp Multiple Remote Code Execution Vulnerabilities

Two previously undisclosed remote code execution vulnerabilities in WhatsApp applications prior to version 2.22.16.12 for iOS and Android were publicly acknowledged by WhatsApp in a security advisory. The first vulnerability CVE-2022-36934, results from an integer overflow and affects both regular and business versions of WhatsApp on Android and iOS, the vulnerability can be exploited to achieve remote code execution on the victim device by sending crafted payloads during an established video call. The second vulnerability, CVE-2022-27492, results from an integer underflow and affects the regular Android application prior to version 2.22.16.12 and the regular iOS application prior to version 2.22.15.9, the vulnerability can be exploited to achieve remote code execution on the victim device by sending crafted video files to a victim. WhatsApp has already released a patch and users are urged to update as soon as possible.

Python tarfile Package Arbitrary File Write

An old vulnerability in the Python tarfile package has been identified by the security firm Trellix and found to impact an estimated 350,000 GitHub projects. The vulnerability CVE-2007-4559, which can lead to arbitrary file writes, was never patched and instead a warning on the usage of vulnerable function in the package was included. As such, many projects either ignored the warning, implemented the functions improperly, or inherited insecure code from other projects. Again, this is an example of the importance of the software supply chain and how organizations/projects should be aware of the risks associated with using third party components.