controlgap.com

This week saw the publication of 455 new CVE IDs. Of those, 93 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 17% were of critical severity, 36% were high, 46% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Softing Secure Integration Server had multiple vulnerabilities published this week prompting a CISA advisory warning users to upgrade to a patched version of the software as soon as possible.
• The very popular Zoho Manage Engine Analytics Plus software suite had two vulnerabilities published this week including remote code execution and information disclosure.
• The open-source Chinese configuration server AgileConfig was found to have a hard-coded JWT secret key which would allow attackers to take control of the server.
• Qualys Cloud Agent had two vulnerabilities published which include privilege escalation and information disclosure. The information disclosure vulnerability is currently contested by Qualys with several strong justifications.
• A strange CVE was published this week regarding product research done in 2005. Specific hard drives could be crashed by the music in the Janet Jackson music video for “Rhythm Nation” due to the music lining up with the resonant frequency of the hard drive itself.

This week saw the publication of 576 new CVE IDs. Of those, 80 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 39% were high, 39% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

• Zimbra Collaboration Suite vulnerabilities can be chained together to obtain complete remote compromise of the system. Systems are being targeted en-masse in the wild.
• Microsoft Exchange is suffering from multiple vulnerabilities including information disclosure and privilege escalation where an unauthenticated attacker could read e-mails from affected servers.
• Remote code execution affecting Windows server 2022 NFS4.1.
• An unintended behavior in the Google Play Services SDK resulted in potentially thousands of Android applications being built with insecure configurations. Developers are being urged to update their SDK, re-build and re-release their applications.

This week saw the publication of 449 new CVE IDs. Of those, 315 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 19% were of critical severity, 22% were high, 59% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Multiple Cisco small business router models vulnerable to unauthenticated remote code execution in the context of the root account.
• DrayTek routers vulnerable to remote code execution vulnerability. The researchers who found the vulnerability claim 200,000+ vulnerable devices are exposed to the internet.
• SourceCodester programming education and application template library vulnerable to multiple SQL injection and cross-site scripting vulnerabilities.
• Novel “ghost domain name” vulnerability in Unbound DNS resolver allows attackers to maintain DNS resolution, even after takedown.

This week saw the publication of 465 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

• An authentication bypass vulnerability in the FileWave device management platform could allow attackers to compromise an organizations entire fleet of managed devices.
• Secure email and collaboration software Open-Xchange had multiple vulnerabilities published this week the worst of which could allow a user with access to the document converter module to execute arbitrary code on the affected server.
• Citrix ADC and Citrix Gateway is affected by a redirection vulnerability. These are often exploited as part of phishing campaigns to automatically redirect users from a site which may seem trustworthy to an attacker-controlled site.
• Adobe Acrobat Reader is affected by an out-of-bounds read vulnerability which can result in arbitrary code execution if a user is convinced to open a crafted file.
• LibreOffice fails to verify the authenticity of macro certificates allowing malicious macros to masquerade as those provided by a trusted source.

This week saw the publication of 579 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

• MiCODUS GPS trackers have multiple vulnerabilities which could allow an attacker to execute arbitrary commands in an admin context on the device. This could allow an attacker to control certain functions of the vehicle or track its location.
• Supply chain attacks against projects contained in the Python package index result in backdoors allowing for remote code execution to be contained in the affected projects.
• Cryptocurrency mining devices created by Goldshell are found to suffer from multiple vulnerabilities including hard coded credentials for their SSH service.
• The incredibly popular Foxit PDF Reader is affected by multiple vulnerabilities which could lead to remote code execution if a user can be convinced to interact with a crafted file.

This week saw the publication of 561 new CVE IDs. Of those, 441 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 26% were of critical severity, 34% were high, 40% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• Microsoft’s July 12th Patch Tuesday updates included 84 fixes for a wide range of security issues, including multiple remote command execution and privilege escalation vulnerabilities. Several of the remediated privilege escalation vulnerabilities have been reportedly exploited in the wild.
• Multiple critical vulnerabilities were identified to affect a newly released medical clinic patient management software, highlighting the risks associated with leveraging source code from untrustworthy open-source sites.
• Sage 300 enterprise resource planning software is affected by a DLL hijacking vulnerability which could allow an attacker to escalate to local SYSTEM privileges. This disclosure stems from security research conducted by Control Gap’s own Konrad Haase into installer misconfigurations and weak folder permissions affecting the software.

This week saw the publication of 330 new CVE IDs. Of those, 296 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 21% were of critical severity, 48% were high, 31% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• An account takeover and authenticated remote code execution vulnerability present in the CentOS Control Web Panel can result in unauthenticated remote code execution in the context of the root account.
• A zero-day buffer overflow in Google Chrome Desktop was patched on July 4th. Google has disclosed that the vulnerability is being exploited in the wild.
• Session tokens for the OpenVPN Access Server web interface are not generated randomly enough to be considered secure.
• The “ransomware canaries” feature of Elastic Endpoint Security which is designed to detect and prevent ransomware execution was found to have a local privilege escalation vulnerability which could allow an attacker to escalate to SYSTEM.