controlgap.com

Control Gap Vulnerability Roundup: April 29th to May 5th

This week saw the publication of 294 new CVE IDs. Of those, 99 have not yet been assigned official CVSS scores. Of the ones that were, approximately 10% were of critical severity, 33% were high, 57% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • The highly popular WordPress plugin, “Advanced Custom Fields”, which boasts more than 2 million users, was found to have been affected by an XSS vulnerability which would allow an unauthenticated attacker to conduct scripting attacks against site admins.
  • A particular model of Cisco phone adapter was found to allow unauthenticated users to force firmware updates on the device, resulting in complete compromise of the system. The devices are end-of-life and Cisco has stated they will not be releasing a fix.
  • OpenText BizManager, a popular document management system, had a vulnerability disclosed this week which would allow for the takeover of admin accounts.
  • Acronis, a security vendor specializing in backup solutions, had a CVE published this week for two products affected by information disclosure vulnerabilities. Interestingly, the vulnerabilities were addressed by Acronis a year ago in an official advisory.

Control Gap Vulnerability Roundup: April 22nd to April 28th

This week saw the publication of 501 new CVE IDs. Of those, 430 have not yet been assigned official CVSS scores. Of the ones that were, approximately 20% were of critical severity, 13% were high, 67% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Apache Superset disclosed a vulnerability affecting multiple versions of the Superset server. The issue has been known since October 2021 but was finally patched this past week. Apache is urging users to update immediately.
  • The highly popular print server “PaperCut” has disclosed multiple critical severity vulnerabilities which are being actively exploited in the wild. Unauthenticated attackers can exploit affected PaperCut servers to execute remote code. Trend Micro, the researchers who initially discovered the vulnerability, have announced that they will wait until May 10th to release technical details. Horizon3 and Huntress Labs have preempted Trend Micro by releasing their own blog posts and PoC exploits publicly.
  • APC, an incredibly popular battery backup and electrical product producer, has disclosed a vulnerability affecting the software used to manage their products remotely. This vulnerability’s severity could potentially be exacerbated as these products are commonly relied on during disaster recovery situations.
  • ESET has released research showing that they were able to retrieve highly sensitive information from networking technology purchased on the secondhand market. ESET was able to retrieve network and application configuration information in addition to authentication secrets even from devices which were said to be securely wiped by a third-party service.

Control Gap Vulnerability Roundup: April 8th to April 14th

This week saw the publication of 652 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores. Of the ones that were, approximately 12% were of critical severity, 48% were high, 39% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A flaw in the Microsoft Windows Message Queuing service was disclosed and patched which would allow for remote code execution on any affected asset running an MSMQ service.
  • The Microsoft Windows Common Log File System continues to be abused by threat actors to escalate privileges on affected systems; this week saw the disclosure and patch of the 32nd vulnerability affecting the service since 2018.
  • SAP products utilized by Fortune 100 companies all over the world had two critical severity vulnerabilities disclosed this week which would allow attackers to execute arbitrary code or upload arbitrary files.
  • SpiceDB had a very lengthy CVE record published this week outlining a vulnerability which would allow attackers to obtain secrets entered when launching the database from the command line.

Control Gap Vulnerability Roundup: April 1st to April 7th

This week saw the publication of 579 new CVE IDs. Of those, 314 have not yet been assigned official CVSS scores. Of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Two new zero-day arbitrary code execution vulnerabilities affecting multiple Apple products have been disclosed and patched.
  • VM2, a popular JavaScript library designed around secure execution of untrusted code, was affected by a vulnerability which would allow attackers to escape the sandbox and execute arbitrary code on the host system.
  • A vulnerability affecting HP LaserJet products has been disclosed which would allow an attacker to compromise IPsec credentials. HP has disputed the vulnerability’s severity based on the highly conditional requirements for exploitation.
  • The open-source edge and service proxy “Envoy” has had multiple vulnerabilities disclosed this past week which could potentially allow for the compromise of sensitive communications between applications and the network layer.

Control Gap Vulnerability Roundup: March 18th to March 24th

This week saw the publication of 591 new CVE IDs. Of those, 100 have not yet been assigned official CVSS scores. Of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • A new bug dubbed “aCropalypse” has been disclosed which affects the “Markup Tool”, Google’s photo editing app for Android devices. The bug could allow for sensitive information to be retrieved from images which have been cropped or redacted dating back 5 years to Android 9.
  • WooCommerce has addressed a vulnerability in the popular self-titled WordPress plugin which would allow an unauthenticated user to impersonate an admin, leading to the complete compromise of the site.
  • Microsoft has addressed a zero-day vulnerability in its Outlook email client which could allow attackers to conduct NTLM relay attacks by sending a crafted email that the user does not even have to open or preview. Microsoft has acknowledged exploitation of this vulnerability by Russian APT groups dating back to April 2022.
  • Cisco Talos researchers have identified a very simple but effective remote command execution vulnerability in Netgear Orbi routers that could be exploited if an attacker could gain access to the administrator console, either through misconfiguration or credential attacks.

Control Gap Vulnerability Roundup: March 4th to March 10th

This week saw the publication of 493 new CVE IDs. Of those, 58 have not yet been assigned official CVSS scores. Of the ones that were, approximately 18% were of critical severity, 24% were high, 57% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Fortinet products have been hit by yet another remote code execution vulnerability, giving threat actors a path of entry into organizations’ internal networks.
  • Two remote code execution vulnerabilities have been disclosed and patched for multiple versions of the Android operating system. Google has chosen to play their cards very close to their chest and not release any technical details surrounding the vulnerabilities. Highly motivated attackers will likely seek to create exploits for these vulnerabilities as mobile devices represent high-value targets.
  • Veeam has disclosed a high severity vulnerability which would allow an attacker to retrieve “encrypted” credentials from the Backup & Replication service. The vulnerability is being treated very seriously by Veeam and would suggest an unauthenticated attacker could access sensitive backup files without much effort.
  • Microsoft has disclosed a vulnerability for its popular document editing product “Word” which affects its rich text format parser. In a world where Mark of the Web is severely reducing the effectiveness of malspam, this represents an attractive alternative attack path.

Control Gap Vulnerability Roundup: February 25th to March 3rd

This week saw the publication of 442 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores. Of the ones that were, approximately 14% were of critical severity, 39% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • ArubaOS has had a staggering 21 vulnerabilities of varying severity disclosed this week; all requiring an attacker to be authenticated to exploit. This release appears to coincide with a batch disclosure of vulnerabilities identified by their bug bounty program.
  • ClamAV, an open-source and “hackable” antivirus tool now owned by Cisco, has had two vulnerabilities disclosed which would allow for the compromise of an affected system if the tool was used to analyze a specially crafted file.
  • Firmware for WAGO programmable logic controllers was found to not enforce authentication on requests made to the back end of its web management interface. An unauthenticated attacker could abuse this to completely compromise the affected system.
  • Various models of Cisco IP phones were found to be vulnerable to remote code execution allowing an attacker who compromises the device to potentially lurk on the network for an extended period of time.

Control Gap Vulnerability Roundup: February 18th to February 24th

This week saw the publication of 326 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores. Of the ones that were, approximately 19% were of critical severity, 25% were high, 55% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • An arbitrary password reset vulnerability in the open source “GNUBoard” bulletin board system, tracked as CVE-2022-44216, could lead to account takeovers.
  • CloudFlow ProofScope, a web-based software application for proofing and collaboration, was found to be affected by an arbitrary file upload vulnerability leading to code execution, which is being tracked as CVE-2022-41217.
  • ZoneMinder, the popular open-source CCTV software, was found to be affected by 8 different vulnerabilities including authenticated code execution, local file inclusion, cross-site scripting, path traversal, and SQL injection.
  • Two cross-site scripting vulnerabilities were disclosed for JetBrains TeamCity which could allow for scripting attacks against users of the platform.

Control Gap Vulnerability Roundup: February 11th to February 17th

This week saw the publication of 788 new CVE IDs. Of those, 526 have not yet been assigned official CVSS scores. Of the ones that were, approximately 6% were of critical severity, 44% were high, 49% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A remote code execution vulnerability involving JNDI abuse (like Log4J) and insecure deserialization was disclosed for Apache Kafka.
  • FortiNAC and FortiWeb were patched to remediate remote code execution vulnerabilities which could potentially allow an attacker with no privileges to breach an organization’s perimeter.
  • Apple has patched a zero-day remote code execution vulnerability in its WebKit browser engine. Apple has confirmed it was exploited in the wild but will not provide any further technical details. Special thanks were given to Citizen Lab.
  • Citrix has patched a privilege escalation vulnerability which would allow any Windows user within the VDE to escalate to “NT AUTHORITY\SYSTEM”.

Control Gap Vulnerability Roundup: January 28th to February 3rd

This week saw the publication of 468 new CVE IDs. Of those, 435 have not yet been assigned official CVSS scores. Of the ones that were, approximately 24% were of critical severity, 40% were high, 36% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • The file transfer software GoAnywhere MFT has had a “remote code injection” vulnerability disclosed this week by Brian Krebs. The official advisory was released in a private manner to GoAnywhere MFT customers.
  • Popular NAS producer QNAP has addressed a remote code execution vulnerability in its QTS and QuTS firmware for its devices.
  • A vulnerability for Lexmark network printers has been released which affects more than 100 different Lexmark devices. If successfully exploited, the vulnerability could allow for remote code execution in the context of the root user.
  • The popular reverse engineering tool Binwalk was found to have a path traversal vulnerability which could allow for remote code execution if a reverse engineer extracts a PFS file.