controlgap.com


Control Gap Vulnerability Roundup: August 27th to September 2nd

This week saw the publication of 432 new CVE IDs. Of those, 204 have not yet been assigned official CVSS scores; of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • In a growing pattern, another package on the Python Package Index has been backdoored by an unknown third party, giving it a remote code execution vulnerability.
  • Japanese company Hytech Inter saw multiple vulnerabilities published for one of its products this week. The affected device, an industrial LTE router, would pose a significant security risk if compromised.
  • 23 vulnerabilities involving memory management were identified in Snapdragon Auto modules. While the impact of these disclosures is still unclear, the global adoption of these products could imply far-reaching risk.
  • An open redirect vulnerability in IBM’s Security Identity Manager could empower threat actors to conduct powerful phishing attacks.

Control Gap Vulnerability Roundup: August 20th to August 26th

This week saw the publication of 565 new CVE IDs. Of those, 170 have not yet been assigned official CVSS scores; of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • An Atlassian Bitbucket remote code execution vulnerability allows a user with read permissions on any public or private repository to execute arbitrary code through a crafted HTTP request.
  • GitLab community edition and enterprise editions are affected by a remote code execution vulnerability in which an authenticated user who can “import from GitHub” can execute arbitrary code in the context of the affected server.
  • BlackHat presenters found variations of similar vulnerabilities in automotive remote keyless entry systems which allow for “time-agnostic” exploitation of keyless entry systems.
  • The restaurant management software Tabit had multiple vulnerabilities published this week including information disclosure, weak password generation, database injection, unauthorized account modification, and arbitrary SMS messaging as the Tabit server.

Control Gap Vulnerability Roundup: August 13th to August 19th

This week saw the publication of 455 new CVE IDs. Of those, 93 have not yet been assigned official CVSS scores; of the ones that were, approximately 17% were of critical severity, 36% were high, 46% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Softing Secure Integration Server had multiple vulnerabilities published this week, prompting a CISA advisory warning users to upgrade to a patched version of the software as soon as possible.
  • The very popular Zoho ManageEngine Analytics Plus software suite had two vulnerabilities published this week, including remote code execution and information disclosure.
  • The open-source Chinese configuration server AgileConfig was found to have a hard-coded JWT secret key which would allow attackers to take control of the server.
  • Qualys Cloud Agent had two vulnerabilities published which include privilege escalation and information disclosure. The information disclosure vulnerability is currently contested by Qualys with several strong justifications.
  • A strange CVE was published this week regarding product research done in 2005. Specific hard drives could be crashed by the music in the Janet Jackson music video for “Rhythm Nation” due to the music lining up with the resonant frequency of the hard drive itself.

Control Gap Vulnerability Roundup: August 6th to August 12th

This week saw the publication of 576 new CVE IDs. Of those, 80 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 39% were high, 39% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • Zimbra Collaboration Suite vulnerabilities can be chained together to obtain complete remote compromise of the system. Systems are being targeted en masse in the wild.
  • Microsoft Exchange is suffering from multiple vulnerabilities, including information disclosure and privilege escalation, where an unauthenticated attacker could read e-mails from affected servers.
  • A remote code execution vulnerability affects NFS 4.1 on Windows Server 2022.
  • An unintended behavior in the Google Play Services SDK resulted in potentially thousands of Android applications being built with insecure configurations. Developers are being urged to update their SDK, re-build and re-release their applications.

Control Gap Vulnerability Roundup: July 30th to August 5th

This week saw the publication of 449 new CVE IDs. Of those, 315 have not yet been assigned official CVSS scores; of the ones that were, approximately 19% were of critical severity, 22% were high, 59% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Multiple Cisco small business router models are vulnerable to unauthenticated remote code execution in the context of the root account.
  • DrayTek routers are vulnerable to remote code execution. The researchers who found the vulnerability claim that 200,000+ vulnerable devices are exposed to the internet.
  • The SourceCodester programming education and application template library is vulnerable to multiple SQL injection and cross-site scripting vulnerabilities.
  • Novel “ghost domain name” vulnerability in Unbound DNS resolver allows attackers to maintain DNS resolution, even after takedown.

Control Gap Vulnerability Roundup: July 23rd to 29th

This week saw the publication of 465 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores; of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • An authentication bypass vulnerability in the FileWave device management platform could allow attackers to compromise an organization's entire fleet of managed devices.
  • Secure email and collaboration software Open-Xchange had multiple vulnerabilities published this week, the worst of which could allow a user with access to the document converter module to execute arbitrary code on the affected server.
  • Citrix ADC and Citrix Gateway are affected by a redirection vulnerability. These are often exploited as part of phishing campaigns to automatically redirect users from a site which may seem trustworthy to an attacker-controlled site.
  • Adobe Acrobat Reader is affected by an out-of-bounds read vulnerability which can result in arbitrary code execution if a user is convinced to open a crafted file.
  • LibreOffice fails to verify the authenticity of macro certificates allowing malicious macros to masquerade as those provided by a trusted source.

Control Gap Vulnerability Roundup: July 16th to 22nd

This week saw the publication of 579 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores; of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • MiCODUS GPS trackers have multiple vulnerabilities which could allow an attacker to execute arbitrary commands in an admin context on the device. This could allow an attacker to control certain functions of the vehicle or track its location.
  • Supply chain attacks against projects hosted on the Python Package Index resulted in backdoors allowing remote code execution being inserted into the affected projects.
  • Cryptocurrency mining devices created by Goldshell are found to suffer from multiple vulnerabilities, including hard-coded credentials for their SSH service.
  • The incredibly popular Foxit PDF Reader is affected by multiple vulnerabilities which could lead to remote code execution if a user can be convinced to interact with a crafted file.

Control Gap Vulnerability Roundup: July 8th to 15th

This week saw the publication of 561 new CVE IDs. Of those, 441 have not yet been assigned official CVSS scores; of the ones that were, approximately 26% were of critical severity, 34% were high, 40% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Microsoft’s July 12th Patch Tuesday updates included 84 fixes for a wide range of security issues, including multiple remote command execution and privilege escalation vulnerabilities. Several of the remediated privilege escalation vulnerabilities have been reportedly exploited in the wild.
  • Multiple critical vulnerabilities were identified in a newly released medical clinic patient management software, highlighting the risks associated with leveraging source code from untrustworthy open-source sites.
  • Sage 300 enterprise resource planning software is affected by a DLL hijacking vulnerability which could allow an attacker to escalate to local SYSTEM privileges. This disclosure stems from security research conducted by Control Gap’s own Konrad Haase into installer misconfigurations and weak folder permissions affecting the software.

Control Gap Vulnerability Roundup: July 1st to 8th

This week saw the publication of 330 new CVE IDs. Of those, 296 have not yet been assigned official CVSS scores; of the ones that were, approximately 21% were of critical severity, 48% were high, 31% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • An account takeover and authenticated remote code execution vulnerability present in the CentOS Control Web Panel can result in unauthenticated remote code execution in the context of the root account.
  • A zero-day buffer overflow in Google Chrome Desktop was patched on July 4th. Google has disclosed that the vulnerability is being exploited in the wild.
  • Session tokens for the OpenVPN Access Server web interface are not generated randomly enough to be considered secure.
  • The “ransomware canaries” feature of Elastic Endpoint Security which is designed to detect and prevent ransomware execution was found to have a local privilege escalation vulnerability which could allow an attacker to escalate to SYSTEM.

How to protect against username enumeration on login, registration, and password reset forms

Username enumeration (sometimes called account enumeration) is when it is possible for a hacker to confirm whether a given username is valid for a system. If a malicious actor can gather valid usernames on a platform, they can then use brute force attacks such as credential stuffing or guessing to compromise associated accounts. The collected usernames can also be sold to other spammers and hackers or used in social engineering attacks against the users themselves.
