controlgap.com

Posts about: offensivesecurity

Critical Vulnerability Disclosure: Sage 300

In 2022 Konrad Haase, a member of the Control Gap Offensive Security team, discovered a series of vulnerabilities in Sage 300, a well-established on-premises enterprise resource planning (ERP) solution, that could allow an attacker to bypass authentication and user-level access controls, decrypt sensitive data including stored passwords, and obtain direct database access to read/modify/delete all records. Over the past 10 months the Control Gap team has been working with Sage to develop a product update to address these issues, which Sage released on April 27, 2023. Users of the Sage 300 program are strongly encouraged to download and install this product update as soon as possible.

On June 27 we published a series of technical articles detailing the discovery and exploitation process for the six (6) vulnerabilities described below.


Control Gap Vulnerability Roundup: April 8th to April 14th

This week saw the publication of 652 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores; of the ones that were, approximately 12% were of critical severity, 48% were high, 39% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A flaw in the Microsoft Windows Message Queuing service was disclosed and patched which would allow for remote code execution on any affected asset running an MSMQ service.
  • The Microsoft Windows Common Log File System continues to be abused by threat actors to escalate privileges on affected systems; this week saw the disclosure and patch of the 32nd vulnerability affecting the service since 2018.
  • SAP products utilized by Fortune 100 companies all over the world had two critical severity vulnerabilities disclosed this week which would allow attackers to execute arbitrary code or upload arbitrary files.
  • SpiceDB had a very lengthy CVE record published this week outlining a vulnerability which would allow attackers to obtain secrets entered when launching the database from the command line.

Control Gap Vulnerability Roundup: April 1st to April 7th

This week saw the publication of 579 new CVE IDs. Of those, 314 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Two new zero-day arbitrary code execution vulnerabilities affecting multiple Apple products have been disclosed and patched.
  • VM2, a popular JavaScript library designed around secure execution of untrusted code, was affected by a vulnerability which would allow attackers to escape the sandbox and execute arbitrary code on the host system.
  • A vulnerability affecting HP LaserJet products has been disclosed which would allow an attacker to compromise IPsec credentials. HP has disputed the vulnerability's severity based on the highly conditional requirements for exploitation.
  • The open-source edge and service proxy “Envoy” has had multiple vulnerabilities disclosed this past week which could potentially allow for the compromise of sensitive communications between applications and the network layer.

Control Gap Vulnerability Roundup: March 18th to March 24th

This week saw the publication of 591 new CVE IDs. Of those, 100 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • A new bug dubbed “aCropalypse” has been disclosed which affects the “Markup Tool”, Google’s photo editing app for Android devices. The bug could allow for sensitive information to be retrieved from images which have been cropped or redacted dating back 5 years to Android 9.
  • WooCommerce has addressed a vulnerability in the popular self-titled WordPress plugin which would allow an unauthenticated user to impersonate an admin, leading to the complete compromise of the site.
  • Microsoft has addressed a zero-day vulnerability in its Outlook email client which could allow attackers to conduct NTLM relay attacks by sending a crafted email that the user does not even have to open or preview. Microsoft has acknowledged exploitation of this vulnerability by Russian APT groups dating back to April 2022.
  • Cisco Talos researchers have identified a very simple but effective remote command execution vulnerability in Netgear Orbi routers that could be exploited if an attacker could gain access to the administrator console, either through misconfiguration or credential attacks.

Control Gap Vulnerability Roundup: March 4th to March 10th

This week saw the publication of 493 new CVE IDs. Of those, 58 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 24% were high, 57% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Fortinet products experience yet another remote code execution vulnerability, allowing a path of entry for threat actors into organizations’ internal networks.
  • Two remote code execution vulnerabilities have been disclosed and patched for multiple versions of the Android operating system. Google has chosen to play their cards very close to their chest and not release any technical details surrounding the vulnerabilities. Highly motivated attackers will likely seek to create exploits for these vulnerabilities as mobile devices represent high-value targets.
  • Veeam has disclosed a high severity vulnerability which would allow an attacker to retrieve “encrypted” credentials from the Backup & Replication service. The vulnerability is being treated very seriously by Veeam and would suggest an unauthenticated attacker could access sensitive backup files without much effort.
  • Microsoft has disclosed a vulnerability for its popular document editing product “Word” which affects its rich text format parser. In a world where the mark of the web is severely reducing the effectiveness of malspam this represents an attractive alternative attack path.

Control Gap Vulnerability Roundup: February 25th to March 3rd

This week saw the publication of 442 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores; of the ones that were, approximately 14% were of critical severity, 39% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • ArubaOS has had a staggering 21 vulnerabilities of varying severity disclosed this week; all requiring an attacker to be authenticated to exploit. This release appears to coincide with a batch disclosure of vulnerabilities identified by their bug bounty program.
  • ClamAV, an open-source and “hackable” antivirus tool now owned by Cisco, has had two vulnerabilities disclosed which would allow for the compromise of an affected system if the tool was used to analyze a specially crafted file.
  • Firmware for WAGO programmable logic controllers was found to not enforce authentication on requests made to the back end of its web management interface. An unauthenticated attacker could abuse this to completely compromise the affected system.
  • Various models of Cisco IP phones were found to be vulnerable to remote code execution allowing an attacker who compromises the device to potentially lurk on the network for an extended period of time.

Control Gap Vulnerability Roundup: February 18th to February 24th

This week saw the publication of 326 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores; of the ones that were, approximately 19% were of critical severity, 25% were high, 55% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • An arbitrary password reset vulnerability in the open source “GNUBoard” bulletin board system, tracked as CVE-2022-44216, could lead to account takeovers.
  • CloudFlow ProofScope, a web-based software application for proofing and collaboration, was found to be affected by an arbitrary file upload leading to code execution vulnerability that is being tracked as CVE-2022-41217.
  • ZoneMinder, the popular open-source CCTV software, was found to be affected by 8 different vulnerabilities including authenticated code execution, local file inclusion, cross-site scripting, path traversal, and SQL injection.
  • Two cross-site scripting vulnerabilities were disclosed for JetBrains TeamCity which could allow for scripting attacks against users of the platform.

Control Gap Vulnerability Roundup: February 11th to February 17th

This week saw the publication of 788 new CVE IDs. Of those, 526 have not yet been assigned official CVSS scores; of the ones that were, approximately 6% were of critical severity, 44% were high, 49% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A remote code execution vulnerability involving JNDI abuse (like Log4J) and insecure deserialization was disclosed for Apache Kafka.
  • FortiNAC and FortiWeb were patched to remediate remote code execution vulnerabilities which could potentially allow an attacker with no privileges to breach an organization’s perimeter.
  • Apple has patched a zero-day remote code execution vulnerability in its WebKit browser engine. Apple has confirmed it was exploited in the wild but will not provide any further technical details. Special thanks were given to Citizen Lab.
  • Citrix has patched a privilege escalation vulnerability which would allow any Windows user within the VDE to escalate to “NT AUTHORITY\SYSTEM”.

Control Gap Vulnerability Roundup: January 28th to February 3rd

This week saw the publication of 468 new CVE IDs. Of those, 435 have not yet been assigned official CVSS scores; of the ones that were, approximately 24% were of critical severity, 40% were high, 36% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • The file transfer software GoAnywhere MFT has had a “remote code injection” vulnerability disclosed this week by Brian Krebs. The official advisory was released in a private manner to GoAnywhere MFT customers.
  • Popular NAS producer QNAP has addressed a remote code execution vulnerability in its QTS and QuTS firmware for its devices.
  • A vulnerability for Lexmark network printers has been released which affects more than 100 different Lexmark devices. If successfully exploited, the vulnerability could allow for remote code execution in the context of the root user.
  • The popular reverse engineering tool Binwalk was found to have a path traversal vulnerability which could allow for remote code execution if a reverse engineer extracts a PFS file.

Control Gap Vulnerability Roundup: January 21st to January 27th

This week saw the publication of 537 new CVE IDs. Of those, 480 have not yet been assigned official CVSS scores; of the ones that were, approximately 4% were of critical severity, 49% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • YellowFin Business Intelligence platform was found to utilize a hard-coded RSA private key for several cryptographic functions resulting in multiple authentication bypass vulnerabilities which could be abused to achieve remote code execution.
  • Multiple buffer overflow vulnerabilities were disclosed for Adobe Acrobat which could result in remote code execution if a user opens a crafted file. These kinds of vulnerabilities will slowly become more valuable as Microsoft makes strides to shut down typical malspam techniques.
  • A whopping 62 vulnerabilities allowing for remote code execution were disclosed by Cisco Talos for the Siretta Quartz Gold industrial LTE router.
  • Solar-Log Photovoltaic device firmware was found by Swascan researchers to have backdoor “Super Admin” credentials which can be derived from public information available on the web portal.