controlgap.com

Posts about: offensivesecurity (5)

Control Gap Vulnerability Roundup: August 6th to August 12th

This week saw the publication of 576 new CVE IDs. Of those, 80 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 39% were high, 39% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • Zimbra Collaboration Suite vulnerabilities can be chained together to obtain complete remote compromise of the system. Systems are being targeted en masse in the wild.
  • Microsoft Exchange is suffering from multiple vulnerabilities, including information disclosure and privilege escalation, where an unauthenticated attacker could read e-mails from affected servers.
  • A remote code execution vulnerability affecting NFS 4.1 on Windows Server 2022.
  • An unintended behavior in the Google Play Services SDK resulted in potentially thousands of Android applications being built with insecure configurations. Developers are being urged to update their SDK, then re-build and re-release their applications.

Control Gap Vulnerability Roundup: July 30th to August 5th

This week saw the publication of 449 new CVE IDs. Of those, 315 have not yet been assigned official CVSS scores; of the ones that were, approximately 19% were of critical severity, 22% were high, 59% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Multiple Cisco small business router models are vulnerable to unauthenticated remote code execution in the context of the root account.
  • DrayTek routers are vulnerable to remote code execution. The researchers who found the vulnerability claim 200,000+ vulnerable devices are exposed to the internet.
  • The SourceCodester programming education and application template library is vulnerable to multiple SQL injection and cross-site scripting vulnerabilities.
  • A novel “ghost domain name” vulnerability in the Unbound DNS resolver allows attackers to keep a domain resolving even after it has been taken down.

Control Gap Vulnerability Roundup: July 23rd to 29th

This week saw the publication of 465 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores; of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • An authentication bypass vulnerability in the FileWave device management platform could allow attackers to compromise an organization's entire fleet of managed devices.
  • Secure email and collaboration software Open-Xchange had multiple vulnerabilities published this week, the worst of which could allow a user with access to the document converter module to execute arbitrary code on the affected server.
  • Citrix ADC and Citrix Gateway are affected by an open redirection vulnerability. Open redirects are often exploited as part of phishing campaigns to automatically send users from a site which may seem trustworthy to an attacker-controlled site.
  • Adobe Acrobat Reader is affected by an out-of-bounds read vulnerability which can result in arbitrary code execution if a user is convinced to open a crafted file.
  • LibreOffice fails to verify the authenticity of macro signing certificates, allowing malicious macros to masquerade as those provided by a trusted source.

Control Gap Vulnerability Roundup: July 16th to 22nd

This week saw the publication of 579 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores; of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

  • MiCODUS GPS trackers have multiple vulnerabilities which could allow an attacker to execute arbitrary commands in an admin context on the device. This could allow an attacker to control certain functions of the vehicle or track its location.
  • Supply chain attacks against projects hosted on the Python Package Index (PyPI) resulted in backdoors allowing remote code execution being inserted into the affected projects.
  • Cryptocurrency mining devices created by Goldshell were found to suffer from multiple vulnerabilities, including hard-coded credentials for their SSH service.
  • The incredibly popular Foxit PDF Reader is affected by multiple vulnerabilities which could lead to remote code execution if a user can be convinced to interact with a crafted file.

Control Gap Vulnerability Roundup: July 8th to 15th

This week saw the publication of 561 new CVE IDs. Of those, 441 have not yet been assigned official CVSS scores; of the ones that were, approximately 26% were of critical severity, 34% were high, 40% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Microsoft’s July 12th Patch Tuesday updates included 84 fixes for a wide range of security issues, including multiple remote code execution and privilege escalation vulnerabilities. Several of the remediated privilege escalation vulnerabilities have reportedly been exploited in the wild.
  • Multiple critical vulnerabilities were identified in a newly released medical clinic patient management software package, highlighting the risks associated with leveraging source code from untrustworthy open-source sites.
  • Sage 300 enterprise resource planning software is affected by a DLL hijacking vulnerability which could allow an attacker to escalate to local SYSTEM privileges. This disclosure stems from security research conducted by Control Gap’s own Konrad Haase into installer misconfigurations and weak folder permissions affecting the software.

A Sage 300 Case Study

In modern cyberattacks, threat actors will often begin their attacks against enterprises by obtaining low-privileged access to a single system in the internal IT environment through phishing, VPN access, or successful exploits against perimeter systems. Once they’ve gained a foothold in the environment, these threat actors will often perform local privilege escalation, the process of elevating their permissions beyond those of the compromised user account, to expand their access and accomplish their objectives. Local privilege escalation is typically performed by exploiting missing operating system patches (which address critical vulnerabilities), system misconfigurations, or vulnerable third-party applications installed on the target machine. In this article, we’ll explore how a simple oversight in a third-party application installer can compromise the security of a local system, allowing an attacker to escalate their privileges and obtain complete system compromise. During a cyberattack, such a compromise would allow attackers to pivot and escalate their access to other systems and potentially to privileged domain accounts within a corporate IT environment. This article should be of particular interest to IT administrators, as this type of vulnerability affects many enterprise software products and is trivial to exploit.

The third-party application installer we’ll be examining in this article is associated with a product called Sage 300. This product caught our attention during a penetration test in 2021, where we used a vulnerability in a local Sage 300 installation to escalate our privileges on a workstation to which we had obtained low-privileged access. Given the nature of the vulnerability, we assumed that our customer had made a mistake during installation or subsequent configuration, but after some research we discovered that the vulnerability we exploited lay in the product itself, and likely affected Sage 300 installations going back several years. Following responsible disclosure, we alerted the Sage security team and worked with them for over a year towards a fix for the vulnerability we discovered, which is now described in CVE-2021-45492.

Control Gap Vulnerability Roundup: July 1st to 8th

This week saw the publication of 330 new CVE IDs. Of those, 296 have not yet been assigned official CVSS scores; of the ones that were, approximately 21% were of critical severity, 48% were high, 31% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • An account takeover and an authenticated remote code execution vulnerability present in the CentOS Control Web Panel can be combined to achieve unauthenticated remote code execution in the context of the root account.
  • A zero-day buffer overflow in Google Chrome for desktop was patched on July 4th. Google has disclosed that the vulnerability is being exploited in the wild.
  • Session tokens for the OpenVPN Access Server web interface are generated with insufficient randomness to be considered secure.
  • The “ransomware canaries” feature of Elastic Endpoint Security, which is designed to detect and prevent ransomware execution, was found to have a local privilege escalation vulnerability which could allow an attacker to escalate to SYSTEM.

Our Offensive Security Hiring Process

Control Gap is expanding our Offensive Security team and looking for talented individuals. To ensure that we build the right team, we needed a better way to evaluate potential candidates. Interviews are only one lens through which to get to know a person; we felt we needed to elevate our selection process to ensure that our candidates felt they were truly the right fit for Control Gap.

The MS Exchange World-Wide Exploitation

For organizations running on-premises Microsoft Exchange servers, we want to make you aware of four severe zero-day vulnerabilities announced on March 2nd, 2021. Attackers are using these vulnerabilities to obtain SYSTEM-level access, execute arbitrary code, gain domain-level access, steal information, and install ransomware. The announced CVEs impact most versions of Exchange Server but do not impact organizations using Exchange Online or Microsoft 365 (M365). If your organization uses Microsoft Exchange 2010, 2013, 2016, or 2019, Microsoft strongly urges you to apply the security patches immediately to reduce the threat of compromise [1].