2022-068: UPDATE: New Microsoft Exchange Zero-Day Vulnerabilities - Wednesday, December 21, 2022 02:50:00 PM CEST
On September 28, 2022, security researchers at the Vietnamese cybersecurity vendor GTSC published a blog post claiming to have discovered an attack campaign that utilised two zero-day bugs in Microsoft Exchange which could allow an attacker remote code execution. The attackers chain the pair of zero-days to deploy web shells, notably China Chopper, on compromised servers for persistence and data theft, and to move laterally to other systems on the victims' networks.
Microsoft identified the vulnerabilities as CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, and CVE-2022-41082, which allows remote code execution (RCE) when PowerShell is accessible to the attacker. CrowdStrike recently discovered a new exploit method (called OWASSRF) that chains CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA).
2022-087: Critical Vulnerability in Citrix Gateway and Citrix ADC - Tuesday, December 13, 2022 05:50:00 PM CEST
On December 13, 2022, Citrix released a Security Bulletin regarding a critical vulnerability, CVE-2022-27518, affecting its Citrix Gateway and Citrix ADC products. If exploited, this vulnerability can enable an unauthenticated remote attacker to perform arbitrary code execution on the appliance. According to the NSA, the vulnerability is being exploited by the APT5 group. APT5 is also known to have exploited Pulse Secure VPN vulnerabilities in 2021. It is therefore highly recommended to install the latest security updates.
2022-086: Remote Code Execution Vulnerability in FortiOS SSL-VPN - Tuesday, December 13, 2022 02:50:00 PM CEST
On December 12, 2022, Fortinet released an advisory concerning a critical heap-based buffer overflow vulnerability in FortiOS SSL-VPN that may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. This vulnerability, CVE-2022-42475, has a CVSS score of 9.3.
Fortinet is aware of one instance where this vulnerability was exploited in the wild. Fortinet does not believe this to be trivial to exploit; however, it is advising customers using SSL-VPN to upgrade immediately.
2022-085: Type Confusion Vulnerability in Chrome Browser - Monday, December 05, 2022 03:10:00 PM CEST
On December 2, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified as CVE-2022-4262, that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google is aware of reports that an exploit for CVE-2022-4262 exists in the wild. It is highly recommended to apply the update.
2022-084: Critical Vulnerability in Visual Studio Code - Friday, December 02, 2022 12:40:00 PM CEST
On November 22, Microsoft published a security advisory about a Remote Code Execution vulnerability in Visual Studio Code. The severity is rated critical: a remote code execution vulnerability exists in VS Code 1.71 and earlier versions when opening malicious notebooks. These notebooks could use command URIs to execute arbitrary commands, including potentially dangerous commands.
2022-083: Critical Vulnerabilities in NVIDIA GPU Display Driver - Thursday, December 01, 2022 06:50:00 PM CEST
On November 28, NVIDIA released a software security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation.
2022-082: Multiple Vulnerabilities in SolarWinds Platform - Thursday, December 01, 2022 06:50:00 PM CEST
On November 22, SolarWinds released patch notes for SolarWinds Platform 2022.4 fixing 7 vulnerabilities, including 4 rated high, that could lead to the execution of arbitrary commands.
2022-081: Critical Vulnerabilities in Atlassian Products - Friday, November 18, 2022 05:30:00 PM CEST
On November 16, 2022, Atlassian released two advisories for critical vulnerabilities in the Crowd Server and Data Center identity management platform, and in Bitbucket Server and Data Center. Tracked as CVE-2022-43782, the first vulnerability allows an attacker to authenticate as the Crowd application and subsequently call privileged endpoints on the Crowd platform. The second vulnerability, tracked as CVE-2022-43781, is a command injection vulnerability in Bitbucket that lets an attacker with permission to control their username exploit this issue and execute arbitrary code on the system.
2022-080: Remote Code Execution Vulnerabilities in F5 Products - Friday, November 18, 2022 12:30:00 PM CEST
On November 16, 2022, F5 released an advisory on F5 BIG-IP and BIG-IQ concerning two high-severity CVEs. The first one, CVE-2022-41622, is a cross-site request forgery (CSRF) vulnerability whose exploitation can allow an unauthenticated attacker to perform critical actions on the system, even if the management interface is not exposed on the Internet. The second vulnerability, CVE-2022-41800, can allow an attacker with administrative privileges to execute arbitrary commands on the device.
2022-079: Exploited 0-days and Critical Vulnerabilities in Microsoft Windows - Wednesday, November 09, 2022 01:30:00 PM CEST
On November 8, 2022, Microsoft released its Patch Tuesday advisory, which contains information about 68 flaws, of which 11 are rated critical and 6 are exploited 0-day vulnerabilities. The exploitation of these vulnerabilities could lead to elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing. It is highly recommended to apply the fixes as soon as possible.
2022-078: Severe Vulnerabilities in Citrix Gateway and Citrix ADC - Wednesday, November 09, 2022 11:25:00 AM CEST
On November 8, 2022, Citrix released a Security Bulletin regarding three severe vulnerabilities affecting its Citrix Gateway and Citrix ADC products. Under specific configurations, the three vulnerabilities can enable attackers to gain unauthorised access to the device, perform remote desktop takeover, or bypass the login brute-force protection. It is highly recommended to install the latest security updates.
2022-077: Several High Vulnerabilities in Splunk Enterprise - Friday, November 04, 2022 04:55:00 PM CEST
On November 2, 2022, Splunk released its quarterly Security Patch Update, which included nine high-severity vulnerabilities. The most severe vulnerabilities, which have a CVSS score of 8.8 out of 10, are CVE-2022-43571 (Remote Code Execution (RCE) through the dashboard PDF generation component), CVE-2022-43570 (XML External Entity Injection through a custom View) and CVE-2022-43568 (Reflected Cross-Site Scripting via the radio template).
2022-073: UPDATE: OpenSSL Critical Vulnerability - Tuesday, November 01, 2022 10:55:00 PM CEST
On November 1, 2022, the OpenSSL project team released a new version of the OpenSSL 3 library. Version 3.0.7 fixes two HIGH-severity vulnerabilities, CVE-2022-3602 and CVE-2022-3786, that could lead to Denial of Service conditions or, in some cases, Remote Code Execution. It is recommended to upgrade OpenSSL to the latest version. Proofs of concept are now available.
2022-076: Critical Vulnerability in VMware Cloud Foundation - Monday, October 31, 2022 11:20:00 AM CEST
On October 25, 2022, VMware released a new version of Cloud Foundation (NSX-V) fixing a critical Remote Code Execution vulnerability. VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products has been published. It is highly recommended to apply the latest version.
2022-075: Type Confusion Vulnerability in Chrome Browser - Friday, October 28, 2022 05:30:00 PM CEST
On October 27, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified as CVE-2022-3723. Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild. It is highly recommended to apply the update.
2022-074: DoS Vulnerabilities in Pulse Secure Products - Friday, October 28, 2022 10:25:00 AM CEST
On October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited. It is recommended to upgrade to the latest version of these products.
2022-072: Apache Commons Text Vulnerability - Wednesday, October 19, 2022 11:00:00 AM CEST
A vulnerability, tracked as CVE-2022-42889 with a CVSS score of 9.8, was found in the Apache Commons Text package in versions 1.5 through 1.9. The affected versions allow an attacker to abuse the variable interpolation feature of Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and to unintentional contact with untrusted remote servers.
2022-071: Junos OS: Multiple Vulnerabilities in J-Web - Monday, October 17, 2022 01:50:00 AM CEST
Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.
2022-070: UPDATE: FortiOS and FortiProxy Critical Vulnerability - Friday, October 14, 2022 11:30:00 AM CEST
On October 10, 2022, Fortinet released a security advisory to warn about a critical vulnerability (CVSS v3 score: 9.6), tracked as CVE-2022-40684, impacting FortiOS, FortiProxy and FortiSwitchManager. The exploitation of this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Fortinet is aware of at least one instance where this vulnerability was exploited; it is therefore recommended to remediate this vulnerability with the utmost urgency.
A proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability have been published by Horizon3.ai security researchers.
2022-069: UPDATE: Remote Code Execution in Zimbra Collaboration Suite - Friday, October 14, 2022 10:30:00 AM CEST
In September 2022, a remote code execution vulnerability similar to CVE-2022-30333 (SA2022-063) was reported for Zimbra Collaboration Suite. Tracked as CVE-2022-41352 since September 25, 2022, this as-yet-unpatched flaw is due to unsafe use of the vulnerable "cpio" utility by Zimbra's antivirus engine, Amavis. The exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a vulnerable Zimbra instance.
Proofs of concept (PoC) are publicly available for this vulnerability, which is reported to be actively exploited.
2022-067: Critical WhatsApp Vulnerabilities - Friday, September 30, 2022 02:12:00 PM CEST
WhatsApp has patched two remote code execution vulnerabilities in its September update. These could have allowed an attacker to remotely access a device and execute commands. The vulnerabilities were discovered by WhatsApp's internal security team and there are no indications that they have already been exploited.
2022-066: Vulnerabilities affecting multiple versions of BIND 9 - Tuesday, September 27, 2022 02:05:00 PM CEST
On September 21, 2022, the Internet Systems Consortium (ISC) released security advisories that address vulnerabilities affecting multiple versions of ISC's Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.
2022-065: RCE Vulnerability in Sophos Firewall - Monday, September 26, 2022 12:20:00 PM CEST
On September 23, 2022, Sophos warned about a critical code injection security vulnerability in the company’s Firewall product that is being exploited in the wild. They observed the vulnerability being used to target a small set of specific organisations, primarily in the South Asia region.
2022-064: Multiple Critical Vulnerabilities in Microsoft Products - Wednesday, September 15, 2022 11:00:00 AM CEST
On the 13th of September, Microsoft released its September 2022 Patch Tuesday advisory, including fixes for 2 zero-day vulnerabilities identified as CVE-2022-37969 and CVE-2022-23960, which affect several Windows versions.
The patch also contains fixes for five critical vulnerabilities affecting Microsoft Dynamics, Windows IKE Extension and Windows TCP/IP.
It is highly recommended to patch the affected devices.
2022-063: Path Traversal Vulnerability in Unrar affects Zimbra software - Wednesday, August 31, 2022 02:55:00 PM CEST
In May 2022, the security research team at SonarSource discovered a 0-day vulnerability in the "unrar" utility for Linux and Unix systems. This utility is a third-party tool used in Zimbra. The exploitation of this vulnerability allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring prior authentication or any knowledge about the instance.
Proofs of concept (PoC) are now publicly available, as well as a Metasploit module.
2022-062: Remote Command Execution Vulnerability in GitLab - Thursday, August 25, 2022 11:58:00 AM CEST
On the 22nd of August 2022, GitLab released a security advisory regarding a Remote Command Execution vulnerability affecting its products. This vulnerability exists in the "import via GitHub" functionality. Exploiting this vulnerability allows an authenticated user to achieve remote code execution on the affected server.
2022-061: Reflected Amplification DoS Vulnerability in PAN-OS - Thursday, August 11, 2022 01:35:00 PM CEST
On August 10, 2022, Palo Alto Networks released a security advisory regarding a Denial-of-Service (DoS) vulnerability affecting PAN-OS. Exploiting this vulnerability, a network-based attacker would be able to obfuscate their identity and implicate the vulnerable firewall as the source of an attack.
While some software updates are not yet available, mitigations and workarounds are available and should be applied as soon as possible.
2022-060: Multiple Critical Vulnerabilities in Microsoft Products - Wednesday, August 10, 2022 02:20:00 PM CEST
On August 9, Microsoft released its August 2022 Patch Tuesday advisory, including fixes for 2 zero-day vulnerabilities identified as CVE-2022-34713 and CVE-2022-30134, which affect the Microsoft Windows Support Diagnostic Tool (MSDT) and Microsoft Exchange Server respectively.
The patch also contains fixes for 17 critical vulnerabilities affecting Active Directory Domain Services, Azure Batch Node Agent, Microsoft Exchange Server, Remote Access Service Point-to-Point Tunneling Protocol, Windows Hyper-V, Windows Kernel (SMB Client and Server), Windows Point-to-Point Tunneling Protocol and Windows Secure Socket Tunneling Protocol (SSTP).
It is highly recommended to patch affected devices.
2022-059: Critical Vulnerabilities in Cisco VPN Routers - Tuesday, August 04, 2022 12:15:00 PM CEST
On August 3, Cisco released a security advisory and patches regarding several critical vulnerabilities affecting Cisco VPN routers.
It is highly recommended to upgrade affected appliances as soon as possible.
2022-058: Critical Shell Command Injection Vulnerability in Apache Spark - Tuesday, August 03, 2022 09:15:00 AM CEST
On July 18, the Apache Spark project released a security bulletin regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as CVE-2022-33891 and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher; a proof-of-concept (PoC) exploit is already available on GitHub and exploitation attempts in the wild have been detected since at least July 26.
Apache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages.
2022-057: Critical Vulnerability in VMware Products - Tuesday, August 03, 2022 09:15:00 AM CEST
On August 2, 2022, multiple critical vulnerabilities were reported by VMware. Exploitation of these vulnerabilities may lead to unauthenticated remote code execution on the affected servers.
2022-052: UPDATE: Critical Vulnerability in Questions for Confluence - Tuesday, August 02, 2022 02:45:00 PM CEST
On July 20th, Atlassian released a security advisory to address a critical vulnerability that affects the Questions for Confluence app. When the app is enabled on Confluence Server or Data Center, it creates the Confluence user account "disabledsystemuser". The account is intended to aid administrators; it is created with a hardcoded password and is added to the "confluence-users" group, which by default allows viewing and editing all non-restricted pages within Confluence. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the "confluence-users" group has access to.
[UPDATE] The "disabledsystemuser" account is configured with a third-party email address that is not controlled by Atlassian, meaning that an affected instance configured to send notifications will e-mail that address, potentially disclosing information.
The hardcoded password was publicly disclosed by an external party on Twitter on July 21st, which makes exploitation in the wild highly likely; therefore an immediate update to a patched version is highly recommended.
2022-056: Critical Vulnerabilities In Samba - Monday, August 01, 2022 05:01:00 PM CEST
On June 27, 2022, the Samba Team released security updates to address several vulnerabilities in its product. Exploitation of these vulnerabilities may allow an attacker to cause a DoS condition, leak data, or even take control of the whole domain.
2022-055: Possible Information Disclosure in MobileIron for Android - Thursday, July 28, 2022 04:26:00 PM CEST
The problem affects Android users using MobileIron with the "Use smart send" option enabled in the Email+ client. When "User A" forwards or replies to an email to "User B", "User B" receives a different email body instead of the original email. This could lead to information disclosure, especially if the recipients are outside the sender's organisation.
2022-054: Critical SQL Injection Vulnerability - Monday, July 25, 2022 04:21:00 PM CEST
On July 21st, 2022, SonicWall released security patches for its Analytics On-Prem and GMS products, addressing a critical SQL injection flaw. Currently, no reports of a proof of concept (PoC) have been made public and there is no known active exploitation in the wild. Nevertheless, an immediate update to the patched versions is recommended.
2022-053: Oracle Critical Patch Update - July 2022 - Monday, July 25, 2022 09:48:00 AM CEST
On July 19th, 2022, Oracle released its quarterly Critical Patch Update advisory, a collection of patches that address multiple critical security flaws affecting several of its products. Many of these vulnerabilities may be remotely exploited without the need for user credentials. It is therefore highly recommended to apply the security patches without delay.
2022-051: Cisco Nexus Dashboard Multiple Vulnerabilities - Friday, July 22, 2022 05:19:00 PM CEST
On July 20th, Cisco released a security advisory that addresses one critical and two high-severity vulnerabilities found in Cisco Nexus Dashboard. The vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. Cisco's Product Security Incident Response Team (PSIRT) is not aware of any active exploitation of these vulnerabilities in the wild, and the company has released software updates to address them.
2022-050: Multiple Critical Vulnerabilities in Microsoft Products - Thursday, July 14, 2022 09:15:00 AM CEST
On the 12th of July, Microsoft released its July 2022 Patch Tuesday, including fixes for one actively exploited zero-day vulnerability and a total of 84 flaws. The zero-day, tracked as CVE-2022-22047, is a Windows CSRSS elevation-of-privilege vulnerability allowing an attacker to gain SYSTEM privileges. Out of the 84 other security flaws, four are classified as Critical, as they allow remote code execution. These critical vulnerabilities affect the Microsoft Graphics Component, Windows Network File System and Windows Remote Procedure Call. They are tracked as CVE-2022-22029, CVE-2022-22039, CVE-2022-22038 and CVE-2022-30221. Bleeping Computer released a full report listing all the vulnerabilities assessed in the Microsoft Security Updates, with a description of each vulnerability and the systems it affects.
2022-049: TheHive Unauthenticated API Endpoint Leaking Data - Tuesday, July 5, 2022 01:35:00 PM CEST
On the 4th of July 2022, StrangeBee published an advisory about a critical vulnerability that, if exploited, could leak sensitive information about current activities in TheHive (creation, modification and deletion of any object). It is strongly recommended to update to the latest versions available.
2022-048: Critical Remote Code Execution Vulnerability in GitLab - Monday, July 4, 2022 05:30:00 PM CEST
On June 30, 2022, GitLab released new software versions that fix several vulnerabilities, one of which is a critical remote command execution vulnerability identified as CVE-2022-2185, with a CVSS score of 9.9 out of 10. It is highly recommended to upgrade GitLab servers to the latest available version.
2022-047: Jira Full-Read SSRF Vulnerability - Friday, July 1, 2022 11:36:00 PM CEST
On June 29th, Atlassian published a security advisory for a high-severity vulnerability in Mobile Plugin for Jira Data Center and Server. The vulnerability allows a remote authenticated user to perform a full-read server-side request forgery via a batch endpoint. This vulnerability is tracked as CVE-2022-26135. Atlassian rates the severity level of this vulnerability as high, according to its published scale (7.0 - 8.9).
2022-046: Critical PHP Flaw Exposes QNAP NAS Devices to RCE Attacks - Wednesday, June 22, 2022 6:36:00 PM CEST
On June 22, 2022, QNAP published an advisory about specific products that are vulnerable to remote code execution (RCE) when certain conditions are met. CVE-2019-11043 is reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11. In certain PHP-FPM configurations, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
2022-045: TheHive and Cortex Active Directory Authentication Bypass - Wednesday, June 22, 2022 6:03:00 PM CEST
On June 22, 2022, StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive.
The vulnerability allows impersonating any account on the platform, including administrators. Exploitation is possible if the configured AD is on-premises. If the Active Directory authentication module is not enabled or configured, or if Azure AD is used, the system is not vulnerable.
2022-044: MS-DFSNM NTLM Relay Attack for Windows Domain Takeover - Tuesday, June 21, 2022 11:18:00 AM CEST
On the 18th of June 2022, a security researcher published a proof of concept for coercing authentication through MS-DFSNM using the "NetrDfsRemoveStdRoot" method. This type of attack allows Windows domain takeover. To coerce a remote server into authenticating against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam) and MS-FSRVP protocols.
2022-043: Critical Vulnerability in Citrix ADM - Friday, June 17, 2022 2:44:00 PM CEST
On the 14th of June 2022, Citrix released security updates to address vulnerabilities in Citrix Application Delivery Management (ADM) that could allow an unauthenticated attacker to log in as administrator.
All supported versions of Citrix ADM server and Citrix ADM agent are affected by this vulnerability.
2022-042: Critical Vulnerability in Windows NFS - Wednesday, June 15, 2022 4:09:00 PM CEST
On the 14th of June 2022, Microsoft, as part of the June Patch Tuesday release, issued 55 security fixes for various vulnerabilities. Among others, the update fixes the critical vulnerability CVE-2022-30136, which is an RCE vulnerability in the Network File System (NFS). The vulnerability can be exploited by an unauthenticated attacker using a specially crafted call to an NFS service. The vulnerability is not exploitable in NFSv2.0 or NFSv3.0.
There is no evidence that this vulnerability is exploited in the wild. However, it is recommended to patch as soon as possible.
2022-041: Critical Vulnerability in GitLab - Friday, June 3, 2022 11:45:00 PM CEST
On June 1, 2022, GitLab released updates fixing several vulnerabilities, one of which could lead to account takeover. This critical vulnerability is identified as CVE-2022-1680, with a severity score of 9.9 out of 10.
2022-040: UPDATE: Critical Remote Code Execution Vulnerability in Confluence - Friday, June 3, 2022 9:37:00 AM CEST
On June 2, 2020, Confluence released an advisory about a critical vulnerability, identified as CVE-2022-26134 with a severity score of 10 out of 10, which could lead to unauthenticated Remote Code Execution if exploited.
This vulnerability is being actively exploited, leading to the installation of web shells and crypto-miners. Moreover, a PoC for exploiting the vulnerability is now publicly available.
2022-039: UPDATE: Follina Vulnerability in Microsoft Office Products - Monday, May 30, 2022 12:59:00 PM CEST
On the 29th of May 2022, the Nao_Sec team, an independent cyber security research team, discovered a malicious Office document shared on VirusTotal. This document uses an unusual but known technique to infect its victims. The technique was not detected as malicious by some EDR products, such as Microsoft Defender for Endpoint. This vulnerability could lead to code execution without the need for user interaction, as it does not involve macros, unless "Protected View" mode is enabled and "Preview mode" is disabled in Windows Explorer.
On the 30th of May 2022, Microsoft started to track this vulnerability, identified as CVE-2022-30190 (aka Follina), with a severity score of 7.8 out of 10.
On the 14th of June 2022, Microsoft released security updates as part of the June Patch Tuesday. One of the fixes applies to this actively exploited vulnerability. This update does not prevent Microsoft Office tools from loading Windows protocol URI handlers without user interaction, but instead blocks PowerShell injection and disables this attack vector.
2022-038: Zoom Vulnerabilities - Friday, May 27, 2022 4:29:00 PM CEST
On the 17th of May 2022, Zoom released an advisory about two high-severity vulnerabilities. They are tracked as CVE-2022-22786, with a CVSS score of 7.5, and CVE-2022-22784, with a CVSS score of 8.1. Successful exploitation of these vulnerabilities could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version and to forge XMPP messages from the server, respectively.
2022-037: Path Traversal SPL Injection in Splunk Products - Friday, May 20, 2022 7:48:00 PM CEST
On May 3rd, 2022, Splunk released a security advisory for a path traversal in a search parameter that can potentially allow external content injection. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries.
The vulnerability was found in Splunk Enterprise up to 8.1.1; it has been declared critical and is tracked as CVE-2022-26889.
2022-036: UPDATE: Critical Vulnerabilities in VMware Products - Thursday, May 19, 2022 10:57:00 AM CEST
On the 18th of May 2022, VMware released an advisory about two critical vulnerabilities. Tracked as CVE-2022-22972 and CVE-2022-22973, with CVSS scores of 9.8 and 7.8 respectively, these vulnerabilities allow an unauthenticated attacker to achieve an authentication bypass affecting local domain users and a privilege escalation granting "root" access.
On the 25th of May 2022, security researchers at the attack surface assessment company Horizon3 announced that they had managed to create working proof-of-concept (PoC) exploit code for CVE-2022-22972 and would likely release a technical report at the end of the week. No technical details have been released yet, but the plan includes publishing exploit code that demonstrates the attack vector.
It is strongly recommended to apply the patches as soon as possible.
2022-035: Critical Remote Code Execution in Zyxel Products - Tuesday, May 17, 2022 10:02:00 AM CEST
In April 2022, a security researcher from Rapid7 discovered and reported a vulnerability that affects Zyxel firewall and VPN devices for business (the advisory was publicly released on 12th May 2022). Tracked as CVE-2022-30525 with a CVSS score of 9.8, successful exploitation of this vulnerability allows an unauthenticated remote attacker to achieve code execution as the "nobody" user.
A public exploit is available and a module has been added to the Metasploit penetration testing framework. This vulnerability is currently being exploited in the wild by attackers to gain access to information systems.
It is strongly recommended to apply the vendor patch as soon as possible.
2022-034: UPDATE: Multiple Critical Vulnerabilities in Microsoft Products - Wednesday, May 11, 2022 3:53:00 PM CEST
On May 11th, Microsoft issued its May 2022 Patch Tuesday, including fixes for three zero-day vulnerabilities and 75 flaws. Among the zero-days, the vulnerability tracked as CVE-2022-26925 is actively exploited in the wild. It is a new NTLM relay attack using an LSARPC flaw, allowing an unauthenticated attacker to coerce the domain controller into authenticating to the attacker using NTLM. The two other zero-days are a denial-of-service vulnerability in Hyper-V, tracked as CVE-2022-22713, and a new remote code execution vulnerability in Azure Synapse and Azure Data Factory, tracked as CVE-2022-29972 and presented in CERT-EU Security Advisory 2022-033.
Out of the 75 flaws, eight are classified as Critical, allowing remote code execution or elevation of privilege. These vulnerabilities affect many different Microsoft components, including Excel, Windows LDAP, Remote Desktop Protocol, LSA and others.
BleepingComputer released a full report listing all the vulnerabilities assessed in the Microsoft Security Updates, with a description of each vulnerability and the systems it affects.
On May 13, additional information became available about authentication issues following the installation of the patches on Domain Controller servers. On May 19, the issue related to authentication failures of Domain Controllers was resolved in out-of-band updates. Please see the [Recommendations] section of this advisory for details.
2022-033: Critical RCE Vulnerabilities in Microsoft Azure Synapse - Tuesday, May 10, 2022 3:06:00 PM CEST
On May 9th, Microsoft issued a security advisory addressing a critical RCE vulnerability in the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR). This vulnerability, CVE-2022-29972, has a CVSS score of 8.2 out of 10 and may allow an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.
According to Microsoft's article, there was no evidence of misuse or malicious activity. Only self-hosted IR environments without auto-update need to take action to safeguard their deployments.
2022-032: UPDATE: Critical Vulnerability Affecting F5 Devices - Thursday, May 5, 2022 2:17:00 PM CEST
On the 4th of May 2022, F5 released several patches addressing 43 vulnerabilities, including one rated critical, CVE-2022-1388. This vulnerability has a CVSS score of 9.8 out of 10 and may allow an unauthenticated attacker with network access to the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services.
On the 9th of May 2022, Horizon3, along with other groups, released a proof-of-concept exploit. Moreover, exploitation attempts have increased in the last few days. We advise you to patch as quickly as possible and to restrict access to the F5 BIG-IP management interface to authorised people only.
2022-031: Jira Authentication Bypass Vulnerability - Tuesday, April 26, 2022 4:42:00 PM CEST
On April 20th, Atlassian published a security advisory for a critical vulnerability in the Jira and Jira Service Management products, which are vulnerable to an authentication bypass in their web authentication framework, Jira Seraph. This vulnerability is tracked as CVE-2022-0540, with a severity score of 9.9 out of 10 on the CVSS scoring system. Atlassian has released software updates that address this vulnerability.
2022-030: Cisco Umbrella Virtual Appliance Vulnerability - Friday, April 22, 2022 10:01:00 AM CEST
On the 20th of April, Cisco released a security advisory about a high severity vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA). The vulnerability could allow an unauthenticated, remote attacker to impersonate a VA. Cisco has released software updates that address this vulnerability.
2022-029: UPDATE: Oracle Java SE RCE Vulnerability - Thursday, April 21, 2022 2:21:00 PM CEST
Oracle published a Critical Patch Update Advisory - April 2022, which is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 520 new security patches across the product families.
One of the vulnerabilities is CVE-2022-21449. It is an exploitable vulnerability which allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data.
On the 20th of April, a researcher released proof-of-concept code, which makes potential attacks much more likely.
2022-028: Apache Struts RCE Vulnerability - Wednesday, April 20, 2022 2:59:00 PM CEST
The Apache Software Foundation has released a security advisory about a possible remote code execution vulnerability CVE-2021-31805 in the Apache Struts web application framework. This vulnerability was previously addressed with CVE-2020-17530 but the fix was incomplete.
2022-027: CISCO WLC Critical Vulnerability - Saturday, April 16, 2022 12:26:00 PM CEST
Cisco has released a security advisory to warn about a critical vulnerability (CVSS v3 score: 10.0), tracked as CVE-2022-20695, impacting the Wireless LAN Controller (WLC) software. A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass authentication controls and log into the device through the management interface.
2022-026: Critical Vulnerabilities in Microsoft Windows - Wednesday, April 13, 2022 2:47:00 PM CEST
On April 12th, Microsoft issued the monthly Patch Tuesday in which 128 vulnerabilities were fixed. Three of them were classified as Critical as they allow remote code execution (RCE) with no user interaction. Two other vulnerabilities rated as Important can be used for privilege escalation, but since one of them is already being actively exploited and the other has a public exploit, we recommend patching all of them as soon as possible.
2022-025: UPDATE: Critical Vulnerabilities in VMware - Thursday, April 7, 2022 1:45:00 PM CEST
On April 6th, VMware released several security patches for critical-severity flaws affecting multiple products. The vulnerabilities identified as "CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", and "CVE-2022-22958" can lead to multiple effects such as remote code execution and authentication bypass.
VMware also patched high and medium severity bugs that could be exploited for Cross-Site Request Forgery (CSRF) attacks ("CVE-2022-22959"), privilege escalation ("CVE-2022-22960"), and unauthorised access to information ("CVE-2022-22961").
On May 20th, Unit 42 observed numerous instances of "CVE-2022-22954" being exploited in the wild. When successful, "CVE-2022-22960" can be leveraged to run commands as the root user. It is strongly recommended to patch as soon as possible.
2022-024: Critical Vulnerability in Gitlab - Monday, April 4, 2022 12:53:00 PM CEST
On 31/03/2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products, tracked as CVE-2022-1162. Discovered by GitLab's internal team, this vulnerability allows a remote attacker to take over user accounts. GitLab is not aware of any accounts compromised by exploiting this vulnerability.
The vulnerability is rated with a score of 9.1 out of 10; CERT-EU recommends patching as soon as possible.
2022-023: UPDATE: Critical RCE Vulnerability in Spring Core - Thursday, March 31, 2022 2:48:00 PM CEST
On 29/03/2022, some cybersecurity analysts were alarmed following the publication of a few posts from a Chinese Twitter account. These tweets contained screenshots showing a 0-day exploit in Spring Core, a popular Java library.
The vulnerability has been assigned "CVE-2022-22965", and it is being referred to as "Spring4Shell". The key points known at this time are:
- This vulnerability allows an unauthenticated attacker to execute arbitrary code on the targeted system.
- Proofs-of-Concept (PoCs) of this vulnerability are publicly available.
- Patches have been released.
CERT-EU recommends patching as soon as possible.
Additionally, another Spring vulnerability was also part of the recent discussions on the internet. Assigned CVE number "CVE-2022-22963" (CVSS score 9.0), it is a remote code execution vulnerability in Spring Cloud Function, which is a separate Java library from Spring Core. Public PoCs are available. CERT-EU recommends patching this vulnerability as soon as possible as well.
2022-022: Critical RCE Vulnerability in SonicWall Firewalls - Tuesday, March 29, 2022 10:14:00 AM CEST
On 25/03/2022, SonicWall fixed a critical vulnerability (CVE-2022-22274) in its firewall products which allows a remote unauthenticated attacker to cause a Denial-of-Service (DoS) that potentially results in code execution on the firewall. This vulnerability has a score of 9.4 out of 10.
CERT-EU strongly recommends patching this vulnerability as soon as possible.
2022-021: UPDATE: Critical RCE Vulnerability in Sophos Firewalls - Monday, March 28, 2022 10:28:00 AM CEST
On 25/03/2022, Sophos fixed a critical vulnerability (CVE-2022-1040) in its firewall products which allows remote code execution. This vulnerability enables an unauthenticated attacker to gain control over the targeted system. It has a score of 9.8 out of 10.
[Update]: This vulnerability is currently under active exploitation in the wild.
CERT-EU strongly recommends patching this vulnerability as soon as possible.
2022-020: Multiple Critical Vulnerabilities in VMware Carbon Black - Friday, March 25, 2022 1:23:00 PM CET
On 23/03/2022, VMware published multiple critical vulnerabilities ("CVE-2022-22951", "CVE-2022-22952") in VMware products which allow remote code execution. These vulnerabilities may lead to gaining control over the targeted system. Both vulnerabilities are rated with a CVSSv3 base score of 9.1 out of 10.
2022-019: Multiple Critical Vulnerabilities in Veeam - Monday, March 21, 2022 6:14:00 PM CET
On 12/03/2022, Veeam published multiple critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam products which allow remote code execution without authentication. These vulnerabilities may lead to gaining control over the targeted system. The publication was last modified by Veeam on 18/03/2022.
2022-018: Serious Vulnerability in Linux Kernel - Thursday, March 17, 2022 10:28:00 AM CET
On February 22, Red Hat released a security advisory fixing a severe vulnerability in the "netfilter" subcomponent of the Linux kernel. Listed as CVE-2022-25636 with a CVSS score of 7.8, it could allow a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation. This vulnerability is present in all recent major distributions, and exploits for it were already published.
It is recommended to update the Linux distributions as soon as possible.
2022-017: OpenSSL/LibreSSL Vulnerability - Wednesday, March 16, 2022 11:45:00 AM CET
On March 15th, the OpenSSL project revealed a high severity vulnerability that can lead to Denial-of-Service for applications that use certificates from untrusted sources. It can be exploited remotely by an attacker using a specially crafted certificate that triggers an infinite loop. LibreSSL was also impacted by this vulnerability and has also been patched.
2022-016: Important Vulnerability in Windows SMBv3 - Thursday, March 10, 2022 11:05:00 PM CET
On March 8th, in the monthly Patch Tuesday, Microsoft fixed 71 vulnerabilities, three of which were classified as Critical as they allow remote code execution. A remote code execution vulnerability classified as Important affects the Windows SMBv3 Client/Server.
The vulnerability tracked as CVE-2022-24508 is a remote code execution vulnerability allowing an authenticated user to execute malicious code on Windows 10 version 2004 and newer systems via SMBv3. No active exploitation of this vulnerability is known yet.
2022-015: Critical Vulnerability in Microsoft Exchange Server - Thursday, March 10, 2022 11:55:00 AM CET
On March 8th, Microsoft issued the monthly Patch Tuesday in which 71 vulnerabilities were fixed. Three of them were classified as Critical as they allow remote code execution (RCE). One of these critical vulnerabilities affects Microsoft Exchange Server.
The vulnerability tracked as CVE-2022-23277 is a remote code execution vulnerability that can be exploited by an authenticated attacker to perform RCE on Microsoft Exchange. No active exploitation of this vulnerability is known yet.
2022-014: Privilege Escalation Vulnerability in Linux Kernel - Tuesday, March 8, 2022 11:28:00 AM CET
On March 7th, a security researcher disclosed the Dirty Pipe vulnerability affecting Linux Kernel 5.8 and later versions. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files including SUID processes that run as root.
As per the researcher, the vulnerability is similar to CVE-2016-5195 Dirty Cow, but it is even easier to exploit.
2022-013: Multiple Vulnerabilities in VMware - Thursday, February 17, 2022 3:39:00 PM CET
On January 15th, VMware released several security patches for high-severity flaws affecting multiple products. The vulnerabilities identified as "CVE-2021-22040", "CVE-2021-22041", "CVE-2021-22042", "CVE-2021-22043", "CVE-2021-22050" and "CVE-2022-22945" can lead to multiple effects such as arbitrary code execution, denial of service, and privilege escalation.
There is no evidence that any of these weaknesses is being exploited in the wild. However, it is recommended to patch as soon as possible.
2022-012: UPDATE: Critical Vulnerabilities in PHP Everywhere WordPress Plugin - Thursday, February 10, 2022 7:50:00 PM CET
On January 4th, researchers found three critical vulnerabilities in the 'PHP Everywhere' plugin for WordPress. These vulnerabilities, identified as "CVE-2022-24663", "CVE-2022-24664" and "CVE-2022-24665", affect many WordPress sites and can lead to remote code execution (RCE) that could be leveraged to achieve a complete site takeover. All three have a CVSS score of 9.9.
The vulnerabilities were found on January 4th, but due to the responsible disclosure process, the information about them was published 30 days after the release of the patched version. No proof-of-concept or ongoing exploitation of these vulnerabilities has been observed yet. However, it is highly recommended to apply the patches as soon as possible.
2022-011: ICM Vulnerability in SAP Software - Wednesday, February 9, 2022 7:08:00 PM CET
On February 8, the SAP Product Security Response Team released new patches addressing CVEs in SAP products. One of them is categorised as a critical vulnerability with a CVSS score of 10. This vulnerability, identified as "CVE-2022-22536", affects many SAP products and can lead to different impacts such as ransomware attack, theft of sensitive data, financial fraud, disruption of mission-critical business processes, etc.
No proof-of-concept or ongoing exploitation of this vulnerability has been observed yet. However, it is highly recommended to apply the patch as soon as possible.
2022-010: RCE Vulnerabilities in Microsoft Sharepoint and DNS - Wednesday, February 9, 2022 7:02:00 PM CET
On February 8, Microsoft released 51 new patches addressing CVEs in various Microsoft products. Two of them are categorised as significant (rating: High) vulnerabilities with a CVSS score of 8.8. The first vulnerability, identified as "CVE-2022-22005", affects Microsoft SharePoint Server and can lead to remote code execution if the attacker is authenticated and possesses the permissions for page creation. The second vulnerability, identified as "CVE-2022-21984", affects the Microsoft DNS Server and can also lead to remote code execution if the DNS server has dynamic updates enabled.
No proof-of-concept or ongoing exploitation of these vulnerabilities has been observed yet; however, it is highly recommended to apply the patches as soon as possible.
2022-009: Critical Vulnerability in Cisco VPN Routers - Monday, February 7, 2022 6:08:00 PM CET
On January 4th, Cisco has issued advisories and software updates to address multiple vulnerabilities of which the three most serious are identified as: "CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20708" with a severity score of 10 out of 10.
- "CVE-2022-20699" could lead to Remote Code Execution by unauthenticated attackers with "root" privileges.
- "CVE-2022-20700" could allow a remote attacker to elevate privileges to "root".
- "CVE-2022-20708" could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.
Concerning the "CVE-2022-20699" vulnerability, a public presentation was recently given at OffensiveCon 2022, followed by a leak of the exploit on Twitter. It is unknown what PoC exploits are available for the other vulnerabilities. However, once security updates are released, such PoCs tend to become public fairly quickly.
It is recommended to update as soon as possible.
2022-008: Critical Vulnerability in Samba - Tuesday, February 1, 2022 4:57:00 PM CET
On January 31, Samba has issued advisories and software updates to address multiple vulnerabilities one of which, identified as "CVE-2021-44142", could lead to Remote Code Execution with "root" privileges. It is recommended to update as soon as possible.
2022-007: Serious Vulnerability in All Major Linux Distributions - Thursday, January 27, 2022 6:27:00 PM CET
On January 25, Polkit's authors released a patch for their software fixing a severe vulnerability that could lead to local privilege escalation on all major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS).
Exploits for this vulnerability already exist in the wild.
It is recommended to update Linux distributions as soon as possible.
2022-006: Critical Vulnerabilities in Multiple Oracle Products - Thursday, January 20, 2022 6:24:00 PM CET
On January 18th, Oracle released their quarterly Critical Patch Update advisory, a collection of patches that addresses hundreds of critical security flaws, affecting several of their products. Many of these vulnerabilities may be remotely exploited without the need for user credentials. It is therefore highly recommended to apply the security patches without delay.
2022-005: Critical Vulnerability in Ivanti Products - Wednesday, January 19, 2022 10:25:00 AM CET
On January 17th, Ivanti updated its advisory related to the "CVE-2021-44228" vulnerability affecting some of its products. While this CVE affects the Java logging library "log4j", all products using this library are vulnerable to unauthenticated remote code execution.
2022-004: Multiple Vulnerabilities in GitLab - Monday, January 17, 2022 4:42:00 PM CET
On January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as 'critical' and two high-impact vulnerabilities, among others. The update tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of a state parameter in the GitHub import project OAuth flow.
GitLab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments.
2022-003: UPDATE: New Critical Vulnerabilities in Microsoft Products - Friday, January 14, 2022 5:26:00 PM CET
On the 11th of January 2022, Microsoft released a software update to mitigate several vulnerabilities that affect many of its products. A few of them could lead to remote code execution on certain versions of Microsoft Windows and Server, Microsoft Exchange Servers, and Microsoft Office, Word, Excel and Sharepoint.
No active exploitation of these vulnerabilities is known yet; however, regarding the "CVE-2022-21907" vulnerability, Microsoft said that organisations should prioritise fixing it, because this vulnerability can become wormable, that is, after infection, the virus can spread laterally on the intranet. Also, proof-of-concept code is already publicly available.
This is why it is generally recommended to apply the patches as soon as possible, but please refer to the [Recommendations] section for additional notes.
2022-002: Critical RCE Vulnerability in H2 Database Console - Friday, January 7, 2022 6:35:00 PM CET
On the 6th of January 2022, security researchers from JFrog identified a critical JNDI-based vulnerability in the H2 database console that exploits the same root cause as the Log4Shell vulnerability. Identified by CVE-2021-42392, this security flaw could lead to unauthenticated remote code execution.
H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode.
2022-001: Important Vulnerability in VMWare - Thursday, January 6, 2022 1:03:00 PM CET
On the 4th of January 2022, VMware released a security alert for a vulnerability affecting VMware Workstation, Fusion, ESXi Server and Cloud Foundation. This vulnerability, tracked as CVE-2021-22045, has an Important CVSSv3 score of 7.7. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit a heap overflow vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.
Successful exploitation requires a CD image to be attached to the virtual machine.