CSW's Threat Intelligence - January 16, 2022 - January 20, 2022
Posted on Jan 18, 2023 | Updated on Jan 20, 2023 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
- CISA Adds CVE-2022-44877 to the KEV Catalog
- Three Critical Vulnerabilities in Git
- CVE-2023-21752 Windows PE Vulnerability
Vulnerabilities to Watch Out For
- Exploits Available for Multiple Critical WordPress Flaws
- CVE-2022-47966: Critical ManageEngine Vulnerability
- CVE-2022-42841: macOS Gatekeeper and SIP Bypass Vulnerability
- Four Critical Vulnerabilities in Netcomm and TP-Link Routers
- CVE-2022-42475: Actively Exploited FortiOS Vulnerability
- CVE-2022-35690: RCE Vulnerability in Adobe ColdFusion
Last week we warned you about the CentOS Web Panel vulnerability that hackers are now exploiting to install reverse webshells and remotely execute code. The US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to the KEV catalog and has advised all users to patch it before February 7, 2023. Since CVE-2022-44877 is trending as a highly exploited vulnerability, we recommend that all Web Panel users patch it immediately.
Vulnerabilities to Watch Out For
CVE-2023-23488, CVE-2023-23489, and CVE-2023-23490 are critical SQL injection vulnerabilities in the WordPress plugins Paid Memberships Pro, Easy Digital Downloads, and Survey Marker, respectively. More than a thousand instances of these plugins have been downloaded by WordPress users and are actively in use. Because the latest versions of the plugins already fix these vulnerabilities, proof-of-concept code for these CVEs was published recently.
Users of these plugins are recommended to immediately upgrade to the latest version.
An outdated and vulnerable third-party dependency, Apache Santuario, in several ManageEngine products allows attackers to execute arbitrary code on ManageEngine servers. A product with single sign-on (SSO) enabled allows unauthenticated actors to access several ManageEngine products. This vulnerability is tracked as CVE-2022-47966, and ManageEngine has fixed it in the affected products.
CVE-2022-42841 is a critical vulnerability in the xar source code that allows a macOS security bypass using an unvalidated, maliciously crafted signed installer package. In some cases, this vulnerability could be exploited to bypass Gatekeeper and SIP and to elevate privileges to root. Apple fixed this issue in macOS Monterey 12.6.2, macOS Ventura 13.1, and macOS Big Sur 11.7.2. A public exploit is available for this vulnerability.
CVE-2022-41903 and CVE-2022-41953 are caused by a heap-based buffer overflow weakness. They impact the commit formatting mechanism in Git. An attacker who exploits these vulnerabilities can execute arbitrary code. Both CVEs were fixed in the latest versions of the Git tool (v2.30.7 and above).
CVE-2022-23521 impacts the Git GUI tool and enables unauthenticated actors to run untrusted code in low-complexity attacks. This vulnerability is yet to receive a fix from Git.
Git users are recommended to patch CVE-2022-41903 and CVE-2022-41953 immediately.
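For readers who want to turn the fixed versions named above (Git v2.30.7 and later; macOS Big Sur 11.7.2, Monterey 12.6.2 and Ventura 13.1 for CVE-2022-42841) into a quick inventory check, here is an added example that is not part of the original newsletter. It parses the output of `git --version` or `sw_vers -productVersion`, compares it per release branch, and treats branches it has no entry for as unknown rather than patched; the version strings it runs on are constructed samples, and the thresholds are exactly the ones stated in the text, so confirm them against the vendor release notes for your branch.

```python
"""Classify reported Git and macOS versions against the fixed versions named above."""
import re
from typing import Optional

# Fixed version per macOS release branch, keyed by major version (CVE-2022-42841).
# A branch with no entry is reported as "unknown", never as "patched".
FIXED_MACOS = {11: (11, 7, 2), 12: (12, 6, 2), 13: (13, 1)}
# Single floor as stated in the text for CVE-2022-41903 / CVE-2022-41953;
# check the Git release notes for the fixed version on your own branch.
GIT_FIXED = (2, 30, 7)


def parse_version(text: str) -> Optional[tuple]:
    """Pull the first dotted numeric version out of strings such as
    'git version 2.37.1 (Apple Git-137.1)' or '12.6.1'."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _at_least(found: tuple, minimum: tuple) -> bool:
    # Pad the shorter tuple with zeros so 13.1 compares equal to 13.1.0.
    n = max(len(found), len(minimum))
    return found + (0,) * (n - len(found)) >= minimum + (0,) * (n - len(minimum))


def git_status(version_output: str) -> str:
    """Classify `git --version` output as patched / vulnerable / unknown."""
    v = parse_version(version_output)
    if v is None:
        return "unknown"
    return "patched" if _at_least(v, GIT_FIXED) else "vulnerable"


def macos_status(product_version: str) -> str:
    """Classify `sw_vers -productVersion` output against the per-branch fixes."""
    v = parse_version(product_version)
    if v is None or v[0] not in FIXED_MACOS:
        return "unknown"
    return "patched" if _at_least(v, FIXED_MACOS[v[0]]) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for sample in ["git version 2.39.0", "git version 2.30.6", "no git here"]:
        print(f"{sample!r}: {git_status(sample)}")
    for sample in ["13.0", "13.1", "12.6.2", "11.7.1", "10.15.7"]:
        print(f"macOS {sample}: {macos_status(sample)}")
```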
This vulnerability allows an attacker to remotely delete files on a Windows server. By exploiting CVE-2023-21752, a threat actor can gain root privileges; however, the attacker cannot access data present on the server. By deleting a particular file, the threat actor can make the service unavailable.
Microsoft has released a security advisory for this CVE and recommends that users watch out for this vulnerability.
CVE-2022-4874 and CVE-2022-4873 are buffer overflow and authentication bypass vulnerabilities impacting Netcomm router models NF20MESH, NF20, and NL1902 running firmware versions earlier than R6B035. When chained together, these two vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary code. The CERT Coordination Center has also released a security advisory for these vulnerabilities.
CVE-2022-4499 and CVE-2022-4498 affect the TP-Link routers WR710N-V1-151022 and Archer-C5-V2-160201. Exploiting CVE-2022-4499 could lead to information disclosure, while CVE-2022-4498 can enable remote code execution. However, these two CVEs have not yet received a patch.
This critical zero-day vulnerability is caused by a heap-based buffer overflow flaw in FortiOS SSL-VPN. It allows a remote, unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. A suspected China-nexus campaign is believed to have exploited this vulnerability in early October 2022. Identified targets include a European government entity and a managed service provider located in Africa. The threat actor is using a new malware known as BOLDMOVE, which is specifically designed to run on FortiGate firewalls.
This CVE has already been added to the CISA KEV and users are recommended to immediately patch this vulnerability in their systems.
This is a memory corruption vulnerability caused by the lack of proper validation of user-supplied data. If exploited, it could allow an unauthenticated attacker to remotely execute code and gain SYSTEM privileges. CVE-2022-35690 impacts the databases connected to the ColdFusion Administrator. Adobe patched this vulnerability in October 2022 with APSB22-44. Adobe also recommends updating the ColdFusion JDK/JRE to the latest LTS release for JDK 11.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!