Netizen: September Vulnerability Review

Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing outside attack surface. Netizen’s Security Operations Center (SOC) has compiled eight vulnerabilities from August that should be immediately patched or addressed if present in your environment. Detailed writeups below:

CVE-2022-33636 & CVE-2022-22021:

Microsoft Edge (Chromium-based) browser vulnerability. The NIST CVSSv3 base score is a rating of 8.3/10 and it is an RCE (Remote Code Execution) vulnerability. In order to exploit this vulnerability, an attacker must create a race condition, which is a common problem in multithreaded applications. A race condition occurs when two processes or threads of a computer program try to access the same resource at the same time, and it can allow an attacker to gain access to secure areas. This can lead to an escape from the browser’s sandbox, the isolation layer that separates the user’s internet activity from the rest of their computer. Although the severity is rated high, the amount of user interaction needed causes the severity to be downgraded. An attacker needs to design a website that exploits the Microsoft Edge vulnerability and trick a user into viewing that website, which would require some form of social engineering such as email phishing.

CVE-2021-42321:

Microsoft Exchange Server vulnerability. The NIST CVSSv3 base score is a rating of 8.3/10 and it is an RCE (Remote Code Execution) vulnerability. There is a Metasploit module that can execute an exploit payload on the following Exchange Servers: 2019 CU10 before Security Update 3, 2019 CU11 before Security Update 2, 2016 CU21 before Security Update 3, and 2016 CU22 before Security Update 2. In order to exploit this vulnerability, the attacker has to authenticate. The vulnerability exists in the ChainedSerializationBinder, which is used to ensure that the types named in serialized data are valid, preventing the deserialization of dangerous (malicious) types. There is a typo in the ChainedSerializationBinder deny list: an entry is typed as System.Security.ClaimsPrincipal instead of System.Security.Claims.ClaimsPrincipal, so an attacker can bypass the deserialization deny list and execute code as NT AUTHORITY\SYSTEM or root user.
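To show why one mistyped deny-list entry defeats the whole check, here is an added Python model of such a binder; it is constructed for this review, is not Exchange code, and the allow-list binder at the end is an assumed safer design rather than anything the page describes.

```python
# Constructed model of a deserialization type-name deny list, in the style of
# the Exchange ChainedSerializationBinder bug described above. Not Exchange code.

# Deny list with the typo the page describes: the "Claims" namespace segment
# is missing, so the real ClaimsPrincipal type name never matches an entry.
DENY_LIST_TYPO = frozenset({
    "System.Security.ClaimsPrincipal",
})

# Corrected entry: the full namespace of the type as it exists in .NET.
DENY_LIST_FIXED = frozenset({
    "System.Security.Claims.ClaimsPrincipal",
})

# Assumed allow list for the safer design: only types the application expects.
ALLOW_LIST = frozenset({"System.String", "System.Int32"})


def normalize_type_name(qualified_name: str) -> str:
    """Reduce a .NET assembly-qualified name to its namespace-qualified type
    name, e.g. 'Ns.Type, Assembly, Version=1.0' -> 'Ns.Type'."""
    return qualified_name.split(",", 1)[0].strip()


def denylist_binder_allows(qualified_name: str, deny_list: frozenset) -> bool:
    """Deny-list binder: anything not explicitly listed is bound (deserialized)."""
    return normalize_type_name(qualified_name) not in deny_list


def allowlist_binder_allows(qualified_name: str) -> bool:
    """Allow-list binder: only expected types are bound; everything else fails
    closed, so a typo in the list breaks functionality instead of security."""
    return normalize_type_name(qualified_name) in ALLOW_LIST


# Constructed sample of a type name as it would appear inside serialized data.
GADGET_TYPE = ("System.Security.Claims.ClaimsPrincipal, mscorlib, "
               "Version=4.0.0.0, Culture=neutral")

if __name__ == "__main__":
    print("typo deny list binds gadget: ",
          denylist_binder_allows(GADGET_TYPE, DENY_LIST_TYPO))   # True (bypass)
    print("fixed deny list binds gadget:",
          denylist_binder_allows(GADGET_TYPE, DENY_LIST_FIXED))  # False (blocked)
    print("allow list binds gadget:     ",
          allowlist_binder_allows(GADGET_TYPE))                  # False (blocked)
```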

CVE-2022-23277:

Microsoft Exchange Server vulnerability. The NIST CVSSv3 base score is a rating of 8.8/10 and it is an RCE (Remote Code Execution) vulnerability. This vulnerability is similar to CVE-2021-42321, but affects Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 before MAR22SU; it also requires authentication in order to exploit.

CVE-2021-1585:

Cisco Adaptive Security Device Manager (ASDM) and ASDM Launcher vulnerability. The NIST CVSSv3 base score is a rating of 8.3/10, while Cisco gives a CVSSv3 score of 7.5. ASDM allows you to manage the Cisco Secure Firewall. The vulnerability could allow RCE (Remote Code Execution) by an unauthenticated attacker on a user’s OS. The cause is improper signature verification of code exchanged between ASDM and the Launcher. An attacker can use this vulnerability through a MITM (Man in the Middle) attack, intercepting the traffic between the Launcher and ASDM and injecting malicious code. In order to leverage this vulnerability, the attacker needs to do some social engineering to get a user to begin communication between the Launcher and ASDM. There are two types of reverse payloads that could be used to get RCE: jjs.exe based (a JavaScript engine shipped with Java that executes in memory and can give a command prompt on the workstation) or Longtime Sunshine (post-exploitation framework) based. Cisco reported that this issue was fixed in ASDM 7.18.1.150, but Rapid7 informed Cisco that the issue was, in fact, not fixed. Cisco retracted ASDM 7.18.1.150 and attempted to fix the issue in 7.18.1.152. However, it has been reported that the issue remains exploitable as long as the user clicks through a pop-up.

CVE-2022-37401 & CVE-2022-37400:

Apache OpenOffice vulnerability. The NIST CVSSv3 base score is a rating of 8.8/10. The vulnerability affects Apache OpenOffice versions before 4.1.13. Similar to some web browsers, Apache OpenOffice allows the user to store web connection passwords in the user’s configuration database. These stored passwords are encrypted, and a user master key is needed to access them. The vulnerability is a poorly encoded master key, which weakens its randomness from 128 to 43 bits. This makes the stored passwords vulnerable to a brute-force attack if the attacker has access to the user’s configuration database file.

CVE-2022-35794:

Windows Secure Socket Tunneling Protocol (SSTP) vulnerability. The NIST CVSSv3 base score is a rating of 8.1/10 and it is an RCE (Remote Code Execution) vulnerability. This CVE ID is unique from CVE-2022-34702, CVE-2022-34714, CVE-2022-35745, CVE-2022-35752, CVE-2022-35753, CVE-2022-35766, and CVE-2022-35767. In order to successfully exploit this vulnerability, an attacker must create a race condition, which is a common problem in multithreaded applications. A race condition occurs when two processes or threads of a computer program try to access the same resource at the same time, and it can allow an attacker to gain access to secure areas. This vulnerability could allow an unauthenticated attacker to send a specially crafted connection request to a Remote Access Server and get RCE on that server.

Conclusion:

In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact
