
Control Gap Vulnerability Roundup: April 1st to April 7th


This week saw the publication of 579 new CVE IDs. Of those, 314 have not yet been assigned official CVSS scores; of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Two new zero-day arbitrary code execution vulnerabilities affecting multiple Apple products have been disclosed and patched.
  • VM2, a popular JavaScript library designed around the secure execution of untrusted code, was affected by a vulnerability which would allow attackers to escape the sandbox and execute arbitrary code on the host system.
  • A vulnerability affecting HP LaserJet products has been disclosed which would allow an attacker to compromise IPsec credentials. HP has disputed the vulnerability's severity based on the highly conditional requirements for exploitation.
  • The open-source edge and service proxy “Envoy” has had multiple vulnerabilities disclosed this past week which could potentially allow for the compromise of sensitive communications between applications and the network layer.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


Apple Zero-Days: Use-After-Free and Out-of-Bounds Write

Control Gap severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Yes
Available Public Exploits: No

Two zero-day vulnerabilities in multiple Apple products have received emergency patches following an Apple security advisory published on April 7th. Apple has stated that it is aware the vulnerabilities may have been exploited in the wild. The first vulnerability, CVE-2023-28205, affects Safari 16.4.1, iOS / iPadOS 15.7.5, macOS Ventura 13.3.1, and iOS / iPadOS 16.4.1. It is a use-after-free in WebKit, the open-source web browser engine used by Safari. WebKit is frequently targeted by attackers because it provides a valuable vector for achieving privileged code execution on Apple products; in this case, the use-after-free could result in arbitrary code execution on the affected device. The second vulnerability, CVE-2023-28206, affects iOS / iPadOS 16.4.1, macOS Ventura 13.3.1, iOS / iPadOS 15.7.5, macOS Monterey 12.6.5, and macOS Big Sur 11.7.6. It is an out-of-bounds write in the “IOSurfaceAccelerator” Apple component and can likewise result in arbitrary code execution. Apart from “typical” WebKit or browser-based exploits, vulnerabilities targeting novel components in the Apple ecosystem are likely to be pursued by APTs for their implied stealth. Apple is encouraging users to update as soon as possible. The following pages relate to all vulnerabilities and affected products discussed above:


VM2 Sandbox Escape – Remote Code Execution

Control Gap severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes

VM2 is a JavaScript sandbox designed to allow for the secure execution of untrusted JavaScript code. Researchers from the Korea Advanced Institute of Science and Technology discovered a vulnerability which would allow for arbitrary code execution on affected hosts. The vulnerability affects versions 3.9.14 and older and has been patched as of version 3.9.15. The problem is particularly concerning because many users rely on the library being inherently secure. The VM2 sandbox has approximately 4.6 million weekly downloads on NPM and is utilized in multiple JavaScript-based software solutions. Proof-of-concept code has been released for the vulnerability and will likely be adapted into weaponized exploits soon. The vulnerability is tracked as CVE-2023-29017 and received a CVSS severity score of 10. Users are encouraged to update their VM2 libraries as soon as possible, as there are no known workarounds.
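A dependency-tree check a defender might run in response to the VM2 advisory, written for this roundup as an added example (not Control Gap's or the vm2 project's code); it assumes a standard npm package-lock.json and treats any vm2 copy below 3.9.15 as unpatched, including copies nested under other dependencies.

```javascript
// Added example (not Control Gap's or the vm2 project's code): list vm2 installs in a
// package-lock.json that are older than the patched release named in the roundup.
const PATCHED_VM2 = "3.9.15";
// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any pre-release suffix is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
// Numeric comparison, so "3.10.0" sorts after "3.9.15" (a string compare would not).
function isOlder(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) return false; // unparseable versions are not reported as vulnerable
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Accepts a lockfile object or its JSON text; handles lockfileVersion 1, 2 and 3.
function findVulnerableVm2(lockfile) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  const hits = [];
  const record = (path, version) => {
    if (isOlder(version, PATCHED_VM2)) hits.push({ path, version });
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path, e.g. "node_modules/foo/node_modules/vm2"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) record(path, meta.version);
    }
  } else {
    // v1: nested "dependencies" tree, so walk it and rebuild the install path
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2") record(path, meta.version);
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Constructed sample lockfile (not from any real project): the top-level vm2 is patched,
// but a second copy nested under another dependency is still on 3.9.14.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vm2": { version: "3.9.15" },
    "node_modules/some-tool/node_modules/vm2": { version: "3.9.14" },
  },
};
console.log(findVulnerableVm2(SAMPLE_LOCK)); // [{ path: "node_modules/some-tool/node_modules/vm2", version: "3.9.14" }]
```

Point `findVulnerableVm2` at the contents of a real lockfile (for example via `fs.readFileSync`) to see every stale copy that `npm ls vm2` would also surface, with the install path showing which dependency pulls it in.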


HP LaserJet Zero-Day

Control Gap severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No

A wide variety of HP LaserJet printers have been found to be affected by a highly conditional vulnerability, CVE-2023-1707, which could compromise information transmitted between IT systems and the HP device. HP devices running version 5.6 of the “FutureSmart” firmware with IPsec in use are potentially vulnerable. A full list of affected devices can be found in HP’s disclosure. HP has released an official statement disputing the severity of the vulnerability, which has been assigned a CVSS score of 9.1, and is encouraging affected users to update to the latest available patch. Users seeking to update their HP devices can find firmware updates here.


Envoy Multiple Vulnerabilities

Control Gap severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No

Envoy is an “open-source edge and service proxy designed for cloud-native applications”. Six vulnerabilities have been disclosed for the software this past week, including denial of service, security policy bypasses, and JSON Web Token abuses. Multiple versions of Envoy are affected; the issues have been addressed in security advisories published via GitHub’s new disclosure platform. Given the tool’s position between applications and the network, compromising Envoy could lead to the compromise of highly critical or otherwise sensitive information. The vulnerabilities are being tracked as follows:
