Control Gap Vulnerability Roundup: August 20th to August 26th

This week saw the publication of 565 new CVE IDs. Of those, 170 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 22% were of critical severity, 46% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Atlassian BitBucket remote code execution vulnerability allows user with read permissions on any public/private repository to execute arbitrary code through a crafted HTTP request.
• GitLab community edition and enterprise editions are affected by a remote code execution vulnerability in which an authenticated user who can “import from GitHub” can execute arbitrary code in the context of the affected server.
• BlackHat presenters found variations of similar vulnerabilities in automotive remote keyless entry systems which allow for “time-agnostic” exploitation of keyless entry systems.
• The restaurant management software Tabit had multiple vulnerabilities published this week including information disclosure, weak password generation, database injection, unauthorized account modification, and arbitrary SMS messaging as the Tabit server.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Atlassian BitBucket Remote Code Execution

All versions of Atlassian BitBucket Server and Data Center between 7.0.0 and 8.3.0 are affected by a remote code execution vulnerability being tracked as CVE-2022-36804. Multiple API endpoints in the software would allow an attacker with read permissions on any public or private BitBucket repository to execute arbitrary code in the context of the server by sending a crafted HTTP request. The vulnerability was reported to Atlassian through their bug bounty program by the user “TheGrandPew”. Atlassian has released a security advisory and patches and have assigned the vulnerability a CVSS score of 9.9.

GitLab Remote Code Execution

GitLab Community Editions and Enterprise Editions between 11.3.4 to 15.1.5, 15.2 to 15.2.3, and 15.3 to 15.3.1 are affected by an authenticated remote code execution vulnerability. Users with the ability to use the “Import from GitHub” API endpoint can achieve arbitrary code execution on the affected GitLab server. The vulnerability was discovered through the software’s HackerOne bug bounty program by the user “yvvdwf”. GitLab has released a security advisory highlighting a patch and a workaround for users who cannot apply the patch immediately. The CVE id is currently reserved at the time of writing with no further information, GitLab has declared it is being published with the id CVE-2022-2884.

“RollBack” Exploit for Vulnerabilities in Multiple Automobile Manufacturers Keyless Entry

Researchers for the NCS group, the National University of Singapore, and DSBJ Pte. Ltd. have developed an exploit titled “RollBack” targeting vulnerabilities CVE-2022-36945, CVE-2022-37305, and CVE-2022-37418 which are logic vulnerabilities in the remote keyless entry (RKE) systems of vehicles produced by Hyundai, Honda, Kia, Mazda, Nissan and Toyota. Through a novel replay attack the researchers were able to exploit variations of the vulnerability across vehicle manufacturers to trigger the RKE system of the vehicles. The researchers presented their findings in a presentation at BlackHat in early August and just this week the CVE ids were published. The exploit was deemed “time-agnostic” meaning attackers could exploit the vulnerability at any time (after some preparation) which is unlike exploits targeting RKE systems in the past in which an attacker payload could “expire”. The research found that across different vehicle make, models, and RKE system manufacturers approximately 70% of vehicles in the Asian market were vulnerable. The researchers posit that given three out of four manufacturers were using vulnerable RKE systems, the impact is likely to be higher. It is not clear if manufacturers plan to fix these types of vulnerabilities in older model vehicles but some have stated they will fix them moving forward.

Tabit Multiple Vulnerabilities

Tabit, a popular online solution for managing restaurant services has had seven vulnerabilities published this week including sensitive information disclosure, account modification, database injection, weak passwords, and arbitrary SMS send. Due to Covid-19 health and safety protocols in countries which have seen significant adoption of Tabit software the information disclosure vulnerabilities have the potential to expose sensitive health information recorded by the application. In addition to covid status, the application may also expose billing information and itemized receipts. Limited information on the vulnerabilities is available at the time of writing but the Israel National Cyber Directorate is encouraging users to update to version 3.27.0. The seven vulnerabilities are being tracked with the following CVE ids:

• CVE-2022-34776
• CVE-2022-34775
• CVE-2022-34774
• CVE-2022-34773
• CVE-2022-34772
• CVE-2022-34771
• CVE-2022-34770