Control Gap Vulnerability Roundup: December 10th to December 16th

This week saw the publication of 806 new CVE IDs. Of those, 307 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 8% were of critical severity, 48% were high, 43% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Fortinet has quietly addressed a vulnerability in its FortiOS SSL-VPN product which could allow for remote code execution. The vulnerability is known to have been exploited in the wild.
• Citrix ADC and Citrix Gateway in certain authentication configurations can be vulnerable to remote code execution. Threat intelligence indicates the vulnerability has been exploited by APTs
• iOS has released a patch for its Webkit engine to address a arbitrary code execution vulnerability. Apple has warned the vulnerability may have been exploited in the wild.
• VMware vRealize has had multiple vulnerabilities disclosed including arbitrary file reads and remote code execution.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

FortiOS SSL-VPN Remote Code Execution 

A French cyber security firm “OLYMPE Cyberdefense” has released a blog post detailing exploitation of a previously undisclosed heap-based buffer overflow flaw in FortiOS SSL-VPN which would allow for arbitrary remote code execution. Fortinet has released a security advisory encouraging users to update to the latest available versions of affected products. In a theme this week, Fortinet has confirmed that the vulnerability has been exploited in the wild. The security advisory from Fortinet, along with the blog post from “OLYMPE Cyberdefense” outline mitigation workarounds for users who cannot currently apply patches along with guidance on how to detect indicators of compromise. The vulnerability, while having been acknowledged by Fortinet, currently does not have a CVE ID assigned

Citrix ADC and Citrix Gateway Unauthenticated Remote Code Execution

Citrix has released a security advisory and blog post warning customers of an unauthenticated remote code execution vulnerability (CVE-2022-27518) affecting Citrix ADC and Citrix Gateway which are configured to utilize SAML SP and SAML ldP authentication. Specific details surrounding affected product versions can be found in the Citrix security advisory. Currently, technical details surrounding the vulnerability are being withheld while customers apply the appropriate patches or apply workarounds or temporary mitigations. The U.S National Security Agency (NSA) has released its own cyber security advisory with detection and mitigation guidance along with threat intelligence that the vulnerability has been exploited in a limited fashion by APT actors

IOS Arbitrary Code Execution Zero-Day

Apple has released a security bulletin and patches for its tenth zero-day vulnerability this year. CVE-2022-42856 is a type confusion vulnerability in the Apple Webkit browser engine and affects multiple devices running versions of iOS before version 15.1. Apple has released a statement warning users that this vulnerability may have been exploited in the wild. The vulnerability was discovered by Google’s Threat Intelligence Team, although no technical details are currently available. Apple is urging customers to update as soon as possible.

VMware vRealize Network Insight Multiple Vulnerabilities

VMware vRealize Network Insight is a network and application monitoring tool developed by VMware which allows customers to “Monitor, discover, and analyze to build an optimized, highly-available and secure network infrastructure across clouds.”. VMware released a security advisory on December 13^th, detailing two vulnerabilities in the product (CVE-2022-31702, CVE-2022-31703) affecting versions 6.2 to 6.7, where one of the vulnerabilities is considered by VMware to be critical. CVE-2022-31703 is a directory traversal vulnerability affecting the vRNI REST API that could allow attackers with network access to read arbitrary files from the server. CVE-2022-31702, is a command injection vulnerability that also affects the vRNI REST API and could allow attackers with network access to execute arbitrary commands on the server. VMware has stated that there are no workarounds that could mitigate these vulnerabilities and users should update to the latest available version immediately.