Control Gap Vulnerability Roundup: February 11th to February 17th

This week saw the publication of 788 new CVE IDs. Of those, 526 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 6% were of critical severity, 44% were high, 49% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• A remote code execution vulnerability involving JNDI abuse (like Log4J) and insecure deserialization was disclosed for Apache Kafka.
• FortiNAC and FortiWeb were patched to remediate remote code execution vulnerabilities which could potentially allow an attacker with no privileges to breach an organization’s perimeter.
• Apple has patched a zero-day remote code execution vulnerability in its WebKit browser engine. Apple has confirmed it was exploited in the wild but will not provide any further technical details. Special thanks were given to Citizen Lab.
• Citrix has patched a privilege escalation vulnerability which would allow any Windows user within the VDE to escalate to “NT AUTHORITY\SYSTEM.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Apache Kafka Remote Code Execution

A remote code execution vulnerability in the open-source platform Apache Kafka was disclosed this week. The vulnerability was discovered by Jari Jääskelä as part of the Aiven bug bounty program. The vulnerability centers around how Kafka handles worker connectors. The exploit abuses LDAP and JNDI; if that sounds familiar it’s because it is the exact same attack class that allowed for remote code execution in the popular Log4j library. An attacker can configure a worker connection that causes the Kafka server to reach out to an attacker-controlled LDAP server, which can supply crafted serialized LDAP payloads. The payloads are then deserialized by the Kafka server, triggering gadget chains to execute code on the system. The vulnerability affects versions 2.3.0 through 3.3.2 and is fixed in version 3.4.0. The vulnerability can be identified by CVE-2023-25194.

ForitNAC and FortiWeb Remote Code Execution 

Two unique vulnerabilities affecting Fortinet products have been disclosed and addressed by Fortinet this week. Both vulnerabilities received critical severity ratings and could result in unauthenticated remote code execution on the affected devices. The first vulnerability, tracked as CVE-2022-39952, is an arbitrary file write affecting FortiNAC versions 8.3 through 8.8 and select versions between 9.1 and 9.4. Remediation instructions and a full list of affected versions can be found here. The second vulnerability, tracked as CVE-2021-42756, is a stack-based buffer overflow which can result in arbitrary code execution that could be triggered by crafted HTTP requests sent to the affected device. Remediation instructions and a full list of affected versions can be found in Fortinet’s security advisory. Remote code execution vulnerabilities in perimeter devices such as those manufactured by Fortinet are particularly concerning as they provide a pathway for attackers to gain access to an organization’s internal networks.

Apple WebKit Remote Code Zero-Day

Apple has disclosed a remote code execution zero-day affecting its WebKit browser engine. Apple released an advisory highlighting the “security content” of the iOS 16.3.1 and iPadOS 16.3.1 which included fixes for a type confusion vulnerability in WebKit. Apple has confirmed that the vulnerability has been exploited in the wild and gave additional recognition to University of Toronto Munk School’s Citizen Lab, an interdisciplinary lab dedicated to investigating threats to human rights. Citizen Lab famously researched and reported on NSO Group spyware “Pegasus”, which was designed to compromise victim cell phones with no user interaction and the only attacker requirement being a victim phone number. Apple has not released any additional information, likely to prevent other industrious attackers from weaponizing the exploit before the majority of users can update. The vulnerability has been assigned the ID CVE-2023-23529, but at the time of writing this ID has not been published and is still in the reserved state.

Citrix Virtual Apps and Desktops Privilege Escalation

Citrix has disclosed a vulnerability in its Virtual Apps and Desktops service which could allow a user to escalate privileges to the NT AUTHORITY\SYSTEM account. The only requirement for the attack is that the attacker has access as a Windows user to the vulnerable virtual delivery agent (VDA). The vulnerability, tracked as CVE-2023-24483, affects versions of the product before version 2212, versions before 2203 LTSR CU2, and versions 1912 LTSR CU6 and prior. There is currently very little technical information available regarding the vulnerability, but the Citrix advisory gives a special thanks to the Lockheed Martin Red Team.