Control Gap Vulnerability Roundup: February 18th to February 24th

This week saw the publication of 326 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores. Of the ones that were, approximately 19% were of critical severity, 25% were high, 55% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • An arbitrary password reset vulnerability in the open source “GNUBoard” bulletin board system, tracked as CVE-2022-44216, could lead to account takeovers.
  • CloudFlow ProofScope, a web-based software application for proofing and collaboration, was found to be affected by an arbitrary file upload vulnerability leading to code execution, tracked as CVE-2022-41217.
  • ZoneMinder, the popular open-source CCTV software, was found to be affected by 8 different vulnerabilities including authenticated code execution, local file inclusion, cross-site scripting, path traversal, and SQL injection.
  • Two cross-site scripting vulnerabilities were disclosed for JetBrains TeamCity which could allow for scripting attacks against users of the platform.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


GNUBoard Account Takeover

Severity: Critical

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits 

No

 

GNUBoard is an open-source bulletin board system developed in South Korea that, according to Wappalyzer, is used on at least 11,000 websites. An account takeover vulnerability, tracked as CVE-2022-44216, was disclosed this week which would allow an attacker to change the password for any account on the affected platform. The issue was originally reported to GNUBoard by GitHub user “projectSylas” and is currently understood to only affect versions 5.54 and 5.55. The problem stems from the password reset functionality contained in the “/bbs/password_reset_update.php” file which does not verify if the user is authorized to initiate a password reset for a given account. The problem was originally patched in April of 2022, but interestingly the CVE record was only created in February 2023. The vulnerability has been fixed as of commit “11718eb4c02ffdca5393bedc0300a75e4e7b19f2”. It would likely be quite simple for a motivated attacker to figure out how to exploit this vulnerability to create headaches for users of unpatched instances.


CloudFlow ProofScope Unauthenticated File Upload 

Severity: Critical

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits 

No

 

CloudFlow ProofScope is marketed as a “turnkey solution for soft proofing and collaboration”. Security researcher “Witold Gorecki” identified a vulnerability in the CloudFlow ProofScope web application which would allow for arbitrary file upload and code execution via executable file uploads. The vulnerability is tracked as CVE-2022-41217 and affects versions 2.x up to and including 2.3.1. Version 2.3.2 contains an update to address this issue. Interestingly, the vulnerability was reported through DIVD (Dutch Institute for Vulnerability Disclosure), whose motto is “open, honest, collaborative, and for free”. The organization’s vulnerability tracking site keeps succinct statistics for the vulnerabilities it identifies, including the number of IP addresses found to be affected. Shoutout to the Dutch for being leaders in the space.


ZoneMinder Multiple Vulnerabilities

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits

Yes

 

A total of 8 vulnerabilities have been disclosed for ZoneMinder, the popular open-source closed-circuit TV software. The 8 vulnerabilities were disclosed for versions prior to 1.36.33 and 1.37.33 and include authenticated code execution, local file inclusion, cross-site scripting, path traversal, and SQL injection. Multiple patches have been submitted through different commits, and the new official version 1.37.35 release addresses all issues. The project is leveraging the new GitHub advisories feature, and all relevant CVEs and information can be found on the project’s advisories page.


JetBrains TeamCity Cross-Site Scripting (XSS)

Severity: Low

 

Real-World Exploitability

Low

Exploited in the Wild

No

Available Public Exploits

No

 

Two vulnerabilities were disclosed this week affecting JetBrains TeamCity, a “Continuous integration / Continuous deployment” (CI/CD) server which allows for “collaborative and flexible” development practices. The two vulnerabilities, CVE-2022-48343 and CVE-2022-48344, affect version 2022.10.2 of the product and allow for XSS attacks via the user creation or group creation processes within the platform. According to the JetBrains “Issues Fixed” page, neither vulnerability is as severe as it initially sounded, with both receiving medium severity scores. However, the idea of DevOps team members attacking each other with arbitrary scripting on their development platform does seem to come across as quite funny.
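To check an asset inventory against the affected versions listed in this roundup, the following added example (not code from Control Gap or any of the projects mentioned) encodes each entry's version range as stated above, including ZoneMinder's two release branches with separate fixed versions. The product keys, hostnames and inventory rows are constructed assumptions.

```python
# Added example: affected-version triage using the ranges stated in this roundup.
import re

def parse(version):
    """'1.36.32' -> (1, 36, 32); a suffix such as '-rc1' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def zoneminder_affected(v):
    # Two branches, each with its own fixed release: a 1.37.x build is newer
    # than 1.36.33 yet still affected until 1.37.33.
    if v[:2] == (1, 37):
        return v < (1, 37, 33)
    return v < (1, 36, 33)

# Hypothetical product keys; the version rules follow the text of the roundup.
RULES = {
    "gnuboard": lambda v: v in {(5, 54), (5, 55)},            # CVE-2022-44216
    "proofscope": lambda v: v[:1] == (2,) and v <= (2, 3, 1),  # CVE-2022-41217
    "zoneminder": zoneminder_affected,
    "teamcity": lambda v: v == (2022, 10, 2),  # CVE-2022-48343 / CVE-2022-48344
}

def triage(inventory):
    """Return the (host, product, version) rows that match an affected range."""
    hits = []
    for host, product, version in inventory:
        rule = RULES.get(product.lower())
        v = parse(version)
        # Rows with an unknown product or unparseable version are skipped.
        if rule and v and rule(v):
            hits.append((host, product, version))
    return hits

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("cam-01", "ZoneMinder", "1.36.32"),
    ("cam-02", "ZoneMinder", "1.36.33"),
    ("cam-03", "ZoneMinder", "1.37.10"),
    ("cam-04", "ZoneMinder", "1.37.35"),
    ("proof-01", "ProofScope", "2.3.1"),
    ("proof-02", "ProofScope", "2.3.2"),
    ("forum-01", "GNUBoard", "5.55"),
    ("ci-01", "TeamCity", "2022.10.2"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("AFFECTED", *row)
```

A naive single-threshold comparison against 1.36.33 would miss `cam-03`, which is why the ZoneMinder rule is evaluated per branch.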
