Control Gap Vulnerability Roundup: February 25th to March 3rd

This week saw the publication of 442 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 39% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• ArubaOS has had a staggering 21 vulnerabilities of varying severity disclosed this week; all requiring an attacker to be authenticated to exploit. This release appears to coincide with a batch disclosure of vulnerabilities identified by their bug bounty program.
• ClamAV, an open-source and “hackable” antivirus tool now owned by Cisco, has had two vulnerabilities disclosed which would allow for the compromise of an affected system if the tool was used to analyze a specially crafted file.
• Firmware for WAGO programmable logic controllers was found to not enforce authentication on requests made to the back end of its web management interface. An unauthenticated attacker could abuse this to completely compromise the affected system.
• Various models of Cisco IP phones were found to be vulnerable to remote code execution allowing an attacker who compromises the device to potentially lurk on the network for an extended period of time.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

ArubaOS Multiple Vulnerabilities

ArubaOS is a network management software made by Aruba Networks (a Hewlett Packard company) for their networking devices. This week a total of 21 vulnerabilities for the ArubaOS web management and command line interface were disclosed, ranging from authenticated cross-site scripting to authenticated arbitrary command injection. All of these vulnerabilities appear to have been disclosed by multiple security researchers through Aruba’s bug bounty program. These CVEs were publicly disclosed alongside Aruba’s product security advisory available here. These vulnerabilities highlight a recurring issue with product vendors hardening the perimeter of their products and not enforcing the same security standards on aspects which are assumed to be secure (such as authenticated functions). A full list of the vulnerabilities, along with Aruba’s workarounds / mitigations can be found in the product security advisory. A more succinct list provided by NIST can be found here.

ClamAV Multiple Vulnerabilities 

ClamAV is a Cisco open source highly customizable anti-virus engine that is commonly used by cyber security professionals to evaluate and detect proprietary or sensitive malware. This past week two vulnerabilities were disclosed which could allow for information disclosure or remote code execution on the affected system if the tool is used to analyze a crafted file of a specific filetype. Both vulnerabilities were identified by security researcher Simon Scannel and a patch has been released with multiple versions for the Cisco products which integrate ClamAV. Specific patched versions and mitigation information can be found on the Cisco security advisory pages, available here and here. The vulnerabilities are tracked as CVE-2023-20052 and CVE-2023-20032. The vulnerabilities are of particular concern as ClamAV often handles sensitive files or is operated by organizations involved in the cyber security industry. A compromise of a ClamAV system could potentially lead to the disclosure of confidential information or the compromise of a high value network.

WAGO Firmware Remote Code Execution

WAGO is a German electrical automation company that mainly produces hardware and programmable logic controllers (“PLCs”). A vulnerability affecting the web-based management portion of the firmware for PLCs was disclosed this week which would allow an unauthenticated attacker to write arbitrary data to the file system in the context of the root account. The vulnerability stems from the backend of the management interface not enforcing authentication, which means that an attacker with knowledge of how to interact with the backend of the interface could potentially take over the entire affected system. The vulnerability is being tracked as CVE-2022-45140. The vulnerability is patched with FW22 Patch 1 or FW24 and mitigations for those who cannot immediately update include deactivating the web-based management interface or restricting access to the affected device. More information can be found on the cert.vde.com site.

Cisco IP Phone User Interface Code Injection

Two vulnerabilities affecting Cisco’s web-based management interface of its IP phones have been disclosed which could allow for remote code execution on the affected devices. The vulnerabilities are tracked as CVE-2023-20078 and CVE-2023-20079, and affect multiple versions of Cisco phones including: 6800 series, 7800 series, 8800 series and other conferencing models. Specific details can be found in Cisco’s security advisory. These vulnerabilities can be particularly concerning as threat actors commonly seek out simple, network-based exploits after breaching the perimeter of a network. Compromising simple network devices, such as an IP phone, can result in persistent, covert access to a network and could potentially circumvent logging or detection solutions.