Control Gap Vulnerability Roundup: January 14th to January 20th

This week saw the publication of 712 new CVE IDs. Of those, 247 have not yet been assigned official CVSS scores. Of the ones that were, approximately 21% were of critical severity, 29% high, 48% medium and 2% low. Listed below are the vulnerabilities that caught our attention:

  • Multiple remote code execution vulnerabilities were identified in the ubiquitous open-source project Git via a source code review conducted by X41 D-Sec and the GitLab Security Research Team.
  • Two vulnerabilities that can be chained to achieve unauthenticated remote code execution have been disclosed for multiple models of Cisco Small Business router. The products are end-of-life and Cisco has stated it will not address the vulnerabilities.
  • A vulnerability in the Samsung Galaxy App Store could allow applications already present on the phone to install any app available through the store without user permission. The vulnerability does not affect Android 13 or later due to additional security measures in that OS version.
  • Multiple vulnerabilities were disclosed by CISA for Sewio’s Real-Time Location System, including remote code execution. Given the product’s ability to track personnel in real time, the impact may be much more severe than the assigned CVSS score suggests.

The modern threat landscape is an ever-changing vista of vulnerabilities, tools, tactics and procedures that pose an existential threat to the security of organizations’ IT infrastructure. A key part of an evergreen security program is maintaining an up-to-date knowledge base of actionable threat intelligence that an organization can use to improve its security posture. With dozens of novel threats and vulnerabilities becoming public each week, it can be challenging for IT professionals to keep pace. In this weekly segment, Control Gap aims to separate the signal from the noise by highlighting newly disclosed vulnerabilities that have been assigned a CVE ID and which are exceedingly novel, widespread, critical or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


Git Remote Code Execution

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No

A source code review of Git, sponsored by the Open Source Technology Improvement Fund and conducted by X41 D-Sec and GitLab, identified a number of vulnerabilities in the nearly universal version control project, including potential remote code execution. Two of them, CVE-2022-23521 and CVE-2022-41903, were patched this week in fix releases for every maintained track, going back to Git 2.30.7.

The first, CVE-2022-23521, affects Git clone and pull operations via memory corruption triggered by a specially crafted .gitattributes file. The parser keeps counts of the number of attribute lines and the number of attributes per line in fixed-width integers, so a file with a very large number of lines, or a line with a very large number of attributes, overflows those counters and leads to out-of-bounds reads and writes. A Git client operating on a repository with a malicious or compromised .gitattributes file could therefore crash or, potentially, execute attacker-controlled code.

The second, CVE-2022-41903, affects the “git log” command when used with the --format switch, which, according to PortSwigger, is common practice in services such as GitHub and GitLab. The padding operators of Git’s pretty-format placeholders (for example %<( and %>() do arithmetic on attacker-influenced lengths, and a crafted format or commit can overflow an integer and corrupt memory. The researchers note that the most impactful vector is the “export-subst” attribute: marking a file export-subst in .gitattributes causes “git archive” to expand $Format:...$ placeholders in that file through the same pretty-format code, so a hostile repository can reach the bug on any server that archives it. Both vulnerabilities therefore represent a significant supply chain risk: any client, including Git forges such as GitHub or GitLab, that interacts with a malicious or compromised repository could inadvertently trigger an exploit. GitLab has released a security advisory and “…highly [recommend] that all customers upgrade to the latest security release for their supported version”.
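As an added example, not code from this page, from Git, or from the X41/GitLab review, the Python script below does the two checks a practitioner would want after reading the above: it confirms that the local Git is at or above the fix release for its maintenance track, and it audits a repository’s .gitattributes for the shapes these two bugs depend on (very long lines, very many attributes on one line, and export-subst markers that make git archive run the pretty-format code). The fixed-version table is the set of maintenance releases announced with the fix and should be verified against the upstream Git advisory before relying on it; the audit thresholds are this example’s own conservative choices, not Git’s internal limits; the sample .gitattributes content is constructed.

```python
"""Added example: Git fix-release check and .gitattributes audit (not Git's own code)."""
import re
import subprocess

# Maintenance releases shipped with the fixes for CVE-2022-23521 and
# CVE-2022-41903. Verify against the upstream advisory before relying on it.
FIXED_VERSIONS = {
    (2, 30): (2, 30, 7), (2, 31): (2, 31, 6), (2, 32): (2, 32, 5),
    (2, 33): (2, 33, 6), (2, 34): (2, 34, 6), (2, 35): (2, 35, 6),
    (2, 36): (2, 36, 4), (2, 37): (2, 37, 5), (2, 38): (2, 38, 3),
    (2, 39): (2, 39, 1),
}


def parse_git_version(text):
    """Turn 'git version 2.39.1' (or '2.38.2.windows.1') into (2, 39, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this Git version carries the January 2023 fixes."""
    track = tuple(version[:2])
    fixed = FIXED_VERSIONS.get(track)
    if fixed is None:
        # Tracks newer than 2.39 were cut after the fix; tracks older than
        # 2.30 never received one.
        return track > (2, 39)
    return tuple(version) >= fixed


def local_git_is_patched():
    """Run the installed git and check it (assumes git is on PATH)."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_patched(parse_git_version(out))


# Audit thresholds: this example's own conservative choices, not Git's limits.
MAX_LINE_LEN = 2048
MAX_ATTRS_PER_LINE = 1024

# A pattern that starts with '"' is C-quoted and may contain spaces.
_QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*(.*)$')


def parse_gitattributes(text):
    """Yield (lineno, raw_line, pattern, [attribute tokens]) per rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment
        m = _QUOTED.match(line)
        if m:
            pattern, rest = m.group(1), m.group(2)
        else:
            parts = line.split(None, 1)
            pattern, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        yield lineno, raw, pattern, rest.split()


def attribute_name(token):
    """'-text' -> 'text', '!diff' -> 'diff', 'eol=lf' -> 'eol'."""
    return token.lstrip("-!").split("=", 1)[0]


def audit_gitattributes(text):
    """Return (lineno, kind, detail) findings for the shapes the two CVEs rely on."""
    findings = []
    for lineno, raw, pattern, attrs in parse_gitattributes(text):
        if len(raw) > MAX_LINE_LEN:
            findings.append((lineno, "line-too-long", len(raw)))
        if len(attrs) > MAX_ATTRS_PER_LINE:
            findings.append((lineno, "too-many-attributes", len(attrs)))
        if "export-subst" in map(attribute_name, attrs):
            # git archive expands $Format:...$ in matching files through the
            # pretty-format code path affected by CVE-2022-41903.
            findings.append((lineno, "export-subst", pattern))
    return findings


# Constructed sample, not taken from any real repository.
SAMPLE_GITATTRIBUTES = "\n".join([
    "# constructed sample",
    "*.c diff=cpp",
    "*.txt text eol=lf",
    "VERSION export-subst",
    '"docs/release notes.md" -text',
    "*.bin " + " ".join(f"x{i}" for i in range(1200)),
])

if __name__ == "__main__":
    for finding in audit_gitattributes(SAMPLE_GITATTRIBUTES):
        print(finding)
    print("local git patched:", local_git_is_patched())
```

Run it inside a checkout with the real .gitattributes fed to audit_gitattributes; an export-subst finding is the cue to not run git archive on that repository from an unpatched Git, and an unpatched local_git_is_patched() result is the cue to upgrade before cloning anything untrusted.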


Cisco Small Business Router Arbitrary Command Execution

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: Private Exploits are Available

A vulnerability chain resulting in remote code execution has been disclosed for Cisco Small Business Routers, specifically the RV016, RV042, RV042G and RV082 models. The two vulnerabilities, CVE-2023-20025 and CVE-2023-20026, allow an authentication bypass and an authenticated command injection respectively; chained together, they let an unauthenticated attacker achieve arbitrary command execution. All of the affected products are end-of-life and Cisco has announced it will not release a patch to address them. Both vulnerabilities are in the products’ web-based management interface, so Cisco suggests that customers still running these devices restrict access to that interface and not expose it to the public internet. Research by the firm Censys indicates that approximately 20,000 of the affected devices are publicly exposed.


Samsung Galaxy App Store Arbitrary App Install

Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: Yes

Researchers with NCC Group have identified a vulnerability in the Samsung Galaxy App Store that allows an app to install additional applications on its own, without user interaction. The vulnerability, CVE-2023-21433, stems from the Galaxy Store’s improper handling of Android Intents. NCC Group released a technical write-up and a proof of concept that used the Android Debug Bridge (ADB) to force a device to install the popular game Pokemon Go; the same Intent could be sent by a rogue application already installed on the device to install any application available through the Samsung Galaxy App Store. The vulnerability does not affect devices running Android 13 or later. The issue has been patched as of version 4.5.49.8 of the Galaxy App Store.
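The class of bug described above, an app component that any other installed app can reach through an Intent, is something a reviewer can look for in a manifest before the app ships. As an added example, not NCC Group’s proof of concept and not Samsung’s code, the Python audit below parses an AndroidManifest.xml and reports the components that are exported, either explicitly or implicitly by carrying an intent filter, without an android:permission gate. The manifest it runs on is a constructed sample with a hypothetical package name and says nothing about the Galaxy Store’s actual manifest; the implicit-export rule it applies is the pre-Android 12 platform default (from targetSdk 31 the attribute must be declared explicitly).

```python
"""Added example: flag manifest components reachable by other apps (not Samsung's or NCC Group's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def android_attr(element, name):
    """Read an android:* attribute; ElementTree keys it by the full namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, target_sdk):
    """Explicit android:exported wins. Otherwise a component with an
    <intent-filter> is exported by default, and a provider is exported by
    default only when the app targets API 16 or lower."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk is not None and target_sdk <= 16
    return component.find("intent-filter") is not None


def qualified_name(package, name):
    """'.Foo' -> 'pkg.Foo'; 'Foo' -> 'pkg.Foo'; 'com.x.Foo' is left alone."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return f"{package}.{name}"
    return name


def audit_manifest(xml_text):
    """Return the components other apps can invoke with no permission gate."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    target_sdk = None
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and android_attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(android_attr(uses_sdk, "targetSdkVersion"))
    findings = []
    application = root.find("application")
    if application is None:
        return findings
    for component in application:
        if component.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(component, target_sdk):
            continue
        if android_attr(component, "permission"):
            continue  # callers must hold a permission; out of scope for this check
        actions = [android_attr(a, "name") for a in component.iter("action")]
        findings.append({
            "tag": component.tag,
            "name": qualified_name(package, android_attr(component, "name") or ""),
            "explicit_exported": android_attr(component, "exported") is not None,
            "actions": actions,
        })
    return findings


# Constructed sample manifest with a hypothetical package; not the Galaxy Store's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.appstore">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <!-- no android:exported, but an intent filter: implicitly reachable by any app -->
    <activity android:name=".DeepLinkInstallActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleappstore" android:host="install"/>
      </intent-filter>
    </activity>
    <!-- exported, but gated by a permission the app defines -->
    <service android:name=".InstallService" android:exported="true"
             android:permission="com.example.appstore.permission.INSTALL"/>
    <!-- internal only -->
    <receiver android:name=".UpdateReceiver" android:exported="false"/>
    <activity android:name=".SettingsActivity"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.appstore.cache"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Each finding is a component whose handler must treat every Intent extra as attacker-controlled, because any app on the device can send it; on a real app, point audit_manifest at the manifest extracted from the APK rather than at the sample.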


Sewio Real-Time Location System Multiple Vulnerabilities

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: Unknown
Available Public Exploits: No

Sewio’s Real-Time Location System is a software suite used for “precise indoor tracking” of assets, employees and vehicles. This week, multiple vulnerabilities were disclosed for the software, including remote code execution, denial of service, cross-site scripting, hard-coded credentials, cross-site request forgery and access control issues. The vulnerabilities were reported to CISA by security researcher Andrea Palanca, and CISA has released an advisory with guidance on their impact and on how to mitigate them. Updating to Sewio version 3.0.0 addresses some of the vulnerabilities; users are encouraged to read the CISA advisory and apply the patches or workarounds appropriate to their deployment. Given that the software provides real-time location information for personnel, compromise of the host system or the software could have an impact disproportionate to the assigned CVSS score. The vulnerabilities are being tracked under the following CVE IDs:

  • CVE-2022-45444
  • CVE-2022-47911
  • CVE-2022-43483
  • CVE-2022-41989
  • CVE-2022-45127
  • CVE-2022-47395
  • CVE-2022-47917
  • CVE-2022-46733
  • CVE-2022-43455
