Skip to the main content.
Contact
Contact

3 min read

Control Gap Vulnerability Roundup: January 21st to January 27th

Control Gap Vulnerability Roundup: January 21st to January 27th

This week saw the publication of 537 new CVE IDs. Of those, 480 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 4% were of critical severity, 49% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • YellowFin Business Intelligence platform was found to utilize a hard-coded RSA private key for several cryptographic functions resulting in multiple authentication bypass vulnerabilities which could be abused to achieve remote code execution.
  • Multiple buffer overflow vulnerabilities were disclosed for Adobe Acrobat which could result in remote code execution if a user opens a crafted file. These kinds of vulnerabilities will slowly become more valuable as Microsoft makes strides to shut down typical malspam techniques.
  • A whopping 62 vulnerabilities allowing for remote code execution were disclosed by Cisco Talos for the Siretta Quartz Gold industrial LTE router.
  • Solar-Log Photovoltaic device firmware was found by Swascan researchers to have backdoor “Super Admin” credentials which can be derived from public information available on the web portal.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


YellowFin Business Intelligence Authentication Bypass and Code Execution

CG_Critical_sm-1

Real-World Exploitability

High

Exploited in the Wild

Unknown

Available Public Exploits 

Yes

 

YellowFin BI is a business intelligence platform for the automated collection, analysis and transformation of business data pertaining to employees, customers, and suppliers. Max Garrett, a security researcher at the firm AssetNote.io, discovered multiple authentication bypass vulnerabilities leading to remote code execution on the YellowFin platform. AssetNote published a detailed blog outlining the three authentication bypass vulnerabilities: CVE-2022-47884, CVE-2022-47885, CVE-2022-47882. All three vulnerabilities stem from a hardcoded RSA private key which allowed researchers to compromise cryptographic operations surrounding session and authentication management. After digging deeper into the post-authentication attack surface, they discovered that they could then achieve remote code execution via JNDI injection on the ”forceString” gadget which was available to the user through arbitrary data source connections. If JNDI injection sounds familiar that’s because it was the same latent attack technique used to achieve RCE in the Log4J library nearly a year ago. The remote code execution vulnerability is currently being tracked as CVE-2022-47883. All vulnerabilities have been fixed as of YellowFin BI version 9.8.1.


Adobe Acrobat Multiple Vulnerabilities

CG_Critical_sm-1

Real-World Exploitability

High

Exploited in the Wild

Unknown

Available Public Exploits 

No

Three out-of-bounds write vulnerabilities have been discovered and disclosed for the ubiquitous PDF reader Adobe Acrobat and Reader for the following versions: 22.003.20282 (Windows), 22.003.20281 (Mac), 20.005.30418, and earlier versions. The three vulnerabilities, CVE-2023-22242, CVE-2023-22241, and CVE-2023-22240, were identified by Mat Powell, a researcher with the Trend Micro Zero Day Initiative. All three vulnerabilities have been assigned a severity of “Critical” in Adobe’s security bulletin and all three maintain an impact of “Arbitrary Code Execution”. With Microsoft clamping down on common malspam and phishing techniques with more strict mark-of-the-web rules, attackers will surely be looking for other more creative attack techniques. Remote code execution within popular programs such as Adobe Acrobat and Adobe Reader, which can be triggered by crafted files delivered via email, are a valuable attack vector as the most popular methods decline in effectiveness.


Siretta Quartz Gold Router Many Vulnerabilities

Real-World Exploitability

High

Exploited in the Wild

Unknown

Available Public Exploits

Yes

 

An incredible 62 vulnerabilities have been disclosed for products contained within the Siretta Quartz Gold series of routers. The products are industrial routers designed to provide redundant internet connections via LTE cellular networks to industrial networks or devices. The vulnerabilities which were disclosed by Talos Intelligence are divided mainly between buffer overflows, and command injection which can result in unauthenticated or authenticated remote code execution on the device. Routers such as this are frequently targeted as a first step to gain access to an organizations network infrastructure. It is unclear how many of these devices are currently exposed to the public internet. According to Cisco Talos, Siretta has responded to the vulnerabilities and released relevant patches. A full list of CVE IDs and descriptions can be found here.


Solar-Log Photovoltaic Device (PV) Backdoor

CG_Critical_sm-1

Real-World Exploitability

High

Exploited in the Wild

Unknown

Available Public Exploits

No

 

Solar-Log is a leading supplier of photovoltaic (PV) devices for smart-monitoring and management in the consumer sector. Researchers with Swascan conducted intense security research on device hardware and firmware and identified a “backdoor” which would allow for Solar-Log support staff to login to the web interface of the device in the context of a “Super Admin” user. The credentials for this account are not hardcoded but can be derived from the serial number and system clock which is publicly available information presented to an unauthenticated user on the web portals login screen. Swascan reports that at the time of writing approximately 10,000 vulnerable devices were available through the public internet. Solar-Log has addressed the issue with an update to the firmware available here, however a number of the affected devices are considered “End-of-life” and as such will not be receiving the security patch. The vulnerability has been assigned the CVE ID CVE-2022-47767.

The Art of Reading a PCI Attestation of Compliance (AoC)

The Art of Reading a PCI Attestation of Compliance (AoC)

PCI Attestations of Compliance (AoCs) provide organizations with a tool that helps with the all-important aspects of third-party due diligence.  Yet...

Read More
Control Gap Vulnerability Roundup: March 4th to March 10th

Control Gap Vulnerability Roundup: March 4th to March 10th

This week saw the publication of 493 new CVE IDs. Of those, 58 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More
Control Gap Vulnerability Roundup: February 25th to March 3rd

Control Gap Vulnerability Roundup: February 25th to March 3rd

This week saw the publication of 442 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More