Control Gap Vulnerability Roundup: July 16th to 22nd

This week saw the publication of 579 new CVE IDs. Of those, 356 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 6% were of critical severity, 37% were high, 52% were medium, and 5% were low. Listed below are the vulnerabilities that caught our attention:

• MiCODUS GPS trackers have multiple vulnerabilities which could allow an attacker to execute arbitrary commands in an admin context on the device. This could allow an attacker to control certain functions of the vehicle or track its location.
• Supply chain attacks against projects contained in the Python package index result in backdoors allowing for remote code execution to be contained in the affected projects.
• Cryptocurrency mining devices created by Goldshell are found to suffer from multiple vulnerabilities including hard coded credentials for their SSH service.
• The incredibly popular Foxit PDF Reader is affected by multiple vulnerabilities which could lead to remote code execution if a user can be convinced to interact with a crafted file.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

MiCODUS GPS Tracker Multiple Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Likely

Available Public Exploits  Yes

Multiple vulnerabilities surrounding the MiCODUS GPS tracker model MV720 including: remote code execution, cross-site scripting, and insecure direct object references which can disclose sensitive information were published by cyber security firm BitSight. Some sensitive functionalities which could be controlled through the device are, car fuel-offs, and alarms. BitSight claims that these GPS devices are seeing use in vehicles owned by fortune 50 firms, critical infrastructure companies and various world governments. CISA released an advisory recommending that end users ensure that these devices are not remotely available as public exploits have been released. While six vulnerabilities have been discovered by BitSight only five have been assigned CVE ids. The CVE ids which have been assigned are as follows:

Microsoft’s Patch Tuesday on July 12th, 2022, saw disclosure of 84 security vulnerabilities for Microsoft products. Highlights from these disclosures include the following:

• CVE-2022-2107
• CVE-2022-2141
• CVE-2022-2199
• CVE-2022-34150
• CVE-2022-33944

Multiple PyPI Packages Backdoor RCE Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits  No

For the second month in a row multiple Python package index projects have been found to contain backdoors which would allow for remote code execution in the context of the application utilizing the package. These backdoors were inserted to the projects by an unknown third-party. Vulnerability to the backdoor would be highly contingent on the usage of the package and the availability of the affected system to exploit. This highlights the importance of software and supply chain governance and the need for professional review when an organization seeks to use a third-party open-source component in its own projects. The affected packages, associated versions and corresponding CVE ids can be found below:

• scu-captcha v0.0.1 to v0.0.4 (CVE-2022-34983)
• eziod v0.0.1 (CVE-2022-34982)
• PyCrowdTangle before v0.0.1 (CVE-2022-34981)
• wikifaces v1.0 (CVE-2022-34509)
• bin-collection before v0.1 (CVE-2022-34501)
• bin-collect before v0.1 (CVE-2022-34500)

Foxit Reader Multiple Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits No

A total of 18 vulnerabilities were published for Foxit PDF Reader version 11.2.1.53537. Multiple components of the program are affected and can allow for information disclosure and remote code execution if an attacker can convince a user to interact with a crafted PDF file. Foxit has released a security bulletin to address these vulnerabilities and encourages users to update to the latest version, no public exploits have been released at the time of writing. Foxit claims that the Foxit PDF Reader is used by more than 425 million users globally making these vulnerabilities incredibly widespread and an attractive attack vector for PDF document-based attacks. The 18 CVE ids and summary descriptions can be found here.

Goldshell ASIC Miners Multiple Vulnerabilities

Real-World Exploitability High

Exploited in the Wild Unknown

Available Public Exploits Yes

Multiple vulnerabilities have been discovered in Goldshell ASIC miners which include an exposed debug interface, path traversal and default credentials for the installed SSH service. Security researcher James Chambers detailed these vulnerabilities and PoC exploits in a blog post where he examined multiple crypto currency mining devices. These vulnerabilities would allow for information disclosure including arbitrary files or passwords and other confidential information in plaintext, in addition to allowing arbitrary users remote access to the device. These vulnerabilities should be particularly concerning given the financial risk inherent to the compromise of these devices. The CVE ids tracking these vulnerabilities are as follows: CVE-2022-24660, CVE-2022-24659, CVE-2022-24657.