Control Gap Vulnerability Roundup: July 1st to 8th

This week saw the publication of 330 new CVE IDs. Of those, 296 have not yet been assigned official CVSS scores; of the ones that were, approximately 21% were of critical severity, 48% were high, 31% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • An account takeover vulnerability and an authenticated remote code execution vulnerability in the CentOS Control Web Panel can, when chained, result in unauthenticated remote code execution in the context of the root account.
  • A zero-day buffer overflow in Google Chrome Desktop was patched on July 4th. Google has disclosed that the vulnerability is being exploited in the wild.
  • Session tokens for the OpenVPN Access Server web interface are not generated randomly enough to be considered secure.
  • The “ransomware canaries” feature of Elastic Endpoint Security, which is designed to detect and prevent ransomware execution, was found to have a local privilege escalation vulnerability that could allow an attacker to escalate to SYSTEM.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


CentOS Control Web Panel < v0.9.8.1122 Multiple Vulnerabilities

Criticality: Critical
Real-World Exploitability: High
Exploited in the Wild: Yes
Available Public Exploits?: Yes

The CentOS Control Web Panel software, used to manage dedicated or virtual servers, is affected by two separate vulnerabilities. CVE-2022-25047 describes password reset tokens for user accounts that are generated in an insecure fashion and can be known beforehand or predicted. Additionally, a remote code execution vulnerability, CVE-2022-25048, would allow an authenticated user to run commands in the context of the root account.

When chained together, these two vulnerabilities would allow an unauthenticated remote attacker to execute arbitrary commands in the context of the root account, with only a valid username and its associated email address as a prerequisite. Public exploits for both vulnerabilities are available at https://github.com/Immersive-Labs-Sec/CentOS-WebPanel. The official product website (https://control-webpanel.com/) claims that 35,000 users are utilizing the control panel.

A Shodan search with a likely fingerprint for the control panel returns over 200,000 results, with the majority of IP addresses located in North America. This issue can most likely be resolved by upgrading to the latest version of the product.


Google Chrome Heap-Based Buffer Overflow

Criticality: High
Real-World Exploitability: High
Exploited in the Wild: Yes
Available Public Exploits?: No

Google has patched a zero-day heap-based buffer overflow vulnerability in Google Chrome Desktop with the release of version 103.0.5060.114. This high-severity vulnerability was found by Jan Vojtesek from the Avast threat intelligence team on July 1st. Google addressed the issue in a security bulletin in which it acknowledged that the vulnerability is being exploited in the wild and can lead to remote code execution. Details on the vulnerability are currently being withheld until the majority of the user base has updated to a non-vulnerable version; as such, the CVE entry has not yet been published. The CVE ID reserved for this vulnerability is CVE-2022-2294.


OpenVPN Access Server < 2.11 Weak PRNG

Criticality: High
Real-World Exploitability: Low
Exploited in the Wild: Unknown
Available Public Exploits?: No

OpenVPN Access Server versions before 2.11 were found to use a weak pseudo-random number generator to create user session tokens for the web portal. While no public exploits currently exist for this vulnerability, it could allow an attacker to impersonate a user with a valid session token. Updating to the latest version of Access Server (2.11) will fix this issue; the official release notes can be found at https://openvpn.net/vpn-server-resources/release-notes/#openvpn-access-server-2-11-0. This vulnerability was assigned CVE-2022-33738.
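Both the CentOS Control Web Panel reset-token issue above and this OpenVPN session-token issue come down to tokens an attacker can guess rather than has to steal. The Python example below is added here to show the properties a reset or session token issuer needs instead; it is not code from either project and uses a hypothetical in-memory store standing in for an application database.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: username -> {"digest": ..., "expires": ...}.
# Only the SHA-256 digest of a token is kept, never the token itself.
TOKEN_BYTES = 32          # 256 bits from the OS CSPRNG, far beyond guessing range
RESET_TTL_SECONDS = 900   # tokens are short-lived (15 minutes)


def issue_reset_token(store, username, now=None):
    """Issue a password-reset (or session) token for `username`.

    The token comes from `secrets`, which wraps the OS CSPRNG, so it cannot be
    derived from the username, e-mail address, request time or a seedable PRNG.
    Storing only a digest means a leaked store does not leak live tokens.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    store[username] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token


def redeem_reset_token(store, username, presented, now=None):
    """Return True exactly once for the live token of `username`, else False."""
    now = time.time() if now is None else now
    record = store.get(username)
    if record is None:
        return False
    if now > record["expires"]:
        del store[username]            # expired: discard so it can never be replayed
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time compare so response timing does not leak digest prefixes.
    if not hmac.compare_digest(digest, record["digest"]):
        return False
    del store[username]                # single use: a redeemed token is invalidated
    return True
```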


Elastic Endpoint Security Ransomware Canaries Privilege Escalation

Criticality: Unknown
Real-World Exploitability: Unknown
Exploited in the Wild: No
Available Public Exploits?: No

An unknown vulnerability has been “patched” in the Windows edition of the Elastic Endpoint Security ransomware canary feature, which can detect, alert on, and stop ransomware attacks or activity. The vulnerability could allow a local attacker to escalate privileges to Local/SYSTEM. Elastic has released a security “update” that disables the feature for now and has promised to provide a comprehensive patch in the future. The Elastic security advisory is available at https://discuss.elastic.co/t/elastic-8-3-1-8-3-0-and-7-17-5-security-update/308613. No public exploits have been published for this vulnerability. This vulnerability was assigned CVE-2022-23714.
