Control Gap Vulnerability Roundup: March 18th to March 24th

This week saw the publication of 591 new CVE IDs. Of those, 100 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

• A new bug dubbed “aCropalypse” has been disclosed which affects the “Markup Tool”, Google’s photo editing app for Android devices. The bug could allow for sensitive information to be retrieved from images which have been cropped or redacted dating back 5 years to Android 9.
• WooCommerce has addressed a vulnerability in the popular self-titled WordPress plugin which would allow an unauthenticated user to impersonate an admin, leading to the complete compromise of the site.
• Microsoft has addressed a zero-day vulnerability in its Outlook email client which could allow attackers to conduct NTLM relay attacks by sending a crafted email that the user does not even have to open or preview. Microsoft has acknowledged exploitation of this vulnerability by Russian APT groups dating back to April 2022.
• Cisco Talos researchers have identified a very simple but effective remote command execution vulnerability in Netgear Orbi routers that could be exploited if an attacker could gain access to the administrator console, either through misconfiguration or credential attacks.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Markup Tool Information Leakage “aCropalypse”

Independent security researchers @ItsSimonTime and David Buchanan (@David3141593) have discovered a severe bug in Google’s “Markup” tool, which is the default photo editing tool installed on Google phones such as the Google Pixel. The vulnerability, now tracked as CVE-2023-21036, stems from a proprietary Google library which handles the file operations when editing a photo. The library was found to be parsing the file without truncation, meaning that some of the original file was left over in the newly edited one. The implication is that when cropping or censoring photos using the Markup tool, someone who received the image could recover details which were cropped out or drawn over. Commonly, social media websites will compress or otherwise modify image files submitted to them which prevents this type of attack, but many file sharing services and image submission services do not. For example, the researchers were able to recover data in images sent over the popular communications platform “Discord”. The researchers released a public tool that anyone can use to see if their pictures are vulnerable, and the bug/exploit has been dubbed “aCropalypse”. The exploit has spurred a surge of research into similar photo editing tools including the Windows 11 “Snipping Tool” which had a similar bug preventing the truncation of cropped photos. The privacy implications of this vulnerability are incredibly serious as any pictures edited with the Markup Tool since Android 9 are potentially vulnerable.

WooCommerce Administrator Impersonation 

WooCommerce, the incredibly popular WordPress plugin used by more than 500,000 websites, had a vulnerability disclosed and almost immediately patched which would allow for an unauthenticated attacker to impersonate a site administrator and compromise the affected WordPress site. The vulnerability affects WooCommerce versions 4.8.0 to 5.6.1 and was considered so severe that any site hosted by WordPress with the plugin installed was forcibly updated. At the time of writing the vulnerability does not have a CVE number but WooCommerce has released a patch and guidance for its users and urges anyone with the plugin installed to update immediately and investigate their site for signs of compromise.

Microsoft Outlook Escalation of Privilege Zero-Day 

A Microsoft Outlook vulnerability allowing for escalation of privilege was disclosed this past week with Microsoft issuing a patch and multiple guidance documents on exploitation detection, triage, and threat analytics. The vulnerability can be exploited when an attacker sends a crafted email to a user accessing their email through an affected Outlook client. The user is not required to open or preview the email for the exploit to be successful. The crafted email will trigger an authentication handshake to an attacker-controlled server which can then be used in NTLM relay attacks against online Windows services which accept NTLM as an authentication method. Microsoft has acknowledged the exploitation of this vulnerability by a Russian APT group specifically against “organizations in government, transportation, energy, and military sectors in Europe”. The vulnerability is being tracked as CVE-2023-23397.

Netgear Orbi Router 750 Series Remote Command Execution

Researchers with Cisco Talos have identified a remote command execution vulnerability affecting Netgear Orbi 750 series routers and released a disclosure along with a proof-of-concept exploit. The vulnerability requires authenticated access to the device or the admin console to be exposed but can be easily exploited if either of these criteria are met. Orbi Router administrators can allow or deny-list specific clients from the wireless network via the administrative console. Cisco Talos researchers found that the “dev_name” parameter was vulnerable to a simple command injection vulnerability utilizing a semicolon to delimit a device name from a shell command. For example, the following payload would run the ping command on the device: ;ping${IFS}10.0.0.4. Despite the attack requiring authentication, routers are commonly configured with default credentials and exposed to the internet. Attackers commonly scan the internet for exposed routers and test a variety of default credentials against them to compromise the device, commonly to add to large botnets. Netgear has released a firmware patch to address this vulnerability and is encouraging users to update. The vulnerability is being tracked as CVE-2022-37337.