Control Gap Vulnerability Roundup: November 26th to December 2nd

This week saw the publication of 564 new CVE IDs. In a strange week, 223 of those CVE IDs were labelled as “Reject, DO NOT USE”. Of the legitimate IDs, 125 have not yet been assigned official CVSS scores; of the ones that were, approximately 13% were of critical severity, 37% were high, 48% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • Hyundai and Genesis myHyundai application functionality allows for remote vehicle takeover.
  • Android virtual keyboard & mouse applications could allow an attacker to compromise systems or surveil keystrokes.
  • Intel Datacenter Management console has been found to be affected by an authentication bypass vulnerability.
  • GitHub has released a feature for open-source maintainers that allows for easy reporting, remediation, and disclosure of vulnerabilities.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


Hyundai and Genesis Remote Car Control

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes

Security researchers investigating the Hyundai “myHyundai” mobile application identified a creative account impersonation technique to remotely control many features of any vehicle that had been manufactured after 2012 and registered to the service. Due to sloppy username requirements during registration and mishandling of the username after authentication, the researchers found that by creating an account with the format victimEmail@domain%0d (a CRLF character) they were able to impersonate the victim account. An attacker could then use all the controls available to the application. The researchers claimed this included lock/unlock, start/stop engines, control of the horn and lights, and the ability to open the trunk. This research was briefly described in a Twitter thread. Hyundai was able to address the vulnerability before official disclosure, and as such it can no longer be exploited.
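A defensive sketch of the username-handling issue described above, added here as an example and not code from Hyundai or the researchers: identifiers containing control characters are rejected, and one canonical form is used at registration and at every later lookup. The function and class names, the accepted e-mail pattern and the `strip()`-based model of the flaw are assumptions for illustration.

```python
import re
import unicodedata

# Assumption: ASCII hostnames and a conservative local-part alphabet are acceptable.
_EMAIL_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+")


class InvalidEmail(ValueError):
    """Raised when a submitted e-mail cannot be used as an account identifier."""


def canonical_email(raw: str) -> str:
    """Return the single canonical form used for registration AND every lookup."""
    # Reject control, format and separator characters instead of silently
    # stripping them: silent trimming is what lets two names collapse into one.
    if any(unicodedata.category(c)[0] in "CZ" for c in raw):
        raise InvalidEmail("control or whitespace character in e-mail")
    candidate = raw.lower()  # assumption: addresses are treated case-insensitively
    if not _EMAIL_RE.fullmatch(candidate):
        raise InvalidEmail("e-mail does not match the accepted pattern")
    return candidate


def naive_collides(registered: str, victim: str) -> bool:
    """Constructed model of the flaw: the raw string passes the uniqueness
    check, but a later code path trims it before resolving the account."""
    return registered != victim and registered.strip() == victim


class Accounts:
    """Hypothetical account store keyed only by the canonical e-mail."""

    def __init__(self):
        self._owners = {}  # canonical e-mail -> account id

    def register(self, raw_email: str, account_id: int) -> str:
        key = canonical_email(raw_email)
        if key in self._owners:
            raise InvalidEmail("e-mail already registered")
        self._owners[key] = account_id
        return key

    def owner_of(self, raw_email: str) -> int:
        return self._owners[canonical_email(raw_email)]
```

The pattern also rejects a literal, still-encoded `%0d` after the domain, so the check holds whether or not the framework has already URL-decoded the field.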


Android Keyboard & Mouse Apps RCE

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: No

Keyboard and mouse applications allow users to turn their Android devices into virtual keyboards or mice to use with other supported devices such as a Windows computer. Security researchers at Synopsys have identified three such apps with vulnerabilities that would allow an attacker to execute arbitrary code on a device that has one of the application companion servers installed, or to intercept keystrokes sent from the Android device. The applications, Lazy Mouse, Telepad, and PC Keyboard, which share more than 2 million downloads, were found to be affected by a collective 7 vulnerabilities relating to weak authentication and insecure communications. Synopsys reached out to the developers of these applications regarding the vulnerabilities and was completely ignored, suggesting that the apps are “abandonware”. Following a 90-day responsible disclosure timeline, Synopsys published their research and the vulnerabilities were listed in the NIST database with the following IDs:


Intel Datacenter Management Authentication Bypass

Severity: Critical
Real-World Exploitability: High
Exploited in the Wild: No
Available Public Exploits: Yes

Intel Datacenter Manager Console is a real-time monitoring and management tool which allows administrators to manage systems across an entire datacenter. A security researcher named Julien Ahrens has published research detailing a vulnerability which would allow an unauthenticated attacker to bypass system authentication and make devastating changes across the datacenter environment. The vulnerability was found entirely through source-code review according to the research post and abuses the platform’s Active Directory authentication mechanisms. Intel has released their own security advisory and is currently disputing the CVSS severity score. A more in-depth justification of the severity can be found at the end of the blog post. The vulnerability is currently being tracked as CVE-2022-33942.


GitHub Vulnerability Reports

Severity: Informational
Real-World Exploitability: N/A
Exploited in the Wild: N/A
Available Public Exploits: N/A

While not a vulnerability, GitHub has announced at its GitHub Universe event that maintainers of open-source repositories on the site can now receive private vulnerability reports and issue CVEs within the platform. The security industry has applauded the feature as a clear step in the right direction. Hopefully the feature can help developers and maintainers track and remediate vulnerabilities without implementing a complex or inconsistent reporting and disclosure program.
