Control Gap Vulnerability Roundup: November 5th to November 11th

This week saw the publication of 507 new CVE IDs. Of those, 133 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 16% were of critical severity, 43% were high, 38% were medium, and 3% were low. Listed below are the vulnerabilities that caught our attention:

• Parse Server prototype pollution may lead to unauthenticated remote code execution.
• Plesk cross-site request forgery (CSRF) can allow for attackers to takeover administrative accounts by luring victims to malicious websites.
• Citrix Gateway and ADC products were found to have multiple vulnerabilities, products acting in the “gateway” role have a critical vulnerability which can allow for unauthenticated attackers to take authenticated actions on the device.
• VMWare Workstation ONE has disclosed three unique authentication bypass vulnerabilities, an attacker with network access may be able to take administrative actions.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Parse Server Prototype Pollution Remote Code Execution

Parse Server, an incredibly popular backend server for Node.js web applications published a security advisory this week disclosing a prototype pollution vulnerability discovered by researchers from the KTH Royal Institute of Technology. Prototype pollution is a class of vulnerability which generally affects JavaScript applications and abuses properties of object inheritance allowing attackers to change attributes of JavaScript objects on an application wide scale. The researchers found that the vulnerability CVE-2022-39396, affects Parse Server in a default configuration and would allow for an attacker to take complete control of the affected server. Exact details on the vulnerability are currently being withheld until a majority of the userbase can update. Parse Server released versions 4.10.18 and 5.3.1 which address the vulnerability and users are encouraged to update immediately.

Plesk Cross-Site Request Forgery

The highly popular administration tool for hosting and datacenter providers, Plesk, disclosed a cross-site request forgery (CSRF) vulnerability that could allow attackers to upload files to the Plesk platform or takeover the administrative account. Security researchers at Fortbridge found that the REST API for the Plesk platform did not implement any CSRF protection measures, an attacker who could convince a Plesk administrator to visit a malicious (and knew to target Plesk beforehand) could launch cookieless attacks against the Plesk API in the context of the administrator. The vulnerability CVE-2022-45130, affects Plesk Obsidian and Plesk claims that 98.4% of all Plesk instances have been patched automatically.

Citrix Gateway and Citrix ADC Multiple Vulnerabilities

Citrix has released a security bulletin to address three vulnerabilities in its Gateway and ADC products. The vulnerabilities, CVE-2022-27510, CVE-2022-27513, and CVE-2022-27516 affect multiple product lines and versions, users are encouraged to check the bulletin and apply the appropriate updates for their affected products. Two of the vulnerabilities are considered by Citrix to be non-critical, CVE-2022-27513 is vaguely described as “remote desktop takeover via phishing” and CVE-2022-27516 is a bypass for user login brute-force protections. The final vulnerability CVE-2022-27510 is classed by Citrix as “critical” and only affects appliances that are acting as a gateway. The vulnerability is an authentication bypass that would allow a remote unauthenticated attacker to take actions on the appliance as if they were a legitimate user. Citrix gateways have been heavily targeted in the past by threat actors as they represent a common vector to gain access into an organization’s internal environment.

VMWare Workspace ONE Multiple Authentication Bypasses

VMWare’s Workspace ONE product versions up to but not including 22.10 had three authentication bypass vulnerabilities disclosed in the past week. VMWare has addressed these vulnerabilities in the security advisory VMSA-2022-0028. The three vulnerabilities CVE-2022-31685, CVE-2022-31686 and CVE-2022-31687, have the same description, “a malicious actor with network access may be able to obtain administrative access without the need to authenticate to the application.” Apart from affected version numbers it is unclear what conditions have to be met for a system to be vulnerable. Details on the vulnerabilities are likely being omitted on purpose to hinder exploit development and allow VMWare customers time to patch.