Control Gap Vulnerability Roundup: September 10th to September 16th

This week saw the publication of 655 new CVE IDs. Of those, 239 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 53% were high, 31% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• Multiple versions of Microsoft SharePoint server are affected by several authenticated remote code execution vulnerabilities.
• Tesla Model 3s using phone key authentication are vulnerable to authentication bypass which could allow an attacker to unlock, start, and drive away the vehicle.
• OASES, a software used to manage aviation maintenance and engineering is vulnerable to an authenticated remote code execution vulnerability.
• Watchdog anti-virus does not enforce access control lists on key application files allowing an attacker to execute arbitrary code in the context of the anti-virus software.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

Microsoft SharePoint Server Multiple Remote Code Execution Vulnerabilities

Multiple remote code execution vulnerabilities affecting several versions of SharePoint server were disclosed this week. Four vulnerabilities requiring low user privileges would allow an attacker to remotely execute arbitrary code in the context of the SharePoint server. Microsoft has released security bulletins and patches for these vulnerabilities and customers with affected products are encouraged to update immediately. The vulnerabilities are being tracked with the following CVE ids: CVE-2022-38009, CVE-2022-38008, CVE-2022-37961, and CVE-2022-35823.

Tesla Model 3 Authentication Bypass via MitM

Tesla Model 3 version 11.0 using the Tesla mobile app version 4.23 for phone key authentication is vulnerable to man-in-the-middle attacks which can be leveraged to bypass authentication mechanisms in the automobile. In correct conditions an attacker can exploit this vulnerability in less than a minute, unlock the vehicle, and drive it away using Android applications developed by the researchers on an attacker phone. The research which discovered the security issues was conducted by Chinese security researchers at the Shanghai Fudan Microelectronics Group and the findings were detailed in a GitHub document. The vulnerability is currently being tracked with the CVE id CVE-2022-37709 and the researchers claim in their post that Tesla has ignored responsible disclosure communications.

OASES Authenticated Remote Code Execution

Open Aviation Strategic Engineering System (OASES) is an aviation engineering and maintenance system used by 130 aviation customers across 55 countries. Version 8.8.0.2 was found to be affected by an authenticated remote code execution vulnerability whereby a user could execute code in the context of the server via the “Open Print Folder” menu. While the software does not appear to be widely adopted, the applications close relation to physical safety makes the severity of the vulnerability critical. The vulnerability is being tracked with the CVE id CVE-2022-40337.

Watchdog Anti-Virus Software Arbitrary Code Execution

Watchdog anti-virus version 1.4.158 implements weak access control lists on key application files including binaries and DLL files. Any authenticated user can perform a DLL hijacking attack to execute arbitrary code in the privileged context of the anti-virus program. Threat actors in increasing frequency have been leveraging attacks which exploit vulnerable privileged processes like anti-virus programs to escalate privileges as a key step in the cyber incident kill chain. The vulnerability was described in a GitHub document authored by the user “dru1d-foofus” and is being tracked with CVE id CVE-2022-38611.