Appsec Phoenix

AppSec Phoenix Wide

Security Vulnerability of the Week 16/05/22


Date Posted: 17th May 2022

Weekly review of the top vulnerability issues of the week

This week there were mostly updates on existing flaws – Qnap, F5 discloses vulnerabilities,

This week features Apple O/S Zero Day, Cisco, and Netgear update, Zyxel Firewall, Sonicwall Patch, Nvidia add by CISA, the Russian attack on Italy during Eurovision, Eternity project


Appsec

Nothing Major this week on application security or packages


INFRA/Network

Apple OS AVD

Security Apple

Patch has been released

Named CVE-2022-22675 in the AppleAVD (a kernel extension for audio and video decoding) that allows apps to execute arbitrary code with kernel privileges.

Details: https://support.apple.com/en-us/HT213220

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AppleScript framework. Crafted data in a SCPT file can trigger a read past the end of an allocated data structure. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

Credit: Mickey Jin (@patch1t) of Trend Micro

The bug was reported by anonymous researchers and fixed by Apple in macOS Big Sur 11.6.watchOS 8.6, and tvOS 15.5 with improved bounds checking.

The list of impacted devices includes Apple Watch Series 3 or late, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD.

This year there have been 5 security updates on apple

QNAP

QNAP Has released OS Firmware for the following vulnerabilities Tracked as  

 CVE-2022-23121 and others were discovered by NCC Group EDG team at Pwn2Own

The following Vulnerabilities were patched in the latest release

More details: https://www.qnap.com/en-uk/security-advisories

Affected Versions

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

Sonicwall patch

SSL Applicace SSLVPN SMA 1000 bug allows users to bypass authorization

SummaryCVSS ScoreImpacted FirmwareFixed Firmware
Unauthenticated access control bypass8.2 (High)12.4.0
12.4.1
12.4.1-02994
Use of hard-coded cryptographic key5.7 (Medium)12.4.0
12.4.1
12.4.1-02994
URL redirection to an untrusted site (open redirection)6.1 (Medium)12.4.0
12.4.1
12.4.1-02994
credit bleeping computer

“There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible,” the company says in a security advisory published this week.

Vulnerability Does not affect the following: SMA 1000 series running versions earlier than 12.4.0, SMA 100 series products, CMS, and remote access clients.

The security bugs impact the following SMA 1000 Series models: 6200, 6210, 7200, 7210, 8000v (ESX, KVM, Hyper-V, AWS, Azure).

CVE-2022-22282 is the most severe as it allows unauthenticated attackers to bypass authentication.

Most notable vulnerability: CVE-2022-1388 with CVSS 9.8 and internal assessment Critical due to the front-facing and lack of authentication checks potentially allowing an attacker to remotely execute code and attack the affected system

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services,” 

Zyxel Firewalls

Shadowserver Foundation reported seeing an increased attack number leveraging the CVE-2022-30525 recently discovered

The vulnerability was disclosed by Jacob Baines, a lead security researcher at Rapid7, that explain how the flaw can be leveraged in attacks.

More than 20000 Zyxel firewall affected are currently on the web (shodan results) requires login

Zyxel Firewalls RCE Vulnerability
Source Shadowserver

Metaexploit module has been added to test the vulnerability

“Commands are executed as the nobody user. This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py” – 

Jacob Baines

The following models are affected

Affected modelAffected firmware versionPatch availability
USG FLEX 100(W), 200, 500, 700ZLD V5.00 through ZLD V5.21 Patch 1ZLD V5.30
USG FLEX 50(W) / USG20(W)-VPNZLD V5.10 through ZLD V5.21 Patch 1ZLD V5.30
ATP seriesZLD V5.10 through ZLD V5.21 Patch 1ZLD V5.30
VPN seriesZLD V4.60 through ZLD V5.21 Patch 1ZLD V5.30

Nvidia Card

Use an NVIDIA GPU? Check whether you need security updates - Help Net  Security

Four vulnerabilities were addressed in the latest release. The fixes on the firmware have covered for Tesla, RTX/Quadro, NVS, Studio, and GeForce software products, covering driver branches R450, R470, and R510. Interestingly also covered support card with the latest release: GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021.

  • CVE-2022-28181 (CVSS v3 score: 8.5) – Out-of-bounds write in the kernel mode layer caused by a specially crafted shader sent over the network, potentially leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
  • CVE-2022-28182 (CVSS v3 score: 8.5) – Flaw in DirectX11 user mode driver allowing an unauthorized attacker to send a specially crafted shared over the network and cause denial of service, escalation of privileges, information disclosure, and data tampering.
  • CVE-2022-28183 (CVSS v3 score: 7.7) – Vulnerability in the kernel mode layer, where an unprivileged regular user can cause an out-of-bounds read, which may lead to denial of service and information disclosure.
  • CVE-2022-28184 (CVSS v3 score: 7.1) – Vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a regular unprivileged user can access administrator-privileged registers, which may lead to denial of service, information disclosure, and data tampering.

Cloud

Current Year Research on Vulnerabilities Discovered

No alternative text description for this image
Courtesy of Christoper Parisel

For the Deep dive on previous Cloud Vulnerabilities: https://appsecphoenix.com/security-vulnerability-of-the-week-02-04-22/

sagemaker – Lightspin – CVSS 7.4

AWS SageMaker Jupyter Notebook

Lightspin researcher Gafnit Amiga found that an attacker can run any code on a victim’s SageMaker JupyterLab Notebook Instance across accounts. 

The vulnerability has been already remediated

Using the access token, the attacker can read data from S3 buckets, create VPC endpoints and more actions that are allowed by the SageMaker execution role and the “AmazonSageMakerFullAccess” policy.

An attacker is able to use CSRF to send this POST request to install my malicious extension on the victim’s JupyterLab Instance.

The requirement to deploy the vulnerability is that the victim must be logged in the AWS account, and click on the malicious link to start the attack

For full vulnerability disclose: https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability

RDS Postress SQL – Lightspin – CVSS 6.3

AWS Amazon Postrgress

Amazon Web Services (AWS) resolved on 09 Mar 22 (disclosed date: 09Dec 2021) a vulnerability affecting Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials.

Another vulnerability was uncovered by the Lightspin’s Research Team. The team has obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension. The internal AWS service was connected to AWS internal account, related to the RDS service.

The AWS team has disclosed that the patch was limited only to the recent RDS and Aurora PostgreSQL engines. AWS Team has reached out to all affected users

“No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database,” AWS explains.

For full vulnerability disclosure: https://blog.lightspin.io/aws-rds-critical-security-vulnerability

For AWS Bulletin: https://aws.amazon.com/security/security-bulletins/AWS-2022-004/

AutoWrap – Orca – CVSS 8.5

logicApp – NetSPI – CVSS 6

credManifest – NetSPI – CVSS 6.5 – CVE 2021-42306

extraReplica – Wiz – CVSS 6.8

Share this article

[ssba]

Categories

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO