Top Trending CVEs of August 2022

This month we have five entries on the radar. The August 2022 Patch Now Award* goes to ManageEngine ADAudit Plus, which is affected by an unauthenticated remote code execution vulnerability. Learn more below, in this month’s trending CVEs:

1. CVE-2022-2590 Shmem CoW

Overview: Linux kernels v5.16 and later that are built with CONFIG_USERFAULTFD=y are affected by a local privilege escalation vulnerability. A race in the kernel’s copy-on-write handling lets an unprivileged user write through a mapping it should only be able to read. The issue is similar to Dirty COW, which was also caused by mishandled copy-on-write, but it is limited to private, read-only mappings of shared memory (shmem/tmpfs) files. Writing into memory that other processes also map lets an attacker alter their contents, inject code and take control of their execution. PoC code is publicly available, so patch soon to get ahead of the curve.

NopSec’s Thoughts: This copy-on-write issue only affects newer kernels, but PoC code does exist. Keep in mind that exploitation requires local access: a remote attacker needs a separate vector for code execution on the host before this bug can be used to escalate privileges.

Severity: High     Complexity: Moderate     CVSS Score: 7.8
Systems Impacted: Linux kernel v5.16 and later, compiled with CONFIG_USERFAULTFD=y
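As an added triage check (not code from the NopSec post or the Linux project), the following Python script applies the two conditions above to a host: a kernel release of 5.16 or later and CONFIG_USERFAULTFD=y in the build config. The release strings and config fragments it is exercised with are constructed. It treats 5.16 itself as in scope, the conservative reading, and a distribution kernel that backported the fix will still match on version, so treat a hit as a prompt to check the vendor advisory rather than as proof of exploitability.

```python
"""Triage check for CVE-2022-2590: is this kernel in the affected set?

Added example, not code from the NopSec post or the Linux project. The
two conditions it applies (release 5.16 or later, CONFIG_USERFAULTFD=y)
come from the advisory text; sample release strings and config fragments
are constructed for illustration.
"""
import gzip
import os
import re
from typing import Optional, Tuple

# Treat 5.16 itself as in scope: the conservative reading of "v5.16 and later".
AFFECTED_FROM = (5, 16)


def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn a uname -r string such as '5.18.0-rc3-generic' into (5, 18, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def userfaultfd_enabled(config_text: str) -> bool:
    """True only for CONFIG_USERFAULTFD=y; '# CONFIG_USERFAULTFD is not set' is False."""
    return any(line.strip() == "CONFIG_USERFAULTFD=y" for line in config_text.splitlines())


def is_affected(release: str, config_text: Optional[str]) -> Optional[bool]:
    """False below 5.16 regardless of config; None when the version is in range
    but no config is available to decide; otherwise the config's answer."""
    if parse_release(release) < AFFECTED_FROM:
        return False
    if config_text is None:
        return None
    return userfaultfd_enabled(config_text)


def load_running_config() -> Optional[str]:
    """Read the running kernel's build config, if the distribution exposes it."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as fh:
            return fh.read()
    path = f"/boot/config-{os.uname().release}"
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return None


if __name__ == "__main__":
    current = os.uname().release
    verdict = is_affected(current, load_running_config())
    labels = {True: "affected", False: "not affected",
              None: "version in range, config unavailable"}
    print(f"{current}: {labels[verdict]}")
```

Run it as root on each Linux host in scope; the version gate alone clears most long-term-support fleets still on 5.15 or older, and the config check separates hardened builds that leave userfaultfd out.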


2. CVE-2022-26135 Jira Mobile Plugin SSRF

Overview: The research team at Assetnote identified a post-authentication server-side request forgery (SSRF) vulnerability (CVE-2022-26135) in the Mobile Plugin bundled with Jira Data Center and Server. The plugin’s batch REST endpoint (/rest/nativemobile/1.0/batch) builds an outbound URL by concatenating a user-controlled “location” parameter onto the server’s own address. If the supplied location begins with an “@” character, everything before it is parsed as URL userinfo rather than as the host, and the Jira server sends the HTTP request to an attacker-defined host instead. On deployments where Jira Service Management (formerly Jira Service Desk) is enabled and allows self-registration, an unauthenticated attacker can register an account, authenticate, and then exploit the SSRF. Exploit code is publicly available, so plan to patch.

NopSec’s Thoughts: Server-side request forgery vulnerabilities compel a victim server to send an HTTP request to an attacker-defined destination. That can leak sensitive information, such as credentials the server attaches to its own requests, to untrusted hosts, or be used to reach and enumerate internal network services the attacker cannot touch directly. Attackers use this class of vulnerability as a stepping stone for further attacks that ultimately result in unauthorized access.

Severity: Moderate     Complexity: Low     CVSS Score: 6.8
Systems Impacted: Atlassian Jira Server and Data Center from version 8.0.0 before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Also Jira Service Management Server and Data Center from version 4.0.0 before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
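The “@” trick above is plain RFC 3986 userinfo syntax (user@host) landing in the wrong place. The added Python example below is not Atlassian’s code and does not reproduce the Mobile Plugin’s exact string handling; it shows the bug class, a fixed base URL concatenated with a caller-supplied location, beside one way to build the URL so the destination host cannot change. The base URL and hostnames are placeholders.

```python
"""Userinfo confusion: how a leading "@" in a concatenated value moves the host.

Added example, not Atlassian's code. It shows the bug class the advisory
describes (a fixed base URL joined with a caller-supplied "location") and
a hardened builder that re-parses the result and refuses any host change.
The base URL and hostnames are placeholders.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

BASE_URL = "https://jira.example.com"  # assumed: the server's own address


def build_url_vulnerable(location: str) -> str:
    """Plain concatenation; 'location' is attacker controlled."""
    return BASE_URL + location


def target_host(url: str) -> Optional[str]:
    """The host an HTTP client would actually connect to for this URL."""
    return urlsplit(url).hostname


def userinfo_of(url: str) -> Optional[str]:
    """What the URL parser took as the username (the 'user' in user@host)."""
    return urlsplit(url).username


def build_url_hardened(location: str) -> Optional[str]:
    """Assemble the URL from parsed parts and re-verify it; None means rejected."""
    # Only absolute paths on this server: "@host" is not a path, and
    # "//host/..." would be a protocol-relative URL.
    if not location.startswith("/") or location.startswith("//"):
        return None
    base = urlsplit(BASE_URL)
    candidate = urlunsplit((base.scheme, base.netloc, location, "", ""))
    parsed = urlsplit(candidate)
    # Belt and braces: everything a client would dial must equal the base's,
    # and no userinfo may have appeared.
    if (parsed.scheme, parsed.hostname, parsed.port, parsed.username) != (
        base.scheme, base.hostname, base.port, None
    ):
        return None
    return candidate
```

With the vulnerable builder, location "@attacker.example/" yields https://jira.example.com@attacker.example/, which a client dials as attacker.example with jira.example.com as the username. The hardened builder accepts a path that merely contains “@” (an "@" inside the path is harmless) but rejects anything that changes scheme, host or port.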


3. CVE-2022-28219 ManageEngine ADAudit Plus Unauthenticated XXE to RCE

Overview: ManageEngine ADAudit Plus builds earlier than 7060 are affected by a chain of weaknesses that together allow unauthenticated remote code execution (CVE-2022-28219): an XML external entity (XXE) injection, a path traversal, and untrusted Java deserialization. The XXE is used to get an attacker-controlled file onto the server, and the deserialization flaw is then used to execute a Java payload from it. Proof-of-concept exploit code is publicly available and the vulnerability is under active exploitation.

NopSec’s Thoughts: This is a severe vulnerability if you are running ManageEngine ADAudit Plus. These systems are domain joined and run with elevated access to Active Directory, often with Domain Admin rights. An attacker who lands on one of them with those privileges can move laterally to compromise additional systems with little resistance. Exploit code is mature and available, which means attackers will be looking for these systems. Patch ASAP!

Severity: Critical     Complexity: Low     CVSS Score: 9.8
Systems Impacted: ManageEngine ADAudit Plus builds earlier than 7060.
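Of the three weaknesses in this chain, the XXE is the one a developer controls with a single parser setting. The added example below is not ManageEngine’s code; ADAudit Plus is a Java product, and this uses Python’s xml.sax because its feature_external_ges switch is the same knob (external general entities on or off) that Java SAX/DOM parsers expose as a feature. The secret file and the XML payload are constructed inline so the example runs offline.

```python
"""XML external entity (XXE) expansion: unsafe parser setting beside the safe one.

Added example, not ManageEngine code. The secret file and the XML payload
are constructed inline; the file path stands in for any file the service
account can read.
"""
import io
import os
import tempfile
import xml.sax
from typing import List, Tuple
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data the parser delivers, wherever it came from."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_text(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Return the document's text; external entities expand only when allowed."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # allow_external_entities=False is the hardened setting. Python has defaulted
    # to False since 3.7.1, but setting it explicitly survives upgrades and code
    # copied from older examples. The Java equivalent is
    # setFeature("http://xml.org/sax/features/external-general-entities", false).
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def xxe_demo() -> Tuple[str, str]:
    """Feed one XXE payload through both settings; return (unsafe, hardened) output."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("hunter2\n")  # constructed stand-in for a sensitive file
        # The internal DTD subset declares an entity backed by a local file; the
        # body references it, so a parser that resolves external entities reads
        # the file and returns its contents as document text.
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{secret_path}">]>'
            "<data>&xxe;</data>"
        ).encode()
        leaked = parse_text(payload, allow_external_entities=True)
        hardened = parse_text(payload, allow_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    unsafe, safe = xxe_demo()
    print("external entities on :", repr(unsafe))
    print("external entities off:", repr(safe))
```

The unsafe configuration returns the file’s contents as if they were part of the document; the hardened one returns nothing for the entity while still expanding ordinary internal entities. In a real service the SYSTEM identifier can just as well be an http:// URL, which is what makes XXE useful for SSRF and for pulling a second-stage DTD from the attacker.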


4. CVE-2022-37042 Zimbra Collaboration Suite RCE

Overview: The Zimbra Collaboration Suite (ZCS) is being targeted in mass exploitation attacks that achieve unauthenticated remote code execution by chaining two separate issues. The first is a path traversal in the mboximport ZIP upload function (CVE-2022-27925), which writes archive entries wherever their names point and so lets an attacker drop arbitrary *.jsp files into the web tree; it was originally reported as requiring administrator credentials. The second, CVE-2022-37042, is an authentication bypass that lets threat actors reach that upload function without credentials. Together they give an attacker a web shell on the mail server. Public exploit code is available and under active exploitation.

NopSec’s Thoughts: This exploit chain is under active exploitation and proof-of-concept code is available. The ease of exploitation and the fact that no credentials are required make this a lucrative target for attackers looking to deploy malware on victim systems or to use the mail server as a foothold for lateral movement into connected systems and networks. It is critical to apply patches.

Severity: Critical     Complexity: Low     CVSS Score: 9.8
Systems Impacted: Zimbra 8.8.15 before Patch 33 and 9.0 before Patch 26. The earlier 8.8.15 P31 and 9.0 P24 releases addressed the path traversal (CVE-2022-27925) but not the authentication bypass, so installations at those levels are still exposed.
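The traversal in this chain is the classic “zip slip” pattern: the extractor joins each archive entry name onto the import directory and writes it, so a name containing “..” escapes that directory. The added example below is not Zimbra’s code; it builds a hostile archive in memory (a constructed sample), extracts it with a routine that trusts entry names, and then with a hardened routine that resolves every target path and refuses the whole archive before writing anything. The directory layout is a placeholder.

```python
"""Zip slip: an extraction routine that trusts entry names, beside a hardened one.

Added example, not Zimbra code. The archive is built in memory and the
directory layout is a placeholder.
"""
import io
import os
import tempfile
import zipfile
from typing import List, Tuple


def make_hostile_zip() -> bytes:
    """One benign entry plus one traversal entry (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", "Subject: hello\n")
        zf.writestr("../../webapps/evil.jsp", "<% Runtime.getRuntime(); %>")
    return buf.getvalue()


def is_within(root: str, candidate: str) -> bool:
    """True if candidate resolves to root or somewhere below it.

    realpath collapses '..' and symlinks; commonpath avoids the prefix trap
    where '/srv/import-evil' would pass a naive startswith('/srv/import')."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def extract_vulnerable(zip_bytes: bytes, dest: str) -> List[str]:
    """Join each entry name onto dest and write it. Nothing stops '..'."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(dest, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(target))
    return written


def extract_hardened(zip_bytes: bytes, dest: str) -> List[str]:
    """Validate every entry before writing anything, then extract."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if not is_within(root, target):
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            targets.append((info, target))
        for info, target in targets:  # only reached if every entry passed
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [t for _, t in targets]


def demo() -> Tuple[List[str], bool, int]:
    """Return (paths that escaped under the vulnerable routine, relative to the
    scratch tree; whether the hardened routine refused; files it left behind)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        root = os.path.join(tmp, "srv", "import")
        os.makedirs(root)
        escaped = [os.path.relpath(p, tmp)
                   for p in extract_vulnerable(make_hostile_zip(), root)
                   if not is_within(root, p)]
        root2 = os.path.join(tmp, "srv", "import2")
        os.makedirs(root2)
        try:
            extract_hardened(make_hostile_zip(), root2)
            refused = False
        except ValueError:
            refused = True
        leftover = len(os.listdir(root2))
    return escaped, refused, leftover


if __name__ == "__main__":
    print(demo())
```

Python’s own ZipFile.extractall strips leading slashes and “..” components, so the bug usually appears in hand-rolled loops like the vulnerable one here, which is also the shape of most Java extraction code. Validating the whole archive before the first write matters: refusing on the second entry after writing the first still leaves attacker-chosen content on disk.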


5. CVE-2022-32893 and CVE-2022-32894 Apple WebKit and Kernel

Overview: Apple has released patches to address CVE-2022-32893 and CVE-2022-32894. The first is an out-of-bounds write in WebKit, Apple’s browser engine on iOS, iPadOS and macOS; processing maliciously crafted web content can lead to arbitrary code execution (CVE-2022-32893). The second is another out-of-bounds write, this time in the kernel, that lets an application already running on the device execute arbitrary code with kernel privileges (CVE-2022-32894). There is a strong chance these two issues are being chained. Exploit code has not been made public, but Apple reports that the vulnerabilities may have been actively exploited.

NopSec’s Thoughts: This is another scenario where an attacker chains a remote code execution vulnerability with a privilege escalation vulnerability. The silver lining is that successful exploitation requires a social engineering or phishing component to lure would-be victims into opening a link that leads to a web server hosting the malicious web content. It is worth noting that WebKit is used by many iOS/iPadOS and macOS applications beyond Safari, including Mail, so the exposure is not limited to browsing.

Severity: High     Complexity: Moderate    CVSS Score: 8.8
Systems Impacted: iOS and iPadOS before 15.6.1, and macOS Monterey before 12.5.1. The fixes ship in iOS 15.6.1, iPadOS 15.6.1 and macOS 12.5.1.

 


To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. As a leader in risk-based vulnerability management, our Unified VRM platform takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your environment. If you’d like to see what NopSec’s Unified VRM can do for your Vulnerability Management program, schedule a demo here.

*The Patch Now Award is a designation of the most critical vulnerability to make NopSec’s top trending CVE post for a given month.
