Top Trending CVEs of December 2022

Happy holiday season! December was off the chains, literally. Microsoft released a security update to address a remote command execution vulnerability impacting Exchange that chained a combination of previously “fixed” vulnerabilities to achieve RCE. Citrix Gateway and ADC systems were impacted by an RCE bug that earned a spot on CISA's active exploitation list, though public exploit code is not yet available. Cisco also released a patch for an RCE vulnerability, complete with public exploit code.

1. ProxyNotShell Dejavu (aka OWASSRF) CVE-2022-41080 and CVE-2022-41082

The excellent research team at CrowdStrike has identified a means to bypass an Exchange patch released last month by Microsoft, complete with exploit code. In November, Microsoft released security update KB5019758 to address a privilege escalation vulnerability (CVE-2022-41040) and a remote command execution vulnerability (CVE-2022-41082). Without going into too much detail, attackers would exploit the Exchange Autodiscover front end via CVE-2022-41040 to send unauthenticated server-side request forgery (SSRF) requests to arbitrary backend services with LocalSystem privileges. This was then chained with CVE-2022-41082 to exploit an RCE vulnerability in the Exchange PowerShell backend. The latest iteration of this exploit chain bypasses the URL rewrite mitigations implemented by Microsoft. The primary difference between ProxyNotShell and OWASSRF is the path used to achieve SSRF. The URL rewrite rules that mitigate ProxyNotShell focused primarily on requests matching a regex pattern (=*autodiscover). The bypass targets the Exchange OWA endpoint rather than the Autodiscover endpoint; once SSRF is achieved, however, attackers fall back to exploiting CVE-2022-41082. Proof-of-concept code is floating around the internet, so exploitation of this one is highly likely. If you are operating Exchange and have OWA enabled, it is strongly recommended that you apply the patch.

Severity: High

Complexity: Low

CVSS Score: 8.8

Systems Impacted: Microsoft Exchange 2013, 2016, 2019

2. Citrix ADC and Gateway RCE CVE-2022-27518

Citrix Application Delivery Controller (ADC) and Citrix Gateway were hit with an unauthenticated RCE vulnerability this month. The good news is that it only impacts customer-managed deployments configured as a SAML Service Provider (SP) or SAML Identity Provider (IdP), but this is likely a fairly common configuration. Based on the research of Fox-IT, there are roughly 28,000 such deployments exposed to the Internet, with roughly 4,000 still lacking patches. At present there are no known workarounds short of disabling SAML authentication. Exploitation has been observed in the wild, but it appears limited to state-sponsored groups (APT5), and no exploit code is publicly available. The NSA has released guidance for determining whether your deployment has been compromised, which primarily focuses on periodically checking the integrity of Citrix ADC and Gateway binary executables by way of MD5 hashing. Executable files include, but may not be limited to: nsppe, nsaaad, nsconf, nsreadfile, and nsconmsg. The following command can be executed from a shell to facilitate this comparison:

cd /netscaler ; for i in nsppe nsaaad nsconf nsreadfile nsconmsg; do md5 ${i} ; done

Severity: Critical

Complexity: Unknown

CVSS Score: 9.8

Systems/Applications Impacted: Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32, Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25, Citrix ADC 12.1-FIPS before 12.1-55.291, Citrix ADC 12.1-NDcPP before 12.1-55.291

3. Cisco IP Phone RCE CVE-2022-20968

Cisco has disclosed a critical vulnerability that impacts their latest IP Phone 7800 Series and 8800 Series phones. The vulnerability results from insufficient validation of received Cisco Discovery Protocol (CDP) packets. CDP is a proprietary data-link-layer protocol developed by Cisco to share information with directly connected Cisco equipment, such as the operating system version and IP address. Crafted CDP frames sent to vulnerable endpoints result in a stack-based buffer overflow, which can lead to a denial of service or remote command execution.

Although unauthenticated remote command execution sounds pretty bad, which it 100% is, IP phones are not often exposed to the internet. So, this attack would most likely be conducted by an adjacent device on a private network. 

Cisco has acknowledged that the vulnerability is trending online and that proof-of-concept exploit code has been identified, but exploitation has not yet been observed in the wild. Short of applying a fix, Cisco has released mitigating controls: CDP can be disabled on vulnerable deployments where Link Layer Discovery Protocol (LLDP) is also supported, with LLDP then used for neighbor discovery. However, this is not a trivial change and may impact functionality.
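The page does not say which check the phones' firmware was missing, so as an added illustration (not Cisco's code) of the data validation a CDP receiver needs, here is a TLV walker that checks every length field against the bytes actually received before using it, and bounds the copy of the Device ID into a fixed-size field. The layout (version, TTL, checksum, then type/length/value entries whose length includes the 4-byte TLV header) is the standard CDP body; the two frames are constructed, and the checksum is not verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define CDP_TLV_DEVICE_ID 0x0001  /* TLV type code from the CDP format */
#define CDP_FIXED_HDR     4       /* version(1) ttl(1) checksum(2) */
#define DEVICE_ID_MAX     64      /* fixed-size field: the kind of buffer an overflow targets */
struct cdp_info { int tlv_count; char device_id[DEVICE_ID_MAX]; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the TLV list.  Returns the number of TLVs, or -1 as soon as any length
 * field is inconsistent with the bytes actually received. */
static int cdp_parse(const uint8_t *frame, size_t len, struct cdp_info *out) {
    memset(out, 0, sizeof *out);
    if (len < CDP_FIXED_HDR) return -1;          /* checksum is not verified here */
    size_t off = CDP_FIXED_HDR;
    while (off < len) {
        if (len - off < 4) return -1;            /* truncated TLV header */
        uint16_t type = be16(frame + off);
        uint16_t tlen = be16(frame + off + 2);   /* counts the 4-byte TLV header too */
        if (tlen < 4 || tlen > len - off) return -1;   /* length runs past the frame */
        size_t vlen = tlen - 4;
        if (type == CDP_TLV_DEVICE_ID) {
            if (vlen >= DEVICE_ID_MAX) return -1;      /* would not fit with its NUL */
            memcpy(out->device_id, frame + off + 4, vlen);
            out->device_id[vlen] = '\0';
        }
        out->tlv_count++;
        off += tlen;
    }
    return out->tlv_count;
}

/* Constructed frames (not captured traffic): a well-formed one and one whose
 * Device ID TLV claims 256 bytes inside an 11-byte frame. */
static const uint8_t good_frame[] = {
    0x02, 0xb4, 0x00, 0x00,                                     /* v2, ttl 180, checksum */
    0x00, 0x01, 0x00, 0x07, 's', 'w', '1',                      /* Device ID "sw1" */
    0x00, 0x03, 0x00, 0x0b, 'G', 'i', '1', '/', '0', '/', '1',  /* Port ID "Gi1/0/1" */
};
static const uint8_t bad_frame[] = { 0x02, 0xb4, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 's', 'w', '1' };
static struct cdp_info good_info;
static int parse_good(void) { return cdp_parse(good_frame, sizeof good_frame, &good_info); }
static int parse_bad(void)  { struct cdp_info i; return cdp_parse(bad_frame, sizeof bad_frame, &i); }

int main(void) {
    printf("good frame: %d TLVs, device id %s\n", parse_good(), good_info.device_id);
    printf("bad frame: %d (rejected before any copy)\n", parse_bad());
    return 0;
}
```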

Severity: Critical

Complexity: Low

CVSS Score: 8.8

Systems Impacted: IP Phone 7800 Series, IP Phone 8800 Series (except Cisco Wireless IP Phone 8821)

4. FreeBSD Ping CVE-2022-23093

The version of ping distributed with all versions of FreeBSD is vulnerable to a stack-based buffer overflow. Successful exploitation of this flaw could result in sensitive information disclosure, data modification, or a denial of service (DoS) condition. The flaw is due to insufficient bounds checking within the pr_pack() function. pr_pack() copies the received IP and ICMP headers into stack buffers for further processing. In doing so, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.

This impacts all supported versions of FreeBSD, which exists in many forms and fashions, from embedded systems to servers. While this vulnerability casts a large net, the impact will likely not escalate to arbitrary command execution, because the ping process runs in a capability-mode sandbox that is very constrained in how it can interact with the rest of the system at the point where the bug occurs. At least, that is the hope. If you're running FreeBSD, it's best to apply the patch. Further, exploitation is only possible while the ping command is running, which is a short window of opportunity. All the same, I find it interesting when a bread-and-butter networking tool that has been around for decades suddenly finds itself at risk.
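As an added example (not FreeBSD's ping source), the following shows the bug class the advisory describes: an IPv4 header is 20 bytes plus up to 40 bytes of options, its real length comes from the IHL field, and copying that many bytes into a fixed 20-byte stack struct overflows by exactly the option length. The checked copy refuses any header that does not fit its destination; the reply bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_MIN 20   /* header without options, the size of a 'struct ip' */
#define IP_HDR_MAX 60   /* IHL is a 4-bit word count, so options add at most 40 bytes */

/* Header length from the IHL nibble, or -1 if the packet is malformed. */
static int ip_header_len(const uint8_t *pkt, size_t len) {
    if (len < IP_HDR_MIN || (pkt[0] >> 4) != 4) return -1;   /* short, or not IPv4 */
    int hlen = (pkt[0] & 0x0f) * 4;
    if (hlen < IP_HDR_MIN || hlen > IP_HDR_MAX) return -1;
    if ((size_t)hlen > len) return -1;                        /* claims more than received */
    return hlen;
}

/* Bytes a memcpy(dst, pkt, hlen) into a 20-byte struct would write past its end. */
static int overflow_bytes(const uint8_t *pkt, size_t len) {
    int hlen = ip_header_len(pkt, len);
    return hlen < 0 ? -1 : hlen - IP_HDR_MIN;
}

/* Checked copy: never writes more than dst_size bytes.  Returns bytes copied or -1. */
static int copy_ip_header(uint8_t *dst, size_t dst_size, const uint8_t *pkt, size_t len) {
    int hlen = ip_header_len(pkt, len);
    if (hlen < 0 || (size_t)hlen > dst_size) return -1;
    memcpy(dst, pkt, (size_t)hlen);
    return hlen;
}

/* Constructed reply: IHL = 15, so a 60-byte header carrying 40 bytes of options (zeros here). */
static const uint8_t reply_with_options[60] = { 0x4f, 0x00, 0x00, 0x3c };

/* Try the checked copy into a destination of the given size (at most IP_HDR_MAX). */
static int try_copy(size_t dst_size) {
    uint8_t dst[IP_HDR_MAX];
    if (dst_size > sizeof dst) return -1;
    return copy_ip_header(dst, dst_size, reply_with_options, sizeof reply_with_options);
}

int main(void) {
    printf("unchecked copy into a 20-byte struct would overflow by %d bytes\n",
           overflow_bytes(reply_with_options, sizeof reply_with_options));
    printf("checked copy into 20 bytes: %d, into 60 bytes: %d\n", try_copy(20), try_copy(60));
    return 0;
}
```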

Severity: Critical

Complexity: Low

CVSS Score: 8.8

Systems Impacted: All supported versions of FreeBSD

To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.
