Top Trending CVEs of October 2022

Happy Halloween! The October trending CVEs feature another out of bound write of vulnerability being exploited in the wild that impacts a broad range of Apple products. This is starting to feel like a trend with Apple having addressed three such vulnerabilities in as many months. We also cover an interesting SHA-3 vulnerability that has scary potential to impact a wide spectrum of applications – even in “memory safe” languages. Apache has released a patch for a critical unauthenticated remote command execution vulnerability that already has a dead simple public exploit. But, is it as dreadful as Log4Shell? As a last minute entry this month, VMware is dealing with a Cloud Foundation RCE bug that has exploit code released to the wild. Finally, we’ll preview what could be a bombshell similar to the likes of HeartBleed. 

Let’s get informed about what to be on the lookout for in this month’s trending CVEs.

1. CVE-2022-42827- Out of Bounds Write on iOS and iPadOS

Apple released a patch for a privilege escalation vulnerability that impacts a wide range of iOS and iPadOS products. The exact nature of the vulnerability is unclear, but an anonymous researcher reported the findings to Apple. Apple has not been forthcoming with details, but the vulnerability is reported as an out-of-bounds write that can result in an attacker controlling memory outside the bounds of application memory, which can lead to arbitrary code execution at the Kernel level. This means that a local attacker can craft a malicious executable that results in ‘root’ access to a vulnerable device. 

Exploit code has not yet been widely released, but it is available. Active exploitation of the flaw is being tracked and is on-going. Expect an uptick in publicly available exploits now that the patch has been released. 

Upgrade to iOS 15.7 or 16.0 and macOS 11.7 (Big Sur) or 12.6 (Monterey) or be very careful what you execute. 

Severity:  High

Complexity: Low

CVSS Score: N/A

Systems Impacted: iOS prior to 16.1, 15.7.1 and iPadOS prior to 16, 15.7.1

Read more: 

• https://support.apple.com/en-us/HT213489#:~:text=improved%20bounds%20checking.-,CVE%2D2022%2D42827,-%3A%20an%20anonymous%20researcher

2. CVE-2022-32917 – XKCP SHA-3 Buffer Overflow

SHA-3 is a hashing algorithm and the latest in the secure hashing algorithm family that also includes SHA-1 and SHA-2. The eXtended Keccak Code Package (XKCP) SHA-3 library was standardized by the Keccak team, who also maintains the official release. The vulnerability, tracked as CVE-2022-32917, is present due to a logical flaw in the comparison of caller provided values and smaller sized values. The issue was remediated in the functions DuplexingGetFurtherOutput, SpongeAbsorb, SpongeSqueeze, SpongePRG_Feed, Ketje_FeedAssociatedData, Ketje_WrapPlaintext, and Ketje_UnwrapCiphertext. 

Due to the logical flaw, it’s possible to overflow an integer buffer, resulting in an unstable state that results in flawed or invalid comparisons. Although specific attack payloads have yet to be released, the researcher (Nicky Mouha) provided a simple proof-of-concept in Python and PHP that results in a segmentation fault. The vulnerability traces back to code released in 2011, which is a significant amount of time for a hashing algorithm to find its way into hundreds if not thousands of projects.

I wouldn’t be surprised to see this vulnerability make an appearance in future trending CVEs. The implications of this flaw could be immense. The research indicated that exploitation could result in hash collisions, invalid signature verification, and even arbitrary command execution when hashing a specifically crafted payload. This is basically a supply chain issue that has been sitting in wait for more than a decade. It will be interesting to see what is ultimately impacted. The Keccak team has released an official fix for the issue. 

Severity:  Critical

Complexity: Low

CVSS Score: 9.8

Systems/Applications Impacted: Unknown

Read more: 

• https://github.com/XKCP/XKCP
• https://nvd.nist.gov/vuln/detail/CVE-2022-37454
• https://mouha.be/sha-3-buffer-overflow/

3. CVE-2022-34715 – Text4Shell

Text4Shell is a data validation flaw that impacts the Apache Common Text library. The Apache Common Text library is a Java library focused on algorithms for string processing, according to Apache’s documentation. Specifically, the vulnerability is attributed to a lack of sufficient input validation on the StringSubstitutor interpolator class. The default interpolations allow string lookups to be performed, but the flaw is specifically related to the “dns”, “url”, and “script” key values in the format “${key:value}”. The vulnerability can result in trivial remote command execution with a very simple payload, as shown below. 

Due to the simplicity of the attack, this vulnerability has drawn comparisons to Log4Shell, hence the snazzy name. However, it’s worth pointing out that use of user-controlled input within the StringSubstitutor class is exceedingly rare in production use-cases. It’s not to say that no systems will be vulnerable to Text4Shell, but that it will not be as pervasive as Log4Shell. 

Severity:  Critical

Complexity: Low

CVSS Score: 9.8

Systems Impacted: Apache Common Text versions 1.5 through 1.9, patched in 1.10

Read more: 

• https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html
• https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-42889
• https://commons.apache.org/proper/commons-text/download_text.cgi

4. CVE-2022-34718 – VMware Cloud Foundation RCE

VMware has released a critical security update for their Cloud Foundation platform to address a critical unauthenticated remote command execution vulnerability. VMware Cloud Foundation software defined services to run enterprise apps in public and private environments. The flaw is attributed to the use of XStream open-source library, which is a Java library used to serialize objects to XML and back again. A payload submitted to the stream process, when unmarshalled, results in the recreation of formerly written objects. An attacker can manipulate this XML input stream to inject objects, which can result in the execution of attacker defined commands. XStream has released a proof-of-concept payload to achieve remote command execution. Public extensions of this proof-of-concept are already being demoed online and will certainly mature. 

This is a low complexity attack that does not require authentication, as stated by VMware in the advisory: “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance.” That is about as bad as it gets; patch now.

Severity:  Critical

Complexity: Low

CVSS Score: 9.8

Systems Impacted: VMware Cloud Foundation (Cloud Foundation)

Read more: 

• https://x-stream.github.io/CVE-2021-39144.html
• https://kb.vmware.com/s/article/89809
• https://www.vmware.com/security/advisories/VMSA-2022-0027.html

5. November Preview: Critical Vulnerability in OpenSSL 3.0.x

You may recall a time in 2014 when the Heartbleed vulnerability was patched in OpenSSL and the public exploit along with it. As a security researcher, it was quite a day. Every major site was impacted. I can still recall dumping clear-text passwords from “yahoo.com” (like I said, it was 2014). This vulnerability was responsible for a change in the manner in which critical vulnerabilities were reported. OpenSSL currently provides about one week advance notice of any patches slated for release. At the tail end of October, OpenSSL informed the world that a patch for critical vulnerability will be made available on November 1st. It is not yet clear what the nature of the vulnerability is, but it will only impact 3.0.0-3.0.6. Now is the time to assess what in your environment will require an update. Check out our November edition of Trending CVEs to stay informed!

To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. As a leader in risk-based vulnerability management, our Unified VRM platform takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your environment. If you’d like to see what NopSec’s Unified VRM can do for your Vulnerability Management program, schedule a demo here.