Top Trending CVEs of September 2022
- Sep 27, 2022
- Shawn Evans
In this month’s edition of trending CVEs, we feature a blast from the past that provides an excellent example of how a forgotten unpatched flaw can lead to supply chain poisoning with our September 2022 Patch Now* recipient. Not to be left out, Microsoft and Apple released security patches to address critical remote command execution and privilege escalation vulnerabilities, some of which have public exploit code released in the wild. Let’s dig into some trending CVEs for September 2022:
A path traversal vulnerability in the “extract()” and “extractall()” functions of the “tarfile” package that ships with Python by default recently celebrated its 15th birthday. The Python maintainers acknowledged the vulnerability in August 2007 by way of documenting the security risk in the package documentation, but not actually patching it. Case closed. Cue the balloons. Fast forward 15 years and the use of the vulnerable functions has propagated to nearly 350k projects. Although there is no evidence (yet...) of active exploitation, the multi-year saga provides a very accurate illustration of the risks of software supply chain vulnerabilities.
With 350k potential targets and renewed interest in a fifteen-year-old vulnerability, I wouldn’t be surprised to see public exploits released into the wild. It’s not yet clear whether the Python maintainers will react positively to the research and release a formal patch, but as of now, unsanitized, user-controlled input passed to the vulnerable functions could result in fertile conditions for path traversal and ultimately remote command execution via arbitrary file writes.
CVSS Score: 6.8
Systems Impacted: All Python 2.x and 3.x versions.
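The traversal described above comes down to extractall() trusting whatever member names the archive carries. As an added example (not code from this post and not part of the Python project), the following pre-extraction check refuses an archive when any member, or any link target, would resolve outside the destination directory; it goes slightly beyond the paragraph by also covering symlink and hard-link members, which are the second route out of the directory. The archive it inspects is constructed in memory for the demonstration, and the destination path and all function names are hypothetical.

```python
import io
import os
import tarfile
import tempfile
from typing import List, Tuple


def build_sample_archive(include_escape: bool = True) -> bytes:
    """Constructed test data: an in-memory tar holding a benign member and,
    optionally, one whose name climbs out of the extraction directory."""
    members = [("docs/readme.txt", b"hello")]
    if include_escape:
        members.append(("../outside.txt", b"escaped"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _inside(dest_real: str, candidate: str) -> bool:
    """True if `candidate` resolves to a location at or below `dest_real`."""
    return os.path.commonpath([dest_real, os.path.realpath(candidate)]) == dest_real


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members that extractall() would write outside `dest`.

    Two escape routes are covered: a member name containing '..' (or an
    absolute path), and a link whose target points outside `dest`.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest_real, member.name)
        if not _inside(dest_real, target):
            bad.append(member.name)
            continue
        if member.issym():
            # symlink targets are relative to the link's own directory
            link = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            # hard-link targets are relative to the archive root
            link = os.path.join(dest_real, member.linkname)
        else:
            continue
        if not _inside(dest_real, link):
            bad.append(member.name)
    return bad


def audit_archive(archive_bytes: bytes, dest: str) -> List[str]:
    """Inspect an archive without writing anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return unsafe_members(tar, dest)


def extract_or_refuse(archive_bytes: bytes, dest: str) -> Tuple[str, List[str]]:
    """Replacement for a bare extractall(): refuse the whole archive if any
    member escapes, otherwise extract and report what was written."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            return ("refused", bad)
        tar.extractall(dest)
        return ("extracted", [m.name for m in tar.getmembers()])


def demo_benign() -> Tuple[str, List[str]]:
    """Extract the escape-free sample into a fresh temporary directory."""
    return extract_or_refuse(build_sample_archive(include_escape=False), tempfile.mkdtemp())


if __name__ == "__main__":
    print(audit_archive(build_sample_archive(), "/srv/unpack"))          # ['../outside.txt']
    print(extract_or_refuse(build_sample_archive(), "/srv/unpack")[0])   # refused
    print(demo_benign()[0])                                              # extracted
```

The audit step never touches the filesystem, so it can run on an upload before anything is unpacked and its result logged as a detection signal. Python 3.12 later added a `filter` argument to extract()/extractall() that performs this kind of sanitization; on the versions listed above, a check like this one is what stands between the archive and the filesystem.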
Apple had a busy month. Having addressed a remote command execution vulnerability in WebKit last month, they followed it up by releasing a patch for a privilege escalation vulnerability that impacts a wide range of products. The exact nature of the vulnerability is unclear, as Apple has not been forthcoming with details, but it appears to be an out-of-bounds write that can result in arbitrary code execution at the kernel level. This means that a local attacker can craft a malicious executable that results in ‘root’ access to a vulnerable device. Exploit code has not yet been widely released, but it is available. Active exploitation of the flaw has been tracked to the beginning of the year.
Given the wide range of products impacted by the issue, I’d bet the culprit is once again WebKit, but without additional details this is speculative. Upgrade to iOS 15.7 or 16.0 and macOS 11.7 (Big Sur) or 12.6 (Monterey) or be very careful what you execute.
CVSS Score: 7.8
Systems Impacted: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) running iOS 15.6.1 or earlier, and Macs running macOS Big Sur 11.7 and macOS Monterey 12.6.
Everyone in the security community eagerly anticipates Patch Tuesday, and Microsoft did not disappoint for September. Microsoft released security patches to address a remote command execution vulnerability that exists in the Windows Network File System (NFS). The flaw is attributed to a dynamically allocated buffer created by a vulnerable NFS function (Nfs4SrvAclBuildWindowsAclsFromNfsAcl). Without getting too deep into the weeds, Windows NFS contains a flaw in the processing of RPC request messages. A lack of bounds checking on ACL attribute data can result in a heap overflow when the ACL attribute value (ACE_count) exceeds the allocated buffer. Basically, the vulnerable NFS function allocates a buffer for “0xFFFF”, but the function accepts an “int32”, i.e. up to “0xFFFFFFFF”. An attacker able to craft an RPC request message with an ACE_count value greater than 0x8000000 can trigger the vulnerability. Successful exploitation would result in remote command execution with the privilege level of SYSTEM. The vulnerability is listed as remote and unauthenticated; however, known exploitation paths require file creation or modification privileges, which implies authenticated access in most environments.
This is a pretty serious vulnerability. It doesn’t get much juicier than remote, unauthenticated command execution with SYSTEM privileges. The published research is detailed. This vulnerability is almost certainly being exploited in the wild, but (so far) exploit code isn’t readily available, and it only affects NFSv4 on Windows Server 2022. If you are unable to apply the patch, disable NFSv4.1, though this could result in loss of functionality. Our advice: just apply the patch.
CVSS Score: 9.8
Systems Impacted: Windows Server 2022
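The NFS flaw above boils down to one missing comparison: the count a request message claims versus the capacity the receiver allocated. The following is an added illustration of that check, not Microsoft’s code and not the real NFSv4 ACL wire encoding. It defines a constructed, simplified ACL message (ACE_FORMAT, ACE_SIZE, MAX_ACES, encode_acl, parse_acl and classify are all hypothetical names) whose parser reads ace_count as an unsigned 32-bit value and rejects the message when the count exceeds the 0xFFFF capacity mentioned in the write-up, or when it claims more ACEs than the message actually carries.

```python
import struct
from typing import List, Optional, Tuple

# Constructed, simplified wire format (not the real NFSv4 ACL encoding):
#   uint32 ace_count, big-endian, followed by ace_count fixed-size ACEs.
ACE_FORMAT = ">IIH"                      # hypothetical ACE: type, flags, who-id
ACE_SIZE = struct.calcsize(ACE_FORMAT)   # 10 bytes per ACE
MAX_ACES = 0xFFFF                        # capacity of the fixed receive buffer (from the write-up)

Ace = Tuple[int, int, int]


def encode_acl(aces: List[Ace], claimed_count: Optional[int] = None) -> bytes:
    """Build a message. `claimed_count` lets a test state a count that does
    not match the ACEs actually present, which is what the parser must catch."""
    count = len(aces) if claimed_count is None else claimed_count
    body = b"".join(struct.pack(ACE_FORMAT, *ace) for ace in aces)
    return struct.pack(">I", count) + body


def parse_acl(msg: bytes) -> List[Ace]:
    """Hardened parser: validate the peer-controlled count before copying.

    The missing step described in the text is exactly this: a receiver that
    sizes its buffer for MAX_ACES entries but copies `ace_count` entries
    writes past the buffer as soon as ace_count exceeds MAX_ACES. Reading the
    count as unsigned (so 0x80000000 is a large number, not a negative one)
    and checking it against both the capacity and the bytes actually present
    closes the gap.
    """
    if len(msg) < 4:
        raise ValueError("message too short to carry ace_count")
    (ace_count,) = struct.unpack(">I", msg[:4])
    if ace_count > MAX_ACES:
        raise ValueError(f"ace_count {ace_count:#x} exceeds buffer capacity {MAX_ACES:#x}")
    needed = ace_count * ACE_SIZE
    available = len(msg) - 4
    if needed > available:
        raise ValueError(f"ace_count {ace_count} needs {needed} bytes, only {available} present")
    return [
        struct.unpack(ACE_FORMAT, msg[4 + i * ACE_SIZE: 4 + (i + 1) * ACE_SIZE])
        for i in range(ace_count)
    ]


def classify(msg: bytes) -> str:
    """'ok' or the rejection reason: the string a defender would log."""
    try:
        parse_acl(msg)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = encode_acl([(1, 0, 1000), (0, 4, 0)])
    print(classify(good))                                                  # ok
    print(classify(encode_acl([(1, 0, 1000)], claimed_count=0x80000001)))  # rejected: exceeds capacity
    print(classify(encode_acl([(1, 0, 1000)], claimed_count=3)))           # rejected: truncated
```

The two rejections are the ones a receiver must make before any allocation or copy: the count against the buffer it will use, and the count against the bytes it was actually handed. Logging the rejection reason gives a cheap detection signal for malformed requests arriving at an NFS service.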
CVE-2022-34718 is a remote command execution vulnerability in Windows TCP/IP. The good news is that this vulnerability can only be exploited against systems with IPv6 enabled and IKE and AuthIP IPsec Keying Modules running. Successful exploitation could grant an unauthenticated attacker remote code execution with SYSTEM privileges. Microsoft has released patches for all supported versions of Windows, including Server Core editions.
IPv6 is almost certainly enabled on systems within your domain. It’s been a default setting since Windows 8 and Windows Server 10 in 2013 and later. That leaves your corporate VPN servers as likely targets. As of publishing, there are no known exploits circulating and specific details have not been released. If you have a server operating IPsec, consider disabling IPv6 as a mitigation strategy until the formal patch can be applied.
CVSS Score: 9.8
Systems Impacted: Windows Server 2008, Windows Server 2012 R2, Windows Server 2012, Windows RT 8.1, Windows Server 2016, Windows Server 2022 Azure Edition Core Hotpatch, Windows Server 2022, Windows Server 2019, Windows 11, Windows 10 Versions 1607, 21H2, 21H1, and 1809, Windows 7, Windows 8.1
To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. As a leader in risk-based vulnerability management, our Unified VRM platform takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your environment. If you’d like to see what NopSec’s Unified VRM can do for your Vulnerability Management program, schedule a demo here.
*The Patch Now Award is a designation of the most critical vulnerability to make NopSec’s top trending CVEs post for a given month.