VULNERA Pulse

Fortinet — Multiple Products

CVE-2022-40684 / Added: Oct. 11, 2022

CRITICAL CVSS 9.80

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Headlines

• Nov. 29, 2022 - Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access
• Nov. 29, 2022 - Cyberattackers Selling Access to Networks Compromised via Recent Fortinet Flaw
• Nov. 29, 2022 - Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability
• Oct. 19, 2022 - Microsoft Office 365 Message Encryption (OME) doesn’t ensure confidentiality
• Oct. 17, 2022 - Fortinet Admits Many Devices Still Unprotected Against Exploited Vulnerability
• Oct. 14, 2022 - Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows
• Oct. 14, 2022 - PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin
• Oct. 14, 2022 - Experts released PoC exploit code for critical bug CVE-2022-40684 in Fortinet products
• Oct. 14, 2022 - PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks
• Oct. 12, 2022 - Fortinet warns that critical authentication bypass flaw has been exploited
• Oct. 12, 2022 - LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware
• Oct. 11, 2022 - Nasty vulnerability in Fortinet firewalls, proxies abused in real-world attacks
• Oct. 11, 2022 - Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684)
• Oct. 11, 2022 - Fortinet warns of critical flaw in its security appliance OSes, admin panels
• Oct. 11, 2022 - Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug
• Oct. 10, 2022 - Fortinet issues emergency patches for FortiOS, FortiProxy and FortiSwitchManager
• Oct. 10, 2022 - CVE-2022-40684 flaw in Fortinet products is being exploited in the wild
• Oct. 10, 2022 - Fortinet says critical auth bypass bug is exploited in attacks
• Oct. 10, 2022 - Fortinet issues emergency patch for authentication bypass
• Oct. 7, 2022 - Fortinet Warns of New Auth Bypass Flaw Affecting FortiGate and FortiProxy
• Oct. 7, 2022 - Patch Now: Fortinet FortiGate & FortiProxy Contain Critical Vuln
• Oct. 7, 2022 - Fortinet urges customers to immediately fix a critical authentication bypass flaw in FortiGate and FortiProxy
• Oct. 7, 2022 - Fortinet warns admins to patch critical auth bypass bug immediately

Back to top ↑

Microsoft — Windows COM+ Event System Service

CVE-2022-41033 / Added: Oct. 11, 2022

HIGH CVSS 7.80

Microsoft Windows COM+ Event System Service contains an unspecified vulnerability that allows for privilege escalation.

Headlines

• Oct. 14, 2022 - Microsoft Security Update: Windows 0Day Under Attack, Most Versions Vulnerable
• Oct. 13, 2022 - Consolidate and Unify to Accelerate Your Security Efforts
• Oct. 12, 2022 - Microsoft fixes two zero-day flaws in October 2022 Patch Tuesday
• Oct. 12, 2022 - October 2022 Patch Tuesday Updates Fix 85 Windows Vulnerabilities
• Oct. 12, 2022 - Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs
• Oct. 12, 2022 - October Patch Wednesday handles 13 critical vulnerabilities
• Oct. 11, 2022 - Microsoft Patch Tuesday, October 2022 Edition

Back to top ↑

CVE-2022-22658

MEDIUM CVSS 6.50

Actively Exploited Used In Ransomware

Published: Nov. 1, 2022

An input validation issue was addressed with improved input validation. This issue is fixed in iOS 16.0.3. Processing a maliciously crafted email message may lead to a denial-of-service.

Quotes

• Processing a maliciously crafted email message may lead to a denial-of-service - Graham Cluley
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - Theregister.com
• Bug fixes and important security updates - Forbes
• Pretty far down the list - Forbes - Cybersecurity
• This update provides bug fixes and important security updates for your iPhone including the following - ZDNet

Headlines

• Oct. 12, 2022 - Patch your iPhone now against mystery Mail crash bug
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Apple iOS 16.0.3 Release: Should You Upgrade?
• Oct. 11, 2022 - iOS 16.0.3—What To Know About Apple’s New iPhone Upgrade
• Oct. 11, 2022 - Apple iOS 16.0.3 arrives with bug fixes for iPhone 14

CVE-2022-40684

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Used In Ransomware Public Exploits Available

Published: Oct. 18, 2022

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Vendor Impacted: Fortinet

Products Impacted: Fortiproxy, Fortios, Multiple Products, Fortiswitchmanager

Quotes

• They are compromising these systems to create a super_admin user which provides them with complete access and control - Dark Reading
• Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place - SecurityWeek
• An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests - Security Affairs
• FortiOS exposes a management web portal that allows a user to configure the system - The Hacker News
• An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures - BleepingComputer
• Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs - ZDNet
• An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests - TechRadar
• Is aware of an instance where this vulnerability was exploited - Help Net Security
• Really simple to exploit and easy to weaponize - SecurityWeek
• An unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests - The Register - Security
• Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,' - The Hacker News
• Multiple improper neutralisation of special elements used in an OS Command ... in console, telnet, and SSH login components of FortiTester may allow an unauthenticated remote attacker to execute arbitrary command in the underlying shell - iTnews - Security
• An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests - BleepingComputer
• Fortinet is providing an advanced notification of a critical severity authentication bypass using an alternate path or channel [CWE-88] in specific versions of FortiOS and FortiProxy that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests - SecurityWeek
• Fortinet is providing an advanced notification of a critical severity authentication bypass using an alternate path or channel ... in specific versions of FortiOS and FortiProxy that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests - iTnews - Security

Headlines

• Oct. 14, 2022 - Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows
• Oct. 14, 2022 - PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin
• Oct. 14, 2022 - Experts released PoC exploit code for critical bug CVE-2022-40684 in Fortinet products
• Oct. 14, 2022 - PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks
• Oct. 13, 2022 - Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass
• Oct. 13, 2022 - Exploit available for critical Fortinet auth bypass bug, patch now
• Oct. 12, 2022 - Fortinet warns that critical authentication bypass flaw has been exploited
• Oct. 11, 2022 - Nasty vulnerability in Fortinet firewalls, proxies abused in real-world attacks
• Oct. 11, 2022 - Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684)
• Oct. 11, 2022 - Fortinet Confirms Zero-Day Vulnerability Exploited in One Attack
• Oct. 11, 2022 - Fortinet warns of critical flaw in its security appliance OSes, admin panels
• Oct. 11, 2022 - Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug
• Oct. 11, 2022 - Fortinet serves up six more fixes
• Oct. 10, 2022 - Fortinet issues emergency patches for FortiOS, FortiProxy and FortiSwitchManager
• Oct. 10, 2022 - CVE-2022-40684 flaw in Fortinet products is being exploited in the wild
• Oct. 10, 2022 - Fortinet says critical auth bypass bug is exploited in attacks
• Oct. 10, 2022 - Fortinet Customers Told to Urgently Patch Remotely Exploitable Vulnerability
• Oct. 10, 2022 - Fortinet issues emergency patch for authentication bypass

CVE-2022-41043

MEDIUM CVSS 5.30

Risk Context N/A

Published: Oct. 11, 2022

Microsoft Office Information Disclosure Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Office, Office Long Term Servicing Channel

Quotes

• Successfully exploited this vulnerability could gain SYSTEM privileges - TechSpot
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges - The Hacker News
• Impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits - Cyber Security Advisories - MS-ISAC
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - The Register - Security
• If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately - Dark Reading

Headlines

• Oct. 12, 2022 - Microsoft fixes two zero-day flaws in October 2022 Patch Tuesday
• Oct. 12, 2022 - Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs
• Oct. 12, 2022 - Critical Patches Issued for Microsoft Products, October 11, 2022
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
• Oct. 11, 2022 - You can’t always get what you want on Patch Tuesday
• Oct. 11, 2022 - Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

CVE-2022-41033

HIGH CVSS 7.80

CISA Known Exploited Actively Exploited

Published: Oct. 11, 2022

Windows COM+ Event System Service Elevation of Privilege Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Windows Rt 8.1, Windows 8.1, Windows 7, Windows Server 2012, Windows Server 2022, Windows Com+ Event System Service, Windows 11, Windows 10, Windows Server 2016, Windows Server 2019, Windows Server 2008

Quotes

• The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready - Computerworld
• All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable - Forbes
• Successfully exploited this vulnerability could gain SYSTEM privileges - TechSpot
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information - Security Affairs
• Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs - ZDNet
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges - The Hacker News
• Impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits - Cyber Security Advisories - MS-ISAC
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - Theregister.com
• Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone's list to quickly patch - Krebs on Security
• If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately - Dark Reading

Headlines

• Oct. 14, 2022 - Zero-days flaws mean it's time to patch Exchange and Windows
• Oct. 14, 2022 - Zero-day flaws mean it's time to patch Exchange and Windows
• Oct. 14, 2022 - Microsoft Security Update: Windows 0Day Under Attack, Most Versions Vulnerable
• Oct. 12, 2022 - Microsoft fixes two zero-day flaws in October 2022 Patch Tuesday
• Oct. 12, 2022 - Microsoft Patch Tuesday for October 2022 doesn’t fix Exchange Server flaws
• Oct. 12, 2022 - Fortinet warns that critical authentication bypass flaw has been exploited
• Oct. 12, 2022 - Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs
• Oct. 12, 2022 - Critical Patches Issued for Microsoft Products, October 11, 2022
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Microsoft Patch Tuesday, October 2022 Edition
• Oct. 11, 2022 - Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
• Oct. 11, 2022 - Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws
• Oct. 11, 2022 - You can’t always get what you want on Patch Tuesday
• Oct. 11, 2022 - Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

CVE-2022-37976

HIGH CVSS 8.80

Risk Context N/A

Published: Oct. 11, 2022

Active Directory Certificate Services Elevation of Privilege Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2022, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows Server 2008

Quotes

• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges - The Hacker News
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - Theregister.com

Headlines

• Oct. 12, 2022 - Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Microsoft Patch Tuesday for October 2022 — Snort rules and prominent vulnerabilities

CVE-2022-37968

CRITICAL CVSS 10.00

Risk Context N/A

Published: Oct. 11, 2022

Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Azure Arc-Enabled Kubernetes, Azure Stack Edge

Quotes

• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed. This adds the Exchange Emergency Mitigation service. This automatically installs available mitigations and sends diagnostic data to Microsoft. Otherwise, follow this post from Microsoft with the latest information - Security Affairs
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges - The Hacker News
• It's unclear why Microsoft assigned such a high score, given that an attacker would need to know the randomly generated external DNS [domain name system] endpoint for an Azure Arc-enabled Kubernetes cluster, arguably making the attack complexity high - iTnews - Security
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - The Register - Security
• Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone's list to quickly patch - Krebs on Security
• If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately - Dark Reading

Headlines

• Oct. 12, 2022 - Microsoft Patch Tuesday for October 2022 doesn’t fix Exchange Server flaws
• Oct. 12, 2022 - Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs
• Oct. 12, 2022 - October Patch Wednesday handles 13 critical vulnerabilities
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Microsoft Patch Tuesday, October 2022 Edition
• Oct. 11, 2022 - Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
• Oct. 11, 2022 - Microsoft Patch Tuesday for October 2022 — Snort rules and prominent vulnerabilities

CVE-2022-41082

HIGH CVSS 8.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Oct. 3, 2022

Microsoft Exchange Server Remote Code Execution Vulnerability.

Vendor Impacted: Microsoft

Product Impacted: Exchange Server

Quotes

• The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready - Computerworld Security
• All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable - Forbes - Cybersecurity
• With regards to the RSS feed, we have received feedback from some of our customers that an RSS feed on the Security Update Guide (SUG) would be greatly appreciated - BleepingComputer
• Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969), the privilege escalation vulnerability was disclosed in February 2022, and the most recent vulnerability was on June 27. Information Disclosure Vulnerability vulnerability. That is, among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation - Security Affairs
• Impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits - Cyber Security Advisories - MS-ISAC
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - Theregister.com
• If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately - Dark Reading
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges - BleepingComputer
• Among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation - BleepingComputer
• API Protection Report: Shadow APIs and API Abuse Explode - Help Net Security

Headlines

• Oct. 14, 2022 - Zero-day flaws mean it's time to patch Exchange and Windows
• Oct. 14, 2022 - Zero-days flaws mean it's time to patch Exchange and Windows
• Oct. 14, 2022 - Microsoft Security: Windows 0Day Under Attack, Most Versions Vulnerable—Update Now
• Oct. 12, 2022 - Microsoft adds new RSS feed for security update notifications
• Oct. 12, 2022 - LockBit Ransomware Deployed via Windows Exchange Server Hack - MUO - MakeUseOf
• Oct. 12, 2022 - LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware
• Oct. 12, 2022 - Critical Patches Issued for Microsoft Products, October 11, 2022
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
• Oct. 11, 2022 - Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws
• Oct. 11, 2022 - You can’t always get what you want on Patch Tuesday
• Oct. 11, 2022 - Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws
• Oct. 11, 2022 - Microsoft Exchange servers hacked to deploy LockBit ransomware
• Oct. 9, 2022 - Week in review: 7 cybersecurity audiobooks to read, Patch Tuesday forecast
• Oct. 8, 2022 - Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities

CVE-2022-41040

HIGH CVSS 8.80

CISA Known Exploited Actively Exploited Used In Ransomware Public Exploits Available

Published: Oct. 3, 2022

Microsoft Exchange Server Elevation of Privilege Vulnerability.

Vendor Impacted: Microsoft

Product Impacted: Exchange Server

Quotes

• The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready - Computerworld Security
• All versions of Windows, starting with Windows 7 and Windows Server 2008, are vulnerable - Forbes
• With regards to the RSS feed, we have received feedback from some of our customers that an RSS feed on the Security Update Guide (SUG) would be greatly appreciated - BleepingComputer
• This patch fixes a security vulnerability that Microsoft stated is under active attack. However, it is not clear how severe these attacks are - infosecurity-magazine.com
• Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969), the privilege escalation vulnerability was disclosed in February 2022, and the most recent vulnerability was on June 27. Information Disclosure Vulnerability vulnerability. That is, among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation - Security Affairs
• Impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits - Cyber Security Advisories - MS-ISAC
• With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed - Theregister.com
• If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately - Dark Reading
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges - BleepingComputer
• Among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation - BleepingComputer
• API Protection Report: Shadow APIs and API Abuse Explode - Help Net Security

Headlines

• Oct. 14, 2022 - Zero-day flaws mean it's time to patch Exchange and Windows
• Oct. 14, 2022 - Zero-days flaws mean it's time to patch Exchange and Windows
• Oct. 14, 2022 - Microsoft Security Update: Windows 0Day Under Attack, Most Versions Vulnerable
• Oct. 12, 2022 - Microsoft adds new RSS feed for security update notifications
• Oct. 12, 2022 - Microsoft October 2022 Patch Tuesday Fixes 84 Flaws, Including Zero-Day
• Oct. 12, 2022 - LockBit Ransomware Deployed via Windows Exchange Server Hack - MUO - MakeUseOf
• Oct. 12, 2022 - LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware
• Oct. 12, 2022 - Critical Patches Issued for Microsoft Products, October 11, 2022
• Oct. 11, 2022 - It’s Patch Tuesday and still no fix for ProxyNotShell Microsoft Exchange holes
• Oct. 11, 2022 - Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched
• Oct. 11, 2022 - Microsoft Warns of New Zero-Day; No Fix Yet for Exploited Exchange Server Flaws
• Oct. 11, 2022 - You can’t always get what you want on Patch Tuesday
• Oct. 11, 2022 - Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws
• Oct. 11, 2022 - Microsoft Exchange servers hacked to deploy LockBit ransomware
• Oct. 9, 2022 - Week in review: 7 cybersecurity audiobooks to read, Patch Tuesday forecast
• Oct. 8, 2022 - Microsoft Issues Improved Mitigations for Unpatched Exchange Server Vulnerabilities

CVE-2022-41352

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited

Published: Sept. 26, 2022

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio.

Vendor Impacted: Zimbra

Products Impacted: Collaboration, Collaboration (Zcs)

Quotes

• The vulnerability is due to the method (cpio) in which Zimbra's antivirus engine (Amavis) scans inbound emails - Dark Reading
• Arises from unsafe usage of the cpio utility, specifically from Zimbra's antivirus engine's (Amavis) use of the vulnerable cpio utility to scan inbound emails - The Daily Swig | Cybersecurity news and views
• When Amavis inspects it for malware, it uses Cpio to extract the file. Since Cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access - SecurityWeek
• CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation - Security Affairs

Headlines

• Oct. 13, 2022 - CVE-2022-41352 — vulnerability in Zimbra | Kaspersky official blog
• Oct. 13, 2022 - Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)
• Oct. 10, 2022 - Zimbra RCE Bug Under Active Attack
• Oct. 10, 2022 - Zimbra remote code execution vulnerability actively exploited in the wild
• Oct. 10, 2022 - Critical Zimbra RCE Vulnerability Exploited in Attacks
• Oct. 8, 2022 - Unpatched remote code execution flaw in Zimbra Collaboration Suite actively exploited
• Oct. 8, 2022 - Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

CVE-2021-4034

HIGH CVSS 7.80

CISA Known Exploited Actively Exploited Public Exploits Available

Published: Jan. 28, 2022

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

Vendors Impacted: Oracle, Redhat, Red Hat, Canonical, Starwindsoftware, Suse

Products Impacted: Command Center, Linux Enterprise High Performance Co, Starwind Virtual San, Zfs Storage Appliance Kit, Enterprise Linux For Power Big Endia, Enterprise Linux Server, Manager Proxy, Enterprise Linux, Enterprise Linux For Ibm Z Systems, Linux Enterprise Server, Enterprise Linux Desktop, Http Server, Enterprise Linux Workstation, Enterprise Linux Server Tus, Starwind Hyperconverged Appliance, Ubuntu Linux, Enterprise Linux Server Aus, Manager Server, Linux Enterprise Desktop, Enterprise Linux Server Eus, Enterprise Storage, Enterprise Linux For Ibm Z Systems E, Enterprise Linux For Scientific Comp, Enterprise Linux For Power Little En, Enterprise Linux Eus, Enterprise Linux Server Update Servi, Polkit, Linux Enterprise Workstation Extensi

Quotes

• They both have been designed and implemented to operate as standalone GoLang-based executables that can be distributed with relative ease to operators. The frameworks inside carry the implants and the whole web user interface. The implant configuration is defined using the Web UI (Web User Interface), which in both cases is completely written in Simplified Chinese - SecurityWeek
• Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor - Dark Reading
• Our discovery of Alchimist is yet another indication that threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations - Csoonline.com
• However, Manjusaka and Alchimist have virtually the same set of features. They both have been designed and implemented to operate as standalone GoLang-based executables that can be distributed with relative ease to operators. The frameworks inside carry the implants and the whole web user interface - Security Affairs
• Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands - The Hacker News
• The Linux variant of Insekt also has the functionality to list the contents of - BleepingComputer

Headlines

• Oct. 14, 2022 - New 'Alchimist' Attack Framework Targets Windows, Linux, macOS
• Oct. 13, 2022 - Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments
• Oct. 13, 2022 - New Chinese attack framework Alchimist serves Windows, Linux, and macOS implants
• Oct. 13, 2022 - The discovery of Alchimist C2 tool, revealed a new attack framework to target Windows, macOS, and Linux systems
• Oct. 13, 2022 - New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems
• Oct. 13, 2022 - Alchimist: A new attack framework in Chinese for Mac, Linux and Windows
• Oct. 13, 2022 - New Alchimist attack framework targets Windows, macOS, Linux