VULNERA Pulse

Plex — Media Server

CVE-2020-5741 / Added: March 10, 2023

HIGH CVSS 7.20

Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.

Headlines

• March 7, 2023 - LastPass hack caused by an unpatched Plex software on an employee’s PC
• March 7, 2023 - LastPass Hack: Engineer's Failure to Update Plex Software Led to Massive Data Breach

Back to top ↑

XStream — XStream

CVE-2021-39144 / Added: March 10, 2023

HIGH CVSS 8.50

XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects, that result in execution of a local command on the server. This vulnerability can affect multiple products including but not limited to VMware Cloud Foundation.

Headlines

• March 10, 2023 - Stolen credentials increasingly empower the cybercrime underground
• March 8, 2023 - VMware NSX Manager bugs actively exploited in the wild since December
• March 8, 2023 - CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
• March 7, 2023 - Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing
• Oct. 31, 2022 - VMware warns of the public availability of CVE-2021-39144 exploit code
• Oct. 31, 2022 - Apple patches actively exploited iPhone, iPad kernel vulns
• Oct. 26, 2022 - VMware Patches Critical Vulnerability in End-of-Life Product

Back to top ↑

Apache — Spark

CVE-2022-33891 / Added: March 7, 2023

HIGH CVSS 8.80

Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.

Headlines

• March 9, 2023 - Dozens of Exploited Vulnerabilities Missing From CISA 'Must Patch' List
• March 8, 2023 - CISA adds three new bugs to Known Exploited Vulnerabilities Catalog
• Dec. 22, 2022 - A new Zerobot variant spreads by exploiting Apache flaws
• Dec. 22, 2022 - Zerobot IoT Botnet Adds More Exploits, DDoS Capabilities | SecurityWeek.Com

Back to top ↑

Teclib — GLPI

CVE-2022-35914 / Added: March 7, 2023

CRITICAL CVSS 9.80

Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.

Headlines

• March 9, 2023 - Dozens of Exploited Vulnerabilities Missing From CISA 'Must Patch' List
• March 8, 2023 - CISA adds three new bugs to Known Exploited Vulnerabilities Catalog
• March 8, 2023 - CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

Back to top ↑

Zoho — ManageEngine

CVE-2022-28810 / Added: March 7, 2023

MEDIUM CVSS 6.80

Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset.

Headlines

• March 9, 2023 - Dozens of Exploited Vulnerabilities Missing From CISA 'Must Patch' List
• March 8, 2023 - CISA adds three new bugs to Known Exploited Vulnerabilities Catalog
• Nov. 16, 2022 - State-Backed APT Group Activity Continuing Apace

Back to top ↑

CVE-2022-47986

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 17, 2023

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

Vendors Impacted: Microsoft, Ibm, Linux

Products Impacted: Linux Kernel, Aspera Faspex, Windows

Quotes

• The operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their focus to include Linux
• In comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale
• During our analysis, the user profile directory at /home/[user_name]/ saw the most encryption activity. IceFire targets user and shared directories (e.g., /mnt, /media, /share) for encryption; these are unprotected parts of the file system that do not require elevated privileges to write or modify
• This strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems
• In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale. Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective

Headlines

• March 10, 2023 - IceFire Ransomware Targets Linux Enterprise Networks
• March 9, 2023 - IceFire Ransomware Portends a Broader Shift From Windows to Linux
• March 9, 2023 - Recently discovered IceFire Ransomware now also targets Linux systems
• March 9, 2023 - IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks
• March 9, 2023 - IceFire ransomware now encrypts both Linux and Windows systems

CVE-2023-21716

CRITICAL CVSS 9.80

Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 14, 2023

Microsoft Word Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Office, Sharepoint Server, Office Long Term Servicing Channel, Office Web Apps, Sharepoint Enterprise Server, Sharepoint Foundation, Word, Office Online Server

Quotes

• An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file
• When dealing with a font table containing an excessive number of fonts
• When dealing with a font table (*\fonttbl*) containing an excessive number of fonts (*\f###*)
• Microsoft Office 2010 and later use Protected View to limit damage caused by malicious documents procured from untrusted sources. Protected View is in effect when this vulnerability manifests and thus an additional sandbox escape vulnerability would be required to gain full privileges

Headlines

• March 7, 2023 - Expert released PoC exploit code for critical Microsoft Word RCE flaw
• March 7, 2023 - This malicious Word doc doesn't even have to be opened to infect your PC
• March 6, 2023 - Proof-of-Concept released for critical Microsoft Word RCE bug
• March 6, 2023 - PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716) - Help Net Security

CVE-2022-35914

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Public Exploits Available

Published: Sept. 19, 2022

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Vendor Impacted: Teclib

Product Impacted: Glpi

Quotes

• ​​The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry. Still, as long as it’s missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities
• Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset

Headlines

• March 9, 2023 - Dozens of Exploited Vulnerabilities Missing From CISA 'Must Patch' List
• March 8, 2023 - CISA adds three new bugs to Known Exploited Vulnerabilities Catalog
• March 8, 2023 - CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

CVE-2021-39144

HIGH CVSS 8.50

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 23, 2021

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Vendors Impacted: Debian, Oracle, Fedoraproject, Netapp, Xstream

Products Impacted: Webcenter Portal, Communications Billing And Revenue M, Communications Unified Inventory Man, Communications Cloud Native Core Pol, Retail Xstore Point Of Service, Business Activity Monitoring, Communications Cloud Native Core Aut, Snapmanager, Commerce Guided Search, Fedora, Xstream, Debian Linux, Communications Cloud Native Core Bin, Utilities Framework, Utilities Testing Accelerator

Quotes

• Last year, 4,518 data breaches were reported
• Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance
• Multiple Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset

Headlines

• March 10, 2023 - Stolen credentials increasingly empower the cybercrime underground
• March 8, 2023 - VMware NSX Manager bugs actively exploited in the wild since December
• March 8, 2023 - CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
• March 7, 2023 - Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing

CVE-2023-1017

HIGH CVSS 7.80

Risk Context N/A

Published: Feb. 28, 2023

An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.

Vendor Impacted: Trustedcomputinggroup

Product Impacted: Trusted Platform Module

Quotes

• Oh, March the 6th, that’s my birthday. Did you know it’s also Michelangelo’s birthday
• An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities

Headlines

• March 9, 2023 - S3 Ep125: When security hardware has security holes [Audio + Text]
• March 7, 2023 - Serious Security: TPM 2.0 vulns – is your super-secure data at risk?
• March 6, 2023 - This new TPM 2.0 security flaw could spell big trouble for "billions" of devices
• March 4, 2023 - New TPM 2.0 flaws could let hackers steal cryptographic keys

CVE-2023-1018

MEDIUM CVSS 5.50

Risk Context N/A

Published: Feb. 28, 2023

An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can read or access sensitive data stored in the TPM.

Vendor Impacted: Trustedcomputinggroup

Product Impacted: Trusted Platform Module

Quotes

• Oh, March the 6th, that’s my birthday. Did you know it’s also Michelangelo’s birthday
• An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities

Headlines

• March 9, 2023 - S3 Ep125: When security hardware has security holes [Audio + Text]
• March 7, 2023 - Serious Security: TPM 2.0 vulns – is your super-secure data at risk?
• March 6, 2023 - This new TPM 2.0 security flaw could spell big trouble for "billions" of devices
• March 4, 2023 - New TPM 2.0 flaws could let hackers steal cryptographic keys