VULNERA Pulse

CVE-2023-23397

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: March 14, 2023

Microsoft Outlook Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Outlook, Office, 365 Apps

Quotes

• I fail to see how that’s my problem
• People Matter: A look back on how Cisco Talos has been supporting Ukraine
• We anticipate that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year
• Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6)
• Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster
• One stop shop for blue and purple teams

Headlines

• March 23, 2023 - Threat Source newsletter (March 23, 2023) — Meta is threatening to ban news sharing in Canada. Good.
• March 23, 2023 - Fighting the Good Fight: Life inside the Talos Ukraine Task Unit
• March 22, 2023 - Emotet Resumes Spam Operations, Switches to OneNote
• March 22, 2023 - 55 zero-day flaws exploited last year show the importance of security risk management
• March 21, 2023 - 2022 Zero-Day exploitation continues at a worrisome pace
• March 21, 2023 - From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022
• March 19, 2023 - Week in review: Kali Linux gets Purple, Microsoft zero-days get patched

CVE-2022-42475

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 2, 2023

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Vendor Impacted: Fortinet

Products Impacted: Fortigate-6601f-Dc, Fpm-7620f, Fortios, Fpm-7630e, Fortigate-7030e, Fim-7904e, Fortigate-6500f-Dc, Fim-7920e, Fortigate-7060e, Fortigate-7040e, Fortigate-7121f, Fim-7910e, Fim-7941f, Fortigate-6601f, Fim-7921f, Fim-7901e, Fortigate-6500f, Fpm-7620e, Fortigate-6300f-Dc, Fortiproxy, Fortigate-6501f, Fortigate-6300f, Fortigate-6501f-Dc

Quotes

• We anticipate that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year
• That's definitely an element that we assess is a focus of Chinese threat groups right now
• Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6)
• Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives
• Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster

Headlines

• March 22, 2023 - 55 zero-day flaws exploited last year show the importance of security risk management
• March 22, 2023 - Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products
• March 21, 2023 - 2022 Zero-Day exploitation continues at a worrisome pace
• March 21, 2023 - Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
• March 21, 2023 - From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

CVE-2022-37337

CRITICAL CVSS 9.10

Risk Context N/A

Published: March 21, 2023

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Quotes

• The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specified device when attempting to access the network
• Meaning they'd need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful
• A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5

Headlines

• March 23, 2023 - Netgear Orbi routers have some troubling security issues, so patch now
• March 22, 2023 - Cisco reveals PoC attacks for flaws in rival Netgear's kit
• March 22, 2023 - Experts released PoC exploits for severe flaws in Netgear Orbi routers
• March 22, 2023 - PoC exploits released for Netgear Orbi router vulnerabilities
• March 21, 2023 - Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

CVE-2022-30190

HIGH CVSS 7.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: June 1, 2022

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Windows 7, Windows 10, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Rt 8.1, Windows, Windows 11, Windows Server 2022

Quotes

• We anticipate that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year
• That's definitely an element that we assess is a focus of Chinese threat groups right now
• Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6)
• Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives
• Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster

Headlines

• March 22, 2023 - 55 zero-day flaws exploited last year show the importance of security risk management
• March 22, 2023 - Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products
• March 21, 2023 - 2022 Zero-Day exploitation continues at a worrisome pace
• March 21, 2023 - Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
• March 21, 2023 - From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

CVE-2023-27532

HIGH CVSS 7.50

Remote Code Execution Public Exploits Available

Published: March 10, 2023

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.

Vendor Impacted: Veeam

Product Impacted: Backup \& Replication

Quotes

• CVE-2023-27532 allows an unauthenticated user with access to the Veeam backup service to request cleartext credentials. We have examined the vulnerable port, reverse engineered the Veeam Backup Service, and constructed a WCF client using .NET core
• Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database
• We have developed patches for V11 and V12 to mitigate this vulnerability and we recommend you update your installations immediately

Headlines

• March 24, 2023 - PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
• March 23, 2023 - Experts published PoC exploit code for Veeam Backup & Replication bug
• March 23, 2023 - Exploit released for Veeam bug allowing cleartext credential theft

CVE-2023-0669

HIGH CVSS 7.20

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Feb. 6, 2023

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

Vendor Impacted: Fortra

Products Impacted: Goanywhere Mft, Goanywhere Managed File Transfer

Quotes

• P&G can confirm that it was one of the many companies affected by Fortra's GoAnywhere incident. As part of this incident, an unauthorized third party obtained some information about P&G employees
• On March 20, the City became aware of potential unauthorized access to City data
• Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks
• Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack

Headlines

• March 24, 2023 - Procter & Gamble confirms data theft via GoAnywhere zero-day
• March 23, 2023 - City of Toronto confirms data theft, Clop claims responsibility
• March 22, 2023 - Saks Fifth Avenue becomes latest Clop ransomware victim
• March 21, 2023 - Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen
• March 20, 2023 - Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm

CVE-2022-38452

HIGH CVSS 7.20

Risk Context N/A

Published: March 21, 2023

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

Quotes

• Meaning they'd need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful
• A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5

Headlines

• March 22, 2023 - Cisco reveals PoC attacks for flaws in rival Netgear's kit
• March 22, 2023 - Experts released PoC exploits for severe flaws in Netgear Orbi routers
• March 22, 2023 - PoC exploits released for Netgear Orbi router vulnerabilities
• March 21, 2023 - Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

CVE-2022-36429

HIGH CVSS 7.20

Risk Context N/A

Published: March 21, 2023

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

Quotes

• Meaning they'd need to access an unprotected network or the login credentials of a password-protected network, for this attack to be successful
• A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5

Headlines

• March 22, 2023 - Cisco reveals PoC attacks for flaws in rival Netgear's kit
• March 22, 2023 - Experts released PoC exploits for severe flaws in Netgear Orbi routers
• March 22, 2023 - PoC exploits released for Netgear Orbi router vulnerabilities
• March 21, 2023 - Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

CVE-2022-41328

HIGH CVSS 7.10

CISA Known Exploited Actively Exploited

Published: March 7, 2023

A improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.

Vendor Impacted: Fortinet

Product Impacted: Fortios

Quotes

• We anticipate that the longer term trendline for zero-day exploitation will continue to rise, with some fluctuation from year to year
• That's definitely an element that we assess is a focus of Chinese threat groups right now
• Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6)
• Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives
• Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster
• UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns

Headlines

• March 22, 2023 - 55 zero-day flaws exploited last year show the importance of security risk management
• March 22, 2023 - Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products
• March 21, 2023 - 2022 Zero-Day exploitation continues at a worrisome pace
• March 21, 2023 - Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
• March 21, 2023 - From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022
• March 18, 2023 - Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack