Advisories and Alerts

Latest Advisory ~ September 30, 2022

Microsoft Exchange Zero-day Vulnerabilities
Risk: HIGH
Severity: HIGH 

WTS is bringing attention to multiple emerging Microsoft Exchange zero-day vulnerabilities which have been confirmed as being exploited. The zero-days currently have no proof of concept available and have not been assigned any CVE numbers as of yet. The SOC team will be closely monitoring the situation until a patch is available and will send out new information as it becomes available. These vulnerabilities have been reported to Microsoft and are currently tracked under ZDI-CAN18333 and ZDI-CAN18802.


Apple Zero-day Vulnerability ~ September 15, 2022

Apple Zero-day Vulnerability

Risk: MEDIUM
Severity: HIGH 

WTS is strongly recommending that all users of any Apple products take immediate action to implement the required patches or mitigations to address the following vulnerability, which is currently being tracked as actively exploited.

Vendor: Apple

Kernel vulnerability zero-day (CVE-2022-32917) (CVSS TBD)

Description:
An out-of-bounds write vulnerability in the operating system's Kernel. The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

Attack Vector:
A malicious application may be able to execute arbitrary code with kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it. Apple is aware of a report that this issue may have been actively exploited.

Severity: High

Versions Affected:
- Macs running macOS Monterey and Big Sur
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

References:
https://www.itechpost.com/articles/113769/20220912/apple-releases-patch-cve-2022-32917-exploit-affecting-iphones-macs.htm
https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/
https://support.apple.com/en-us/HT201222

Mitigations:
- macOS Big Sur 11.7
- macOS Monterey 12.6
- iPadOS 15.7
- iOS 15.7
- iOS 16
https://support.apple.com/en-us/HT201222

Microsoft Teams Storing Unencrypted Authentication Tokens ~ September 14, 2022

Microsoft Teams Storing Unencrypted Authentication Tokens

Vendor: Microsoft

Description:
A security misconfiguration has been discovered in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim's account. The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac. 

Versions Affected:
Microsoft Teams Desktop Application (Version 1.5.00.21668 or lower)

References:
- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/

Mitigations:
While there are no patches yet available, one option to reduce your exposure is to use Microsoft Teams in a secure and updated web browser, such as Google Chrome, rather than the desktop app.

Linux Kernel Vulnerabilities ~ September 9, 2022

Linux Kernel Vulnerabilities

Risk: MEDIUM
Severity: HIGH

WTS is strongly recommending that administrators of any Linux distributions take immediate action to implement the available patches to address the following vulnerabilities. CVE-2021-4154 is older and may have already been patched, but it was seen used in a proof of concept, so we are raising attention to it.

Vendor: Google Chrome

Use-After-Free Flaw (CVE-2021-4154) (CVSS 8.8)

Description:
A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel’s cgroup v1 parser.

Attack Vector:
A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.

Use-After-Free Flaw (CVE-2022-2588) (CVSS 7.8)

Description:
A use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. It was discovered that the cls_route filter implementation would not remove an old filter from the hashtable before freeing it if its handle had the value 0.

Attack Vector:
This flaw allows a local user to crash the system and possibly lead to a local privilege escalation problem.

Versions Affected:
- Multiple Linux distributions
- See references below for specific releases

References:
https://www.suse.com/security/cve/CVE-2022-2588.html

https://www.suse.com/security/cve/CVE-2021-4154.html

https://access.redhat.com/security/cve/cve-2022-2588

https://access.redhat.com/security/cve/cve-2021-4154

https://ubuntu.com/security/CVE-2022-2588

https://ubuntu.com/security/CVE-2021-4154

https://security-tracker.debian.org/tracker/CVE-2022-2588

https://security-tracker.debian.org/tracker/CVE-2021-4154

https://www.rezilion.com/blog/dirty-cred-what-you-need-to-know

Mitigations:
- Install available updates for your distribution
- Some updates are not yet available. See the above reference links for availability of patches.

Google Chrome Zero-day Vulnerability ~ August 18, 2022

Google Chrome Zero-day Vulnerability

Risk: MEDIUM
Severity: HIGH 

WTS is strongly recommending that all users of Google Chrome take immediate action to implement the required patches or mitigations to address the following vulnerabilities.

Vendor: Google Chrome

Insufficient validation of untrusted input in Intents (CVE-2022-2856) (CVSS TBD)

Description:
Google Chrome released a new security update for Windows, Linux, and Mac users that fixes 11 security vulnerabilities, including one critical severity bug and six high severity bugs.

A critical use-after-free bug (CVE-2022-2852) in the Federated Credential Management API (FedCM) could let attackers take over the system remotely.

Severity: High

Versions Affected:
Versions earlier than
- 104.0.5112.101 for Mac and Linux
- 104.0.5112.102/101 for Windows

Vulnerabilities Details:

- CVE-2022-2852: Use after free in FedCM – Critical
- CVE-2022-2854: Use after free in SwiftShader – High
- CVE-2022-2855: Use after free in ANGLE – High
- CVE-2022-2857: Use after free in Blink – High
- CVE-2022-2858: Use after free in Sign-In Flow – High
- CVE-2022-2853: Heap buffer overflow in Downloads – High
- CVE-2022-2856: Insufficient validation of untrusted input in Intents – High (exploited in the wild)
- CVE-2022-2859: Use after free in Chrome OS Shell – Medium
- CVE-2022-2860: Insufficient policy enforcement in Cookies – Medium
- CVE-2022-2861: Inappropriate implementation in Extensions API – Medium

References:
https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-bug-exploited-this-year/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2856

Mitigations:
Users are advised to update to version
- 104.0.5112.101 for macOS and Linux and
- 104.0.5112.102/101 for Windows to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

To upgrade an older Chrome installation, follow these steps:
- Go to Settings.
- Click on the Help option.
- Select the About Google Chrome option.
- Your browser will now automatically check for the new update and install it.

Apple Zero-day Vulnerability ~ August 18, 2022

Apple Zero-day Vulnerability

Risk: MEDIUM
Severity: HIGH 

WTS is strongly recommending that all users of any Apple products take immediate action to implement the required patches or mitigations to address the following vulnerabilities.

Vendor: Apple

Kernel vulnerability zero-day (CVE-2022-32894) (CVSS TBD)

Description:
An out-of-bounds write vulnerability in the operating system's Kernel. The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

Attack Vector:
A malicious application may be able to execute arbitrary code with kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it. Apple is aware of a report that this issue may have been actively exploited.

Webkit vulnerability zero-day (CVE-2022-32893) (CVSS TBD)

Description:
An out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.

Attack Vector:
Processing maliciously crafted web content may lead to arbitrary code execution. As it's in the web engine, it could likely be exploited remotely by visiting a maliciously crafted website. Apple is aware of a report that this issue may have been actively exploited.

Severity: High

Versions Affected:
- Macs running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

References:
https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/amp/
https://support.apple.com/en-us/HT213412
https://support.apple.com/en-us/HT213413

Mitigations:
- macOS 12.5.1
- iOS 15.6.1
- iPadOS 15.6.1
https://support.apple.com/en-us/HT213412
https://support.apple.com/en-us/HT213413

Google Chrome Vulnerability ~ July 4, 2022

Google Chrome Vulnerability

Security Operations Advisory - Cyber Alerts & Notifications

Risk: HIGH
Severity: HIGH 

WTS is strongly recommending that all users of the Google Chrome browser take immediate action to implement the required patches or mitigations to address the following zero-day vulnerability.

Vendor: Google Chrome

Heap-based buffer overflow weakness (CVE-2022-2294) (CVSS TBD)

Description:
The impact of a successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.

Attack Vector:
Google has stated that this vulnerability has been exploited in the wild; however, it has not disclosed any technical details regarding these incidents. Heap buffer overflows, also known as heap overrun or heap smashing, occur when data is overwritten in the heap area of memory, leading to arbitrary code execution or a denial-of-service (DoS) condition.

Versions Affected:
- Google Chrome versions prior to 103.0.5060.114 for Windows, macOS, and Linux
- Google Chrome versions prior to 103.0.5060.71 for Android

References:
https://chromereleases.googleblog.com/2022/07/extended-stable-channel-update-for.html
https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/
https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html

Mitigations:
Review the following link for current patches or mitigations that are available for the version of software you are using.

  • 103.0.5060.114 for Windows, macOS, and Linux
  • 103.0.5060.71 for Android
  • Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available

https://chromereleases.googleblog.com/2022/07/extended-stable-channel-update-for.html
https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html

SAMBA Vulnerability ~ February 2, 2022

SAMBA Vulnerability

Security Operations Advisory - Cyber Alerts & Notifications

Risk: MEDIUM

Severity: HIGH

CVE-2021-44142

WTS is strongly recommending that all administrators of any systems using the SAMBA VFS module “vfs_fruit” take immediate action to implement the required patches or mitigations to address this vulnerability.

Vendor: SAMBA

Description:

All versions of SAMBA prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit. The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.

Severity: High

Base CVSS Score: 9.9

Versions Affected:

  • All versions of Samba prior to 4.13.17

References:

Mitigations:

Upgrade Samba to 4.13.17, 4.14.12, or 4.15.5 and apply patches.

vfs_fruit can be disabled as a temporary measure if it is not possible to update to the latest Samba release:

  • To disable vfs_fruit, remove "fruit" from the “vfs objects” lines in Samba configuration files.
  • Please note: by disabling the vfs_fruit module, some macOS file metadata will become inaccessible.

*Note: This mitigation may impact services if your environment makes use of vfs_fruit.
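As an added illustration of the temporary mitigation above (example code, not part of the original advisory or of Samba itself), the following Python finds which sections of an smb.conf load the fruit module and rewrites their “vfs objects” lines without it; SAMPLE_SMB_CONF is a constructed configuration, not taken from any real host.

```python
"""Find Samba shares that load vfs_fruit and emit a config with the module removed."""
import re

# Constructed sample smb.conf for demonstration only.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    vfs objects = catia fruit streams_xattr

[timemachine]
    path = /srv/tm
    vfs objects = fruit streams_xattr
    fruit:time machine = yes

[public]
    path = /srv/public
    vfs objects = streams_xattr
"""

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
VFS_OBJECTS = re.compile(r"^(?P<indent>\s*)vfs objects\s*=\s*(?P<mods>.*?)\s*$", re.I)

def shares_loading_fruit(conf: str) -> list[str]:
    """Sections whose 'vfs objects' line lists the fruit module ([global] counts too)."""
    hits, section = [], None
    for line in conf.splitlines():
        if m := SECTION.match(line):
            section = m["name"]
        elif (m := VFS_OBJECTS.match(line)) and "fruit" in m["mods"].split():
            hits.append(section)
    return hits

def remove_fruit(conf: str) -> str:
    """Return the config with 'fruit' dropped from every 'vfs objects' line.
    A line that listed only fruit is removed entirely; fruit:* parametric
    options are left untouched so an admin can review them by hand."""
    out = []
    for line in conf.splitlines():
        m = VFS_OBJECTS.match(line)
        if m and "fruit" in m["mods"].split():
            mods = [x for x in m["mods"].split() if x != "fruit"]
            if not mods:
                continue  # nothing left to load on this line
            line = f"{m['indent']}vfs objects = {' '.join(mods)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run shares_loading_fruit() first to see what the change touches, since the advisory notes that macOS metadata served through vfs_fruit becomes inaccessible once the module is gone.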

New zero-day exploit for Log4j Java library CVE-2021-44228 Exploited in the Wild ~ Updated: December 15, 2021

ALERT: New zero-day exploit for Log4j Java library CVE-2021-44228 Exploited in the Wild

Risk: HIGH

Severity: HIGH

WTS is strongly recommending that all administrators of systems or applications that are using any version of Apache Log4j take immediate action to review the installation against this advisory and references, and take any action as necessary to address this vulnerability.

Vendor: Apache

Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

*Note: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Log4j 2.16.0 has been released to fix this (CVE-2021-45046).

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Versions Affected: all versions from 2.0-beta9 to 2.14.1

References:

  1. https://www.randori.com/blog/cve-2021-44228/
  2. https://www.lunasec.io/docs/blog/log4j-zero-day/
  3. https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  4. https://logging.apache.org/log4j/2.x/security.html

Mitigations:

Permanent:

Patch Log4j to version 2.16.0 or greater

Temporary:

If your version of Log4j is 2.10.0 or newer, the originally suggested remediation step is no longer considered valid:

  • Set 'formatMsgNoLookups=true'

If your version of Log4j is older than 2.10.0 then you can do either of:

  • Modify every logging pattern layout to say '%m{nolookups}' instead of '%m' in your logging config files
  • Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior.


Updated remediation steps:

  • Remove the JndiLookup class from the classpath by running the following command:
    • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • This mitigation measure has been expanded to include all versions of Log4j < 2.16.0.
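As an added example (not part of the original advisory or of Log4j itself), the following Python does the equivalent of the updated remediation step: it checks whether a log4j-core jar still contains JndiLookup.class and is older than 2.16.0, and strips the class by rewriting the jar. The jar it builds for the demonstration is a constructed stand-in holding only a pom.properties and a placeholder class entry.

```python
"""Detect the JndiLookup class in log4j-core jars and strip it (constructed example)."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # advisory: remove JndiLookup from every log4j-core < 2.16.0

def log4j_core_version(jar: Path):
    """Version from log4j-core's pom.properties, or None if the jar carries none."""
    with zipfile.ZipFile(jar) as zf:
        props = zf.read(POM_PROPS).decode() if POM_PROPS in zf.namelist() else ""
    match = re.search(r"^version=(.+)$", props, re.M)
    return match.group(1).strip() if match else None

def is_vulnerable(jar: Path) -> bool:
    """JndiLookup present and version < 2.16.0 (unversioned jars count as vulnerable)."""
    with zipfile.ZipFile(jar) as zf:
        if JNDI_ENTRY not in zf.namelist():
            return False
    ver = log4j_core_version(jar)
    return ver is None or tuple(int(p) for p in re.findall(r"\d+", ver)[:3]) < FIXED

def strip_jndi_lookup(jar: Path) -> bool:
    """Rewrite the jar without JndiLookup.class, the effect of the advisory's zip -d command."""
    tmp = jar.with_suffix(".tmp")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        removed = JNDI_ENTRY in src.namelist()
        for item in src.infolist():
            if item.filename != JNDI_ENTRY:
                dst.writestr(item, src.read(item.filename))
    tmp.replace(jar)  # swap in the rewritten jar only after it is fully written
    return removed

def make_sample_jar(path: Path, version: str) -> Path:
    """Constructed fixture: a minimal jar with pom.properties and a placeholder JndiLookup.class."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe")  # fake class bytes, not real log4j
    return path

def demo(version: str = "2.14.1") -> dict:
    """Build a sample jar, assess it, strip JndiLookup, assess again."""
    jar = make_sample_jar(Path(tempfile.mkdtemp()) / f"log4j-core-{version}.jar", version)
    before, removed = is_vulnerable(jar), strip_jndi_lookup(jar)
    return {"version": log4j_core_version(jar), "before": before,
            "removed": removed, "after": is_vulnerable(jar)}
```

Point is_vulnerable() and strip_jndi_lookup() at real jars found with a filesystem search; fat or shaded jars that embed log4j-core under another name need the same check applied to their nested entries.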
