This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Daily Archives: May 11, 2022
F5 BIG-IP Remote Command Execution Vulnerability (CVE-2022-1388)
FortiGuard Labs is aware of a new remote command execution vulnerability affecting F5 BIG-IP clients. Exploiting this vulnerability will allow an attacker to completely take over an affected device. What are the Technical Details of this Vulnerability?According to the F5 security advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.Because this vulnerability does not require any sophistication to exploit, and the fact that in-the-wild exploitation are reported to have been observed and proof-of-concept (PoC) codes are publicly available, it is highly recommended that organizations affected by this latest vulnerability apply all patches immediately.What Versions Are Affected?Reported versions affected by CVE-2022-1388 are:BIG-IP versions 16.1.2 through 13.1.0 (versions under 13.1.0 are affected but will not be fixed)How Serious of an Issue is This?HIGH. CVE-2022-1388 has a CVSS score of 9.8. US-CERT (CISA) has also issued an alert for this issue. For further information, please refer to F5 Releases Security Advisories Addressing Multiple Vulnerabilities in the APPENDIX.How Widespread is this Attack?Global. Malicious scans by attackers are currently underway looking for vulnerable unpatched appliances, regardless of location. Proof-of-concept codes (POC) are available and the vulnerability is reported to have been actively exploited in the wild.What is the Status of Coverage?Customers running current (IPS) definitions are protected by:F5.BIG-IP.iControl.REST.Authentication.BypassFortiGuard Labs is continuously monitoring this vulnerability and we will update this Threat Signal once more information becomes available.Are There Any Reports of Nation State Activity Actively Exploiting CVE-2022-1388?Yes, the vulnerability is reported to have been actively exploited in the wild.Any Other Suggested Mitigation?According to F5, it is recommended to apply all available patches from the May 2022 update immediately. If patching is not possible at this time, F5 recommends blocking all access to the iControl REST interface of your BIG-IP system through self IP addresses. Mitigation details can be found in the article titled – “K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388” in the APPENDIX section.The potential for damage to daily operations, reputation, and unwanted release of data, the disruption of business operations, etc. is apparent, and because of this it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed once available, and updated on a regular basis to protect against attackers establishing a foothold within a network.
Microsoft Patch Tuesday, May 2022 Edition
Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month’s patch batch includes fixes for seven “critical” flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.
By all accounts, the most urgent bug Microsoft addressed this month is CVE-2022-26925, a weakness in a central component of Windows security (the “Local Security Authority” process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.
Greg Wiseman, product manager for Rapid7, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.
“This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication,” Wiseman said. “This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers.”
Wiseman said the most recent time Microsoft patched a similar vulnerability — last August in CVE-2021-36942 — it was also being exploited in the wild under the name “PetitPotam.”
“CVE-2021-36942 was so bad it made CISA’s catalog of Known Exploited Vulnerabilities,” Wiseman said.
Seven of the flaws fixed today earned Microsoft’s most-dire “critical” label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.
Among those is CVE-2022-26937, which carries a CVSS score of 9.8, and affects services using the Windows Network File System (NFS). Trend Micro’s Zero Day Initiative notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.
“NFS isn’t on by default, but it’s prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix,” ZDI’s Dustin Childs wrote. “If this describes your environment, you should definitely test and deploy this patch quickly.”
Once again, this month’s Patch Tuesday is sponsored by Windows Print Spooler, a core Windows service that keeps spooling out the security hits. May’s patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.
“All of the flaws are rated as important, and two of the three are considered more likely to be exploited,” said Satnam Narang, staff research engineer at Tenable. “Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation of Privilege flaws in particular should be carefully prioritized, as we’ve seen ransomware groups like Conti favor them as part of its playbook.”
Other Windows components that received patches this month include .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office, Windows Hyper-V, Windows Authentication Methods, BitLocker, Remote Desktop Client, and Windows Point-to-Point Tunneling Protocol.
Also today, Adobe issued five security bulletins to address at least 18 flaws in Adobe CloudFusion, Framemaker, InCopy, InDesign, and Adobe Character Animator. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today’s updates.
For a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the skinny on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.
USN-5259-3: Cron regression
USN-5259-1 and USN-5259-2 fixed vulnerabilities in Cron. Unfortunately
that update was incomplete and could introduce a regression. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the postinst maintainer script in Cron unsafely
handled file permissions during package install or update operations.
An attacker could possibly use this issue to perform a privilege
escalation attack. (CVE-2017-9525)
Florian Weimer discovered that Cron incorrectly handled certain memory
operations during crontab file creation. An attacker could possibly use
this issue to cause a denial of service. (CVE-2019-9704)
It was discovered that Cron incorrectly handled user input during crontab
file creation. An attacker could possibly use this issue to cause a denial
of service. (CVE-2019-9705)
It was discovered that Cron contained a use-after-free vulnerability in
its force_rescan_user function. An attacker could possibly use this issue
to cause a denial of service. (CVE-2019-9706)