On 1 November 2022, the OpenSSL project released OpenSSL version 3.0.7 to address two high-severity security issues. We recommend updating the affected product to the latest version immediately and following the mitigation steps below.
On 1 November 2022, the OpenSSL project released a security update to address two high-severity flaws in Open Secure Sockets Layer (OpenSSL), an open-source toolkit that implements the protocols and algorithms required by the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols.
The two flaws, tracked as CVE-2022-3602 and CVE-2022-3786, are caused by memory corruption in the Punycode decoding functions. The vulnerable code was introduced in OpenSSL 3.0.0 and is used only when processing email address name constraints in X.509 certificates. Servers that use TLS client authentication to validate a client's identity may be susceptible. Any OpenSSL 3.x application that verifies X.509 certificates received from untrusted sources is considered vulnerable; this includes TLS clients, and TLS servers configured to use TLS client authentication.
The issue affects OpenSSL 3.0.0 through 3.0.6. OpenSSL 1.0.2, 1.1.1 and earlier versions are not affected. OpenSSL 1.1.1 is still supported; version 1.1.1s, also released on 1 November 2022, is described as a “bug fix release” that addresses no security issues.
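A defender's first step is an inventory check against the affected range. The following is an added example for this advisory, not code from the OpenSSL project: it parses the banner printed by `openssl version` (including the letter-suffix scheme used by 1.x releases such as 1.1.1s) and classifies each host as vulnerable (3.0.0 through 3.0.6), fixed (3.0.7 and later) or not affected (any non-3.x release). The function names, the `triage` inventory format and the sample banners are assumptions constructed for the example.

```python
"""Check `openssl version` banners against the CVE-2022-3602 / CVE-2022-3786
affected range (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7).

Added example for this advisory; not code from the OpenSSL project. Assumes
the standard banner format printed by `openssl version`."""
import re
import shutil
import subprocess

AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1s  1 Nov 2022": 1.x releases carry a
# letter suffix instead of a fourth numeric component.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str):
    """Return (major, minor, patch, letter) parsed from a version banner."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4).lower()


def assess(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'not_affected'."""
    major, minor, patch, _letter = parse_openssl_version(banner)
    if major != 3:
        # 1.0.2, 1.1.1 and earlier do not contain the Punycode decoder.
        return "not_affected"
    version = (major, minor, patch)
    if AFFECTED_MIN <= version < FIXED:
        return "vulnerable"
    return "fixed"


def triage(banners: dict) -> dict:
    """Map {host: banner} to {host: assessment}; hosts whose banner cannot be
    parsed are reported as 'unknown' rather than silently skipped."""
    results = {}
    for host, banner in banners.items():
        try:
            results[host] = assess(banner)
        except ValueError:
            results[host] = "unknown"
    return results


def local_banner():
    """Banner of the openssl binary on PATH, or None if none is installed."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    return subprocess.run([exe, "version"], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # Constructed sample inventory; the banners are illustrative, not real hosts.
    inventory = {
        "web-01": "OpenSSL 3.0.5 5 Jul 2022",
        "web-02": "OpenSSL 3.0.7 1 Nov 2022",
        "legacy-01": "OpenSSL 1.1.1s  1 Nov 2022",
        "appliance-07": "LibreSSL 3.6.1",
    }
    for host, verdict in triage(inventory).items():
        print(f"{host:14s} {verdict}")
    print("local:", local_banner())
```

Banners that are not OpenSSL at all (the constructed `LibreSSL` entry) come back as `unknown` so that they are reviewed by hand instead of being dropped from the report.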
The first vulnerability, CVE-2022-3602, is a buffer overflow triggered in name constraint checking during X.509 certificate verification. Exploitation requires either a Certificate Authority (CA) to have signed a malicious certificate, or an application to continue certificate verification despite failing to construct a path to a trusted issuer. In a pre-release announcement, OpenSSL assessed CVE-2022-3602 as Critical. In its 1 November 2022 advisory, OpenSSL downgraded the flaw to a High-severity rating because of mitigating factors: the project developers assessed that stack overflow protections and the stack layout on most common architectures and platforms mitigate the remote code execution (RCE) vector. In most cases, the buffer overflow results in a crash, causing a denial-of-service (DoS) condition.
The second flaw, CVE-2022-3786, is also rated as High severity. A threat actor could craft a malicious email address in a certificate to trigger a buffer overflow that could result in a crash causing a DoS condition.
At the time of reporting, no functional exploit has been published and there is no evidence of abuse by threat actors.
Multiple vendors have reported being affected and are either working on updates or have already released them. The list of vendors is being continually updated and we recommend monitoring for and applying the updates as they become available.
We strongly advise following OpenSSL’s guidance and updating the affected product to the latest version (3.0.7) immediately.
We recommend reviewing guidance and applying updates for relevant operating systems, software and hardware vendors, and service providers as they become available.
On 13 October 2022, Apache Software Foundation published details on a critical vulnerability in the Apache Commons Text library, fixed in version 1.10.0 (Java 8+). Since then, multiple examples of working exploit implementations have been made publicly available. We recommend updating the affected library to the latest version.
Apache Commons Text version 1.10.0 contains a security update that fixes a critical flaw in versions 1.5 through 1.9. Apache Commons Text is an open-source Java library and a component of the Apache Commons project that is offered as an alternative to the native Java Development Kit (JDK) for text handling. It is used to modify, decode, generate, and escape text strings based on input string lookups.
The vulnerability, tracked as CVE-2022-42889 and given the names Text4Shell and Act4Shell, has been assigned a CVSS Score of 9.8 out of 10 (Critical). The flaw is due to a failure to validate the input to string lookups when Apache Commons Text performs variable interpolation. Also known as string interpolation (variable substitution, variable expansion), this process evaluates the properties of strings that contain placeholders in order to replace the placeholders with their corresponding values. A set of default string lookups in versions 1.5-1.9 included interpolators that could accept untrusted input from a remote source. The input may then be processed on an internal server triggering arbitrary code execution or connections with remote servers. In version 1.10.0, Apache has disabled the vulnerable interpolators by default.
Several examples of working exploit implementations have been published for this vulnerability, and they are publicly available on GitHub. Exploitation appears to require a vulnerable Apache Commons Text library version in default configuration parsing user-controlled input. Researchers also note that it only affects applications that pass user input strings to:
These interpolators are not widely used and as such exploitation is significantly less likely than in the case of a similar, recent vulnerability in Log4J.
Apache Commons Text is used by several projects including Apache Hadoop, Spark, Velocity, Hive, and Solr. At the time of this reporting, the Apache security team has stated that they are “not currently aware of any applications” using the vulnerable interpolators or that are otherwise affected by this flaw. Details about the severity and scope of this vulnerability are still emerging.
We recommend reviewing your Apache software supply chain and third-party services for the use of a vulnerable version of this library. Files with names matching the pattern commons-text*.jar that contain the strings `StringSubstitutor` and `StringLookupFactory` are a good indicator.
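The indicator above can be turned into a repeatable supply-chain check. The following is an added example for this advisory, not code from the Apache project: it walks a directory tree for commons-text*.jar files, reads the version from the Maven-style file name (falling back to the jar manifest when the name carries no version), flags the 1.5 through 1.9 range as affected, and confirms that the class entries for `StringSubstitutor` and `StringLookupFactory` are present. The function names, the manifest fallback and the three sample jars built in a temporary directory are assumptions constructed for the example; the sample jars contain empty placeholder entries, not real bytecode.

```python
"""Find Apache Commons Text jars in the CVE-2022-42889 affected range
(1.5 through 1.9; fixed in 1.10.0) and check that the interpolation classes
named in the advisory are present.

Added example for this advisory, not code from the Apache project. Assumes the
usual Maven artifact naming (commons-text-<version>.jar) and an
Implementation-Version header in the jar manifest as a fallback."""
import re
import tempfile
import zipfile
from pathlib import Path

AFFECTED_MIN = (1, 5)
FIXED = (1, 10)
# Class entries corresponding to the StringSubstitutor / StringLookupFactory
# indicators named in the advisory.
INDICATOR_CLASSES = (
    "org/apache/commons/text/StringSubstitutor.class",
    "org/apache/commons/text/lookup/StringLookupFactory.class",
)
_NAME_RE = re.compile(r"^commons-text-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def _parse_version(text: str):
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups() if x is not None) if m else None


def jar_version(path: Path):
    """Version tuple from the file name, else from META-INF/MANIFEST.MF, else None."""
    m = _NAME_RE.match(path.name)
    if m:
        return tuple(int(x) for x in m.groups() if x is not None)
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return _parse_version(line.split(":", 1)[1])
    return None


def is_affected(version) -> bool:
    """True for 1.5 <= version < 1.10; unknown versions are not marked affected."""
    return version is not None and AFFECTED_MIN <= version[:2] < FIXED


def has_interpolator_classes(path: Path) -> bool:
    """True when both indicator class entries exist in the jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return all(cls in names for cls in INDICATOR_CLASSES)


def scan(root) -> list:
    """Walk `root` for commons-text*.jar and report version and indicators."""
    findings = []
    for path in sorted(Path(root).rglob("commons-text*.jar")):
        version = jar_version(path)
        findings.append({
            "path": str(path),
            "version": version,
            "affected": is_affected(version),
            "interpolators_present": has_interpolator_classes(path),
        })
    return findings


def _build_sample_jar(directory: Path, version: str, filename=None) -> Path:
    """Constructed sample: a jar skeleton with a manifest and empty placeholder
    entries for the indicator classes (not real bytecode)."""
    path = directory / (filename or f"commons-text-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for cls in INDICATOR_CLASSES:
            zf.writestr(cls, b"")
    return path


def demo() -> list:
    """Scan a temporary tree holding three constructed jars."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        _build_sample_jar(lib, "1.9")                                # affected
        _build_sample_jar(lib, "1.10.0")                             # fixed
        _build_sample_jar(lib, "1.8", filename="commons-text.jar")   # version only in manifest
        return scan(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "AFFECTED" if f["affected"] else "ok"
        print(f"{flag:8s} {f['version']} interpolators={f['interpolators_present']} {f['path']}")
```

Point `scan()` at an application's lib directory or an unpacked container image; a jar whose version cannot be determined is reported with `version` set to `None` so it can be inspected manually rather than assumed safe.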
If you are using Apache Commons Text versions 1.5 through 1.9, follow Apache’s guidance and update the affected product to the latest version (1.10.0).
We also recommend monitoring for third-party updates and applying them if/when they become available.
As a general precaution to mitigate this type of vulnerability, we recommend treating all application inputs as untrusted by default and as a potential source of malicious data.
On 29 September 2022, Microsoft published an advisory providing a workaround for two unpatched flaws in Microsoft Exchange Server 2013, 2016, and 2019 that are being exploited in the wild in “limited targeted attacks”. We recommend following the mitigation steps below to validate whether your software or devices are affected by this vulnerability, and to apply the vendor remediation if required.
Microsoft noted that it is working on “an accelerated timeline to release a fix” for two vulnerabilities affecting on-premises Microsoft Exchange Server 2013, 2016, and 2019, including Exchange servers running Outlook Web App that are exposed to the internet.
- CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that requires prior authentication. The Zero Day Initiative (ZDI), which reported the vulnerability to Microsoft, assigned it a CVSS score of 6.3 out of 10.
- CVE-2022-41082 could enable an authenticated actor to trigger remote code execution (RCE) when PowerShell is accessible. The flaw received a CVSS v3 score of 8.8.
Researchers reported on post-exploitation activity by threat actors using these vulnerabilities. The actors have been observed using Antsword to install web shells on vulnerable Exchange servers. Antsword is an open-source cross-platform website administration tool that supports web shell management. Resulting exploitation requests appear in the same format as the ProxyShell Exchange Server vulnerabilities. Threat actors are then injecting malicious DLLs into memory, loading, and executing additional payloads on the infected servers using the WMI command-line (WMIC) utility. At the time of reporting, there is no known viable public proof-of-concept (PoC).
Covalence alerts on the presence of software impacted by this threat in your environment. Our teams are applying the latest indicators of compromise to ensure our clients and partners are protected. Covalence will detect and report anomalous authentication and other behaviour for users prior to exploitation attempts, in particular because exploitation requires an authenticated user.
We recommend that you refer to the Microsoft advisory, noted below, to apply the mitigations. Check your log files for the indicators of compromise contained in the Microsoft advisory referenced below. If present, disconnect and isolate the affected host.
Refer to Microsoft’s advisory referenced below to apply temporary mitigations to reduce the risk of exploitation.
Please apply the latest Cumulative Update (CU) and Security Update (SU) to the affected software as soon as they become available.
On 13 September 2022, Microsoft released updates to address 63 vulnerabilities; five were classified as ‘Critical’, two have been publicly disclosed, one of which is being actively exploited. We recommend applying the latest updates as soon as possible.
Microsoft noted that threat actors are exploiting a publicly disclosed vulnerability tracked as CVE-2022-37969. This vulnerability affects Common Log File System (CLFS), a logging subsystem that is accessible to both kernel-mode as well as user-mode applications for transaction logging and/or recovery. Prior access is required, and a threat actor would have to engineer interaction with a victim. If the victim opens a file or a link, the threat actor would be able to execute code with elevated privileges. Microsoft rated this flaw as “important” and assigned a CVSS risk score of 7.8 out of 10. This flaw appears to be identical to CVE-2022-24521, another local privilege escalation (LPE) issue that Microsoft fixed and reported to be exploited in April 2022.
As part of the 13 September update, Microsoft included a fix for another LPE vulnerability in CLFS, CVE-2022-35803, noting that “exploitation is more likely”. Threat actors often exploit flaws that are similar in nature and are likely to take note of the proof-of-concept (PoC) details available for the CLFS flaws mentioned above.
Another publicly disclosed flaw fixed in the September update is tracked as CVE-2022-23960. It is a Cache Speculation Restriction vulnerability that was disclosed in March 2022 as Spectre-BHB or Branch History Injection (BHI). It is a variant of processor-based speculative execution issues known as Spectre-v2, affecting Windows 11 for ARM64-based Systems. Due to speculation issues in the victim’s hardware, a threat actor could perform cache allocation, which could lead to information disclosure.
Some notable vulnerabilities that were labelled as critical include:
- CVE-2022-34718 – a Remote Code Execution (RCE) vulnerability in Windows TCP/IP. It could allow a remote unauthenticated threat actor to execute code with elevated privileges on affected systems without user interaction. The flaw, however, only affects systems that have enabled IPv6 and have Internet Protocol Security (IPsec) configured. CVSS: 9.8
- CVE-2022-34721 and CVE-2022-34722 both affect Windows Internet Key Exchange (IKE) Protocol Extensions. Both flaws carry a CVSS score of 9.8. An unauthenticated threat actor could send a malicious IP packet to a target machine that is running Windows and has IPsec enabled, which could enable an RCE. These issues only impact IKEv1, but all Windows Servers are affected because they accept both IKEv1 and IKEv2 packets.
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.
In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.
On 17 August, Apple issued an emergency security update for vulnerabilities affecting multiple devices, noting that they are already being exploited by threat actors. We recommend applying the latest updates as soon as possible.
Apple released advisories on two critical vulnerabilities fixed as part of the August emergency updates. The flaws are as follows:
- CVE-2022-32893 affects WebKit, a browser engine developed by Apple and used in its Safari web browser, as well as browsers used in iOS and iPadOS, and in Apple devices using WebView. The flaw could allow for remote code execution via malicious web content presented by a threat actor.
- CVE-2022-32894 is an out-of-bounds write issue that could allow applications to execute code with kernel privileges. Using the WebKit vulnerability above, a threat actor could obtain access to an application. They could then leverage CVE-2022-32894 to obtain administrative privileges and bypass security restrictions on a vulnerable device.
Apple reported that these issues have been actively exploited but did not provide any details on the exploitation.
Apple has released macOS Monterey 12.5.1, iOS 15.6.1, iPadOS 15.6.1, and Safari 15.6.1 to address these vulnerabilities.
- If you are using any of the vulnerable Apple products, ensure you have the latest updates installed.
- Check for and install software updates on your device manually by going to Settings > General > Software Update.