The most critical vulnerabilities right now - April 2022

02.May.2022
Blueliv, an Outpost24 company
The first few months of 2022 have brought with them plenty of breaches and vulnerabilities for threat experts to sink their teeth into. Here's a roundup of the most critical vulnerabilities to date this year.
The most critical vulnerabilities right now - April 2022

In March alone, Microsoft has patched 71 CVEs, two of which, CVE-2022-22006 and CVE-2022-24501, were deemed critical–but more on those later. Meanwhile, cloud-based software company Okta has suffered a cyber-attack, believed to be at the hands of threat actor “Lapsus$”, which has put thousands of its 15,000 customers on high alert. The attack, already dubbed the next Solarwinds, proves that the influx of threats observed since the beginning of the COVD-19 pandemic shows no signs of slowing down as the world opens up.

Compared to the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data, Blueliv’s analysis of these differs significantly. This is due to Blueliv’s commitment to not only evaluate standard CVEs and their potential risk to an organization in theory but also how they evolve ‘in the wild’.

As a result, Blueliv’s risk score is far more dynamic and evolves in line with CVE developments in real-time to ensure that security teams can respond to such vulnerabilities swiftly and securely. Below are the most critical CVEs currently being observed by Blueliv:

 

 

CVE-2022-24086

  • Blueliv score: 9.7

  • CVSS score: 9.8

  • Vendor: Adobe

CVE-2022-24086

CVE-2022-24086 was discovered in February after the vendor discovered it was already being exploited in the wild. This critical vulnerability affected Adobe’s Commerce and Magento Open Source solutions and was labeled an "improper input validation" bug that could easily be weaponized for arbitrary code execution purposes. What makes this vulnerability so dangerous is the fact that it is pre-authenticated, so it can easily be exploited by an intruder–whether they have administrative privileges or not.

At the same time, CVE-2022-24087, which allowed for the elevation of privilege vulnerability in Adobe’s Azure IoT CLI extension was also discovered. It was deemed equally critical and received a similar 9.8 CVSS score.

CVE-2022-24086 affects Adobe Commerce and Magento Open Source version 2.4.3-p1 and any earlier versions and can be addressed in two patches.

 

 

CVE-2022-1040

  • Blueliv score: 9.4

  • CVSS score: 9.8

  • Vendor: Sophos

CVE-2022-1040

British security software company Sophos identified a flaw in its Sophos Firewall earlier this year that critically impacted versions 18.5 MR3 (18.5.3) and older.

In this instance, the vulnerability allowed for authentication bypass in the software’s User Portal and Webadmin interface. Once weaponized, attackers could launch a remote attacker to execute arbitrary code.

Sophos was quick to release fixes for its customers favoring the “allow automatic installation of hotfixes" setting, whilst advising users to disable WAN access to both the User Portal and Webadmin interfaces as a temporary solution in the first instance before it launched the necessary updates and advised, "users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix.”

 

 

CVE-2022-22674 & CVE-2022-22675

  • Blueliv score: 8.4

  • CVSS score:

  • Vendor: Apple

CVE-2022-22674
CVE-2022-22675

Consumer tech giant Apple had to patch two zero-day vulnerabilities earlier this year when news broke of attackers in the wild using the CVEs to gain access to Apple devices including iPhones, iPads, and Macs.

 

CVE-2022-22675, which impacts Monterey on macOS, as well as most up to date iPhones and iPads, is the result of an overlooked write issue that could allow attackers to use kernel privileges to run malicious code. CVE-2022-22674, meanwhile, is the result of an out-of-bounds read vulnerability that could allow hackers to expose a device’s kernel memory.

 

Apple was quick to release the patches and to advise users to upgrade iOS and iPadOS to 15.4.1 and macOS Monterey to 12.3.1 as a matter of urgency. Coupled with the fact that Apple publicly revealed very little about the attack (therefore did not give potential hackers any indication of the severity of the issue), this swift response prevented what could have been a major flaw that could have impacted millions of Apple device users worldwide.

 

 

CVE-2022-0609

 

  • Blueliv score: 9.0

  • CVSS score: 9.8

  • Vendor: Google

CVE-2022-0609

Google Threat Analysis Group (TAG) discovered a series of zero-day vulnerabilities within the web browser Google Chrome that were being exploited by alleged North Korean state hackers for up to four weeks before patches were released. TAG also discovered two attack campaigns that were actively exploiting CVE-2022-0609, a remote code execution vulnerability, as they targeted news media, IT companies, cryptocurrency, and fintech organizations.

 

It was through these campaigns that Lazarus Group’s involvement was discovered, as its infrastructure identically matched a similar campaign attributed to the threat actor in 2021.

 

This and the other CVEs (CVE-2022-0603 all the way to 10) were patched for Windows, Mac and Linux systems through the release of Chrome version 98.0.4758.102.

 

 

CVE-2022-1096

 

  • Blueliv score: 8.7

  • CVSS score:

  • Vendor: Google

CVE-2022-1096

Shortly after the above vulnerabilities were discovered, a second Chrome zero-day flaw was discovered–though not before attackers could actively exploit it in the wild. Some days later, Microsoft revealed that the same vulnerability is impacting Edge, its Chrome-based browser.

 

Not much is known about the severity of the flaw or its capabilities at this stage though, following Apple’s lead, it is likely that Google is keeping information close to its chest in order to limit the impact this second zero-day flaw could have on its 3.2 billion users.

 

All the search engine giant has revealed is that this flaw is a "Type Confusion in V8” that it relates to the JavaScript engine employed by Chrome and that the company is "aware that an exploit for CVE-2022-1096 exists in the wild."

 

 

CVE-2022-22951

 

  • Blueliv score: 8.9

  • CVSS score: 9.1

  • Vendor: VMware

CVE-2022-22951

In March, this CVE (alongside CVE-2022-22952) was discovered within VMware’s Carbon Black App Control platform. Left unpatched, the critical vulnerabilities could allow an attacker to execute arbitrary code on affected VMware installations across Windows systems.

 

From here, the actor in question could escalate privileges or abuse administrative access. CVE-2022-22951 is believed to be a command injection vulnerability that lets intruders with VMware App Control network access "execute commands on the server due to improper input validation leading to remote code execution."

 

Alternatively, actors could use CVE-2022-22952 in a bid to weaponize the VMware App Control administration interface by uploading a specially crafted file and executing it on vulnerable Windows systems.

 

Both flaws have been addressed in a recent series of patches for Carbon Black App Control versions, and users are advised to update to versions 8.5.14, 8.6.6, 8.7.4, and 8.8.2 as soon as possible to avoid being exploited by the vulnerabilities.

 

 

CVE-2022-22988

 

  • Blueliv score: 8.1

  • CVSS score: 9.1

  • Vendor: Western Digital

CVE-2022-22988

Western Digital’s EdgeRover app was revealed to be compromised last month as a critical vulnerability was discovered that affected both Windows and Mac users. The CVE could allow intruders to gain unauthorized access to sensitive files by carrying out a local privilege escalation and bypassing film system sandboxing, according to Western Digital.

 

This is the second critical CVE observed in this vendor’s solutions already this year and follows a security fix launched in January that urged users to download an updated release to address a range of vulnerabilities. Left unfixed, this flaw may have allowed attackers to launch denial-of-service attacks.

 

The most recent CVE has since been patched. Given the series of vulnerabilities this year already, users are strongly advised to ensure all their applications are up to date.

 

 

CVE-2022-22965

 

  • Blueliv score: 9.7

  • CVSS score: 9.8

  • Vendor: Spring

CVE-2022-22965

Very recently, CVE-2022-22965 has been spotted in the wild and is expected to cause major havoc for vulnerable users and organizations, as it was dubbed the new Log4j. Active exploitation of the Spring4Shell vulnerability, CVE-2022-22965, offers intruders a way of executing Mirai botnet malware into infected systems–it does this by granting them a means of downloading a Mirai sample to the “/tmp” folder and executing them after permission change using “chmod”. From here, malicious actors are able to deploy remote code executions via simple data binding.

 

Spring Framework is the leading global platform used for the development of enterprise-level applications in Java, offering developers a way to support model-view-controller- or MVC-based applications development whilst cutting down on manual configuration in order to enhance memory management. It is part of the Spring ecosystem, which encompasses a series of tools that support cloud, data and more for modern enterprises.

 

Following the discovery of this CVE, which affects all versions of the Spring Framework, users are advised to upgrade from 5.3.x to 5.3.18+ and from 5.2.x to 5.2.20+ as a matter of urgency.

 

That being said, a simple update may not be enough as details of this CVE continue to emerge; members of the Spring community have warned that “the nature of the vulnerability is more general, and there may be other ways to exploit it.”

 

 

CVE-2022-26500

 

  • Blueliv score: 8.3

  • CVSS score: 8.8

  • Vendor: Veeam

CVE-2022-26500

Versions 9.5, 10 and 11 of Veeam’s Backup & Replication solution are compromised by this and CVE-2022-26501, and could see threat actors use unauthorized access to remotely launch malicious code and ultimately gain control of the systems housing the Backup & Replication solution.

 

Patches have been issued for versions 10 and 11, with users of version 9.5 being advised to upgrade to a version that supports these fixes. If they are unable to do so, or the patches cannot be implemented quickly, administrators are then advised to temporarily disable their Veeam Distribution Service.

 

 

Conclusion

As many of the affected vendors in question are globally recognised and widely successful brands, it’s evident that profile means nothing when it comes to CVEs and the potential devastation they pose to customers and the wider supply chain.

To ensure the utmost protection against these vulnerabilities and ensure your business, customers, and data is secure, we recommend IT teams and their broader organization to practice regular vulnerability assessment to audit their security hygiene and protocols. This means instilling a robust security culture in employees at all levels, regardless of their perceived involvement in IT, and delivering regular, evolving training to keep security protocols front of mind.

However, this is no substitute for a complete threat intelligence solution capable of monitoring, detecting and remediating CVE-related incidents. Blueliv’s Threat Compass is one such tool and can be utilized by organizations looking to benefit from deep contextual threat intelligence and powerful insights into today’s CVEs and how to overcome them.

 

 

Visit our threat intelligence product page

Looking for anything in particular?

Type your search word here