Vendor Vulnerabilities Published In April 2022
Vendor vulnerabilities are a common cyber security challenge businesses face when introducing third-party products and services to their network.
Whether the security flaw is located in a network, server or application, businesses relying on third-party vendors are often the ones left to resolve the issue.
To support you in resolving known vulnerabilities as quickly as possible, we have outlined some of the main third-party vendor vulnerabilities announced in April 2022. These include:
- Microsoft’s monthly patches
- Git security vulnerability
- Adobe vulnerability patches
- Google Chrome Zero-Day Vulnerability
This month sees Microsoft patch 145 vulnerabilities, including three rated Critical with a CVSS score of 9.8 and seven more scored 7.7 and above.
Immediate Patch Recommended for CVE-2022-26809
CVE-2022-26809 is an RPC Runtime Library Remote Code Execution Vulnerability. The flaw, which is rated 9.8 on the CVSS scale, could allow a remote attacker to execute code at high privileges on an affected system.
We are currently monitoring this vulnerability and will add any updates here.
Other Microsoft Vulnerabilities of Interest
CVE-2022-24491 and CVE-2022-24497 - Windows Network File System Remote Code Execution Vulnerabilities
On systems where the Windows Network File System (NFS) role is enabled, both vulnerabilities could allow a remote attacker to execute their code on an affected system with high privileges and without any user interaction.
CVE-2022-26904 - Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2022-26904, a privilege escalation vulnerability, allows an attacker to gain code execution at system level on affected systems.
Microsoft rates the attack complexity of this vulnerability as high. Proof of Concept (PoC) code is also available for it.
| CVE | Vulnerability | Severity | CVSS |
|---|---|---|---|
| CVE-2022-26809 | RPC Runtime Library Remote Code Execution Vulnerability | Critical | 9.8 |
| CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 |
| CVE-2022-24497 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 |
| CVE-2022-23259 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.8 |
| CVE-2022-24541 | Windows Server Service Remote Code Execution Vulnerability | Critical | 8.8 |
| CVE-2022-24500 | Windows SMB Remote Code Execution Vulnerability | Critical | 8.8 |
| CVE-2022-23257 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.6 |
| CVE-2022-26919 | Windows LDAP Remote Code Execution Vulnerability | Critical | 8.1 |
| CVE-2022-22008 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.7 |
| CVE-2022-24537 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.7 |
As with all security vulnerabilities, it’s recommended to apply the patches as soon as possible to prevent cyber security attacks or breaches.
On 12th April, several vulnerabilities were discovered in Git, including two main flaws which affect local Git installations and Git for Windows.
CVE-2022-24765 is the more serious of the two main flaws: it allows an attacker to execute arbitrary commands. Users who work on multi-user machines are most at risk from this vulnerability.
Commenting on the vulnerability, GitHub added that “a malicious actor could create a .git directory in a shared location above a victim’s current working directory. On Windows, for example, an attacker could create C:\.git\config, which would cause all git invocations that occur outside of a repository to read its configured values.
Since some configuration variables (such as core.fsmonitor) cause Git to execute arbitrary commands, this can lead to arbitrary command execution when working on a shared machine.”
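As an added illustration (not from the original post or from GitHub's advisory), the following defender-side audit looks for the pattern described above: it walks from a working directory up to the filesystem root, finds any .git/config that Git would read when invoked outside a repository, and flags it when another user owns it or when it sets a key that makes Git run a program. core.fsmonitor is the key the advisory cites; the other keys in the list, the sample config and the temporary directory tree are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# core.fsmonitor is the key GitHub's advisory cites; the others are further Git
# keys known to run external programs (assumption: illustrative, not complete).
COMMAND_KEYS = {"core.fsmonitor", "core.sshcommand", "core.pager", "core.editor", "core.hookspath"}
# Constructed sample: a config a hostile user could drop into a shared parent directory.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfsmonitor = "/example/not-a-real-program"
"""

def parse_git_config(text):
    """Minimal parser for Git's INI-like config; returns {"section.key": value}."""
    values, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].strip().split(None, 1)  # [remote "origin"] -> remote.origin
            section = parts[0].lower() + ("." + parts[1].strip('"') if len(parts) == 2 else "")
        elif "=" in line and section:
            key, _, value = line.partition("=")
            values[f"{section}.{key.strip().lower()}"] = value.strip().strip('"')
    return values

def audit_parent_git_dirs(start):
    """Walk from `start` to the root; report each .git/config that `git` run outside a
    repository would read, if another user owns it or it sets a command-executing key."""
    findings, me = [], (os.getuid() if hasattr(os, "getuid") else None)
    start = Path(start).resolve()
    for d in [start, *start.parents]:
        cfg = d / ".git" / "config"
        if cfg.is_file():
            reasons = ["owned by another user"] if me is not None and cfg.stat().st_uid != me else []
            reasons += [f"sets {k}" for k in sorted(COMMAND_KEYS & set(parse_git_config(cfg.read_text())))]
            if reasons:
                findings.append((str(d), reasons))
    return findings

def demo():
    """Create <tmp>/shared/.git/config (constructed) and audit from <tmp>/shared/project."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "shared" / "project"
        project.mkdir(parents=True)
        (project.parent / ".git").mkdir()
        (project.parent / ".git" / "config").write_text(SAMPLE_CONFIG)
        return audit_parent_git_dirs(project)
```

Run `audit_parent_git_dirs(os.getcwd())` from a directory on a shared machine to list the stray configurations that would be consulted there.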
The second vulnerability, CVE-2022-24767, is limited to the Git for Windows uninstaller, which runs within the user's temporary directory.
In their press release on the matter, GitHub noted that “Because the system user account inherits the default permissions of C:\Windows\Temp (which is world-writable), any authenticated user can place malicious .dll files which are loaded when running the Git for Windows uninstaller when run via the system account.”
Git Upgrade is Advised
Git users are advised to upgrade to Git v2.35.2 or higher in order to protect their systems against potential cyber security attacks.
Users who use Linux or macOS are also advised to upgrade, given that they are affected by the second flaw described above.
Adobe released patches addressing 70 CVEs in a number of its applications, including Acrobat, Acrobat Reader, Photoshop, After Effects and Adobe Commerce.
Acrobat and Acrobat Reader Vulnerabilities
Acrobat and Acrobat Reader vulnerabilities account for 62 of the 70 CVEs being addressed in the April patch.
The vulnerabilities, which have been awarded a Critical rating by Adobe, are described as Use After Free (UAF) and Out of Bounds (OOB) vulnerabilities, which could allow an attacker to execute code on a target system if a user can be convinced to open a specially crafted PDF document.
The Adobe patch included fixes for 13 CVEs in Photoshop. These vulnerabilities could allow a malicious actor to gain code execution once a user has been convinced to open a specially crafted malicious file.
After Effects Vulnerabilities
Two critical rated CVEs in After Effects were addressed in the latest patch. Both bugs have been listed as stack-based buffer overflows.
Adobe Commerce Vulnerabilities
Adobe Commerce was patched for one critically rated vulnerability. The vulnerability, rated with a CVSS of 9.1, requires authentication and admin privileges to exploit.
Only days ago, Google rolled out its third emergency update of the year addressing another critical zero-day affecting its Chrome web browser, CVE-2022-1364.
This patch comes weeks after another critical zero-day known as CVE-2022-1096.
Google has identified the CVE-2022-1364 vulnerability as high severity but, like the previous vulnerability, little information is available as to whether it is being actively exploited by attackers.
To check that your Google Chrome browser has been updated to version 100.0.4896.127 or higher, navigate to Chrome Menu > Help > About Google Chrome.
To check that your Microsoft Edge browser has been updated to version 99.0.1150.55, navigate to settings/about. If the version is 100.0.4896.127 or higher, it is no longer vulnerable to the zero-day issue.
How can we help?
Identifying cyber security vulnerabilities without an expert’s eye can be a difficult task.
At Secora Consulting, we offer a wide range of services which we tailor to meet our clients’ individual requirements.
Cyber Hygiene Assessment
Our Cyber Hygiene Assessment can support you in reducing exposure to cyber-attacks by giving you insight into weaknesses in your current cyber security posture and putting in place good practice controls to strengthen your cyber defences.
Our Vulnerability Assessment service can provide you with a prioritised list of your vulnerabilities and easy-to-follow remediation advice to immediately improve your cyber security posture.
Partner With Us Today
Partner with us today and our experienced consultants will go the extra mile to ensure your organisation stays secure by:
- Validating implemented security controls
- Prioritising your risks based on their exploitability and impact
- Providing expert and effective advice to immediately improve your cybersecurity posture
All of Secora Consulting's assessments are tailored to our clients’ needs.
Using our experience, we can help you determine which services are right for you.