The Rootshell Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

In this article, we have rounded up the top active exploits that are currently being monitored by Velma.

CVE-2022-42475 – Critical Unauthenticated Remote Code Execution Vulnerability in FortiOS

On December 12, 2022, FortiGuard Labs published advisory FG-IR-22-398 regarding a critical (CVSSv3 9.3) “heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN [which] may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”

FortiGuard Labs has confirmed at least one instance of the vulnerability being exploited in the wild and included the current indicators of compromise (IOCs) for FortiOS administrators to utilize in reviewing the integrity of current vulnerable systems in their advisory. Vulnerabilities of this nature, and on this type of system, have proven to be of high value to attackers. We strongly advise that organizations upgrade to an unaffected version of FortiOS on an emergency basis and follow FortiGuard’s advice to review existing systems for signs of compromise. Organizations that are unable to patch are advised to disable SSL-VPN.

CVE-2022-44690 – Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2022-44690 and CVE-2022-44693 relate to a SharePoint Server Remote Code Execution Vulnerability. The issue was reported in December 2022. No proof-of-concept exploit code has been seen, but Rootshell recommends patching these issues, as Microsoft indicates exploitation is likely.

CVE-2022-44698 – Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads. The attackers used malicious standalone JavaScript files to exploit the CVE-2022-44698 zero-day to bypass Mark-of-the-Web security warnings displayed by Windows to alert users that files originating from the Internet should be treated with caution.

CVE-2022-44704 – Windows Sysmon privilege escalation flaw

The 2022 Windows Sysmon privilege escalation flaw, tracked as CVE-2022-44704, has been rated by Microsoft as exploitation likely. No proof-of-concept code can be found; however, Rootshell recommends patching.

CVE-2022-44710 – DirectX Graphics Kernel Elevation of Privilege Vulnerability

Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2022-47942 – Linux Kernel ksmbd Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of file attributes. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel.
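The ksmbd description above is the classic length-validation defect: a length field supplied by the client is trusted as the size of a copy into a fixed-size heap buffer. The following C example is added here to illustrate that pattern and the check that closes it; it is a constructed, simplified attribute record format and is not ksmbd's own code or wire format. The names `parse_attr_unchecked`, `parse_attr_checked`, `ATTR_MAX` and `build_msg` are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for this example (not ksmbd's real structures):
 *   [u32 little-endian declared_len][declared_len bytes of attribute data]
 * carried inside a message of msg_len bytes received from a client. */

#define ATTR_MAX 64 /* size of the fixed heap allocation that holds the parsed value */

struct attr_value {
    uint8_t *data;
    size_t len;
};

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defective pattern the advisory text describes: the client-declared length is used
 * directly as the copy size, so a value larger than ATTR_MAX writes past the heap buffer.
 * Kept here only for comparison; it is never invoked with untrusted input in this example. */
int parse_attr_unchecked(const uint8_t *msg, struct attr_value *out) {
    uint32_t declared = read_u32le(msg);
    out->data = malloc(ATTR_MAX);
    if (!out->data)
        return -4;
    memcpy(out->data, msg + 4, declared); /* heap overflow when declared > ATTR_MAX */
    out->len = declared;
    return 0;
}

/* Hardened parser: every length is validated against both the bytes actually present in the
 * message and the size of the destination buffer before anything is copied.
 * Returns 0 on success, -1 header truncated, -2 length exceeds message, -3 length exceeds
 * destination buffer, -4 allocation failure. */
int parse_attr_checked(const uint8_t *msg, size_t msg_len, struct attr_value *out) {
    if (msg_len < 4)
        return -1;                       /* not even a complete length field */
    uint32_t declared = read_u32le(msg);
    if (declared > msg_len - 4)
        return -2;                       /* claims more data than the message carries */
    if (declared > ATTR_MAX)
        return -3;                       /* would not fit the fixed-size heap buffer */
    out->data = malloc(ATTR_MAX);
    if (!out->data)
        return -4;
    memcpy(out->data, msg + 4, declared); /* bounded by both checks above */
    out->len = declared;
    return 0;
}

/* Builds a constructed test message: a declared length followed by payload_len bytes of 'A'.
 * The declared length and the real payload length are deliberately independent so that
 * inconsistent records can be produced. Returns the number of bytes written. */
size_t build_msg(uint8_t *buf, size_t cap, uint32_t declared_len, size_t payload_len) {
    if (cap < 4 + payload_len)
        return 0;
    buf[0] = (uint8_t)(declared_len);
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len >> 16);
    buf[3] = (uint8_t)(declared_len >> 24);
    memset(buf + 4, 'A', payload_len);
    return 4 + payload_len;
}

/* Feeds one constructed record through the hardened parser and returns its status code. */
int demo_case(uint32_t declared_len, size_t payload_len) {
    uint8_t buf[4 + 256];
    size_t n = build_msg(buf, sizeof buf, declared_len, payload_len);
    struct attr_value v = {0, 0};
    int rc = parse_attr_checked(buf, n, &v);
    free(v.data);
    return rc;
}

int main(void) {
    printf("consistent 16-byte record:        rc=%d\n", demo_case(16, 16));
    printf("declares 200, carries 16 bytes:   rc=%d\n", demo_case(200, 16));
    printf("declares 100 and carries 100:     rc=%d\n", demo_case(100, 100));
    return 0;
}
```

The second and third cases are the two ways a declared length lies: it can exceed what the packet actually contains (an over-read), or it can be internally consistent yet larger than the destination buffer (the heap overflow described above). Both must be rejected before the copy, and the check against the destination size is the one a missing-validation bug of this class omits.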

CVE-2022-38023 – Samba

Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022.

Samba is an open source Windows interoperability suite for Linux, Unix, and macOS operating systems that offers file server, printing, and Active Directory services. It’s worth noting that both CVE-2022-37966 and CVE-2022-37967, which enable an adversary to gain administrator privileges, were first disclosed by Microsoft as part of its November 2022 Patch Tuesday updates.

CVE-2022-27510 – Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to critical security flaws

CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities.

CVE-2022-27518 – Citrix Application Delivery Controller (ADC)

CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems. Citrix and the U.S. National Security Agency (NSA) warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group.
