Supply chain, SaaS, cloud, IoT: as soon as new technologies emerge, new security vulnerabilities that turn those technologies against us seem to emerge with them, making them points of weakness and portals through which to attack our businesses.
So far, 2022 is clearly no exception, with attackers small and large scanning for every possible weakness. That is why it is essential to stay ahead of vulnerabilities as they emerge and, in particular, to understand whether or not they affect your business.
Our Voyager18 team took a look at 10 common security vulnerabilities in 2022 and the corresponding mitigation actions.
For each of these top vulnerabilities, we’ve provided some basic information about the vulnerability, how widespread it is, and which systems are affected. We’ve also included the remediation deadline set by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as updated in CISA’s catalog.
These deadlines were introduced in 2021, and although only mandatory for federal agencies, they are increasingly being adopted as the gold standard within the private sector as well.
CVE-2021-4034 / PwnKit
- CISA deadline: July 18, 2022
- Type: Local Privilege Escalation
- Impact: Non-privileged users and processes can gain root access
- Wild exploit: Yes
- Affects: Polkit’s pkexec utility
- Platforms: Most major Linux distributions (Ubuntu, Debian, Fedora, and CentOS, and others)
- Workaround: Remove the setuid (SUID) bit from the pkexec binary; note that this may interfere with functionality that depends on pkexec.
- Remediation steps
CVE-2022-0847 / Dirty Pipe
- CISA deadline: May 16, 2022
- Type: Arbitrary File Manipulation
- Impact: Overwrite read-only or immutable data, local privilege escalation
- Wild exploit: Yes
- Affects: Linux and Android kernel (pipe buffer structure)
- Platforms: Linux kernel versions 5.8 and later, as well as Android kernel
- Workaround: None
- Remediation steps
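To check the two Linux conditions above on a host, here is an added POSIX shell audit script (not from the original post or from Vulcan Cyber): it tests whether pkexec still carries the SUID bit that the PwnKit workaround removes, and whether the running kernel falls in the 5.8-and-later range the Dirty Pipe entry names. The pkexec locations and the single 5.8 threshold are assumptions; distribution fix levels are not on the page, so a flagged kernel still needs a patch-level check.

```shell
#!/bin/sh
# Added audit helper (not from the original post). It reports whether a Linux
# host still shows the two exposure conditions described above: the SUID bit
# on pkexec (CVE-2021-4034) and a kernel in the 5.8+ range (CVE-2022-0847).
# The 5.8 threshold and the pkexec workaround come from the post; vendor fix
# levels are not on the page, so a flagged kernel still needs a patch check.

# kernel_at_least MAJOR MINOR VERSION -> status 0 when VERSION >= MAJOR.MINOR
kernel_at_least() {
    want_major=$1; want_minor=$2
    ver=${3%%-*}                 # strip "-91-generic" style suffixes
    have_major=${ver%%.*}
    rest=${ver#*.}
    have_minor=${rest%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# has_suid_bit PATH -> status 0 when PATH exists and carries the setuid bit
has_suid_bit() {
    [ -u "$1" ]
}

# pkexec_path -> prints the first pkexec binary found in the usual locations
pkexec_path() {
    for p in /usr/bin/pkexec /bin/pkexec; do
        [ -e "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# audit_host -> prints one FLAG line per finding; status 0 when nothing flagged
audit_host() {
    flagged=0
    if p=$(pkexec_path) && has_suid_bit "$p"; then
        echo "FLAG $p is setuid: update polkit, or as a workaround run: chmod u-s $p"
        flagged=1
    fi
    if kernel_at_least 5 8 "$(uname -r)"; then
        echo "FLAG kernel $(uname -r) is 5.8 or later: confirm the Dirty Pipe fix is installed"
        flagged=1
    fi
    return $flagged
}

if audit_host; then
    echo "OK: no findings"
fi
```

Run it as an unprivileged user; it only reads file modes and the kernel version, and any `chmod u-s` it suggests is left for an administrator to apply deliberately.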
CVE-2022-22965 / Spring4Shell / Spring Framework RCE
- CISA deadline: April 25, 2022
- Type: Remote Code Execution
- Impact: Loss of system control
- Wild exploit: Yes
- Affects: Spring MVC or Spring WebFlux applications using data binding on JDK 9+ and deployed as a web application resource (WAR) on the Apache Tomcat server; applications deployed as a Spring Boot executable jar are not affected. (Tomcat is one of today’s most popular web servers and Java Servlet containers.)
- Platforms: Spring Framework
- Workaround: None
- Remediation steps
CTX Package Vulnerability
- CISA deadline: N/A
- Type: Repository Compromise
- Impact: Sends confidential and sensitive data to an attacker
- Wild exploit: Yes
- Affects: CTX, a library that provides Python developers with simpler ways to call common dictionary functions using dot notation; note that since CTX has been removed from PyPI, existing programs may not function as intended until they are updated
- Platforms: All Python applications
- Workaround: None
- Remediation steps
CVE-2022-30190 / Follina / Microsoft Support Diagnostic Tool (MSDT)
- CISA deadline: July 5, 2022
- Type: Remote Code Execution
- Impact: Arbitrary code execution to install programs, view, change, or delete data, or create new accounts
- Wild exploit: Yes
- Affects: Microsoft Support Diagnostic Tool (MSDT)
- Platforms: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008 SP2
- Workaround: Disable the MSDT URL protocol in the registry, following Microsoft’s guidance.
- Remediation steps
CVE-2022-26138 / Atlassian Questions for Confluence Vulnerability
- CISA deadline: August 19, 2022
- Type: Hard-coded credential vulnerability
- Impact: Log into servers, view and edit non-restricted pages in Confluence
- Wild exploit: Yes
- Affects: Versions 2.7.34, 2.7.35, and 3.0.2 of Questions for Confluence
- Platforms: Confluence Server and Data Center
- Workaround: Disable or delete the disabledsystemuser account
- Remediation steps
CVE-2022-26136 / CVE-2022-26137 / Atlassian Servlet Filter Dispatcher
- CISA deadline: N/A
- Type: Cross-site scripting (XSS) / Cross-origin resource sharing (CORS) bypass
- Impact: Authentication bypass, cross-site scripting
- Wild exploit: Yes
- Affects: See Atlassian’s advisory for all affected versions of the following platforms and products
- Platforms: Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Fisheye and Crucible, Jira Server and Data Center, and Jira Service Management Server and Data Center; no Atlassian cloud instances are affected
- Workaround: Changing proxy settings is sometimes suggested as a workaround, but Atlassian advises against it, noting that block lists are prone to bypass.
- Remediation steps
A rise in browser vulnerabilities
As the number of web-based attacks continues to grow, so does concern over web browser security vulnerabilities. Despite best efforts, there are a limited number of ways to secure browsing sessions and protect against these threats. In response, some browsers have implemented features such as built-in malware protection and anti-phishing measures. However, these tools are not foolproof and can sometimes give users a false sense of security.
One major problem is that many users do not update their browsers regularly, which leaves them exposed to known exploits. Additionally, new vulnerabilities are constantly being discovered, so even up-to-date versions of popular browsers may still be at risk. Another issue is that most browsers rely on third-party plugins to provide certain functionality, and these plugins often introduce their own vulnerabilities that attackers can exploit.
Following are two examples of significant browser vulnerabilities we’ve seen in the past year:
CVE-2022-22620 / Use-After-Free in Safari Zero-Day
- CISA deadline: February 25, 2022
- Type: Memory Safety Vulnerability
- Impact: Execution of arbitrary code
- Wild exploit: Yes
- Affects: Apple iOS browsers for mobile devices
- Platforms: All browsers for iOS, iPadOS and macOS: Safari, Chrome, Firefox and others
- Workaround: None
- Remediation steps
CVE-2022-1096 / Type Confusion in V8
- CISA deadline: April 18, 2022
- Type: Memory Safety Vulnerability
- Impact: Remote code execution following out-of-bounds memory access
- Wild exploit: Yes
- Affects: V8 JavaScript and WebAssembly engine within Chrome
- Platforms: Chromium Open Source Software (OSS) and all browsers using it, including Google Chrome, Microsoft Edge, Amazon Silk, Brave, Opera, and many others
- Workaround: None
- Remediation steps
Cyber risk in SaaS products
As more and more businesses move to SaaS solutions for their critical data and applications, the risk of third-party SaaS breaches is growing. In the past year, there have been a number of high-profile breaches of popular SaaS platforms. In each of these cases, the attackers were able to gain access to a large amount of sensitive customer data, including names, email addresses, and in some cases, credit card information.
As SaaS solutions become more popular, they are also becoming more attractive targets for attackers. Because SaaS platforms typically contain a large amount of sensitive data, a successful breach can result in significant data loss, having serious impact on business operations.
To protect against third-party SaaS breaches, businesses need to carefully vet the security of any SaaS solution they are considering using and to implement strong security controls such as two-factor authentication and data encryption to protect their data.
Some examples of breaches from 2022 include:
Hubspot
In March, malicious actors gained access to the contact data of several accounts through an email address used by an employee for customer service. Disabling the “Hubspot employee access control” option in the Hubspot account settings can counter this threat. This is a common feature in many SaaS products, but should only be switched on when customers require assistance.
Okta
Gaining remote access to the computer of an employee at Sitel — a company providing Okta with customer service functions — the malicious Lapsus$ group was able to compromise Okta’s systems. While the scope of the attack was not as wide as first thought, this was an alarming breach given Okta’s status as an access management provider for a number of well-known reputable organizations, with millions of users of their own.
Looking beyond CVEs
This list covers just some of the biggest security vulnerabilities we saw in 2022. Note that it is by no means exhaustive, and that there were other serious vulnerabilities throughout the past 12 months.
Visibility of vulnerabilities is one thing. But the true knowledge comes in identifying the common themes and patterns which tie multiple vulnerabilities together. That’s why we’ve produced our latest report, Cyber risk in 2022 – a 360° view. With original research from our Voyager18 team, this report explores the stories behind the stories from the past year, and offers actionable recommendations for better security posture in 2023.
One last thing…
As technology evolves, so will cyber threats. In fact, the rapidly changing threat landscape and enterprise IT architecture have exposed organizations to significant security risks. Taking a proactive approach to cyber security is therefore critical to getting ahead of cyber risk trends.
Security teams can mitigate cyber risk and fortify enterprise infrastructure by taking steps to increase awareness and by leveraging cutting-edge security technology.
The Vulcan Cyber® risk management platform allows development teams to prioritize cyber risks and mitigate them collaboratively. Book a demo today.