CISA'S KEV additions - fix these threats to IT management systems

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploitable Vulnerabilities (KEV) catalog to include three new security flaws that pose a serious threat to IT management systems. These vulnerabilities are identified as CVE-2022-35914, CVE-2022-33891, and CVE-2022-28810, each with a different Common Vulnerability Scoring System (CVSS) score. Here’s what you need to know.

What are the vulnerabilities?

• CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability: A critical Remote Code Execution security vulnerability exists in Htmlawed, a third-party library in Teclib GLPI, an open source asset and IT management software package (in the ManageEngine OpManager product). Exploits of this attack have been detected in large numbers since the beginning of October 2022 with IP addresses from the US, Australia, the Netherlands, Bulgaria and Hong Kong, all attempting to abuse the flaw. A threat actor can execute code on insecure servers available on the internet, hosting GLPI (GLPI Network Cloud instances are not impacted), thus exploiting this vulnerability to execute arbitrary code on a target system without the need for authentication. This flaw affects versions of the product prior to version 12.5. Since an attacker can gain complete control of a vulnerable system, the potential impact of this vulnerability can be severe.

• CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability: An unauthenticated command injection vulnerability that exists in the SolarWinds Serv-U Managed File Transfer Server. The vulnerability has been exploited by the Zerobot botnet to co-opt susceptible devices, with the goal of carrying out distributed denial-of-service (DDoS) attacks. Also important to know is that this vulnerability can be exploited by an attacker to execute arbitrary code on a target system by sending a specially crafted request. This flaw affects all versions of the product prior to version 15.2.6. The impact of this vulnerability can also be severe, as an attacker can gain complete control of a vulnerable system.

• CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability: A vulnerability in the Trend Micro InterScan Messaging Security Virtual Appliance. This vulnerability can be exploited by an attacker to bypass authentication and gain unauthorized access to the target system, allowing for remote code execution when performing a password change or reset. This flaw affects all versions of the product prior to version 9.1. The impact of this vulnerability can be significant, as an attacker can gain access to sensitive data on a vulnerable system. Not so long ago, an additional Zoho ManageEngine vulnerability was covered in one of our blogs – so if you’re an active user, make sure to take action on this one as well.

Do they affect me?

The impact of these vulnerabilities on affected users can be severe, ranging from data theft to system compromise. The addition of these new vulnerabilities to CISA’s KEV catalog is a stark reminder of the importance of staying up-to-date with security patches and taking proactive measures to protect IT systems. It is important for users of the affected software to take immediate action to protect their systems. CVE-2022-35914, CVE-2022-33891, and CVE-2022-28810 are considered high-risk, and it is only a matter of time before attackers begin to massively exploit them. By addressing these vulnerabilities promptly, users can help prevent cyberattacks and protect their sensitive data.

Have they been actively exploited in the wild?

Some exploits of these vulnerabilities have been spotted in the wild. For example, cybersecurity company Rapid7, which discovered one of the bugs, said it had detected active exploitation attempts by threat actors to “execute arbitrary OS commands in order to gain persistence on the underlying system and attempt to pivot further into the environment.”

Fixing CVE-2022-35914, CVE-2022-33891 and CVE-2022-28810

To fix the vulnerabilities, users of the affected software should update their systems to the latest available versions. 

• CVE-2022-35914: Trend Micro InterScan Messaging Security Virtual Appliance users should update to version 9.1 or later.
• CVE-2022-33891: SolarWinds Serv-U Managed File Transfer Server users should update to version 15.2.6 or later
• CVE-2022-28810: ManageEngine OpManager users should update to version 12.5 or later. 

In addition, users should also consider implementing other security measures, such as firewalls, intrusion detection systems, and antivirus software, to further protect their systems. In addition, here are the workarounds to deal with RCE urgency:

First, delete the vendor/htmlawed/htmlawed/htmLawedTest.php file (be careful not to touch the htmLawed.php file, which is legitimate). After deleting, prevent web access to the vendor/ folder by setting (in the case of Apache, for example) an adequate .htaccess.

* If your server has already been corrupted, you will probably have to import your SQL dump and the folders mentioned above to a new server and start there.

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:

1. VulnRX – vulnerability fix database
2. MITRE ATTACK framework – Mapping techniques to CVEs 
3. Prevent data exfiltration attacks in GCP – here’s how
4. How to properly tackle zero-day threats 
5. OWASP Top 10 vulnerabilities 2022: what we learned

And finally…

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.