Why am I here?
Ho Ho Ho! Welcome back to the Bug Report, or a more fitting name for this time of year: The NAUGHTY List! Yes, we checked it twice. It is no holiday season without a few critical bugs tucked under the tree, two of which are still gift-wrapped in mystery. Thus, prepare yourself for battle (or long work hours) because cyberspace is on fire. Oh, did you think that because we were on holiday the rest of the world just stopped performing all sorts of cyber shenanigans?! Let’s say hello to this month’s list of naughty bugs! We even have a mention by the NSA! Naughty naughty, Citrix!
- CVE-2022-27518: Citrix ADC and Citrix Gateway
- CVE-2022-42475: FortiOS
- CVE-2022-4262: Google Chromium V8
- CVE-2022-42856: Apple’s Webkit
CVE-2022-27518: Holiday or overtime — pick one
What is it?
Did you configure a Citrix ADC or a Citrix Gateway to be your SAML SP or SAML IdP? Congratulations, overtime it is. You are the winner of the new unauthenticated remote code execution (RCE) vulnerability affecting Citrix ADC and Citrix Gateways! As a bonus surprise, you also might have been targeted by APT5.
Who cares?
Considering the broad utilization of Citrix ADC and Gateway products, this most likely impacts customers worldwide. After all, Citrix’s own webpage features customer stories ranging from non-profits and local governments to tech giants like eBay. You wouldn’t want your average user to be able to access financial, medical, or government systems without authentication, right? At least that is the story I am led to believe, as there is currently no publicly available proof-of-concept (POC) code. I guess Citrix doesn’t have any holiday spirit left this year. Neither does APT5, a not-so-nice advanced persistent threat (APT) group believed to be linked to China and known to target telecommunications and technology companies.
Given that CVE-2022-27518 is being actively exploited in the wild (and by an advanced threat actor no less), unless your patch management programs are streamlined, Citrix might have delivered you some coal this year. Although there is no POC, the NSA – you know, THE NSA – has released YARA rules to detect exploitation of this vuln by the APT group. I guess at least the NSA still has some holiday spirit left. P.S. My ISP history is all research!
What can I do?
What most of us dread to do: enable the patch goblins! Patches are available for ADC here and for Gateway here. Citrix’s own security bulletin is available for CVE-2022-27518; enjoy your coal-filled stocking.
CVE-2022-42475: FortiOS in heaps over its SSL-VPN
What is it?
Another pre-authentication RCE, this time in the Fortinet FortiOS SSL-VPN. This vulnerability seems to be exploited via specially crafted requests. Fortinet, another big name in cybersecurity solutions, has been the unfortunate victim of this year’s vuln-peddling Grinch.
Who cares?
Well, Fortinet advertises its partners and customers, and the list is almost as long as Santa’s. If I were a customer of Fortinet products, it would behoove me to evaluate my defensive posture as soon as possible. A bit of my previous life as an NCO came out there, but this is a serious matter that the many companies running Fortinet products should look into. If my words of warning aren’t reason enough, recall that this vulnerability is being exploited in the wild.
What can I do?
Did I say patch goblins? I did say patch goblins, oops, wrong season! Elves deploy the patch; elves! Open the gates! Deploy the sleighs! Over seven product versions are affected, so ensuring proper patch management is critical. More information on the patch can be found on Fortinet’s advisory.
CVE-2022-4262: V8 confused its own type
What is it?
Even Google is getting a visit from the Grinch this holiday season. Another type confusion vulnerability in the V8 engine inside Google Chrome has been found, making enough waves for CISA to put out advisories. As is typical for a type confusion vuln, it seems that a component in the V8 engine does not verify the type of object being passed in, allowing a malicious actor to later access that same object using a different type. Thanks to this CVE, a specially crafted HTML page allows a remote attacker to exploit a heap corruption in the popular browser, leading to RCE.
Who cares?
I find that the “caring” part really gets exacerbated when there are POCs in the wild. As a security researcher, I live for a POC! It’s like Santa Claus stumbling upon that warm plate of cookies and Irish coffee when visiting my place, you just know it’s a good time. In any case, the Chrome browser has a 65% market share according to some internet sources. I think it’s safe to say at least 65% of us care, and most likely, your SOC team cares. They don’t want the dreaded incident response call during the holiday season because a patch did not go through or get pushed.
What can I do?
Considering that CVE-2022-4262 has been observed in the wild, thanks to Google’s Threat Analysis Group, the best thing to do is patch and patch rapido, my friend! The relevant patch notes can be found here.
CVE-2022-42856: Google took a bite of Apple
What is it?
It’s a two-for-one special sort of deal! Remember CVE-2022-4262? Good, just checking. Truth be told, there is no direct link between this and the previous vuln other than the same researcher being credited for both and them both involving type confusion, but it’s still a fascinating coincidence.
For those who don’t know, Apple requires that all third-party web browsers operating in its iOS/iPadOS ecosystems utilize WebKit, an open-source web browser engine used not just by Apple but also by other platforms, including Google Chrome, Chromium, and GNOME Web. From the obscured details surrounding this vulnerability, it appears to be an incorrect use of dynamic memory. What is the likelihood this has something to do with the similar type confusion in Google Chromium’s V8? We may never know, as it seems Google and Apple have taken after Ebenezer Scrooge this year and decided not to comment on their respective vulnerabilities.
Who cares?
Given the fierce competition for market cap, the fact that two giants are ensuring their products are safe is no surprise. At the end of the day, both Apple users and Google users should care. And for those people around you who smugly say “get an Apple product, it can’t get malware,” well, just show them a few CVEs. Then get new friends; elitism is out of style this holiday season.
What can I do?
Given that this vulnerability has been observed being exploited in the wild, again by highly capable threat actors, the best course of action is to patch. You can start by consulting Apple’s advisory here.
This document and the information contained herein describe computer security research for educational purposes only and for the convenience of Trellix customers.