Ringing in 2022 with vulns, more vulns, and CISA guidance

, by Pearce Barry

Wrapping up 2021 and kicking off 2022, there were no shortages of vulnerabilities, vendor security advisories, patches, and active exploitations. Oh, did we mention, even more vulnerabilities and more patches? To ring in 2022 accordingly, let’s discuss some recent notable vulnerabilities (including an update on heavy-hitter Log4j) and touch on some CISA updates to their Known Exploited Vulnerabilities Catalog.

Wormable Windows vuln in the HTTP protocol stack (CVE-2022-21907)

As part of Patch Tuesday his week, Microsoft patched a vulnerability that could leave modern Windows systems (including Windows 10, Windows 11, and also Windows Server 2019 and 2022) open to exploitation. Existing within the HTTP Trailer Support logic of the HTTP protocol stack, this vulnerability is tracked as CVE-2022-21907 and has a “critical” CVSS score of 9.8. Considered “low complexity” to exploit, successful exploitation does not require authentication and can yield remote code execution to an attacker. Microsoft encourages patching of vulnerable systems, and does also offer mitigation steps for Windows 10 and Windows Server 2019 systems.

You can search for potentially vulnerable Windows instances in your network inventory with the following Rumble asset inventory query:

os:"microsoft windows 10" or os:"microsoft windows 11" or os:"microsoft windows server 2019" or os:"microsoft windows server 2022" or (os:="microsoft windows" and os_version:="")
Find potentially vulnerable Microsoft instances

Multi-vendor router flaw in the NetUSB kernel module (CVE-2021-45608)

Recently published security research from SentinelOne surfaced a vulnerability in the NetUSB kernel module from KCodes, which is used by a number of manufacturers in many popular home and small-business routers, including (but not limited to) the following:

  • D-Link
  • EDiMAX
  • Netgear
  • Tenda
  • TP-Link
  • Western Digital

Designed to support USB over IP, the NetUSB module contains an integer overflow vulnerability which can be successfully exploited (pre-authentication) to trigger a denial-of-service on the target router or even remote code execution (for more-advanced attackers). Tracked as CVE-2021-45608, this vulnerability received a “critical” CVSS score of 9.8 and folks with vulnerable router devices should upgrade to patched firmware releases as available.

You can search for potentially vulnerable routers in your network inventory with the following Rumble asset inventory query:

(type:"router" or type:"wap") and (hardware:"d-link" or hardware:"edimax" or hardware:"netgear" or hardware:"tenda" or hardware:"tp-link" or hardware:"western digital")
Find vulnerable routers in your network inventory

And speaking of large-impact vulnerabilities…

Circling back on Log4j

Log4j vulnerabilities became a whirlwind of activity last month, involving an 0-day and disclosures, newly patched releases, active exploitation, vendor security advisories, downstream software pulling-and-including new Log4j releases, and many (so many) end users patching and mitigating as best they could.

With an astoundingly far-and-wide reach in affected applications/software, four CVEs ultimately shook out of all of this:

  • CVE-2021-44228 - could allow remote code execution via lookup-with-JNDI vulnerability (“critical” CVSS score of 10.0)
  • CVE-2021-45046 - could allow remote and/or local code execution via lookup-with-JNDI vulnerability (“critical” CVSS score of 9.0)
  • CVE-2021-45105 - could allow DDoS via infinite recursion vulnerability (“high” CVSS score of 7.5)
  • CVE-2021-44832 - could allow remote code execution via JDBC Appender with a JNDI LDAP data source URI vulnerability (“medium” CVSS score of 6.6)

Per Apache’s guidance, folks should be using the latest versions of Log4j to remediate thes vulns, which include:

  • v2.17.1 (for Java 8 and later)
  • v2.12.4 (for Java 7)
  • v2.3.2 (for Java 6)

While many affected vendors did publish details on their affected products (and offer patched solutions and/or mitigations for their users/customers), a small number of vendors have chosen to make these details only available to their customers with current support contracts, and some vendors are still referring to their investigations into affected products as “ongoing”.

Government entities who stepped up to help sort through affected vendors and products may be the best bet as a long-term source for ongoing Log4j updates, including (but not limited to):

You can read more details, plus access many easy-to-use Rumble searches to help surface potentially vulnerable products in your network, in our Log4j blog post.

Run the Log4j prebuilt query

New CISA guidance to patch against 15 exploited vulns

Rounding out our post today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added 15 vulnerabilities to the Known Exploited Vulnerabilities Catalog it maintains “based on evidence that threat actors are actively exploiting” these vulnerabilities. While some vulnerabilities are ones from fairly recent memory, others go back a number of years. While CISA’s posted remediation due dates (which U.S. FCEB agencies are required to honor via BOD 22-01) include later this month (for a handful of the vulns) and July 2022 (for the remaining vulns), CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”

You can search your network inventory for the handful of vulnerabilities that have a CISA January 2022 remediation due date using the following Rumble service inventory query:

_asset.protocol:http and protocol:http and ((product:"vmware vcenter" and tcp_port:443) or (_asset.vendor:hikvision or hw:hikvision) or (_asset.protocol:http and protocol:http and (html.title:"FatPipe IPVPN" or last.html.title:"FatPipe IPVPN" or html.title:"FatPipe MPVPN" or last.html.title:"FatPipe MPVPN" or html.title:"FatPipe WARP" or last.html.title:"FatPipe WARP")))
Search for vulnerabilities that have a CISA January 2022 remediation due date

Try Rumble

Don’t have Rumble and need help finding assets potentially vulnerable to items in this blog post? Start your Rumble trial today.

Similar Content

December 10, 2021

Finding applications that use Log4J

Last updated on January 17, 2021 at 16:00 CST (-0600) Rumble can help you build an up-to-date asset inventory and search for assets that may be affected by the recent spate of Log4J vulnerabilities (e.g. Log4shell, etc.). You can then share the results with your security …

Read More

December 8, 2021

Finding Grafana instances

A zero-day vulnerability for Grafana, a popular analytics and visualization software, was leaked this week. This vulnerability provides attackers a path traversal attack vector that can result in data disclosure, resulting in access to files containing confidential …

Read More

December 3, 2021

Finding HP printers and MFPs vulnerable to Printing Shellz

Do you have HP printers and multi-function printers (MFPs)? You might want to look at the two recently published vulnerabilities that affect 150+ models. Named “Printing Shellz” by the F-Secure security researchers who reported them, these vulns have been around for ~8 …

Read More