
    Date: 12/05/2022

    Oracle Fusion Vulnerability Exploited

    Overview

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical vulnerability affecting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability is tracked as CVE-2021-35587 (CVSS score of 9.8) and affects Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.

    Potential Impact

    An unauthenticated attacker with network access can potentially gain remote code execution and compromise Oracle Access Manager instances. This would allow attackers to create users with any privilege level or execute arbitrary code on the server. The scale at which this is being actively exploited is currently unclear, but proof of concept code is readily available. 

    Recommended Actions

    This issue was addressed in a patch from January 2022. It is strongly recommended that administrators ensure this patch is applied. Furthermore, restricting access to the Oracle Access Manager interface would reduce the risk of exploitation if an attacker has already gained access to the network. 


      Multiple Lansweeper Vulnerabilities

      Overview

      Multiple new vulnerabilities affecting Lansweeper 10.1.1.0 have recently been identified. These include two directory traversal vulnerabilities that can lead to arbitrary file upload (CVE-2022-32573 and CVE-2022-29517) and two directory traversal vulnerabilities that can lead to arbitrary file read (CVE-2022-29511 and CVE-2022-27498). An attacker can trigger these vulnerabilities by sending a crafted HTTP request. Other vulnerabilities include cross-site scripting that can potentially lead to JavaScript injection.

      Potential Impact

      Attackers could successfully exploit these vulnerabilities by sending crafted HTTP requests to the vulnerable application. Note that attackers would need to gain access to the network before exploitation can be attempted. These vulnerabilities were discovered by Cisco Talos, and there are no reports of active exploitation at this time.

      Recommended Actions

      Applying Lansweeper patches as they become available is recommended. Furthermore, restricting internal access to Lansweeper so that it is not reachable from every location on the network is recommended.

      Sources

      https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-directory-traversal-and-cross-site-scripting-vulnerabilities/

      https://talosintelligence.com/vulnerability_reports/TALOS-2022-1530

      Critical Vulnerability Introduces FreeBSD Take Over Avenue

      Overview

      A new critical vulnerability in the FreeBSD operating system has been published. Identified as CVE-2022-23093, this vulnerability affects the ping utility shipped with the operating system and can lead to a crash of the program or to remote code execution without authentication. The vulnerability has been categorized as a stack-based buffer overflow in ping.

      Potential Impact

      This buffer overflow can lead to up to 40 bytes of executable code being run on an exploited system. Additionally, since ping runs under the root account, whatever code executes will run with root privileges. This would give a threat actor the highest level of permissions on a vulnerable host and virtually complete control over the device.

      Recommended Actions

      Thankfully, the developers of FreeBSD have already released a security patch to fix this vulnerability. Organizations are urged to update any FreeBSD devices to the most recent stable release or security branch to prevent exploitation of this vulnerability. Organizations can get direct information about this vulnerability and appropriate response via the official FreeBSD posting found here: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc

      Sources

      https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html?&web_view=true

      https://securityaffairs.co/wordpress/139300/hacking/cve-2022-23093-freebsd-systems-flaw.html

      CrowdStrike Falcon Agent Bypass Proof-Of-Concept Released

      Overview

      Deda Cloud cybersecurity released a proof-of-concept (POC) for the issue tracked as CVE-2022-44721, which uninstalls the CrowdStrike Falcon agent, bypassing the usual one-time token uninstall protection. This is the second bypass of CrowdStrike's uninstall protection in the last several months.

      Potential Impact

      Disabling Endpoint Detection and Response (EDR) software is a common tactic of threat actors seeking to move laterally and escalate privileges in an environment in the early post-compromise stage of an attack. If threat actors can ‘blind’ the security team by disabling EDR, data exfiltration and ransomware deployment are on the menu for attacker actions.

      Recommended Actions

      Ensure your security team knows that EDR is not a set-and-forget tool deployment. CrowdStrike released a patch for this vulnerability in version v6.44.15806. Confirm that patches for security tools are deployed regularly and in a timely fashion.

      Sources

      https://github.com/purplededa/CVE-2022-44721-CsFalconUninstaller

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-44721

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
