Microsoft security bulletin
Microsoft has published its January security bulletin in which it has fixed a total of 97 bugs, including six 0-day vulnerabilities and nine bugs classified as critical. Regarding the 0-days, no active exploitation of these has been detected, but it should be noted that several of them have public proofs of concept, so it is likely that they will be exploited in the short term. Regarding the security flaws classified as critical, it is worth highlighting CVE-2022-21907 (CVSS 9.8), which affects the latest versions of Windows in its desktop and server versions. This is a vulnerability in the HTTP protocol stack, the exploitation of which would result in remote code execution and which has been labelled as “wormable”. The other flaw to note is another remote code execution in this case in Microsoft Office (CVE-2022-21840 CVSS 8.8), patched for Windows versions, but not yet for macOS devices. Similarly to what happened with the 0-days, according to Microsoft, no exploits have been detected for these two vulnerabilities either.
More info: https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan
New JNDI vulnerability in H2 database console
Researchers at JFrog have discovered a critical unauthenticated remote code execution vulnerability in the H2 database console. The vulnerability shares its origin with the Log4Shell (JNDI remote class loading) vulnerability and has been assigned the identifier CVE-2021-42392. H2 is a popular open source Java SQL database widely used in various projects. Despite being a critical vulnerability and sharing features with Log4Shell, the researchers indicate that its impact is minor for several reasons. Firstly, this flaw has a direct impact because the server that processes the initial request is the same server that is affected by the flaw, making it easier to detect vulnerable servers. Secondly, the default configuration of H2 is secure, unlike with Log4Shell where default configurations were vulnerable. And finally, many vendors use the H2 database but not the console, so while there are vectors to exploit the flaw beyond the console, these other vectors are context-dependent and less likely to be exposed to remote attacks. Despite attributing less risk to this new flaw than to Log4Shell, the researchers warn that for anyone running an H2 console exposed to the LAN, the flaw is critical and they should upgrade to version 2.0.206 as soon as possible. The firm has also shared guidance for network administrators to check if they are vulnerable to the new flaw.
All the details: https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
Five new URL parsing confusion flaws
MuddyWater: Link to Iran and technical issues
The Cyber National Mission Force (CNMF) of the US cybersecurity command has published a note linking the APT known as MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS) and details some technical aspects that have been associated with the group. MuddyWater was first identified in 2017, with targets located primarily in the Middle East, Europe and North America, and in the telecommunications, government and oil industry sectors. The release identifies some open source tools used by this malicious actor, including variants of PowGoop, samples of the Mori backdoor or sideloading DLL files to trick legitimate programmes into executing malware.
Learn more: https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
0-day vulnerabilities detected in AWS CloudFormation and AWS Glue
Security researchers at Orca Security have detected two 0-day vulnerabilities in different Amazon Web Services (AWS) services. The first of the flaws was in the AWS CloudFormation service and consisted of an XXE (XML External Entity) vulnerability, which allowed threat actors to disclose confidential files located on the vulnerable service machine, as well as the disclosure of credentials for internal AWS infrastructure services. The second vulnerability discovered affected the AWS Glue service, which stemmed from an exploitable feature that allowed the credentials needed to access the internal service’s API to be obtained and could gain administrator permissions. The AWS spokesperson assured that no customer data has been affected due to the vulnerabilities in both services. It should be noted that both vulnerabilities were fixed by the AWS security team after they were reported by researchers.
All the details: https://orca.security/resources/blog/aws-glue-vulnerability/