Corvus Threat Intel
Microsoft Vulnerability, Fortinet Exploited, & Security Tools for Software Development
Critical Microsoft vulnerability, Fortinet exploited in the wild, and tools to help software development projects.
Microsoft SPNEGO NEGOEX Vulnerability Upgraded to Critical
On September 13, 2022, Microsoft released software patches for a number of vulnerabilities, including one for SPNEGO NEGOEX (CVE-2022-37958). On December 13, 2022 Microsoft updated this vulnerability marking it as critical. This change occurred after researchers discovered that the flaw could potentially allow attackers to achieve remote code execution using a number of common protocols on Windows systems, including RDP, SMB, and possibly SMTP and HTTP. Security researchers at IBM who discovered the critical nature of the flaw are waiting until Q2 2023 to release technical details in order to give organizations time to patch but affected organizations shouldn’t delay applying security updates.
Why This Matters
This vulnerability is reminiscent of the “EternalBlue” exploit leveraging CVE-2017-0144. This was widely exploited in wormable (self-spreading) ransomware attacks spreading WannaCry through SMB. The present vulnerability may have a wider potential impact given there are multiple protocols in which the flaw may be present. Many unpatched default configurations are likely vulnerable, therefore we strongly urge organizations to patch immediately.
- Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism (Security Intelligence)
Fortinet Warns Critical Vulnerability in SSL-VPN is Being Exploited
On December 12, 2022, Fortinet released an advisory detailing a critical security flaw (CVE-2022-42475) in FortiOS SSL-VPN products. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities that led to ransomware incidents. Security patches have been released and should be applied as soon as possible.
The vulnerability affects Fortinet appliances running the following versions:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. This vulnerability is under active exploitation.
Why This Matters
Given the critical nature of this vulnerability, Corvus identified and quickly alerted affected policyholders. Remote code execution vulnerabilities in virtual private network (VPN) appliances have been a favorite for ransomware gangs. Ironically, the tool designed to secure network communications and access can serve as an entry for threat actors when critical flaws exist. Ensure you are maintaining a regular patching cadence, especially for products such as VPNs or other externally-facing services. You can also protect yourself by installing endpoint detection and response (EDR) solutions throughout your network.
Google and GitHub Release Tools to Help DevSecOps
Both Google and GitHub released tools this week to boost security in software development projects. Google launched the Open Source Vulnerabilities (OSV) scanner which is a tool designed to connect a project’s list of dependencies with the vulnerabilities that affect them, giving visibility to software engineers and security teams.
Later in the week GitHub announced free secret scanning for all public repositories. “Secrets” here generally refers to access information such as credentials, access tokens, private keys, API keys and other information unintentionally exposed in GitHub repositories. Through oversight, code uploaded to GitHub and publicly visible has been known to include such confidential information. GitHub’s secret scanning alerts users about leaked secrets identified in public code and will be rolled out to all users by January 2023.
Why This Matters
Leaked secrets and supply chain vulnerabilities have led to a number of high profile attacks in recent years. These moves by Google and GitHub signal a positive step toward minimizing the risk of a major compromise through minor oversight.
- Check Your Github Alerts
- Google Online Security Blog: Announcing OSV-Scanner: Vulnerability Scanner for Open Source
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.