OSINT Academy

The 12 Most Frequently Exploited Vulnerabilities in 2022 (4)


10–11. VMware Workspace ONE Access & Identity Manager (CVE-2022-22954, CVE-2022-22960)

VMware is popular virtualization software that often falls prey to cyber attackers at all levels, including APT groups. Exploiting vulnerabilities in VMware products can give an attacker unauthorized access to virtual machines and to the critical data hosted on the platform. Because VMware virtualizes multiple systems on a single physical server, a successful attack could compromise multiple virtual machines at once. Typically, attackers target VMware environments to gain a foothold in a larger network, leveraging the trust and accessibility of virtualized infrastructure. VMware vulnerabilities took two spots on CISA's list this year.

First, CVE-2022-22954 (CVSS score 9.8) is a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager that a malicious actor with network access can trigger to achieve RCE. After a PoC for the vulnerability was released last spring, security researchers discovered that it was being used in active attacks to infect servers with cryptocurrency miners.

Second, CVE-2022-22960 is a privilege escalation vulnerability. According to the CISA advisory on this vulnerability, it enables a malicious actor with local access to escalate privileges to root because of incorrect permissions in a support script. If chained with CVE-2022-22954, an attacker could execute arbitrary shell commands as the VMware user, then wipe the logs, escalate privileges, and move laterally to another system with root access.

12. F5 Networks BIG-IP (CVE-2022-1388)

Last September, F5 released a patch for a critical RCE vulnerability related to the BIG-IP product suite, and a few days later, security researchers were able to create an exploit for the vulnerability.

CVE-2022-1388 (CVSS score 9.8) is categorized as a missing authentication vulnerability involving an iControl REST authentication bypass, which could let an attacker gain access to and take control of an affected BIG-IP system. An attacker could then perform many malicious actions, such as loading a web shell for future attacks, deploying cryptocurrency miners and exfiltrating sensitive data.

Remote code execution flaws are easy to exploit, which makes them a target for opportunistic threat actors. Whenever vulnerabilities are discovered in Internet-facing services, threat actors are quick to exploit them. Vulnerabilities like CVE-2022-1388 provide immediate initial access to the target network and often let attackers follow up with lateral movement and privilege escalation.

Conclusion

Enterprise security teams must recognize that older vulnerabilities still exist and continue to pose a significant threat. While the latest CVEs are often more visible, CISA's annual list of commonly exploited vulnerabilities is a clear reminder that known vulnerabilities can still wreak havoc on unpatched systems.

In addition to the comprehensive list, CISA provides guidance for vendors and technology organizations to identify and mitigate potential risks. Recommendations include adopting secure-by-design practices and prioritizing the patching of known exploited vulnerabilities to minimize the risk of compromise. Vendors are also encouraged to establish a coordinated vulnerability disclosure process to allow for root cause analysis of discovered vulnerabilities.
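As an added example of the prioritization CISA recommends (not code from the article or from CISA), the script below cross-references an asset inventory against records in the shape of the public KEV catalogue feed and ranks the findings by overdue remediation date and known ransomware use. The KEV records, the inventory, the hostnames and the due dates are constructed sample data; only the CVE ids come from the article.

```python
"""Rank unpatched findings against CISA KEV-style records (added example)."""
from datetime import date

# Constructed KEV-style records. Field names follow the public KEV JSON feed;
# the CVE ids are those discussed in the article, the dates and ransomware
# flags are illustrative, not the catalogue's real values.
KEV_RECORDS = [
    {"cveID": "CVE-2022-22954", "vendorProject": "VMware",
     "product": "Workspace ONE Access and Identity Manager",
     "dueDate": "2022-05-05", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-22960", "vendorProject": "VMware",
     "product": "Workspace ONE Access and Identity Manager",
     "dueDate": "2022-05-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-1388", "vendorProject": "F5",
     "product": "BIG-IP", "dueDate": "2022-05-31",
     "knownRansomwareCampaignUse": "Known"},
]

# Constructed inventory: host -> list of CVEs a scanner reported unpatched.
INVENTORY = {
    "idm-01": ["CVE-2022-22954", "CVE-2022-22960"],
    "lb-edge-02": ["CVE-2022-1388"],
    "web-03": ["CVE-XXXX-PLACEHOLDER"],  # placeholder, not a real CVE id
}


def prioritize(inventory, kev_records, today_iso):
    """Return KEV-listed findings, most urgent first.

    Ordering: known ransomware use first, then most days past the KEV due
    date, then CVE id for a stable result. Non-KEV CVEs are left out here
    and handled by unmatched() so they can be queued at lower priority.
    """
    kev = {r["cveID"]: r for r in kev_records}
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            rec = kev.get(cve)
            if rec is None:
                continue
            due = date.fromisoformat(rec["dueDate"])
            findings.append({
                "host": host, "cve": cve,
                "product": f'{rec["vendorProject"]} {rec["product"]}',
                "days_overdue": (today - due).days,
                "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_overdue"], f["cve"]))
    return findings


def unmatched(inventory, kev_records):
    """Host -> CVEs that are unpatched but not in the KEV records."""
    kev_ids = {r["cveID"] for r in kev_records}
    out = {h: [c for c in cves if c not in kev_ids] for h, cves in inventory.items()}
    return {h: cves for h, cves in out.items() if cves}
```

Run against a live inventory, the same two lists give a patch queue that puts known-exploited, ransomware-linked flaws ahead of everything else, which is the ordering CISA's guidance asks for.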
