October 2, 2023 CISA KEV Breakdown | Google, Red Hat

Ryan Cribelar
October 2, 2023
CISA KEV

October 2: 2 New Vulns | CVE-2018-14667, CVE-2023-5217

In this CISA KEV Breakdown, we cover the Red Hat addition from the 28th of September as well as a recently disclosed vulnerability in the libvpx library. CVE-2023-5217 is the ID issued by the Google Chrome team for the exploitable vulnerability present in Chrome 117.0.5938.132 and libvpx 1.13.1, but other vendors are treating it as the primary CVE for their own products that use libvpx as well. In other news, CISA has added a “Known to be Used in Ransomware Campaigns” column to the KEV, which may add useful context in the future about how CISA observed the exploitation of a vulnerability.


Notable Vulnerability Additions

CVE-2018-14667 | RichFaces Expression Language Injection

Disclosed in 2018, RichFaces 3.X through 3.3.4 contains a vulnerability in the UserResource component that allows a remote, unauthenticated attacker to inject code and execute it on the vulnerable host. An attacker could craft a malicious Expression Language (EL) payload that is evaluated by the UserResource class and executed.

Both the vulnerability and working exploits have been public for quite some time. The reporter of the vulnerability, Joao Filho Matos Figueiredo, wrote up the vulnerability in extensive detail in the seclists disclosure, which you can read here. At this time it does not appear to be public what evidence of exploitation CISA observed, but it has nonetheless been added to the KEV. The RichFaces project reached end of life in June of 2016 but received an update in 2018 when the vulnerability was discovered.

Security Advisory(s):

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667

https://access.redhat.com/solutions/3660371

CVE-2023-5217 | Chrome libvpx Code Execution

A vulnerability in Chrome 117.0.5938.132 and libvpx 1.13.1 was disclosed by Google Threat Analysis Group’s Clément Lecigne and given the ID CVE-2023-5217. It is a vulnerability in the VP8 encoding component of the libvpx library that could allow arbitrary code execution on a vulnerable system. Multiple other software providers have issued security advisories pointing to CVE-2023-5217, even though most descriptions of this CVE present it as a Chrome issue without much more context. Stackdiary’s reporting on the vulnerability covers the details well, which you can read more of here.

Similar to the recent WebP confusion, because the vulnerability is in a component of a well-known software library used by many different applications, every application that ships a vulnerable version of the library is potentially exposed. In the context of this vulnerability, any application that uses libvpx for VP8 or VP9 video decoding and encoding is possibly vulnerable. This is one of those vulnerabilities where some hero out there has a Pastebin listing all of the downstream components that utilize the library, and it paints an accurate picture of the pain a vulnerability like this could theoretically cause if all of them turned out to be vulnerable in some way.

Security Advisory(s):

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/#CVE-2018-5127

Footnote – WS_FTP & CVE-2023-40044

Nucleus is aware of reports from Huntress Labs’ John Hammond of observed exploitation of CVE-2023-40044, an RCE bug in the WS_FTP software made by Progress. Assetnote released a blog discussing their initial discovery of the vulnerability and how it is exploited, which you can read here. Assetnote points out that “about 2.9k hosts” are running WS_FTP on the internet. Based on the exploitation they observed, look for firewall rules added with netsh that open port 3389 for UDP, as well as a malicious svchost.exe in C:\Windows. It is possible that this activity could be cause enough for CISA to add this vulnerability to the KEV.
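The two post-exploitation indicators called out above (a netsh firewall rule opening UDP 3389, and svchost.exe running from C:\Windows instead of C:\Windows\System32) are easy to hunt for in process-creation telemetry. The following is an added example, not code from Nucleus, Huntress or Assetnote; the log format and the sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample process-creation events (not real telemetry).
# Format assumed here: timestamp | parent image | command line
SAMPLE_LOG = """\
2023-09-30T10:01:02Z | C:\\Program Files\\Ipswitch\\WS_FTP Server\\ftpserver.exe | cmd.exe /c netsh advfirewall firewall add rule name=x dir=in action=allow protocol=UDP localport=3389
2023-09-30T10:01:05Z | C:\\Program Files\\Ipswitch\\WS_FTP Server\\ftpserver.exe | C:\\Windows\\svchost.exe -k netsvcs
2023-09-30T10:02:00Z | C:\\Windows\\System32\\services.exe | C:\\Windows\\System32\\svchost.exe -k netsvcs
2023-09-30T10:03:00Z | C:\\Windows\\explorer.exe | netsh interface ip show config
"""

# netsh adding a firewall rule for UDP 3389; argument order is free, so use lookaheads.
NETSH_UDP_3389 = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bprotocol=udp\b)(?=.*\blocalport=3389\b)",
    re.IGNORECASE,
)
# svchost.exe launched directly from C:\Windows (the legitimate binary lives in System32).
ROGUE_SVCHOST = re.compile(r'(?:^|[\s"])c:\\windows\\svchost\.exe\b', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    parent: str   # kept for triage context (e.g. the WS_FTP server process)
    rule: str
    command: str


def scan_events(log_text: str) -> List[Finding]:
    """Return one Finding per event that matches either indicator."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        ts, parent, cmd = parts
        if NETSH_UDP_3389.search(cmd):
            findings.append(Finding(ts, parent, "netsh-udp-3389-rule", cmd))
        if ROGUE_SVCHOST.search(cmd):
            findings.append(Finding(ts, parent, "svchost-outside-system32", cmd))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f.timestamp, f.rule, "parent:", f.parent)
```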


CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of it, or if the EPSS score reveals notable information about the vulnerability, this can warrant further analysis. It may also be the case that a particular vulnerability shines a light on everyday users, in which case we will highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time at which the Catalog is updated. See CISA’s full catalog here.
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to utilize the Catalog as an attribute in their vulnerability prioritization framework. Organizations looking to narrow their scope to known dangerous vulnerabilities and set a goal of remediating them can understand where they currently stand against what CISA has confirmed as vulnerabilities exploited in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the risk calculated by the model when determining the perceived threat of the vulnerability itself. Percentage is a relative comparison against the rest of the CVEs within the given sample. While the probability only changes when the model’s results are refreshed, the percentage can change purely based on the CVE sample given. In the case of the Breakdown, we use the percentage given by the pool of all CVEs with EPSS data. Scores may change after this post is published as new information emerges about the vulnerabilities and their perceived threat. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet
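To illustrate the probability-versus-percentile distinction from the FAQ above, here is an added example (not Nucleus’ or FIRST’s code) that computes a percentile for the same probability against two constructed score pools. The percentile definition it uses, the fraction of CVEs in the pool scored at or below the given probability, is an assumption modelled on FIRST’s description, and the pools are made-up values, not real EPSS data.

```python
from typing import Dict, List, Tuple

# Constructed EPSS-style score pools (CVE id -> probability); not real EPSS data.
POOL_A: Dict[str, float] = {"CVE-A-1": 0.97, "CVE-A-2": 0.45, "CVE-A-3": 0.12,
                            "CVE-A-4": 0.02, "CVE-A-5": 0.0009}
POOL_B: Dict[str, float] = {"CVE-B-1": 0.99, "CVE-B-2": 0.93, "CVE-B-3": 0.60,
                            "CVE-B-4": 0.33, "CVE-B-5": 0.12}


def epss_percentile(probability: float, pool: Dict[str, float]) -> float:
    """Percentile of a probability relative to a pool of scored CVEs.

    Assumed definition (modelled on FIRST's description, not their code): the
    fraction of CVEs in the pool whose probability is at or below this one.
    """
    if not pool:
        raise ValueError("pool must not be empty")
    at_or_below = sum(1 for p in pool.values() if p <= probability)
    return at_or_below / len(pool)


def rank_pool(pool: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """(cve, probability, percentile) for every CVE in the pool, highest probability first."""
    rows = [(cve, p, epss_percentile(p, pool)) for cve, p in pool.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # The probability 0.12 is fixed by the model, but its percentile depends on the pool:
    # it sits above 60% of POOL_A yet only 20% of POOL_B.
    print(epss_percentile(0.12, POOL_A), epss_percentile(0.12, POOL_B))
    for cve, prob, pct in rank_pool(POOL_A):
        print(f"{cve}: probability={prob:.4f} percentile={pct:.2f}")
```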