August ’22 a bumper month for high-impact vulnerabilities

The disclosure of multiple impactful and, critically, widespread vulnerabilities and proof-of-concept (POC) exploits made August a busy month for patching, with urgent updates needed for users of Apple and Google products, while corporate security teams were kept on their toes with fixes for vulns targeting Microsoft, Palo Alto and VMware, among others.

That is according to the third edition of Recorded Future’s CVE monthly report, in which the firm’s analysts highlighted some of the most critical bugs, including CVE-2022-2856 in Google’s Chrome web browser, and CVE-2022-32893 and -32894 in Apple Safari WebKit, Apple iOS, iPadOS and macOS, all of which are particularly important in part because of their vast user bases.

“When it rains, it pours,” said the analyst team. “As if the landscape was not content to simply break the dry spell of June, the number of high-risk vulnerabilities that we identified for August 2022 was over double the number from July, driven by two categories: disclosures of several zero-day vulnerabilities in products from major vendors like Apple, Google, and Microsoft; and releases of POC exploits for critical vulnerabilities in software from both our prioritised vendors and a diverse group of others.

“Unlike last month, there was a nearly equal distribution of high-risk vulnerabilities between our prioritised vendors and others. For our prioritised list, OSs and web browsers were principally affected. Outside of this list, we saw a wide spread of affected components, including router firmware, device management, interface controllers and learning management software.

“As is to be expected based on trends from the last several years, all of the high-risk vulnerabilities for this past month with CVSS scores were of low attack complexity. However, POC exploit code for these vulnerabilities ranged from a few lines to multi-file packages.”

The full list of prioritised vulnerabilities – in order of potential severity – is as follows:

• CVE-2022-2856 in Google’s Chrome web browser.
• CVE-2022-27255 in Realtek’s eCos interface controller.
• CVE-2022-32548 in DrayTek’s Vigor router firmware.
• CVE-2022-32893 in Apple’s Safari Webkit web browser.
• CVE-2022-32894 in Apple’s iOS, iPadOS, and macOS operating system.
• CVE-2022-34699 in Microsoft’s Windows and Windows Server operating system.
• CVE-2022-31656 in VMWare’s Workspace ONE Access, Identity Manager, and vRealize Automation device management.
• CVE-2022-31659 in VMWare’s Workspace ONE Access and Identity Manager device management.
• CVE-2022-0028 in Palo Alto Networks’s PAN-OS operating system.
• CVE-2022-34713 in Microsoft Windows and Windows Server operating system.
• CVE-2020-14321 in Moodle’s learning management system.

Of these, some of the more noteworthy issues included CVE-2022-34713, also known as DogWalk, which is disputed as a zero-day because technically, exploitation was reported after its initial disclosure, which occurred in 2020. The Recorded Future team said its exploitation confirmed their suspicions that non-macro-related Microsoft vulnerabilities that are exploitable via malicious documents would become a trending feature of the threat landscape.

The VMware vulnerabilities – which are not zero-days either – were disclosed as a pair on 2 August, CVE-2022-31656 being an authentication bypass vulnerability and CVE-2022-31659 being an SQL injection vulnerability. POC code was spotted in the wild a few days later on 9 August.

VMware users have been highly targeted by nation state advanced persistent threat (APT) groups and cyber criminal gangs throughout 2022 – its Horizon platform in particular became the subject of an alert from the US authorities in June. Prior to the August disclosures, VMware alerted users in April to CVE-2022-22954, a server-side template injection bug leading to remote code execution (RCE), which is thought to have been exploited by Iran-linked threat actors.

Recorded Future has been producing a monthly CVE bulletin since June 2022 – launched to coincide with the debut of Microsoft’s Windows Autopatch service, which has forever changed the nature of Patch Tuesday for security pros at thousands of large enterprises.