Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Latest Security Vulnerabilities Breakdown: February 2022

Published 03/14/2022

Latest Security Vulnerabilities Breakdown: February 2022

This blog was originally published by Schellman here.

Written by Jacob Ansari, Chief Information Security Officer, Schellman.

In his play Julius Caesar, Shakespeare famously portrays a soothsayer as warning Caesar to beware the Ides of March, forever giving the otherwise innocuous middle of the month a sinister cast.

It may have been March for Caesar, but for those of us concerned with information security here and now, February this year has shaped up to become an incredibly dangerous time. This month particularly, we’ve seen numerous significant vulnerabilities both published and actively exploited by threat actors in the wild.

Strangely, Microsoft’s Patch Tuesday did not contain any fixes for zero-day or critical severity vulnerabilities. Instead, we’ve found significant vulnerabilities in ICM components in SAP, Google’s Chrome browser, and the popular e-commerce platforms Magento 2/Adobe Commerce, along with more Apple WebKit vulnerabilities. All this during the actual shortest month of the year.

We all know how Caesar meets his tragic end—both in the play and in history. But given just how important information security has become, we’d all like to avoid any semblance of such a sticky situation that the famous Roman found himself in.

We understand that technology rapidly advances all the time and it can be difficult to keep up with every new potential problem that could negatively impact your organization.

So let us break down these recent vulnerabilities for you. After reading this brief article, you’ll know more about these recent threats, enabling you to account for them within your own systems. We’ll also provide you with some further measures you can take to avoid your own Ides of February.

Security Vulnerabilities You Should Know About

Recent Vulnerabilities in ICM SAP

SAP releases updates on a monthly Tuesday cadence, and they recently announced three high-severity vulnerabilities in their Internet Communication Manager (ICM) components.

  • One of these is listed as CVE-2022-22536 and scores a maximum of 10 on the CVSS scale, meaning these are about as critical of a problem as Caesar had when Brutus grabbed his knife.
  • As its name implies, ICM gives SAP products the ability to communicate over the Internet via HTTPS, and CVE-2022-22536 allows a full remote takeover of the affected systems without any authentication or the like.
  • Specifically, it allows an attacker to prepend a legitimate web request to the ICM with arbitrary commands that the web application will then execute. The other issues allow attackers to mount remote attacks against the HTTP server to impersonate a legitimate user or easily cause a denial-of-service condition.
Recent Vulnerability in Google Chrome

A concern for Internet users everywhere, Google also reported a serious vulnerability in its Chrome browser.

  • More specifically, it’s a use-after-free error, where heap memory used by the browser in its animation rendering function can be repurposed by the attacker, who can then force the browser to execute this new arbitrary code.
  • Reported as CVE-2022-0609, this vulnerability is the first Chrome zero-day vulnerability of the year and came along with seven other security fixes for Chrome this month.
Recent Vulnerabilities in Magento 2/Adobe Commerce

A new remote-code execution (RCE) bug that affects Magento 2 and Adobe Commerce was patched in an emergency patch release on Sunday, February 13th.

  • The release came with urgent warnings to apply this fix right away, as vulnerable versions of the software are prime targets for the Magecart threat actor, who uses credit card skimming in e-commerce sites to harvest stolen payment cards.
  • This vulnerability, CVE-2022-24086, scores 9.8 on the CVSS scale and bears similarities to prior security vulnerabilities that affected numerous merchants using Magento involved in large-scale attacks resulting in many stolen payment card numbers.
  • Moreover, on February 17th, 2022, Adobe updated its advisory for Adobe Commerce/Magento 2 to fix another critical zero-day flaw that allowed remote code execution. This vulnerability, CVE-2022-24087, scores 9.8 on the CVSS scale, and the fix for this is equally urgent as the first.
Recent Vulnerabilities in Apple WebKit

Another use-after-free condition occurs in Apple devices, namely iPhones, iPads, and MacOS devices, specifically in its WebKit browser functionality.

  • This vulnerability, CVE-2022-22620, allows an attacker to run arbitrary code on a target browser that processes specific, malicious web content and can also cause crash conditions in the operating system.
  • Like the Chrome issue, it results from a heap memory error, where the dynamic memory is freed from use, but the pointer to it was not cleared.
  • When under attack and that same segment of memory receives new data, the pointer can reference potentially hostile instructions contained in that new data allocated to that section of the heap, allowing an attacker to run commands of their choice.

Responding to These Vulnerabilities

Given that some of the affected software is commonly used by ordinary users, namely Chrome and Apple operating systems, both organizations and individual users need to respond by quickly obtaining and installing the updates to their affected systems.

All of these vulnerabilities present significant risks, not just because of their severe nature, but also because the software vendors and security researchers are aware of active exploitation of these issues in the wild. Threat actors are making use of these vulnerabilities to mount campaigns to target vulnerable systems or are incorporating them into existing attack campaigns already targeting the relevant victims.

Ironically, while these vulnerabilities are new and affect modern systems, the underlying issues that allowed for them to be exploited them are not.

These things occur because of improper input validation or memory management techniques, both of which have been well understood issues, with clear mitigation strategies available for decades. As Cassius says to Brutus, the fault indeed lies not in their stars, but in themselves.

The fact that we are still here demonstrates how effective software security practices can prove challenging for all sorts of organizations, even those with extensive security practices in their development efforts. Senior leadership in these organizations needs to continue to prioritize software security practices to find and mitigate these issues early in the development lifecycle, rather than after product release, when the result can lead to many severe security incidents that potentially affect numerous organizations and people.

How to Protect Yourself Against Emerging Security Vulnerabilities

It’s fair to say that we can expect more significant vulnerabilities in crucial software yet this year—it’s also entirely possible that more will come to light even before the month is out.

To avoid an Ides of Anytime, organizations need to be ready to address these software vulnerabilities as they emerge. Your first steps would be to aggressively prioritize software updates, but also looking at other mitigations that take into account the complexity of your software stack.

To help with your more extensive cybersecurity measures, read our content on the subject. These articles can help you start or build upon your foundational defenses, with tips against particular threats and ideas on how to talk security with your personnel:

Regardless of whatever steps you take regarding these vulnerabilities and others, at the very least understand this: every new component or application requires care and maintenance. The types of problems we’ve witnessed in February prove that this fight continues, and we know one thing for sure—the consequences of not paying attention can be severe.

References:

https://portswigger.net/daily-swig/emergency-adobe-commerce-magento-patches-follow-limited-in-the-wild-attacks-on-vulnerable-deployments

https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html

https://threatpost.com/adobe-zero-day-magento-rce-attack/178407/

https://threatpost.com/sap-patches-severe-icmad-bugs/178344/

https://threatpost.com/apple-patches-actively-exploited-webkit-zero-day/178370/


About the Author

Jacob Ansari is the Chief Information Security Officer at Schellman & Company, where he develops and manages the company-wide information security program. Jacob oversees the processes for risk and security assessment, vulnerability management, software security, awareness and education, and incident response. Jacob has also performed in a client facing role as the technical lead for Schellman’s PCI services, and represents Schellman to the payments industry. Additionally, Jacob has experience with other Payment Card Industry assessment services, namely Software Security Framework, PA-DSS, P2PE, 3DS, and PIN. Jacob has extensive technical expertise on matters of information security, compliance, application security, and cryptography, and has been performing payment card security assessments since the card brands operated the predecessor standards to PCI DSS. Over the 20 years of his career, Jacob has spoken extensively on PCI-related matters, trained and mentored assessors, and contributed to groups on emerging standards, advisory bodies, and special interest groups

Share this content on your favorite social network today!