
Netizen: July Vulnerability Review

Security vulnerabilities are a routine part of managing any business’s organizational security. Prompt patching and remediation of newly disclosed vulnerabilities is critical to reducing the externally exposed attack surface. Netizen’s Security Operations Center (SOC) has compiled four vulnerabilities from June that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups below:

CVE-2023-3422:

Heap corruption via a crafted HTML page, reachable by an attacker who convinces a user to install a malicious extension. This vulnerability has a NIST CVSSv3 base score of 8.8/10. In Google Chrome’s Guest View there is a UAF (Use After Free) vulnerability: an attacker who convinces a user to install a malicious extension can then, with a well-crafted HTML page, potentially trigger heap corruption. A UAF vulnerability involves incorrect use of dynamic memory. If a program continues to use a pointer after the memory it refers to has been freed, instead of clearing the pointer once the memory is released, an attacker can use that stale reference to corrupt memory and compromise the program. This affects Google Chrome versions prior to 114.0.5735.198. The technical details of this vulnerability are listed as unknown and there is no known public exploit available.

CVE-2022-29144:

Chromium-based Microsoft Edge Privilege Escalation Vulnerability. This vulnerability has a NIST CVSSv3 base score of 8.3/10, and its attack complexity is rated high, meaning a successful exploit depends on conditions beyond the attacker’s control. The technical details of this vulnerability are not publicly available, and exploitation requires user interaction. A successful exploit poses a high risk to all three elements of the CIA triad (confidentiality, integrity, and availability).

CVE-2023-25055:

Cross-Site Request Forgery (CSRF) vulnerability in the Google XML Sitemap for Videos plugin for WordPress, affecting versions 2.6.1 and earlier. This vulnerability has a NIST CVSSv3 base score of 8.8/10. The affected code is the plugin’s video_sitemap_generate function. The plugin does not sufficiently verify that an incoming request was intentionally submitted by the logged-in user, which enables CSRF: an attacker can trick an authenticated user of a web application into executing actions they did not intend, such as transferring funds or changing email addresses.
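As an added illustration that is not the plugin’s own code, here is a hypothetical WordPress admin action handler for regenerating a video sitemap, first in the unprotected shape that enables CSRF and then hardened with a capability check and a WordPress nonce; the function names, the hook name, the settings page slug and the nonce field name are all assumptions.

```php
<?php
// Added example, not the Google XML Sitemap for Videos plugin's real code.
// A hypothetical admin action that regenerates the video sitemap, shown
// without and then with CSRF protection. All names below are assumed.

// --- Vulnerable pattern: any request that reaches admin-post.php with
//     action=video_sitemap_generate is honoured. Nothing proves that the
//     logged-in administrator actually intended to send it, so a request
//     originating from another site is accepted just like a legitimate one.
function vsg_generate_vulnerable() {
    vsg_regenerate_sitemap();
    wp_safe_redirect( admin_url( 'options-general.php?page=vsg' ) );
    exit;
}

// --- Hardened pattern: require (1) a capability check, so only users who are
//     allowed to regenerate the sitemap can do so, and (2) a valid nonce tied
//     to this action, which a cross-site request cannot carry.
function vsg_generate_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the '_vsg_nonce' field against the
    // 'video_sitemap_generate' action and calls wp_die() on failure.
    check_admin_referer( 'video_sitemap_generate', '_vsg_nonce' );

    vsg_regenerate_sitemap();
    wp_safe_redirect( admin_url( 'options-general.php?page=vsg' ) );
    exit;
}
add_action( 'admin_post_video_sitemap_generate', 'vsg_generate_hardened' );

// The settings page must emit the matching nonce so legitimate submissions
// carry it. wp_nonce_field() adds the hidden '_vsg_nonce' input.
function vsg_render_generate_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="video_sitemap_generate">
        <?php wp_nonce_field( 'video_sitemap_generate', '_vsg_nonce' ); ?>
        <?php submit_button( 'Regenerate video sitemap' ); ?>
    </form>
    <?php
}

// Stand-in for the real sitemap work, so the file is self-contained.
function vsg_regenerate_sitemap() {
    update_option( 'vsg_last_generated', time() );
}
```

When reviewing a plugin for this class of bug, look for state-changing handlers hooked to admin_post_*, wp_ajax_* or admin_init that reach their side effect without a nonce check and a capability check on the way in.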

CVE-2023-34121:

Improper input validation in Zoom may allow information disclosure. This vulnerability has a NIST CVSSv3 base score of 8.8/10, requires no user interaction, and poses a high risk to the CIA triad. Improper input validation in the Zoom for Windows, Zoom Rooms, and Zoom VDI Windows Meeting clients before version 5.14.0 can lead to information disclosure, allowing an attacker to view sensitive information they are not authorized to see. MITRE ATT&CK classifies this technique as T1592 (Gather Victim Host Information).

Conclusion:

In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

Copyright © Netizen Corporation. All Rights Reserved.