If you have ever watched a movie or television show that depicted hacking, you have probably heard the phrase, “I’m in”. A character in the story hacks into a network remotely in mere seconds without performing any type of reconnaissance to identify vulnerabilities. This is most likely done to save time and to keep the audience engaged in the story. In reality, reconnaissance and initial access can be some of the most time consuming attack phases for cybercriminals. This is why many ransomware groups outsource this task onto affiliates and initial access brokers (IAB). Although Hollywood hacking is not always accurate, there is one thing that is true and we can take away, which is that cybercriminals enjoy the path of least resistance. 

Depending on the sophistication of the threat actor, exploiting a vulnerability in a public-facing system may be easier than creating a spear phishing campaign that may or may not work. Remote code execution (RCE) is a cyber attack where a threat actor can execute code or commands on a device remotely from anywhere in the world. Due to this, RCE vulnerabilities are usually considered critical for organizations. Once a proof of concept or exploit is developed for these vulnerabilities, it does not take long for cybercriminals to start scanning the Internet for vulnerable systems. Organizations should prioritize and patch these vulnerabilities before an attacker has time to say, “I’m in”. 

Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence capability can help organizations make threat-informed decisions in a timely manner. No more scouring the web for information about vulnerabilities, such as if an exploit is available or if the vulnerability has been embedded into penetration testing tools. Digital Shadows (now ReliaQuest) provides all of this context in one, centralized location; the SearchLight portal. If you haven’t already, check out our last Vulnerability Roundup blog which provides a detailed overview of several critical need-to-know vulnerabilities from August 2022.

For this month’s vulnerability intelligence blog, we are going to go over five RCE vulnerabilities that organizations should prioritize from Microsoft’s September Patch Tuesday. 

CVE-2022-34718

There is a critical vulnerability, tracked as CVE-2022-34718, affecting a TCP/IP component in Microsoft Windows operating system. An attacker can perform remote code execution by sending a custom IPv6 packet to a Windows system that is using IP Security (IPSec) for secure tunneling. The vulnerability has a CVSS base score of 9.8 and a proof of concept exploit for the vulnerability is available on GitHub.

Figure 1: Proof of concept code for CVE-2022-34718 that the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) portal found on GitHub.

CVE-2022-34721 & CVE-2022-34722

Microsoft released a patch for the RCE vulnerability, tracked as CVE-2022-34721, affecting the Internet Key Exchange (IKE) Protocol Extension in Microsoft Windows operating system. This vulnerability could allow an unauthenticated attacker to perform remote code execution. The IKE is a protocol used to set up secure and authenticated communication channels for IPSec. The vulnerability has a CVSS base score of 9.8. Several working exploits have been published on GitHub and Twitter. 

Figure 3: Additional context for CVE-2022-34722 as detailed in our Vulnerability Intelligence portal.

CVE-2022-34700 & CVE-2022-35805

The next RCE vulnerabilities, tracked as CVE-2022-34700 and CVE-2022-35805, were found in Microsoft Dynamics 365. Microsoft Dynamics is a customer relationship management system available to Microsoft Office 365 business customers. Both of the vulnerabilities have a CVSS score of 8.8. In order to exploit these, an authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there the attacker could escalate and execute commands as the database owner within their Dynamics CRM database. However, exploitation relies on the attacker using an authenticated account.   

Figure 4: Risk factors of CVE-2022-34700 available in our Vulnerability Intelligence portal.

That’s a wrap

After recording each scene in a movie, the director yells, “Cut!”. It would be nice if security teams could do the same at the end of each shift or when they need more time to investigate a vulnerability. Unfortunately, real life moves forward with or without you and criminals will be criminals. However, network defenders are not alone. 

Digital Shadows (now ReliaQuest)’ Vulnerability Intelligence capability can help organizations make timely, threat-informed decisions during the vulnerability investigation process. You can test drive SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) and see the rich context available for each CVE, including risk factors, threat actor and malware associations, exploits, news, and much more. 

Not ready to chat? Download a copy of our Vulnerability Intelligence Solutions Guide to learn more about how threat intelligence can help!