All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of August 22nd, 2022, including some commentary of mine.
VMware fixed a privilege escalation issue in VMware Tools
VMware this week released patches to address an important-severity vulnerability in the VMware Tools suite of utilities. According to Security Affairs, an attacker with local non-administrative access to the Guest OS can trigger the CVE-2022-31676 flaw to escalate privileges on a compromised system.
“VMware Tools suite was subject to a privilege escalation vulnerability. An attacker could gain root privileges upon successful exploitation of this vulnerability. This vulnerability was resolved in versions 12.1.0 and 10.3.25.”
GitLab issues patch for critical flaw in its Community and Enterprise software
DevOps platform GitLab this week issued patches to address a critical security flaw in its software that could lead to arbitrary code execution on affected systems. Tracked as CVE-2022-2884, the issue is rated 9.9 on the CVSS vulnerability scoring system. Hacker News reports that a successful exploitation of the critical flaw could enable a malicious actor to run malicious code on the target machine, inject malware and backdoors, and seize complete control of the susceptible devices.
“GitLab is subject to an arbitrary code execution vulnerability. An attacker could execute arbitrary code upon successful exploitation of this vulnerability. An attacker would need access to the import API to exploit this issue. This issue has been resolved in versions 15.3.1, 15.2.3, and 15.1.5. The issue can be mitigated by disabling the import option.”
Microsoft publicly discloses details on critical ChromeOS flaw
According to Security Affairs, Microsoft shared technical details of a critical ChromeOS flaw that could be exploited to trigger a DoS condition or for remote code execution. The vulnerability is tracked as CVE-2022-2587 and bears a CVSS score of 9.8.
“Microsoft reported a vulnerability in ChromeOS to Google in April 2022. This vulnerability is being tracked as CVE-2022-2587. This vulnerability could allow an attacker to cause denial of service conditions and potentially execute arbitrary code. To trigger this vulnerability an attacker needs to craft malicious metadata associated with songs. This vulnerability occurred because there was no proper validation of user-supplied data. This lack of validation led to a heap-based buffer overflow. Google has since resolved this issue in ChromeOS.”
Fake Chrome extension 'Internet Download Manager' has 200,000 installs
Bleeping Computer reported that a Google Chrome extension 'Internet Download Manager', which is installed by more than 200,000 users, is adware. The extension has been sitting on the Chrome Web Store since at least June 2019, according to the earliest reviews posted by users.
“More than 200,000 users have installed an extension called "Internet Download Manager." This extension is adware and has been present on the Chrome Web Store since June 2019. Once installed, the extension opens links to spammy sites, changes the default browser search engine, and hounds the user with pop-ups.
There is a legitimate extension called Internet Download Manager created by Tonec, but it is actually called ‘IDM Integration Module’. Any IDM extension on the Chrome Web Store is considered fake and should not be used.”
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.