CyberScotland Bulletin

Microsoft released its monthly security update on Tuesday 11^th January 2022, disclosing 96 vulnerabilities across its suite of products.

This Patch Tuesday, the breakdown of vulnerabilities includes 9 “Critical” ratings, and 6 zero-days.

• CVE-2022-21919– Windows User Profile Service Elevation of Privilege
• CVE-2022-21874 – Windows Security Centre API Remote Code Execution
• CVE-2022-21839 – Event Training Discretionary Access Control List Denial of Service
• CVE-2022-21836– Windows Certificate Spoofing
• CVE-2021-36976 – Libarchive Remote Code Execution
• CVE-2021-22947 – Open Source Curl Remote Code Execution

Additionally, Microsoft released patches for 29 issues regarding Microsoft Edge towards the beginning of the month.

A full list of Microsoft’s January 2022 Patches, their severities, and updates can be found here: Microsoft Security Response Centre

Log4j version 2.17.1 was released to fix an arbitrary code execution vulnerability in the Log4j 2 logging library. In less than one month, five CVEs have been linked to the Log4j library.

Unlike the previous recent vulnerabilities identified in this version, this is forecast to have much less impact to organisations given the prerequisites for successful exploitation. An attacker would need to find a method of modifying the configuration file, in order to successfully compromise the service, which would ultimately be a significant issue in itself.

More information on the arbitrary code execution vulnerability can be found at this link: Checkmarx.com

A vulnerability has been discovered which affects three WordPress plugins used on over 84,000 websites. Researchers state this vulnerability could be used by an attacker to take over any vulnerable site.

The flaw, tracked as CVE-2022-0215, is a cross-site request forgery vulnerability. This occurs when an authenticated end user is tricked into submitting a specially crafted web request by a malicious actor. The three affected WordPress plugins are as follows:

• Login/Signup Popup
• Site Cart Woocommerce
• Waitlist Woocommerce

These issues have been addressed by those who maintain the plugins and the issue can be patched by updated to the plugin’s latest version. More information on this vulnerability and it’s discovery can be found at this link: thehackernews.com

Google’s first round of 2022 patches fix a total of 37 issues, ranging mostly at high and medium severities.

One vulnerability affecting Google Chrome has been given a critical rating, in which an attacker could pass arbitrary code and gain control of a victim’s system. The flaw, tracked as CVE-2022-0096, could lead to the corruption of data to the execution of malicious code.

It is recommended that Google Chrome users update to the latest version (which is 97.0.4692.71 as of 18^th January 2022). Further information regarding the patched vulnerabilities and additional Chrome updates can be found with this link: Chrome Releases

The Cyber Security Information Sharing Partnership is a joint initiative between government and industry to share cyber threat information in a secure and confidential environment.

Organisations that are proactive in their approach for the management and handling of cyber security should consider joining CiSP to keep up with emerging threats.

Your organisation can register to join CiSP here. If your organisation is looking for a sponsor please contact the Cyber Resilience Unit at the Scottish Governement at cyberresilience@gov.scot

When your organisation has joined, you can register as an individual here.