Vulnerability 1: PrintNightmare Windows Spooler Service (9.0 Critical)
Description: The Windows Spooler Service (WSS) holds a Remote Code Execution vulnerability. The WSS implements the print roles for clients and servers by enabling each connected system to act as a print client, an administrative client or a print server for printer services. A remote code execution (RCE) vulnerability enables attackers to execute arbitrary code on a targeted machine. In the case of PrintNightmare, an attacker can execute arbitrary code with SYSTEM-level privileges on systems running the Active Directory (AD) service.
Likelihood: High – Exploiting this vulnerability grants attackers high-level privileges, enabling them to install programs; view, change, or delete data; or create new accounts with full user rights.
Recommendation: Brace168 recommends identifying whether the Print Spooler service is running and, if it is, disabling the service and also disabling any inbound remote printing capabilities.
Vulnerability 2: Django 3.1.x & 3.2.x SQL Injection (7.5 High)
Description: The Django web framework has an SQL injection vulnerability. SQL injection is a common attack method whereby attackers abuse input field parameters to retrieve, update or add entries within a database that is linked to a website or application. In Django’s case, unsanitised user input passed to ‘QuerySet.order_by()’ could bypass the intended validation checks, resulting in a potential SQL injection. As a result, attackers would be able to retrieve sensitive entries stored in the database. Django versions 3.2.4 and below are vulnerable to this SQL injection attack.
Likelihood: High – The Django framework is extremely accessible and widely used, with JSTOR and Prezi among the organisations using it. Attackers are highly likely to exploit this vulnerability due to the framework’s popularity and open-source nature.
Recommendation: We recommend patching instances that run the affected versions. Furthermore, sanitisation of user input should be enforced to ensure that inputs are appropriate and do not contain any code.
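As an added illustration (not code from this advisory or from Django itself), the Python helper below applies the recommended input sanitisation by allowlisting the fields a client may pass to QuerySet.order_by(), instead of handing a raw query-string value straight to the ORM; the field names and the view it serves are assumptions.

```python
import re
from typing import List

# Constructed allowlist: the model fields a hypothetical "articles" view lets
# clients sort by. Anything not listed here is never passed to order_by().
ALLOWED_ORDER_FIELDS = {"title", "author", "created_at"}

# One field name, optionally prefixed with "-" for descending order.
_FIELD_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")


class InvalidOrdering(ValueError):
    """Raised when a client-supplied ordering value fails validation."""


def validate_ordering(raw: str, allowed=ALLOWED_ORDER_FIELDS) -> List[str]:
    """Turn a raw ?ordering= query value into a list safe for order_by().

    Vulnerable pattern this replaces: Article.objects.order_by(request.GET["ordering"]).
    Only allowlisted identifiers (optionally "-"-prefixed) are accepted; SQL
    fragments, unknown columns and empty values are rejected before the ORM.
    """
    fields = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        if not _FIELD_RE.match(item):
            raise InvalidOrdering(f"malformed ordering term: {item!r}")
        if item.lstrip("-") not in allowed:
            raise InvalidOrdering(f"field not permitted for ordering: {item!r}")
        fields.append(item)
    if not fields:
        raise InvalidOrdering("no ordering field supplied")
    return fields


def is_safe_ordering(raw: str) -> bool:
    """Convenience predicate: True only if validate_ordering() would accept raw."""
    try:
        validate_ordering(raw)
        return True
    except InvalidOrdering:
        return False


def safe_order_by(queryset, raw: str):
    """Apply a validated ordering to any object exposing an order_by() method."""
    return queryset.order_by(*validate_ordering(raw))
```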
Vulnerability 3: OpenVPN Arbitrary Code Execution (4.4 Medium)
Description: OpenVPN has an arbitrary code execution vulnerability. Arbitrary code execution allows an attacker to run code of their choosing (for example, injected shellcode) on a compromised device, giving them the ability to run arbitrary commands and ultimately take complete control of the device. In OpenVPN’s case, a local user can load an arbitrary dynamically loadable library via an OpenSSL configuration file, which allows that user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe); if OpenVPN is run with administrator privileges, the loaded code runs with those same privileges. OpenVPN versions 2.5.2 and below are vulnerable to this arbitrary code execution attack.
Likelihood: Medium – Although OpenVPN is widely used by businesses and even individual users, the likelihood of this vulnerability being exploited is low but still present.
Recommendation: Brace168 recommends patching OpenVPN to the latest version: 2.5.3 for OpenVPN Community, or 2.7.1 if running OpenVPN Client Connect. Since this vulnerability was linked to the way the OpenSSL library is built, no further actions are required.