moodle/moodle
Fixed in
4.0.2
3.11.8
3.9.15
CVE-2022-35649 is a critical remote code execution (RCE) vulnerability in the Moodle Learning Management System. It affects the 4.0, 3.11 and 3.9 branches before 4.0.2, 3.11.8 and 3.9.15 respectively, as well as older, unsupported releases. The root cause is a missing execution parameter in the command Moodle uses to run Ghostscript on PostScript and PDF input (Ghostscript's -dSAFER sandbox switch), so PostScript supplied by a user is interpreted with full access to the file system and to the %pipe% device, which executes shell commands. Ghostscript 9.50 and later turn SAFER on by default, which is why exploitation in practice relies on older Ghostscript builds; on such a host a successful exploit gives the attacker code execution on the Moodle server.
The impact is severe. Code runs with the privileges of the web server user, which is enough to read and modify the Moodle database credentials in config.php, exfiltrate or alter course data, plant persistent backdoors, harvest credentials and pivot further into the network, or simply take the service down. The dependency on Ghostscript widens the exposure, because many Moodle installations have it configured for PDF processing. It is the familiar class of PostScript-handling bug in which untrusted PostScript reaches an unsandboxed interpreter.
CVE-2022-35649 was publicly disclosed on July 26, 2022. It is a high-priority vulnerability because of its CRITICAL CVSS rating and the potential for complete system compromise. Public proof-of-concept exploits are easy to produce, since the PostScript %pipe% technique is well documented, so the window before exploitation attempts is short. Check the CISA KEV catalog for its current listing status; confirmed widespread exploitation has not been reported, but unpatched Moodle installations remain an attractive target.
Educational institutions, online learning platforms and any organisation using Moodle for learning management are exposed. Installations on shared hosting are particularly at risk, because the tenant often cannot choose or update the Ghostscript version. Legacy installations with outdated plugins and configurations are also more likely to still pair an old Moodle with an old Ghostscript.
• php: PostScript payloads travel in upload request bodies, so the request line in the web server access log will not contain them. Use the access log to tie file uploads to a user and IP around the time of a suspicious Ghostscript run, then scan the uploaded files in moodledata for PostScript that opens pipes or writes files:
grep -rl -e '%pipe%' -e '(w) file' /path/to/moodledata/filedir
• linux / server: Watch for Ghostscript processes owned by the web server user and for shells spawned beneath them. Ghostscript's process name is gs, not ghostscript:
ps -eo pid,ppid,user,comm,args | awk '$3 ~ /www-data|apache|nginx/ && $4 ~ /^(gs|sh|bash)$/'
• generic web: On a test instance you control, submit a PostScript file to a Moodle endpoint that processes it and confirm it is handled without side effects (no new files, no child processes). Do not run malicious PostScript against production.
curl -X POST -d '...' <moodle_url>/some/postscript/endpoint
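The three bullets above sketch where to look; the following Python script, added here as an example and not part of the original page or of Moodle itself, turns them into checks you can run against exported data. It assumes Apache combined-format access logs, that the Moodle file picker posts uploads to /repository/repository_ajax.php (adjust for your deployment), and that process data was captured with `ps -eo pid,ppid,user,comm,args`. The log lines, file contents and ps output embedded in it are constructed samples, not captures from a real host.

```python
"""Triage helpers for CVE-2022-35649 (added example, not Moodle's code).

Three checks that map to the detection bullets above:
  1. find_uploads()            - pull file-picker upload requests out of Apache access log lines
  2. scan_upload()             - flag uploaded PostScript/PDF that uses %pipe% or file-writing operators
  3. find_gs_under_webserver() - spot Ghostscript run as the web server user and any shells under it
All sample data below is constructed for the example, not captured from a real host.
"""
from __future__ import annotations

import re

# Apache "combined" log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint the Moodle file picker posts uploads to; adjust if your deployment differs (assumption).
UPLOAD_ENDPOINT = "/repository/repository_ajax.php"

# PostScript constructs that are only dangerous when Ghostscript runs without -dSAFER:
# %pipe% runs a shell command, "(w) file" opens a file for writing, and the rest
# rename, delete or redirect output to attacker-chosen paths.
DANGEROUS_PS = re.compile(rb"%pipe%|\(w\)\s*file|/OutputFile\s*\(|deletefile|renamefile")


def find_uploads(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (ip, timestamp, path) for successful POSTs to the upload endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["path"].startswith(UPLOAD_ENDPOINT)
                and m["status"] == "200"):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


def scan_upload(data: bytes) -> list[str]:
    """Return the dangerous PostScript tokens found in an uploaded file (empty list = clean).

    PostScript/EPS files start with '%!'; PDFs are scanned too because Moodle
    hands them to the same Ghostscript invocation.
    """
    head = data.lstrip()
    if not (head.startswith(b"%!") or head.startswith(b"%PDF")):
        return []
    return sorted({m.group(0).decode("latin-1") for m in DANGEROUS_PS.finditer(data)})


def find_gs_under_webserver(ps_lines: list[str],
                            web_users: tuple[str, ...] = ("www-data", "apache", "nginx")) -> list[dict]:
    """Parse `ps -eo pid,ppid,user,comm,args` output.

    Returns one record per Ghostscript process (comm is 'gs', not 'ghostscript')
    owned by a web server account, with the command lines of its direct children.
    A child shell under gs is the tell-tale of a %pipe% payload firing.
    """
    procs: dict[int, tuple[int, str, str, str]] = {}
    for line in ps_lines[1:]:  # first line is the ps header
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        procs[int(pid)] = (int(ppid), user, comm, args)

    findings = []
    for pid, (_ppid, user, comm, args) in procs.items():
        if comm == "gs" and user in web_users:
            children = [p[3] for p in procs.values() if p[0] == pid]
            findings.append({"pid": pid, "user": user, "args": args, "children": children})
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jul/2022:10:14:02 +0000] "POST /repository/repository_ajax.php?action=upload HTTP/1.1" 200 312',
    '203.0.113.7 - - [26/Jul/2022:10:14:05 +0000] "GET /mod/assign/view.php?id=42 HTTP/1.1" 200 9812',
    '198.51.100.3 - - [26/Jul/2022:10:15:00 +0000] "POST /login/index.php HTTP/1.1" 303 0',
]
SAMPLE_MALICIOUS_PS = b"%!PS\n(%pipe%id > /tmp/o) (w) file closefile\nshowpage\n"
SAMPLE_BENIGN_PS = b"%!PS\n/Helvetica findfont 12 scalefont setfont 72 72 moveto (hello) show showpage\n"
SAMPLE_PS_OUTPUT = [
    "    PID    PPID USER     COMMAND COMMAND",
    "   1200     900 www-data gs      gs -q -dNOPAUSE -dBATCH -sDEVICE=png16m -sOutputFile=/tmp/p.png /moodledata/temp/x.ps",
    "   1201    1200 www-data sh      sh -c id > /tmp/o",
    "   1300       1 root     sshd    /usr/sbin/sshd -D",
]

if __name__ == "__main__":
    print("uploads:", find_uploads(SAMPLE_LOG))
    print("malicious tokens:", scan_upload(SAMPLE_MALICIOUS_PS))
    print("benign tokens:", scan_upload(SAMPLE_BENIGN_PS))
    print("gs under web server:", find_gs_under_webserver(SAMPLE_PS_OUTPUT))
```

On a real host, feed `find_uploads` the access log, run `scan_upload` over the files in moodledata/filedir (they are stored by content hash, so the original names are in the database, not on disk), and feed `find_gs_under_webserver` the output of the ps command. A gs process with a shell child, as in the sample, is strong evidence that a %pipe% payload executed and the host should be treated as compromised.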
Exploit status: EPSS 7.53% (92nd percentile)
The primary mitigation for CVE-2022-35649 is to upgrade Moodle to 4.0.2, 3.11.8 or 3.9.15, or a later release on the same branch. If an immediate upgrade is not feasible, reduce the attack surface in one of two ways: update Ghostscript to 9.50 or later, where SAFER mode is the default and the missing parameter no longer matters, or clear the Ghostscript path in Site administration > Server > System paths so that Moodle cannot invoke Ghostscript at all (PDF conversion features stop working until it is restored). A Web Application Firewall is of limited help here, because the payload is inside an uploaded file rather than in a URL or form field, and PostScript is trivial to obfuscate. After upgrading, verify the fix with a benign probe rather than a known malicious sample: a PostScript file whose only effect without the sandbox is to create a canary file, run through the same Ghostscript invocation Moodle uses; with the fix in place the %pipe% open is refused and the canary never appears.
Upgrade Moodle to version 4.0.2, 3.11.8 or 3.9.15, or a later version. This fixes the remote code execution vulnerability caused by improper input validation when parsing PostScript code.
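To make the fix concrete, and to give the verification step something safer than a known malicious file, here is an added Python example (not Moodle's own code) that serves both the description of the vulnerability above and the mitigation section: it shows the vulnerable and hardened shape of the Ghostscript command line, checks whether the installed Ghostscript already defaults to SAFER (9.50 and later), and runs a benign %pipe% probe whose only effect, if the sandbox is missing, is to create a canary file in a temporary directory. The exact Ghostscript flags are an assumption modelled on a typical PDF-to-image conversion; -dSAFER is the parameter that matters.

```python
"""Post-upgrade verification for CVE-2022-35649 (added example, not Moodle's code).

The fix is one missing parameter: Moodle's Ghostscript command line must carry
-dSAFER, which disables %pipe% and raw file access. Ghostscript 9.50+ turns SAFER
on by default, which is why older Ghostscript builds were the exploitable ones.
Every function below is pure except run_probe(), which needs a gs binary.
"""
from __future__ import annotations

import os
import re
import subprocess
import tempfile

SAFER_DEFAULT_SINCE = (9, 50)


def parse_gs_version(text: str) -> tuple[int, int]:
    """Parse `gs --version` output ('9.26', '9.50', '10.02.1') into (major, minor)."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Ghostscript version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def safer_by_default(version: tuple[int, int]) -> bool:
    """True if this Ghostscript runs in SAFER mode even when the caller forgets -dSAFER."""
    return version >= SAFER_DEFAULT_SINCE


def build_gs_command(gs_path: str, input_path: str, output_path: str, safer: bool = True) -> list[str]:
    """Ghostscript invocation in the style Moodle uses for PDF/PS rendering (flags assumed).

    safer=False reproduces the pre-fix shape of the command: no -dSAFER, so
    attacker-controlled PostScript in input_path gets full interpreter privileges.
    """
    cmd = [gs_path, "-q", "-dNOPAUSE", "-dBATCH"]
    if safer:
        cmd.append("-dSAFER")  # the parameter the vulnerable Moodle versions omitted
    cmd += ["-sDEVICE=png16m", "-r72", f"-sOutputFile={output_path}", input_path]
    return cmd


def command_is_hardened(cmd: list[str]) -> bool:
    """Check a captured command line (e.g. from ps or an audit log) for the sandbox flag."""
    return "-dSAFER" in cmd and "-dNOSAFER" not in cmd


# Benign probe. Under SAFER the %pipe% open fails with invalidfileaccess and the canary
# file is never created; without SAFER, Ghostscript runs `touch <canary>`.
PROBE_PS = """%!PS
(%pipe%touch CANARY) (w) file closefile
showpage
"""


def run_probe(gs_path: str = "gs", safer: bool = True) -> dict:
    """Run the probe through build_gs_command() and report whether the canary appeared.

    canary_created == False (with a non-zero exit) is the expected, patched outcome.
    Calling with safer=False against Ghostscript < 9.50 shows the vulnerable behaviour;
    only do that on a throwaway machine.
    """
    with tempfile.TemporaryDirectory() as workdir:
        canary = os.path.join(workdir, "canary")
        probe = os.path.join(workdir, "probe.ps")
        with open(probe, "w") as fh:
            fh.write(PROBE_PS.replace("CANARY", canary))
        cmd = build_gs_command(gs_path, probe, os.path.join(workdir, "out.png"), safer=safer)
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        return {
            "command": cmd,
            "exit_status": result.returncode,
            "canary_created": os.path.exists(canary),
            "refused": "invalidfileaccess" in result.stderr + result.stdout,
        }


if __name__ == "__main__":
    out = subprocess.run(["gs", "--version"], capture_output=True, text=True).stdout
    version = parse_gs_version(out)
    print("ghostscript", version, "SAFER by default:", safer_by_default(version))
    print(run_probe())
```

Run it on the Moodle host as the web server user so that it sees the same Ghostscript binary Moodle does. `canary_created: False` together with `refused: True` means the sandbox is active for the hardened command; if you also want proof that the host was exploitable before, `run_probe(safer=False)` on a Ghostscript older than 9.50 will create the canary, which is exactly what a real payload would do with a reverse shell instead of `touch`.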
CVE-2022-35649 is a critical remote code execution vulnerability in Moodle releases before 4.0.2, 3.11.8 and 3.9.15, and in older unsupported branches. Because Moodle invoked Ghostscript without its sandbox parameter, attacker-supplied PostScript can execute arbitrary code and compromise the entire system.
If you run any Moodle release older than 4.0.2, 3.11.8 or 3.9.15, you are affected. Check your Moodle version (Site administration > Notifications shows it) and upgrade as soon as possible.
Upgrade Moodle to 4.0.2, 3.11.8 or 3.9.15, or later. If you cannot upgrade immediately, update Ghostscript to 9.50 or later, where SAFER mode is on by default, or clear the Ghostscript path in Moodle's system paths so that Moodle cannot invoke it.
Confirmed active exploitation is not yet widespread, but the severity of the flaw, its public disclosure and the simplicity of PostScript %pipe% payloads make it a likely target. Proactive patching is crucial.
Refer to the official Moodle security advisory at https://security.moodle.org/mdl-2022-35649 for detailed information and updates.