Internet Storm Center Spotlight


INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.

https://isc.sans.edu/about.html


Critical OpenSSL 3.0 Update Released. Patches CVE-2022-3786, CVE-2022-3602

(Johannes Ullrich | 2022-11-01)

As preannounced, OpenSSL released version 3.0.7, which patches two related vulnerabilities rated as "High." Initially, as part of a preannouncement, the vulnerability was rated "Critical." OpenSSL 3.0 was initially released in September of last year.

The update patches a buffer overrun vulnerability that happens during the certificate verification. The certificated needs to contain a malicious Punycode encoded name, and the vulnerability is only triggered AFTER the certificate chain is verified. An attacker first needs to be able to have a malicious certificate signed by a certificate authority the client trusts. This does not appear to be exploitable against servers. For servers, this may be exploitable if the server requests a certificate from the client (mTLS) [1] . OpenSSL also published a blog post with details here: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

In short: While this is a potential remote code execution vulnerability, the requirements to trigger the vulnerability are not trivial, and I do not see this as a "Heartbleed Emergency". Patch quickly as updated packages become available, but beyond this, no immediate action is needed…

https://isc.sans.edu/forums/diary/Critical+OpenSSL+30+Update+Released+Patches+CVE20223786+CVE20223602/29208


Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11

(Didier Stevens | 2022-10-30)

Sysinternals tools updates have been released for

Process Explorer v17.0

Handle v5.0

Process Monitor v3.92

Sysmon v14.11

Make sure to update sysmon, as it includes a bug fix.

I like the update to the Handles and DLLs view: it's multitab now, making it easier to switch (unless you are used to the control keys to switch) …

https://isc.sans.edu/diary/Sysinternals+Updates+Process+Explorer+v170+Handle+v50+Process+Monitor+v392+and+Sysmon+v1411/29200/

Internet Storm Center Entries


OTHER INTERNET STORM CENTER ENTRIES


Breakpoints in Burp (2022-11-02)

https://isc.sans.edu/diary/Breakpoints+in+Burp/29214/


Who put the "Dark" in DarkVNC? (2202-11-02)

https://isc.sans.edu/diary/Who+put+the+Dark+in+DarkVNC/29210/


NMAP without NMAP - Port Testing and Scanning with PowerShell (2022-10-31)

https://isc.sans.edu/diary/NMAP+without+NMAP+Port+Testing+and+Scanning+with+PowerShell/29202/


Quickie: CyberChef & Microsoft Script Decoding (2022-10-29)

https://isc.sans.edu/diary/Quickie+CyberChef+Microsoft+Script+Decoding/29198/


Supersizing your DUO and 365 Integration (2022-10-27)

https://isc.sans.edu/diary/Supersizing+your+DUO+and+365+Integration/29194/


Why is My Cat Using Baidu? And Other IoT DNS Oddities (2022-10-26)

https://isc.sans.edu/diary/Why+is+My+Cat+Using+Baidu+And+Other+IoT+DNS+Oddities/29188/


Apple Patches Everything: October 2022 Edition (2022-10-25)

https://isc.sans.edu/diary/Apple+Patches+Everything+October+2022+Edition/29182/

Recent CVEs


RECENT CVEs FROM NATIONAL VULNERABILITY DATABASE (NVD)


CVE-2022-42319

Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored.

Published: November 01, 2022

NVDBase Score: 7.5 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-42319


CVE-2022-3652

Type confusion in V8 in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

Published: November 01, 2022

NVD Base Score: 8.8 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-3652


CVE-2022-3653

Heap buffer overflow in Vulkan in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

Published: November 01, 2022

NVDBase Score: 8.8 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-3653


CVE-2022-3654

Use after free in Layout in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

Published: November 01, 2022

NVDBase Score: 8.8 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-3654


CVE-2022-42795

A memory consumption issue was addressed with improved memory handling. This issue is fixed in tvOS 16, iOS 16, macOS Ventura 13, watchOS 9. Processing a maliciously crafted image may lead to arbitrary code execution.

Published: November 01, 2022

NVDBase Score: 8.8 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-42795


CVE-2022-42791

A race condition was addressed with improved state handling. This issue is fixed in macOS Ventura 13. An app may be able to execute arbitrary code with kernel privileges.

Published: November 01, 2022

NVDBase Score: 7.0 HIGH

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-42791


CVE-2022-3732

A vulnerability was found in seccome Ehoney and classified as critical. Affected by this issue is some unknown functionality of the file /api/v1/bait/set. The manipulation of the argument Payload leads to sql injection. The attack may be launched remotely. VDB-212414 is the identifier assigned to this vulnerability.

Published: October 28, 2022

NVDBase Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-3732


CVE-2022-41352

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio.

Note: This vulnerability has been modified and is currently undergoing reanalysis. Please check back soon to view the updated vulnerability summary.

Published: September 25, 2022, last modified October 20, 2022

NVDBase Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2022-41352


CVE-2022-42827

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 16.1 and iPadOS 16. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Note: This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary.

Published: November 01, 2022

NVDBase Score: N/A

Vector: not yet provided

https://nvd.nist.gov/vuln/detail/CVE-2022-42827