Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Another Script-Based Ransomware
In the past, I already found some script-based ransomware samples written in Python or PowerShell[1]. The last one I found was only a “proof-of-concept” (my guess), but it demonstrates how easily such malware can be developed and how it remains undetected by most antivirus products.

I found a malicious Visual Basic script that attracted my attention. The SHA256 is 8c8ed4631248343f8732a83193828471e005900fbaf144589d57f6900b9c8996 and its VT score is only 3/57![2]. It's not flagged as malicious but, even more, it’s reported as a simple malicious script.

The obfuscation technique used is simple but pretty effective: the VBS creates a bunch of environment variables that contain encrypted PowerShell code:

Set osi = CreateObject("Wscript.shell")
Set wev = osi.Environment("Process")
wev("XXX0") = "JGVuY3J5cHRlZD0iNzY0OTJ…"
wev("XXX1") = "QXhBRElBTndCbUFHUUFNQUExQURJQVpnQX…"

The Environment() parameter specifies where the environment variable is stored. Here, “Process” means that the variables live only in the current process and are passed to child processes (they are not written to the registry), which makes them available to the second stage, the PowerShell script. In total, 80 “XXX” variables are created. The code to launch the next stage is obfuscated in a long string...
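As an added triage helper (not code from the diary or from the sample itself), the Python below parses the staging pattern described above out of a VBS file: it collects the numbered XXXn assignments, orders them numerically, and decodes the reassembled base64 to recover the second stage. It assumes the chunks are slices of one base64 string, which the diary does not state explicitly, and the embedded VBS is a constructed sample with a harmless placeholder payload.

```python
import base64
import re
from typing import Dict, Optional

# Constructed sample (not the real malware): a VBS stager that stores slices of
# one base64 string in process-scoped env vars XXX0, XXX1, ... The payload is a
# harmless placeholder and the slices are deliberately assigned out of order.
SAMPLE_VBS = '''\
Set osi = CreateObject("Wscript.shell")
Set wev = osi.Environment("Process")
wev("XXX2") = "tleGl0"
wev("XXX0") = "JGVuY3J5cHRlZD0iU0"
wev("XXX1") = "FNUExFIj"
'''

# Matches obj("PREFIX<n>") = "<base64>" and osi.Environment("<scope>") in VBS.
ENV_ASSIGN = re.compile(r'\w+\("([A-Za-z_]+)(\d+)"\)\s*=\s*"([A-Za-z0-9+/=]*)"')
ENV_SCOPE = re.compile(r'\.Environment\("(\w+)"\)', re.IGNORECASE)

def extract_chunks(vbs_text: str) -> Dict[str, Dict[int, str]]:
    """Collect base64-looking values assigned to numbered env vars, grouped by prefix."""
    groups: Dict[str, Dict[int, str]] = {}
    for prefix, idx, value in ENV_ASSIGN.findall(vbs_text):
        # Keep the index numeric: a string sort would put XXX10 before XXX2.
        groups.setdefault(prefix, {})[int(idx)] = value
    return groups

def reassemble(chunks: Dict[int, str]) -> Optional[bytes]:
    """Join slices in index order and decode once; None if the result is not base64."""
    joined = "".join(chunks[i] for i in sorted(chunks))
    joined += "=" * (-len(joined) % 4)  # tolerate a stripped trailing pad
    try:
        return base64.b64decode(joined, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def triage(vbs_text: str) -> dict:
    """Summarise the staging pattern: env scope, variable count, decoded stage."""
    scope = ENV_SCOPE.search(vbs_text)
    groups = extract_chunks(vbs_text)
    prefix = max(groups, key=lambda p: len(groups[p])) if groups else None
    decoded = reassemble(groups[prefix]) if prefix else None
    return {
        "env_scope": scope.group(1) if scope else None,
        "prefix": prefix,
        "var_count": len(groups[prefix]) if prefix else 0,
        "stage2": decoded.decode("utf-8", "replace") if decoded else None,
    }
```

Running `triage()` over a real sample gives the scope, the number of staging variables and the reassembled second stage, which is the part worth feeding to further analysis.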

Read the entire diary entry at: https://isc.sans.edu/diary/Another+ScriptBased+Ransomware/29234/


Microsoft November 2022 Patch Tuesday

This month we got patches for 68 vulnerabilities. Of these, 10 are critical, 1 was previously disclosed, and 4 are already being exploited, according to Microsoft.

The previously disclosed (and exploited) vulnerability is a security feature bypass on Windows Mark of the Web (MOTW) (CVE-2022-41091). According to the advisory, an attacker can craft a malicious file that would evade MOTW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The CVSS for this vulnerability is 5.4.

Another exploited vulnerability is a Remote Code Execution (RCE) on Windows Script Languages (CVE-2022-41128). This vulnerability impacts the JScript9 language. To exploit this vulnerability, an attacker would have to convince users to visit a specially crafted server share or website, typically through an enticement in an email or chat message. In other words, user interaction is required, but it would not be hard for an attacker to accomplish this kind of interaction, which makes this vulnerability worthy of special attention. The CVSS for this vulnerability is 8.8.

Among critical vulnerabilities, there is an elevation of privilege vulnerability affecting the Microsoft Exchange Server (CVE-2022-41080). The CVSS for this vulnerability is the highest for this month: 8.8. The advisory says that this vulnerability is not exploited, but marks it as “Exploitation More Likely”.

Last but not least, there is an important elevation of privilege vulnerability affecting Microsoft Windows Sysmon (CVE-2022-41120) that you should also dedicate special attention to. An attacker who successfully exploited this vulnerability could gain administrator privileges by manipulating information on the Sysinternals services. The CVSS for this vulnerability is 7.8.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

Read the entire diary entry at: https://isc.sans.edu/diary/Microsoft+November+2022+Patch+Tuesday/29230/

OTHER INTERNET STORM CENTER ENTRIES

IPv4 Address Representations (2022-11-06)
https://isc.sans.edu/diary/IPv4+Address+Representations/29224/

Windows Malware with VHD Extension (2022-11-05)
https://isc.sans.edu/diary/Windows+Malware+with+VHD+Extension/29222/

Remcos Downloader with Unicode Obfuscation (2022-11-04)
https://isc.sans.edu/diary/Remcos+Downloader+with+Unicode+Obfuscation/29220/

RECENT CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-27510 - Unauthorized access to Gateway user capabilities
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27510
ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8250
NVD References: https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516



CVE-2022-41128 - Windows Scripting Languages Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
** KEV since 2022-11-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41128
ISC Diary: https://isc.sans.edu/diary/29230
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128
NVD References: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41128



CVE-2022-41091 - Windows Mark of the Web Security Feature Bypass Vulnerability
CVSS Score: 5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C
** KEV since 2022-11-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41091
ISC Diary: https://isc.sans.edu/diary/29230
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091
NVD References: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41091



CVE-2022-41073 - Windows Print Spooler Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
** KEV since 2022-11-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41073
ISC Diary: https://isc.sans.edu/diary/29230
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073
NVD References: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41073



CVE-2022-41125 - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
** KEV since 2022-11-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41125
ISC Diary: https://isc.sans.edu/diary/29230
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125
NVD References: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41125



CVE-2022-41080 - Microsoft Exchange Server Elevation of Privilege Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41080
ISC Diary: https://isc.sans.edu/diary/29230
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080
NVD References: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41080



CVE-2022-41120 - Microsoft Windows Sysmon Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41120
ISC Diary: https://isc.sans.edu/diary/29230
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
NVD References: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41120



CVE-2022-3723 - Google Chromium V8 Type Confusion Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
** KEV since 2022-10-28 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3723
NVD References:
- https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html
- https://crbug.com/1378239



CVE-2022-27582 - Password recovery vulnerability in SICK SIM4000 (PPC) Partnumber 1078787 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality, integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. Please make sure that you apply general security practices when operating the SIM4000. The following general security practices could mitigate the associated security risk. A fix is planned but not yet scheduled.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27582
NVD References: https://sick.com/psirt



CVE-2022-27584 - Password recovery vulnerability in SICK SIM2000ST Partnumber 2086502 and 1080579 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality, integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. Please make sure that you apply general security practices when operating the SIM2000ST. The following general security practices could mitigate the associated security risk. A fix is planned but not yet scheduled.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27584
NVD References: https://sick.com/psirt



CVE-2022-27585 - Password recovery vulnerability in SICK SIM1000 FX Partnumber 1097816 and 1097817 with firmware version < 1.6.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. The recommended solution is to update the firmware to a version >= 1.6.0 as soon as possible. (available in SICK Support Portal)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27585
NVD References: https://sick.com/psirt



CVE-2022-27586 - Password recovery vulnerability in SICK SIM1004 Partnumber 1098148 with firmware version < 2.0.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to an increase in their privileges on the system and thereby affecting the confidentiality, integrity and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 2.0.0 as soon as possible.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27586
NVD References: https://sick.com/psirt



CVE-2022-38381 - An improper handling of malformed request vulnerability [CWE-228] exists in FortiADC 5.0 all versions, 6.0.0 all versions, 6.1.0 all versions, 6.2.0 through 6.2.3, and 7.0.0 through 7.0.2. This may allow a remote attacker without privileges to bypass some Web Application Firewall (WAF) protection such as the SQL Injection and XSS filters via a malformed HTTP request.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38381
NVD References: https://fortiguard.com/psirt/FG-IR-22-234



CVE-2022-39379 - Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39379
NVD References:
- https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
- https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2



CVE-2022-3827 - A vulnerability was found in centreon. It has been declared as critical. This vulnerability affects unknown code of the file formContactGroup.php of the component Contact Groups Form. The manipulation of the argument cg_id leads to sql injection. The attack can be initiated remotely. The name of the patch is 293b10628f7d9f83c6c82c78cf637cbe9b907369. It is recommended to apply a patch to fix this issue. VDB-212794 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3827
NVD References:
- https://github.com/centreon/centreon/commit/293b10628f7d9f83c6c82c78cf637cbe9b907369
- https://github.com/centreon/centreon/pull/11869
- https://vuldb.com/?id.212794


Manual Review Needed:

CVE-2022-26486: Mozilla Firefox Use-After-Free Vulnerability
Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. Apply updates per vendor instructions.


CVE-2022-26485: Mozilla Firefox Use-After-Free Vulnerability
Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. Apply updates per vendor instructions.


CVE-2019-8720: WebKitGTK Memory Corruption Vulnerability
WebKitGTK contains a memory corruption vulnerability which can allow an attacker to perform remote code execution. Apply updates per vendor instructions.