Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html


Evil Maid Attacks - Remediation for the Cheap

Published: 2022-11-16

Last Updated: 2022-11-16 18:15:23 UTC

by Johannes Ullrich (Version: 1)

[This is a guest diary submitted by Gebhard. For feedback, you can connect with Gebhard via our DShield slack]


Preliminary note

In this diary, we are assuming PC-like devices with state-of-the-art disk encryption (full disk encryption, FDE) and a "normal" desktop OS (Linux, Windows, ...).

What is the evil maid attack?

The so-called evil maid attack is a physical-access attack against a device, carried out with hardware and/or software, while the device is left unattended, e.g., in a hotel room while you're out for breakfast. The attacker manipulates the device in a malicious way, e.g.:

if the device is running: cool down the RAM modules and remove them to copy their contents (a cold boot attack, e.g., to recover the disk encryption key or other sensitive data)

manipulate the mainboard / BIOS (e.g., to add a backdoor)

manipulate the content of the unencrypted bootloader (e.g., to add a backdoor)

The last attack may work even with Secure Boot enabled: the attacker can use a 0-day vulnerability in signed boot code, or a known vulnerability in signed boot code that the firmware still accepts because its revocation list (the UEFI dbx) has not been updated.
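A practical check for the last point, added here as an example and not part of the diary: on a Linux system with efivarfs, the firmware's forbidden-signature database dbx can be read from /sys/firmware/efi/efivars and parsed as a sequence of EFI_SIGNATURE_LIST structures, which shows how many revoked image hashes and certificates the firmware actually enforces and lets you compare that against the current UEFI revocation list. The sample blob below is constructed inline (not a real dbx) so the parser runs offline; the efivar path, the helper names and the owner GUID are assumptions made for this example.

```python
import hashlib
import struct
import uuid
from pathlib import Path
from typing import Dict, List, Optional

# Signature type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID of the Secure Boot image security database (db / dbx)
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DBX_EFIVAR = Path(f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_SIGLIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes) -> List[dict]:
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (the raw dbx payload).

    Each list carries a SignatureType GUID and a run of fixed-size EFI_SIGNATURE_DATA
    entries: a 16-byte SignatureOwner GUID followed by the hash or DER certificate.
    Malformed or truncated input raises ValueError instead of being silently skipped.
    """
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _SIGLIST_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _SIGLIST_HEADER.unpack_from(blob, off)
        if list_size < _SIGLIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + _SIGLIST_HEADER.size + hdr_size : off + list_size]
        if sig_size <= 16 or len(body) % sig_size != 0:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        entries = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            entries.append((owner, body[i + 16 : i + sig_size]))
        lists.append({"type": uuid.UUID(bytes_le=type_raw), "entries": entries})
        off += list_size
    return lists


def summarize(lists: List[dict]) -> Dict[str, int]:
    """Count revoked SHA-256 image hashes, revoked X.509 certificates, and anything else."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for sl in lists:
        if sl["type"] == EFI_CERT_SHA256_GUID:
            counts["sha256"] += len(sl["entries"])
        elif sl["type"] == EFI_CERT_X509_GUID:
            counts["x509"] += len(sl["entries"])
        else:
            counts["other"] += len(sl["entries"])
    return counts


def read_dbx(path: Path = DBX_EFIVAR) -> Optional[bytes]:
    """Return the dbx payload from efivarfs, or None if this system exposes no dbx variable.

    efivarfs prefixes every variable with a 4-byte attributes word, which is stripped here.
    """
    if not path.exists():
        return None
    raw = path.read_bytes()
    if len(raw) < 4:
        raise ValueError("efivar shorter than its attribute header")
    return raw[4:]


# --- Constructed sample (not a real dbx): three revoked image hashes and one certificate ---
def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list share one SignatureSize."""
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal size")
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = _SIGLIST_HEADER.pack(sig_type.bytes_le, _SIGLIST_HEADER.size + len(body), 0, sig_size)
    return header + body


SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # arbitrary owner GUID for the sample
SAMPLE_HASHES = [hashlib.sha256(f"constructed-image-{i}".encode()).digest() for i in range(3)]
SAMPLE_CERT = b"\x30\x82\x00\x3c" + b"\x00" * 60  # stand-in DER blob, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
)

if __name__ == "__main__":
    payload = read_dbx()
    source = "live dbx" if payload is not None else "constructed sample (no dbx efivar found)"
    print(source, summarize(parse_signature_lists(payload if payload is not None else SAMPLE_DBX)))
```

A firmware that reports only a handful of SHA-256 entries while the published dbx carries hundreds will still accept boot components that have been revoked elsewhere; updating the firmware or applying the dbx update through the OS vendor's mechanism closes that gap.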


Your possible options

There are several ways to minimize the risk of an unnoticed, successful evil maid attack. Which road you go depends on your personal threat model (and your budget, of course).


Take the risk

If evil maid attacks do not matter in your situation, e.g., because you're using a disposable device that is already assumed to be compromised, then you can simply take the risk.

Read the entire diary entry at: https://isc.sans.edu/diary/Evil+Maid+Attacks+Remediation+for+the+Cheap/29256/



Packet Tuesday: Network Traffic Analysis for the Whole Family

Published: 2022-11-15

Last Updated: 2022-11-15 17:17:06 UTC

by Johannes Ullrich (Version: 1)


A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking off "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below. For future videos, please subscribe to the YouTube channel. I will also use PacketTuesday.com for videos and related materials. There is usually a PCAP file to go with each video.

Packet Tuesday Website: https://packettuesday.com

YouTube Playlist: https://www.youtube.com/playlist?list=PLs4eo9Tja8biVteSW4a3GHY8qi0t1lFLL

Read the entire diary entry at: https://isc.sans.edu/diary/Packet+Tuesday+Network+Traffic+Analysis+for+the+Whole+Family/29252/


ADDITIONAL INTERNET STORM CENTER ENTRIES

Extracting 'HTTP CONNECT' Requests with Python (2022-11-14)

https://isc.sans.edu/diary/Extracting+HTTP+CONNECT+Requests+with+Python/29246

Extracting Information From "logfmt" Files With CyberChef (2022-11-12)

https://isc.sans.edu/diary/Extracting+Information+From+logfmt+Files+With+CyberChef/29244

Update: IPv4 Address Representations (2022-11-11)

https://isc.sans.edu/diary/Update+IPv4+Address+Representations/29242

Do you collect "Observables" or "IOCs"? (2022-11-10)

https://isc.sans.edu/diary/Do+you+collect+Observables+or+IOCs/29238


RECENT CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2022-27510 - Unauthorized access to Gateway user capabilities

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27510

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8250

NVD References: https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516


CVE-2022-45063 - xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45063

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8254

NVD References:

- https://www.openwall.com/lists/oss-security/2022/11/10/1

- https://www.openwall.com/lists/oss-security/2022/11/10/5

- https://invisible-island.net/xterm/xterm.log.html

- https://news.ycombinator.com/item?id=33546415


CVE-2022-37015 - Symantec Endpoint Detection and Response (SEDR) Appliance, prior to 4.7.0, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-37015

NVD References: https://support.broadcom.com/external/content/SecurityAdvisories/0/21005


CVE-2022-25932 - The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still exploit them for, respectively, privilege escalation and information disclosure.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25932

NVD References:

- https://inhandnetworks.com/upload/attachment/202210/25/InHand-PSA-2022-02.pdf

- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1523


CVE-2022-44727 - The EU Cookie Law GDPR (Banner + Blocker) module before 2.1.3 for PrestaShop allows SQL Injection via a cookie ( lgcookieslaw or __lglaw ).

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44727

NVD References:

- https://addons.prestashop.com/en/legal/8734-eu-cookie-law-gdpr-banner-blocker.html

- https://securityandstuff.com/posts/cve-2022-44727/

- https://www.lineagrafica.es/modp/lgcookieslaw/en/readme_en.pdf


CVE-2022-43672 - Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43672

NVD References: https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-43672.html


CVE-2022-31685 - VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-31685

NVD References: https://www.vmware.com/security/advisories/VMSA-2022-0028.html


CVE-2022-31686 - VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-31686

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8250

NVD References: https://www.vmware.com/security/advisories/VMSA-2022-0028.html


CVE-2022-31687 - VMware Workspace ONE Assist prior to 22.10 contains a Broken Access Control vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-31687

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8250

NVD References: https://www.vmware.com/security/advisories/VMSA-2022-0028.html


CVE-2022-31689 - VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-31689

NVD References: https://www.vmware.com/security/advisories/VMSA-2022-0028.html


CVE-2022-32932 - The issue was addressed with improved memory handling. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 16.1 and iPadOS 16, watchOS 9.1. An app may be able to execute arbitrary code with kernel privileges.

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32932

NVD References:

- https://support.apple.com/en-us/HT213489

- https://support.apple.com/en-us/HT213490

- https://support.apple.com/en-us/HT213491