INTERNET STORM CENTER SPOTLIGHT

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html


Log4Shell campaigns are using Nashorn to get reverse shell on victim's machines

Published: 2022-11-21

Last Updated: 2022-11-21 20:48:27 UTC

by Renato Marinho (Version: 1)

Almost one year later, Log4Shell attacks are still alive and making victims. Log4Shell, as you may remember, was the name given to a remote code execution (RCE) vulnerability in the Apache Log4j Java library, first known on December 10th, 2021. Information on the zero-day (CVE-2021-44228) and on malicious campaigns using it was covered here at SANS ISC in different diaries:

Log4Shell, or how things can get bad quickly: https://isc.sans.edu/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120

and Log4Shell Attacks Getting "Smarter": https://isc.sans.edu/diary/Log4Shell+Attacks+Getting+Smarter/28246

In an incident case I got last week, attackers started a reverse shell on the victim’s machine in a way I have not seen in Log4Shell exploitations. The reverse shell was issued using Nashorn, a JavaScript scripting engine used to execute JavaScript code dynamically on the JVM. Similar use of Nashorn was seen in Confluence CVE-2022-26134 exploitations.

Read the entire diary entry:

https://isc.sans.edu/diary/Log4Shell+campaigns+are+using+Nashorn+to+get+reverse+shell+on+victims+machines/29266/



Ukraine Themed Twitter Spam Pushing iOS Scareware

Published: 2022-11-28

Last Updated: 2022-11-28 12:36:18 UTC

by Johannes Ullrich (Version: 1)

With the expansion of Russia's invasion of Ukraine in February, Ukraine has made heavy use of social media to demonstrate the ability of the Ukrainian armed forces to repulse the attack. Ukraine often shares video clips showing attacks against Russian troops from drones or action camera footage from the front lines. These videos have been widely distributed, and various social media channels have shared them to build an audience for themselves.

Of course, like any current significant event, these videos are also used to push more malicious content. Recently I have observed how, on Twitter, many videos not hosted on the platform are being used to push scareware/malware. The type of software being advertised with the videos depends on the device used to view the content.

Read the entire diary entry:

https://isc.sans.edu/diary/Ukraine+Themed+Twitter+Spam+Pushing+iOS+Scareware/29276/

OTHER INTERNET STORM CENTER ENTRIES

What's the deal with these router vulnerabilities? (2022-12-01)

https://isc.sans.edu/diary/Whats+the+deal+with+these+router+vulnerabilities/29288/


Identifying Groups of "Bot" Accounts on LinkedIn (2022-11-29)

https://isc.sans.edu/diary/Identifying+Groups+of+Bot+Accounts+on+LinkedIn/29282/


Happy 22nd Birthday DShield.org! (2022-11-25)

https://isc.sans.edu/diary/Happy+22nd+Birthday+DShieldorg/29272/


Attackers Keep Phishing Victims Under Stress (2022-11-24)

https://isc.sans.edu/diary/Attackers+Keep+Phishing+Victims+Under+Stress/29270/


Packet Tuesday: Episode 2 - Extended DNS Option Type 0 (2022-11-22)

https://isc.sans.edu/diary/Packet+Tuesday+Episode+2+Extended+DNS+Option+Type+0/29268/


McAfee Fake Antivirus Phishing Campaign is Back! (2022-11-19)

https://isc.sans.edu/diary/McAfee+Fake+Antivirus+Phishing+Campaign+is+Back/29264/


Lessons Learned from Automatic Failover: When 8.8.8.8 "disappears". IPv6 to the Rescue? (2022-11-17)

https://isc.sans.edu/diary/Lessons+Learned+from+Automatic+Failover+When+8888+disappears+IPv6+to+the+Rescue/29260/

RECENT CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2021-35587 - Oracle Fusion Middleware Unspecified Vulnerability

CVSS Score: 0

** KEV since 2022-11-28 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-35587

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8270



CVE-2022-4135 - Chromium: CVE-2022-4135 Heap buffer overflow in GPU

CVSS Score: 0

** KEV since 2022-11-28 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4135

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-4135

NVD References

- https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html

- https://crbug.com/1392715



CVE-2022-41326 - The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41326

NVD References:

- https://www.mitel.com/support/security-advisories

- https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0009



CVE-2022-43214/43215 - Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the orderId parameter at printOrder.php.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43214

NVD References:

- https://github.com/Qrayyy/CVE/blob/main/Billing%20System%20Project%20v1.0/CVE-2022-43214(sql%20in%20printOrder.php).md

- https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html



CVE-2022-36227 - In libarchive 3.6.1, the software does not check for an error after calling the calloc function, which can return a NULL pointer if it fails, leading to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark, but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-36227

NVD References:

- https://bugs.gentoo.org/882521

- https://github.com/libarchive/libarchive/issues/1754



CVE-2022-40602 - A flaw in the Zyxel LTE3301-M209 firmware versions prior to V1.00(ABLG.6)C0 could allow a remote attacker to access the device using an improper pre-configured password if the remote administration feature has been enabled by an authenticated administrator.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-40602

NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-configured-password-vulnerability-of-lte3301-m209



CVE-2022-40189 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the Apache Airflow Pig Provider allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow version prior to 2.3.0 in case the Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install Pig Provider version 4.0.0 on top of Airflow 2.3.0+ in order to get rid of the vulnerability.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-40189

NVD References:

- https://github.com/apache/airflow/pull/27644

- https://lists.apache.org/thread/yxnfzfw2w9pj5s785k3rlyly4y44sd15



CVE-2022-44186 - Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_pri.

CVE-2022-44187 - Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via wan_dns1_pri.

CVE-2022-44188 - Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter enable_band_steering.

CVE-2022-44190 - Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter enable_band_steering.

CVE-2022-44191 - Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameters KEY1 and KEY2.

CVE-2022-44193 - Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameters starthour, startminute, endhour, and endminute.

CVE-2022-44194 - Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec.

CVE-2022-44196 - Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_push1.

CVE-2022-44197 - Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.

CVE-2022-44198 - Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_push1.

CVE-2022-44199 - Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.

CVE-2022-44200 - Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow via parameters: stamode_dns1_pri and stamode_dns1_sec.

CVE-2022-44184 - Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_sec.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD References:

- https://github.com/RobinWang825/IoT_vuln/tree/main/Netgear/R7000P

- https://www.netgear.com/about/security/



CVE-2022-44201 - D-Link DIR823G 1.02B05 is vulnerable to Command Injection.

CVE-2022-44202 - D-Link DIR878 1.02B04 and 1.02B05 are vulnerable to Buffer Overflow.

CVE-2022-44801 - D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control.

CVE-2022-44804 - D-Link DIR-882 1.10B02 and 1.20B06 are vulnerable to Buffer Overflow via the websRedirect function.

CVE-2022-44806 - D-Link DIR-882 1.10B02 and 1.20B06 are vulnerable to Buffer Overflow.

CVE-2022-44807 - D-Link DIR-882 1.10B02 and 1.20B06 are vulnerable to Buffer Overflow via webGetVarString.

CVE-2022-44808 - A command injection vulnerability has been found on D-Link DIR-823G devices with firmware version 1.02B03 that allows an attacker to execute arbitrary operating system commands through well-designed /HNAP1 requests. Before the HNAP API function can process the request, the system function executes an untrusted command that triggers the vulnerability.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD References:

- https://github.com/RobinWang825/IoT_vuln/blob/main/D-Link/DIR-823G/1/readme.md

- https://www.dlink.com/en/security-bulletin/



CVE-2022-39070 - There is an access control vulnerability in some ZTE PON OLT products. Due to improper access control settings, remote attackers could use the vulnerability to log in to the device and execute any operation.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39070

NVD References: https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1027824



CVE-2020-23583 - OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when the attacker sends arbitrary code on "/diag_ping_admin.asp" to the "PingTest" interface, which leads to COMMAND EXECUTION. An attacker can successfully trigger the COMMAND and compromise the full system.

CVE-2020-23584 - Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2, occurs when the attacker passes arbitrary commands with the IP-ADDRESS using " | " to execute commands on "/diag_tracert_admin.asp" in the "PingTest" parameter, which leads to command execution.

CVE-2020-23591 - A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through "/mgm_dev_upgrade.asp", which can "delete every file for Denial of Service (using 'rm -rf *.*' in the code), reverse connection (using '.asp' webshell), backdoor."

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD References: https://github.com/huzaifahussain98


CVE-2022-44249 - TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the UploadFirmwareFile function.

CVE-2022-44250 - TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the hostName parameter in the setOpModeCfg function.

CVE-2022-44251 - TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the ussd parameter in the setUssd function.

CVE-2022-44252 - TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the setUploadSetting function.

CVE-2022-44255 - TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a pre-authentication buffer overflow in the main function via long post data.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44249

NVD References:

- https://brief-nymphea-813.notion.site/LR350-command-injection-UploadFirmwareFile-f006f70e9e6540529d262a8d34154d24

- https://brief-nymphea-813.notion.site/LR350-command-injection-setUploadSetting-b6d3012a3c2f43adac79c44edd57c937



CVE-2022-41923 - Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint (i.e. the donor endpoint). In some Grails framework applications, access to the targeted endpoint will be granted based on meeting the authorization requirements of the donor endpoint, which can result in a privilege escalation attack. This vulnerability has been patched in grails-spring-security-core versions 3.3.2, 4.0.5 and 5.1.1.

Impacted Applications: Grails Spring Security Core plugin versions 1.x, 2.x, >=3.0.0 <3.3.2, >=4.0.0 <4.0.5, >=5.0.0 <5.1.1. We strongly suggest that all Grails framework applications using the Grails Spring Security Core plugin be updated to a patched release of the plugin.

Workarounds: Users should create a subclass extending one of the following classes from the `grails.plugin.springsecurity.web.access.intercept` package, depending on their security configuration:

- `AnnotationFilterInvocationDefinition`

- `InterceptUrlMapFilterInvocationDefinition`

- `RequestmapFilterInvocationDefinition`

In each case, the subclass should override the `calculateUri` method like so:

```
@Override
protected String calculateUri(HttpServletRequest request) {
    UrlPathHelper.defaultInstance.getRequestUri(request)
}
```

This should be considered a temporary measure, as the patched versions of grails-spring-security-core deprecate the `calculateUri` method. Once upgraded to a patched version of the plugin, this workaround is no longer needed. The workaround is especially important for version 2.x, as no patch is available for version 2.x of the GSSC plugin.

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41923

NVD References:

- https://github.com/grails/GSSC-CVE-2022-41923

- https://github.com/grails/grails-spring-security-core/security/advisories/GHSA-frqg-vvxg-jqqh

- https://grails.org/blog/2022-11-22-ss-plugin-auth-cve.html



CVE-2022-44117 - Boa 0.94.14rc21 is vulnerable to SQL Injection via username.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44117

NVD References: https://gist.github.com/yinfei6/20bd1d3ebe0803c2d8756ace3e173676



CVE-2022-29830 - Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 all versions allows a remote unauthenticated attacker to disclose or tamper with sensitive information. As a result, unauthorized users may obtain information about project files illegally.

CVSS Score: 9.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-29830

NVD References:

- https://jvn.jp/vu/JVNVU97244961/index.html

- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf



CVE-2022-45907 - In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45907

NVD References:

- https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3

- https://github.com/pytorch/pytorch/issues/88868



CVE-2022-3603 - The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection.

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3603

NVD References: https://wpscan.com/vulnerability/376e2bc7-2eb9-4e0a-809c-1582940ebdc7



CVE-2022-34721 - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34722.

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-34721

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8270



NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-37301

NVD References: https://www.se.com/us/en/download/document/SEVD-2022-221-02/