Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Apple Updates Everything

Published: 2022-12-13

Last Updated: 2022-12-13 20:53:27 UTC

by Johannes Ullrich (Version: 1)

Apple released updates for iOS/iPadOS, macOS, tvOS, and watchOS. This significant update fixes 39 vulnerabilities, many of which affect multiple operating systems. One vulnerability in WebKit is already being exploited. Please consider the table below "experimental", as we are still working out how to correctly parse and rank the Apple updates.

This update will also enable end-to-end encryption for some iCloud data, like backups. It should be obvious that, once this is enabled, your data will be lost if you lose access to your devices or iCloud credentials. During the setup process, Apple does allow you to set up a recovery contact, essentially a trusted person who will be able to authenticate you during password recovery.

Read the entire diary entry:

https://isc.sans.edu/diary/Apple+Updates+Everything/29338/



Microsoft December 2022 Patch Tuesday

Published: 2022-12-13

Last Updated: 2022-12-13 18:31:55 UTC

by Renato Marinho (Version: 1)

In the last Patch Tuesday of 2022, we got patches for 74 vulnerabilities. Of these, 7 are critical, 1 was previously disclosed, and 1 is already being exploited, according to Microsoft.

The exploited vulnerability is a Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2022-44698). When you download a file from the internet, Windows adds the zone identifier, or Mark of the Web, to the file as an NTFS stream. When you run the file, Windows SmartScreen checks whether a zone identifier Alternate Data Stream (ADS) is attached to it. If the ADS indicates ZoneId=3, meaning the file was downloaded from the internet, SmartScreen performs a reputation check. Exploiting this vulnerability, an attacker can craft a malicious file that evades Mark of the Web (MOTW) defenses. The CVSS for this vulnerability is 5.4.
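The Zone.Identifier stream described above is a small INI-style text blob; the following added example (not from the diary or from Microsoft) parses a constructed sample of it and applies the rule SmartScreen uses, so a triage script can flag downloaded files whose stream is missing or does not carry ZoneId=3. The `read_motw` helper only returns data on NTFS; elsewhere it reports "no stream", which is exactly the case a defender wants surfaced.

```python
from typing import Optional

# URLMON security zone ids carried in the ZoneId field.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a browser writes to <file>:Zone.Identifier.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/tool.exe\r\n")


def parse_zone_identifier(stream: str) -> dict:
    """Return the key=value pairs of the [ZoneTransfer] section."""
    values, in_section = {}, False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_of(stream: Optional[str]) -> Optional[int]:
    """ZoneId as an int, or None when the stream is absent or malformed."""
    if stream is None:
        return None
    zone = parse_zone_identifier(stream).get("ZoneId", "")
    return int(zone) if zone.isdigit() else None


def reputation_check_applies(stream: Optional[str]) -> bool:
    """SmartScreen consults reputation only for ZoneId=3 (Internet); a file
    whose stream is missing or shows another zone skips the check."""
    return zone_of(stream) == 3


def read_motw(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier on NTFS; None when the file has no MOTW."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None
```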

Amongst the critical vulnerabilities, there is a Remote Code Execution (RCE) affecting the .NET Framework (CVE-2022-41089). Exploitation of this one is rated ‘less likely’ by Microsoft. The CVSS is 8.8.

A second critical vulnerability is an RCE affecting Microsoft SharePoint Server (CVE-2022-44690). According to the advisory, in a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server. The CVSS for this vulnerability is 8.8.

Another critical vulnerability worth mentioning is an RCE in PowerShell (CVE-2022-41076). The advisory rates the attack complexity as high, since exploiting this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Additionally, it says that an authenticated attacker could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. The CVSS for this vulnerability is 8.5.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

Read the entire diary entry:

https://isc.sans.edu/diary/Microsoft+December+2022+Patch+Tuesday/29336/



What you need to know about OpenAI's new ChatGPT bot - and how it affects your security. Lightning Talks and Panel Sessions

OpenAI is a leading research institute focused on developing artificial intelligence technology in a safe and responsible manner.

On Wednesday, December 21 at 11:00am EST (UTC-5) Rob Lee, Jorge Orchilles, and David Hoelzer will discuss the potential risks that advanced AI poses to cybersecurity, and what steps are being taken to address these challenges. We will also explore the ways in which AI can be used to improve cybersecurity and protect against cyber threats. Join us for this comprehensive overview of the role of AI in the field of cybersecurity and its potential impact on society. Register now.


If you are unable to attend the webcast live, please register anyway and you will be able to view the recording on demand once it’s available.

https://www.sans.org/webcasts/what-you-need-to-know-about-openai-new-chatgpt-bot-and-how-it-affects-your-security-lightning-talks-panel-sessions/






Internet Storm Center Entries


Quickie: CyberChef Sorting By String Length (2022-12-11)

https://isc.sans.edu/diary/Quickie+CyberChef+Sorting+By+String+Length/29328/

Open Now: 2022 SANS Holiday Hack Challenge & KringleCon (2022-12-10)

https://isc.sans.edu/diary/Open+Now+2022+SANS+Holiday+Hack+Challenge+KringleCon/29326/

Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!) (2022-12-09)

https://isc.sans.edu/diary/Port+Scanning+in+Powershell+Redux+Speeding+Up+the+Results+challenge+accepted/29324/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2022-27518 - Citrix Application Delivery Controller (ADC) and Gateway Authentication Bypass Vulnerability

CVSS Score: 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

** KEV since 2022-12-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27518

NVD References: https://support.citrix.com/article/CTX474995



CVE-2022-44698 - Windows SmartScreen Security Feature Bypass Vulnerability

CVSS Score: 5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C

** KEV since 2022-12-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44698

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698



CVE-2022-37958 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability

CVSS Score: 7.7

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-37958

MSFT Details: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37958



CVE-2022-20968 - A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. A successful exploit could allow the attacker to cause a stack overflow, resulting in possible remote code execution or a denial of service (DoS) condition on an affected device.

CVSS Score: 8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-20968

ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8284

NVD References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U



CVE-2022-44667 - Windows Media Remote Code Execution Vulnerability

CVE-2022-44668 - Windows Media Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44667

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44667

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44668



CVE-2022-44666 - Windows Contacts Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44666

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44666



CVE-2022-44669 - Windows Error Reporting Elevation of Privilege Vulnerability

CVSS Score: 7.0

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44669

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44669



CVE-2022-44670 - Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

CVE-2022-44676 - Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

CVSS Score: 8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44670

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44670

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44676



CVE-2022-44673 - Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability

CVSS Score: 7.0

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

AtRiskScore: 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44673

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44673



CVE-2022-44675 - Windows Bluetooth Driver Elevation of Privilege Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44675

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44675



CVE-2022-44677 - Windows Projected File System Elevation of Privilege Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44677

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44677



CVE-2022-44678 - Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2022-44681 - Windows Print Spooler Elevation of Privilege Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44678

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44678

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44681



CVE-2022-44683 - Windows Kernel Elevation of Privilege Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44683

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44683



CVE-2022-44687 - Raw Image Extension Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44687

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44687



CVE-2022-44689 - Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44689

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44689



CVE-2022-44691 - Microsoft Office OneNote Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44691

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44691



CVE-2022-44692 - Microsoft Office Graphics Remote Code Execution Vulnerability

CVE-2022-26804 - Microsoft Office Graphics Remote Code Execution Vulnerability

CVE-2022-26805 - Microsoft Office Graphics Remote Code Execution Vulnerability

CVE-2022-26806 - Microsoft Office Graphics Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44692

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44692

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26804

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26805

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26806



CVE-2022-44690 - Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2022-44693 - Microsoft SharePoint Server Remote Code Execution Vulnerability

CVSS Score: 8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44690

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44690

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44693



CVE-2022-44694 - Microsoft Office Visio Remote Code Execution Vulnerability

CVE-2022-44695 - Microsoft Office Visio Remote Code Execution Vulnerability

CVE-2022-44696 - Microsoft Office Visio Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44694

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details:

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44694

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44695

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44696



CVE-2022-44702 - Windows Terminal Remote Code Execution Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44702

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44702



CVE-2022-44704 - Microsoft Windows Sysmon Elevation of Privilege Vulnerability

CVSS Score: 7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44704

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44704



CVE-2022-44708 - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVSS Score: 8.3

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44708

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44708



CVE-2022-44713 - Microsoft Outlook for Mac Spoofing Vulnerability

CVSS Score: 7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44713

ISC Diary: https://isc.sans.edu/diary/29336

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44713