Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Google ad traffic leads to stealer packages based on free software

Published: 2022-12-22
Last Updated: 2022-12-23 01:22:31 UTC
by Brad Duncan (Version: 1)

Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other scripts that used free or open-source programs.

Read the full diary entry: https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376/



SPF and DMARC use on GOV domains in different ccTLDs

Published: 2022-12-30
Last Updated: 2022-12-30 15:43:16 UTC
by Jan Kopriva (Version: 1)

Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call “robust” or “secure”[1]. By itself, the protocol lacks any security features for ensuring (among other things) the integrity or authenticity of transferred data or the identity of its sender, so creating a “spoofed” e-mail is quite easy. This poses a significant issue, especially when one considers that most ordinary people don’t tend to question the validity of official-looking messages if they appear to have been sent from a respectable, well-known domain.

Even disregarding the current geopolitical situation, it is clear that certain domains are of significantly higher interest than others to criminals as well as state-sponsored actors when it comes to spoofing e-mail. Among the more interesting ones are – without a doubt – governmental domains, i.e., domain.GOV in the US or domain.GOV.ccTLD in other countries. Which brings us to the topic of today’s diary, which is “how big of an issue e-mail spoofing might be for these particular domains”.

But first things first. Because of the aforementioned lack of "built-in" security features, numerous extensions and additions to SMTP were introduced over time that were intended to add different security mechanisms to it, either on an end-to-end or a hop-to-hop (or originating server to recipient server) basis.

Three of these additions, which deserve special attention from any domain owner, are SPF[2], DKIM[3] and DMARC[4]. They enable domain owners to specify which servers are “allowed” to send e-mail for a specific domain, and implement a corresponding verification and reporting framework. In general, it is considered good practice to ensure that the SPF, DKIM and DMARC DNS records are set (and that the corresponding mechanisms and keys are configured on the relevant mail servers) for any domain that is going to be used for sending e-mail.
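To make concrete what the survey has to check for each domain, here is a small SPF/DMARC record checker. It is an added example, not code from the diary, and it runs against constructed TXT records embedded inline instead of doing live DNS lookups; the domain names and record values are made up.

```python
import re

# Constructed sample TXT records standing in for the DNS lookups the diary's
# survey performs for each GOV domain (made-up values, not real lookups).
SAMPLE_TXT = {
    "strict.gov.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strict.gov.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.gov.example"],
    "lax.gov.example": ["v=spf1 a mx ?all", "site-verification=abc123"],
    "_dmarc.lax.gov.example": ["v=DMARC1; p=none"],
    "none.gov.example": [],
}

def find_spf(txt_records):
    """Return the domain's SPF record, or None if it has none or more than one (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_all_qualifier(spf):
    """Qualifier on the trailing 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return (m.group(1) or "+") if m else None

def parse_dmarc(txt_records):
    """Parse the v=DMARC1 record published at _dmarc.<domain> into a tag dict, or None."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None

def assess(domain, txt_lookup=SAMPLE_TXT):
    """Summarise a domain's SPF/DMARC posture the way a survey of GOV domains would count it."""
    spf = find_spf(txt_lookup.get(domain, []))
    dmarc = parse_dmarc(txt_lookup.get("_dmarc." + domain, []))
    policy = dmarc.get("p") if dmarc else None
    return {
        "spf": spf is not None,
        "spf_all": spf_all_qualifier(spf) if spf else None,
        "dmarc": dmarc is not None,
        "dmarc_policy": policy,
        # only quarantine/reject asks receivers to act on a failed check;
        # p=none is monitoring only, and '?all'/'+all' make SPF no barrier at all
        "enforcing": policy in ("quarantine", "reject"),
    }
```

Pointing the same functions at real resolver answers (one TXT lookup for the domain and one for `_dmarc.<domain>`) is all that is needed to reproduce the survey on a list of domains.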

Read the full diary entry:
https://isc.sans.edu/diary/SPF+and+DMARC+use+on+GOV+domains+in+different+ccTLDs/29384/



It's about time: OS Fingerprinting using NTP

Published: 2023-01-03
Last Updated: 2023-01-03 17:30:07 UTC
by Johannes Ullrich (Version: 1)

Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP.

One of the most obvious and best-documented ways to identify an operating system based on NTP is the hostname of the NTP server. For example:

time.apple.com for Apple
time.windows.com for Microsoft

Others use subdomains of pool.ntp.org. Pool.ntp.org offers free time servers provided by the community. They are currently claiming around 4,000 participating servers. In the past, vendors have, in a few cases, abused this system and caused a DoS against some public NTP servers. To better control traffic, vendors are offered subdomains, and you may see them used. For example:

android.pool.ntp.org - Android
amazon.pool.ntp.org - Amazon devices (Kindle, Echo)
askozia.pool.ntp.org
centos.pool.ntp.org
debian.pool.ntp.org
dragonfly.pool.ntp.org
freebsd.pool.ntp.org
irobot.pool.ntp.org
opnsense.pool.ntp.org
rhel.pool.ntp.org
smartos.pool.ntp.org

And many more.

But the opportunities for fingerprinting continue beyond DNS. Different operating systems, or versions of operating systems, use different NTP implementations. There are, for example:

timed - used by Apple
chrony - used by newer Linux versions
ntpd - the old default and probably still the most widely deployed NTP daemon
Windows Time Service w32time - Windows

I collected the first NTP packet emitted by different operating systems after reboot. I picked the first one because it has not yet been shaped by any responses from the time server. All systems were reasonably in sync before the reboot. tcpdump does a decent job decoding NTP when the verbose options are selected; the tcpdump output is shown in the full diary entry. Hosts participating in pool.ntp.org could also use this to fingerprint clients. Shodan once proposed joining pool.ntp.org to find more IPv6 hosts, as scanning for them is not feasible [3].
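For a defender doing passive inventory of what is on the network, both signals in the diary can be turned into code: a lookup of the vendor NTP hostnames listed above against resolver logs, and a decoder for the 48-byte NTP header (RFC 5905) that pulls out the fields the diary compares between implementations. This is an added example, not the diary's code; the sample packet is constructed, and which field values correspond to which OS is left to the diary's tcpdump output rather than assumed here.

```python
import struct

# Hostname -> platform, taken from the diary's list of vendor NTP servers and
# vendor subdomains of pool.ntp.org.
NTP_HOST_HINTS = {
    "time.apple.com": "Apple",
    "time.windows.com": "Microsoft",
    "android.pool.ntp.org": "Android",
    "amazon.pool.ntp.org": "Amazon devices (Kindle, Echo)",
    "askozia.pool.ntp.org": "Askozia",
    "centos.pool.ntp.org": "CentOS",
    "debian.pool.ntp.org": "Debian",
    "dragonfly.pool.ntp.org": "DragonFly BSD",
    "freebsd.pool.ntp.org": "FreeBSD",
    "irobot.pool.ntp.org": "iRobot",
    "opnsense.pool.ntp.org": "OPNsense",
    "rhel.pool.ntp.org": "RHEL",
    "smartos.pool.ntp.org": "SmartOS",
}

def os_hint_from_ntp_hostname(qname):
    """Map a DNS query name seen in resolver logs to the platform it suggests (or None)."""
    name = qname.rstrip(".").lower()
    # pool.ntp.org clients usually query numbered names such as 2.debian.pool.ntp.org
    if name.split(".")[0].isdigit():
        name = name.split(".", 1)[1]
    if name in NTP_HOST_HINTS:
        return NTP_HOST_HINTS[name]
    if name.endswith(".pool.ntp.org"):
        return "unlisted pool.ntp.org vendor subdomain: " + name.split(".")[0]
    return None

def parse_ntp_header(pkt):
    """Decode the 48-byte NTP header (RFC 5905) into the fields the diary compares."""
    if len(pkt) < 48:
        raise ValueError("not an NTP packet: %d bytes" % len(pkt))
    first, stratum, poll, precision, delay, disp, ref_id = struct.unpack("!BBbbII4s", pkt[:16])
    ref, orig, recv, xmit = struct.unpack("!QQQQ", pkt[16:48])
    names = ("ref", "orig", "recv", "xmit")
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": delay, "root_dispersion": disp, "ref_id": ref_id,
        # which timestamps a client bothers to fill in is one of the visible differences
        "timestamps_set": [n for n, v in zip(names, (ref, orig, recv, xmit)) if v],
    }

# Constructed sample: an NTPv4 client request (mode 3) with only the transmit timestamp set.
SAMPLE_CLIENT_PKT = struct.pack("!BBbbII4sQQQQ", 0x23, 0, 3, -6, 0, 0, b"\0\0\0\0",
                                0, 0, 0, 0xE6A1B2C300000000)
```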

Read the full diary entry:
https://isc.sans.edu/diary/Its+about+time+OS+Fingerprinting+using+NTP/29394/

Internet Storm Center Entries


Update to RTRBK - Diff and File Dates in PowerShell (2023-01-04)
https://isc.sans.edu/diary/Update+to+RTRBK+Diff+and+File+Dates+in+PowerShell/29400/

NetworkMiner 2.8 Released (2023-01-02)
https://isc.sans.edu/diary/NetworkMiner+2.8+Released/29390

YARA v4.3.0-rc1 --print-xor-key (2022-12-31)
https://isc.sans.edu/diary/YARA+v430rc1+printxorkey/29386/

Opening the Door for a Knock: Creating a Custom DShield Listener (2022-12-29)
https://isc.sans.edu/diary/Opening+the+Door+for+a+Knock+Creating+a+Custom+DShield+Listener/29382/

Playing with Powershell and JSON (and Amazon and Firewalls) (2022-12-28)
https://isc.sans.edu/diary/Playing+with+Powershell+and+JSON+and+Amazon+and+Firewalls/29380/

DShield Sensor Setup in Azure (2022-12-21)
https://isc.sans.edu/diary/DShield+Sensor+Setup+in+Azure/29370/

Recent CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-47939 - An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47939
ISC Podcast: https://isc.sans.edu/podcastdetail.html?id=8306



CVE-2022-42475 - A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
** KEV since 2022-12-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42475
NVD References: https://fortiguard.com/psirt/FG-IR-22-398



CVE-2022-23555 - authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows.
CVSS Score: 9.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23555
NVD References: https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h



CVE-2022-46179 - LiuOS is a small Python project meant to imitate the functions of a regular operating system. Version 0.1.0 and prior of LiuOS allow an attacker to set the GITHUB_ACTIONS environment variable to anything other than null or true and skip authentication checks. This issue is patched in the latest commit (c658b4f3e57258acf5f6207a90c2f2169698ae22) by requiring the var to be set to true, causing a test script to run instead of being able to login. A potential workaround is to check for the GITHUB_ACTIONS environment variable and set it to "" (no quotes) to null the variable and force credential checks.
CVSS Score: 9.2
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46179
NVD References:
- https://github.com/LiuWoodsCode/LiuOS/commit/c658b4f3e57258acf5f6207a90c2f2169698ae22
- https://github.com/LiuWoodsCode/LiuOS/security/advisories/GHSA-f9x3-mj2r-cqmf



CVE-2022-39039 - aEnrich’s a+HRD has inadequate filtering for a specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(S) requests to launch a Server-Side Request Forgery (SSRF) attack, to perform arbitrary system commands or disrupt service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39039
NVD References: https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html



CVE-2022-39041 - aEnrich a+HRD has insufficient user input validation for a specific API parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify and delete the database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39041
NVD References: https://www.twcert.org.tw/tw/cp-132-6794-35928-1.html



CVE-2022-39042 - aEnrich a+HRD has improper validation in the login function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access API functions to perform arbitrary system commands or disrupt service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39042
NVD References: https://www.twcert.org.tw/tw/cp-132-6795-f7fe6-1.html



CVE-2022-47618 - Merit LILIN AH55B04 & AH55B08 DVR firmware has hard-coded administrator credentials. An unauthenticated remote attacker can use these credentials to log in to the administrator page, to manipulate the system or disrupt service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47618
NVD References: https://www.twcert.org.tw/tw/cp-132-6825-6691e-1.html



CVE-2022-43931 - Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43931
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_22_26



CVE-2023-0039 - The User Post Gallery - UPG plugin for WordPress is vulnerable to authorization bypass which leads to remote command execution due to the use of a nopriv AJAX action and user supplied function calls and parameters in versions up to, and including 2.19. This makes it possible for unauthenticated attackers to call arbitrary PHP functions and perform actions like adding new files that can be webshells and updating the site's options to allow anyone to register as an administrator.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0039
NVD References: https://plugins.trac.wordpress.org/browser/wp-upg/trunk/wp-upg.php#L723



CVE-2021-32824 - Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-32824
NVD References: https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/