ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog
Published: 2023-01-11
Last Updated: 2023-01-11 10:46:41 UTC
by Jan Kopriva (Version: 1)
CISA’s Known Exploited Vulnerabilities (KEV) catalog is a wonderful resource for vulnerability and patch management. If you have not come across it yet, it is, as the name suggests, a list of vulnerabilities that are known to be actively exploited in the wild, published by the US Cybersecurity and Infrastructure Security Agency (CISA)[1]. It was started back in 2021[2] and currently contains 870 vulnerabilities[3].
Although it was primarily intended for US federal institutions, which are required to remediate vulnerabilities listed in the catalog within certain timeframes, it quickly became an important part of vulnerability and patch management processes in many organizations around the world. Since the KEV catalog covers current, actively exploited vulnerabilities, it makes sense to prioritize them in both discovery of affected systems and their patching, especially when it comes to devices that are exposed to the internet.
For organizations with vulnerability management programs of (almost) any maturity in place, the identification of their own systems affected by vulnerabilities listed in the KEV catalog is quite straightforward, as any up-to-date vulnerability scanner/vulnerability management solution will probably be able to identify all of them. For organizations that lack any active vulnerability scanning capabilities, or for researchers or security teams who would like to monitor larger areas of the internet to see how many systems in them are affected by vulnerabilities included in the KEV catalog, it is not as straightforward.
Read the complete entry:
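The diary's point, that a CVE's presence in the KEV catalog (and the remediation due date CISA attaches to it) should outrank CVSS when deciding what to find and patch first, is easy to put into practice once the catalog is treated as data. The script below is an added example, not code from the diary or from CISA: it parses a feed laid out like CISA's KEV JSON (a "vulnerabilities" array with cveID, vendorProject, product, dateAdded, requiredAction and dueDate fields), joins it against a scanner export, and orders the results KEV-first by due date. The two catalog entries, their dates and the four scanner findings are constructed sample data so it runs offline; point load_kev at the real feed text to use it for an actual inventory.

```python
"""Cross-reference scanner findings with the CISA KEV catalog.

Added example; this is not code from the ISC diary or from CISA. The feed
layout follows the JSON CISA publishes; the catalog entries and scanner
findings below are constructed sample data so the script runs offline.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (dates illustrative).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2023.01.11",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2022-42475",
      "vendorProject": "Fortinet",
      "product": "FortiOS",
      "vulnerabilityName": "Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability",
      "dateAdded": "2022-12-13",
      "shortDescription": "Heap-based buffer overflow in SSL-VPN.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-01-03",
      "notes": ""
    },
    {
      "cveID": "CVE-2023-21674",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation Vulnerability",
      "dateAdded": "2023-01-10",
      "shortDescription": "Elevation of privilege in Advanced Local Procedure Call.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-01-31",
      "notes": ""
    }
  ]
}"""

# Constructed scanner export: host, CVE and the CVSS base score the scanner reported.
SCANNER_FINDINGS = [
    {"host": "vpn-gw-01", "cve": "CVE-2022-42475", "cvss": 9.8},
    {"host": "nas-03", "cve": "CVE-2022-43931", "cvss": 10.0},
    {"host": "smb-07", "cve": "CVE-2022-47939", "cvss": 0.0},
    {"host": "ws-0142", "cve": "CVE-2023-21674", "cvss": 8.8},
]


def load_kev(feed_text):
    """Index a KEV feed by CVE ID, parsing the dates once so they can be compared."""
    feed = json.loads(feed_text)
    index = {}
    for entry in feed["vulnerabilities"]:
        index[entry["cveID"]] = {
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
            "action": entry["requiredAction"],
        }
    return index


def prioritize(findings, kev, as_of):
    """Order findings KEV-first (earliest due date first), then by CVSS.

    A KEV entry carries a remediation due date, which is the ordering key that
    matters for an actively exploited bug; CVSS only orders the remainder.
    """
    rows = []
    for f in findings:
        k = kev.get(f["cve"])
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "cvss": f["cvss"],
            "in_kev": k is not None,
            "due": k["due"] if k else None,
            "days_left": (k["due"] - as_of).days if k else None,
            "overdue": k is not None and k["due"] < as_of,
        })
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return rows


def overdue_hosts(rows):
    """Hosts carrying a KEV entry whose CISA due date has already passed."""
    return sorted(r["host"] for r in rows if r["overdue"])


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for r in prioritize(SCANNER_FINDINGS, kev, date(2023, 1, 11)):
        flag = "KEV overdue" if r["overdue"] else ("KEV" if r["in_kev"] else "")
        print(f'{r["host"]:<10} {r["cve"]:<15} CVSS {r["cvss"]:>4}  {flag}')
```

Run against the sample data on 2023-01-11 the Fortinet SSL-VPN host sorts to the top as already overdue, the ALPC host follows with its due date still ahead, and the CVSS 10.0 Synology finding, which is not in the catalog, drops below both; that inversion relative to a pure CVSS sort is the point of the exercise.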
Microsoft January 2023 Patch Tuesday
Published: 2023-01-10
Last Updated: 2023-01-10 18:47:29 UTC
by Renato Marinho (Version: 1)
In the first Patch Tuesday of 2023, we got patches for 98 vulnerabilities. Of these, 11 are critical, 1 was previously disclosed, and 1 is already being exploited, according to Microsoft.
The zero-day is an elevation of privilege vulnerability in Windows Advanced Local Procedure Call (ALPC) (CVE-2023-21674). According to the advisory, exploitation of this vulnerability could lead to a browser sandbox escape and give the attacker SYSTEM privileges. This vulnerability deserves prioritization as it is already being exploited. Its CVSS score is 8.8, the highest this month.
The previously disclosed vulnerability is an elevation of privilege vulnerability affecting the Windows SMB Witness Service (CVE-2023-21549). According to the advisory, to exploit it an attacker could execute a specially crafted malicious script that makes an RPC call to an RPC host, which could result in elevation of privilege on the server: an attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only. The CVSS score of this vulnerability is 8.8 as well.
There is a third critical elevation of privilege vulnerability with CVSS 8.8. This one affects Microsoft Cryptographic Services (CVE-2023-21561). According to the advisory, a locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM.
Amongst critical vulnerabilities, there are 7 remote code execution, 3 elevation of privilege and 1 security feature bypass. None of the critical vulnerabilities is marked as “Exploitation More Likely” for the Microsoft exploitability assessment.
Read the complete entry:
https://isc.sans.edu/diary/Microsoft+January+2023+Patch+Tuesday/29420/
AutoIT Remains Popular in the Malware Landscape
Published: 2023-01-06
Last Updated: 2023-01-06 07:06:18 UTC
by Xavier Mertens (Version: 1)
Yesterday Brad wrote an interesting diary about a piece of malware based on AutoIT. Funny, I was also analyzing a sample that has been written in the same language. I don’t know exactly the source (it was spotted via a hunting rule) but it seems to target the same people (based on the file name). Mine was delivered in a RAR archive called “doc-Impostos_514281.rar” (SHA256:84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04). The VT score is very low: 1/61.
Read the complete entry:
https://isc.sans.edu/diary/AutoIT+Remains+Popular+in+the+Malware+Landscape/29408/
New year, old tricks: Hunting for CircleCI configuration files (2023.01.09)
https://isc.sans.edu/diary/New+year+old+tricks+Hunting+for+CircleCI+configuration+files/29416/
DShield Sensor JSON Log Analysis (2023.01.08)
https://isc.sans.edu/diary/DShield+Sensor+JSON+Log+Analysis/29412/
YARA v4.3.0-rc1 --skip-larger (2023.01.07)
https://isc.sans.edu/diary/YARA+v430rc1+skiplarger/29410/
More Brazil malspam pushing Astaroth (Guildma) in January 2023 (2023.01.05)
https://isc.sans.edu/diary/More+Brazil+malspam+pushing+Astaroth+Guildma+in+January+2023/29404/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2022-47939 - An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for SMB2_TREE_DISCONNECT.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47939
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8306
CVE-2022-42475 - A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
** KEV since 2022-12-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42475
NVD References: https://fortiguard.com/psirt/FG-IR-22-398
CVE-2022-23555 - authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. This issue is patched in authentik 2022.11.4,2022.10.4 and 2022.12.0. Only configurations that use invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows.
CVSS Score: 9.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23555
NVD References: https://github.com/goauthentik/authentik/security/advisories/GHSA-9qwp-jf7p-vr7h
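The authentik advisory describes a classic capability-binding mistake: the invitation token proves that some invite exists, but nothing ties it to the enrollment flow it was created for, so a token issued for a low-privilege flow can be presented in the URL of a higher-privilege one. The code below is an added example modelled on that description; it is not authentik's code. The flow slugs are the two from the advisory, while the permissions each flow grants and the InvitationStore class are constructed for illustration. The vulnerable redeem path honours any valid token in any flow; the fixed path checks that the requested flow matches the one recorded at issue time and consumes the token on use.

```python
"""Binding an invitation token to the enrollment flow it was issued for.

Added example modelled on the authentik advisory above; it is not authentik's
code. The flow slugs come from the advisory; the grants attached to each
flow and the InvitationStore itself are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed: what each flow's invitation stage hands out. The bug matters
# precisely because different flows grant different things.
FLOWS = {
    "enrollment-invitation-test": "member",
    "enrollment-invitation-admin": "admin",
}


@dataclass(frozen=True)
class Invitation:
    token: str
    flow_slug: str   # the flow selected when the invite was created


class InvitationStore:
    def __init__(self):
        self._by_token = {}

    def issue(self, flow_slug):
        """Create an invite for one flow. The token is random, but randomness
        alone does not stop it from being replayed in another flow's URL."""
        if flow_slug not in FLOWS:
            raise KeyError(flow_slug)
        inv = Invitation(secrets.token_urlsafe(32), flow_slug)
        self._by_token[inv.token] = inv
        return inv

    def _lookup(self, token):
        # Constant-time comparison so the lookup does not leak token prefixes.
        for stored, inv in self._by_token.items():
            if hmac.compare_digest(stored, token):
                return inv
        return None

    def redeem_vulnerable(self, flow_slug, token):
        """Pre-fix behaviour: any valid token is honoured in any flow, so a token
        issued for the 'test' flow yields whatever the 'admin' flow grants."""
        if flow_slug not in FLOWS or self._lookup(token) is None:
            return None
        return FLOWS[flow_slug]          # grants follow the *requested* flow

    def redeem_fixed(self, flow_slug, token):
        """Fixed behaviour: the token is only valid in the flow it was bound to
        at issue time, and is consumed on first use."""
        inv = self._lookup(token)
        if inv is None or not hmac.compare_digest(inv.flow_slug, flow_slug):
            return None
        del self._by_token[inv.token]
        return FLOWS[inv.flow_slug]      # grants follow the *issued* flow


def demo():
    """Replay a 'test' invite against the 'admin' flow under both checks."""
    store = InvitationStore()
    inv = store.issue("enrollment-invitation-test")
    escalated = store.redeem_vulnerable("enrollment-invitation-admin", inv.token)
    blocked = store.redeem_fixed("enrollment-invitation-admin", inv.token)
    legitimate = store.redeem_fixed("enrollment-invitation-test", inv.token)
    return escalated, blocked, legitimate


if __name__ == "__main__":
    print(demo())   # ('admin', None, 'member')
```

The advisory's workaround of using a high-entropy slug (a UUID) for each flow only makes the other flows hard to guess; it does not change the check. Binding the token to the flow, as redeem_fixed does, removes the attack even when every flow name is public, which is why it is the fix rather than the mitigation.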
CVE-2022-46179 - LiuOS is a small Python project meant to imitate the functions of a regular operating system. Version 0.1.0 and prior of LiuOS allow an attacker to set the GITHUB_ACTIONS environment variable to anything other than null or true and skip authentication checks. This issue is patched in the latest commit (c658b4f3e57258acf5f6207a90c2f2169698ae22) by requiring the var to be set to true, causing a test script to run instead of being able to login. A potential workaround is to check for the GITHUB_ACTIONS environment variable and set it to "" (no quotes) to null the variable and force credential checks.
CVSS Score: 9.2
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46179
NVD References:
- https://github.com/LiuWoodsCode/LiuOS/commit/c658b4f3e57258acf5f6207a90c2f2169698ae22
- https://github.com/LiuWoodsCode/LiuOS/security/advisories/GHSA-f9x3-mj2r-cqmf
CVE-2022-39039 - aEnrich’s a+HRD has inadequate filtering for a specific URL parameter. An unauthenticated remote attacker can exploit this vulnerability to send arbitrary HTTP(S) requests to launch a Server-Side Request Forgery (SSRF) attack, to perform arbitrary system commands or disrupt service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39039
NVD References: https://www.twcert.org.tw/tw/cp-132-6792-c4a62-1.html
CVE-2022-39041 - aEnrich a+HRD has insufficient user input validation for a specific API parameter. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify and delete the database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39041
NVD References: https://www.twcert.org.tw/tw/cp-132-6794-35928-1.html
CVE-2022-39042 - aEnrich a+HRD has improper validation in its login function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access API functions to perform arbitrary system commands or disrupt service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39042
NVD References: https://www.twcert.org.tw/tw/cp-132-6795-f7fe6-1.html
CVE-2022-47618 - Merit LILIN AH55B04 & AH55B08 DVR firmware has hard-coded administrator credentials. An unauthenticated remote attacker can use these credentials to log in to the administrator page, to manipulate the system or disrupt service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47618
NVD References: https://www.twcert.org.tw/tw/cp-132-6825-6691e-1.html
CVE-2022-43931 - Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43931
NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_22_26
CVE-2023-0039 - The User Post Gallery - UPG plugin for WordPress is vulnerable to authorization bypass which leads to remote command execution due to the use of a nopriv AJAX action and user supplied function calls and parameters in versions up to, and including 2.19. This makes it possible for unauthenticated attackers to call arbitrary PHP functions and perform actions like adding new files that can be webshells and updating the site's options to allow anyone to register as an administrator.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0039
NVD References:
- https://plugins.trac.wordpress.org/browser/wp-upg/trunk/wp-upg.php#L723
- https://github.com/advisories/GHSA-7gm9-w486-54r3
CVE-2021-32824 - Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-32824
NVD References: https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/
CVE-2022-47633 - An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This has been fixed in 1.8.5, and mitigations are available for impacted releases.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47633
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8308