A First Malicious OneNote Document
Published: 2023-01-25
Last Updated: 2023-01-25 08:45:41 UTC
by Xavier Mertens (Version: 1)
Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. OneNote files (with the ".one" extension) are handled automatically by computers that have the Microsoft Office suite installed. Yesterday, my honeypot caught a first sample. This is a good opportunity to have a look at these files. The file, called "delivery-note.one", was delivered as an attachment to a classic phishing email.
Read the complete entry:
https://isc.sans.edu/diary/A+First+Malicious+OneNote+Document/29470/
Importance of signing in Windows environments
Published: 2023-01-20
Last Updated: 2023-01-20 09:29:29 UTC
by Bojan Zdrnja (Version: 1)
NTLM relaying has been a plague in Windows environments for many years – and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services.
While there are many potential targets here, in most red team engagements my colleagues and I are relaying credentials to other SMB, LDAP or HTTP(S) services (especially on AD CS servers, used for issuing certificates). So one of the mandatory “health check” activities should be to verify if your systems really have signing enabled. Here are two *very simple* ways I do it when I encounter a large number of internal assets.
Read the complete entry:
https://isc.sans.edu/diary/Importance+of+signing+in+Windows+environments/29456/
SPF and DMARC use on 100k most popular domains
Published: 2023-01-19
Last Updated: 2023-01-19 11:16:28 UTC
by Jan Kopriva (Version: 1)
Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world[1]. The results weren’t too optimistic – it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published.
Since I created a quick script for gathering SPF and DMARC records for an arbitrary list of domains for that diary, I thought it might be interesting to use it again this week, hopefully to get some more optimistic data. Specifically, I used it to take a look at SPF and DMARC adoption on the world’s most popular domains – the top 100 thousand (as well as the top 10 thousand and the top 1 thousand) most visited domains according to the Tranco list[2].
Read the complete entry:
https://isc.sans.edu/diary/SPF+and+DMARC+use+on+100k+most+popular+domains/29452/
Apple Updates (almost) Everything: Patch Overview (2023.01.24)
https://isc.sans.edu/diary/Apple+Updates+almost+Everything+Patch+Overview/29472/
Who's Resolving This Domain? (2023.01.23)
https://isc.sans.edu/diary/Whos+Resolving+This+Domain/29462/
Wireshark 4.0.3 Released (2023.01.22)
https://isc.sans.edu/diary/Wireshark+403+Released/29460/
DShield Sensor JSON Log to Elasticsearch (2023.01.21)
https://isc.sans.edu/diary/DShield+Sensor+JSON+Log+to+Elasticsearch/29458/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2022-47966 - Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
** KEV since 2023-01-23 **
NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-47966
ISC Podcast:https://isc.sans.edu/podcastdetail.html?podcastid=8334
NVD References:
-https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
-https://manageengine.com
-https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
CVE-2022-42856 - A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
CISA KEV: YES
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-42856
Reference:https://support.apple.com/en-us/HT213597
CVE-2022-3970 - A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2022-3970
MSFT Details:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3970
CVE-2023-0332 - A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been classified as critical. Affected is an unknown function of the file admin/manage_user.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-218472.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-0332
NVD References:
-https://github.com/qyhmsys/cve-list/blob/master/Online%20Food%20Ordering%20System%20manage_user.php%20has%20SQLinject.md
-https://vuldb.com/?ctiid.218472
-https://vuldb.com/?id.218472
CVE-2023-22279 - MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allow a remote unauthenticated attacker to execute an arbitrary OS command.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22279
NVD References:
-https://jvn.jp/en/jp/JVN99957889/index.html
-https://www.ate-mahoroba.jp/netdevancer/manual/
CVE-2023-22303 - TP-Link SG105PE firmware prior to 'TL-SG105PE(UN) 1.0_1.0.0 Build 20221208' contains an authentication bypass vulnerability. Under certain conditions, an attacker may impersonate an administrator of the product. As a result, information may be obtained and/or the product's settings may be altered with the privilege of the administrator.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22303
NVD References:
-https://jvn.jp/en/jp/JVN78481846/index.html
-https://www.tp-link.com/en/business-networking/easy-smart-switch/tl-sg105pe/
-https://www.tp-link.com/jp/support/download/tl-sg105pe/v1/#Firmware
CVE-2023-22357 - Active debug code exists in OMRON CP1L-EL20DR-D all versions, which may lead to a command that is not specified in FINS protocol being executed without authentication. A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22357
NVD References:https://jvn.jp/en/vu/JVNVU97575890/index.html
CVE-2015-10060 - A vulnerability was found in MNBikeways database and classified as critical. This issue affects some unknown processing of the file Data/views…
CVE-2022-41903 - Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:
-https://nvd.nist.gov/vuln/detail/CVE-2022-23521
-https://nvd.nist.gov/vuln/detail/CVE-2022-41903
NVD References:
-https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
-https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89
-https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst
-https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem
-https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq
CVE-2014-125082 - A vulnerability was found in nivit redports. It has been declared as critical. This vulnerability affects unknown code of the file redports-trac/redports/model.py. The manipulation leads to sql injection. The name of the patch is fc2c1ea1b8d795094abb15ac73cab90830534e04. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218464.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2014-125082
NVD References:
-https://github.com/nivit/redports/commit/fc2c1ea1b8d795094abb15ac73cab90830534e04
-https://vuldb.com/?ctiid.218464
-https://vuldb.com/?id.218464
CVE-2015-10066 - A vulnerability was found in tynx wuersch and classified as critical. Affected by this issue is the function packValue/getByCustomQuery of the file backend/base/Store.class.php. The manipulation leads to sql injection. The name of the patch is 66d4718750a741d1053d327a79e285fd50372519. It is recommended to apply a patch to fix this issue. VDB-218462 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2015-10066
NVD References:
-https://github.com/tynx/wuersch/commit/66d4718750a741d1053d327a79e285fd50372519
-https://vuldb.com/?ctiid.218462
-https://vuldb.com/?id.218462
CVE-2023-21890 - Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-21890
NVD References:https://www.oracle.com/security-alerts/cpujan2023.html
CVE-2022-41989 - Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not validate the length of RTLS report payloads during communication. This allows an attacker to send an exceedingly long payload, resulting in an out-of-bounds write to cause a denial-of-service condition or code execution.
CVE-2022-43483 - Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the monitor services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVE-2022-45444 - Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote attacker to login to the database with unrestricted access.
CVE-2022-47911 - Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVSS Scores: 9.0 - 10.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD:
-https://nvd.nist.gov/vuln/detail/CVE-2022-41989
-https://nvd.nist.gov/vuln/detail/CVE-2022-43483
-https://nvd.nist.gov/vuln/detail/CVE-2022-45444
-https://nvd.nist.gov/vuln/detail/CVE-2022-47911
NVD References:https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01
CVE-2023-0397 - A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.
CVSS Score: 9.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-0397
NVD References:https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wc2h-h868-q7hj
CVE-2023-22741 - Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to a controllable heap overflow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id:http://svn.freeswitch.org/svn/freeswitch/trunk@3774d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22741
NVD References:
-https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764
-https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54
CVE-2023-20025 - A vulnerability in the web-based management interface of Cisco Small Business RV042 Series Routers could allow an unauthenticated, remote attacker to bypass authentication on the affected device. This vulnerability is due to incorrect user input validation of incoming HTTP packets. An attacker could exploit this vulnerability by sending crafted requests to the web-based management interface. A successful exploit could allow the attacker to gain root privileges on the affected device.
CVSS Score: 9.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-20025
NVD References:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5
CVE-2023-23607 - erohtar/Dasherr is a dashboard for self-hosted services. In affected versions unrestricted file upload allows any unauthenticated user to execute arbitrary code on the server. The file /www/include/filesave.php allows for any file to uploaded to anywhere. If an attacker uploads a php file they can execute code on the server. This issue has been addressed in version 1.05.00. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-23607
NVD References:
-https://github.com/erohtar/Dasherr/commit/445325c7cf1148a8cd38af3a90789c6cbf6c5112
-https://github.com/erohtar/Dasherr/security/advisories/GHSA-6rgc-2x44-7phq
CVE-2023-0052 - SAUTER Controls Nova 200–220 Series with firmware version 3.3-006 and prior and BACnetstac version 4.2.1 and prior allows the execution of commands without credentials. As Telnet and file transfer protocol (FTP) are the only protocols available for device management, an unauthorized user could access the system and modify the device configuration, which could result in the unauthorized user executing unrestricted malicious commands.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-0052
NVD References:https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-05
CVE-2023-22809 - In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
NVD:https://nvd.nist.gov/vuln/detail/CVE-2023-22809
ISC Podcast:https://isc.sans.edu/podcastdetail.html?podcastid=8332
NVD References:
-https://www.openwall.com/lists/oss-security/2023/01/19/1
-https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html
-https://www.debian.org/security/2023/dsa-5321
-https://www.sudo.ws/security/advisories/sudoedit_any/
-https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
CVE-2023-21775, CVE-2023-21795, CVE-2023-21796 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerabilities
CVE-2023-21719 - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVSS Scores: 6.5 - 8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
NVD:
-https://nvd.nist.gov/vuln/detail/CVE-2023-21775
-https://nvd.nist.gov/vuln/detail/CVE-2023-21795
-https://nvd.nist.gov/vuln/detail/CVE-2023-21796
-https://nvd.nist.gov/vuln/detail/CVE-2023-21719
MSFT Details:
-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21775
-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21795
-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21796
-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21719
CVE-2022-41120 and CVE-2022-44704 - Microsoft Windows Sysmon Elevation of Privilege Vulnerabilities.
CVSS Score: 0
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD:
-https://nvd.nist.gov/vuln/detail/CVE-2022-41120
-https://nvd.nist.gov/vuln/detail/CVE-2022-44704
ISC Podcast:https://isc.sans.edu/podcastdetail.html?podcastid=8334
Manual Review Needed:
CVE: CVE-2023-0210
Linux Kernel Unauthenticated Remote Heap Overflow Within KSMBD