Internet Storm Center Spotlight



ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html


OneNote Suricata Rules

Published: 2023-02-19

Last Updated: 2023-02-20 07:46:06 UTC

by Didier Stevens (Version: 1)


I end my diary entry “Detecting (Malicious) OneNote Files” with a set of Suricata rules to detect various OneNote files.


Let’s take a closer look at these rules.


Here is the first rule, which I split over several lines so that each option has its own line, making it easier to explain.


alert http any any -> any any (
  msg:"[MS-ONESTORE] .one GUID";
  flow:established,from_server;
  file_data;
  content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|";
  classtype:policy-violation;
  reference:url,blog.didierstevens.com;
  reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar;
  sid:1000001;
  rev:1;)



The rule inspects HTTP traffic and triggers an alert when the right conditions are met.


The rule looks at any origin (any any) and any destination (any any). Usually you would want to refine such a rule to inspect HTTP traffic with requests originating from inside your network ($HOME_NET) and destined for outside your network ($EXTERNAL_NET), typically the Internet.
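To make the header and option handling concrete, here is an added Python example (not code from the diary, and not part of Suricata): it parses the rule above into its header fields and options, decodes the `|hex|` notation of the `content` keyword into bytes, checks that those bytes are the little-endian encoding of the MS-ONESTORE .one file-type GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, runs the resulting match over two constructed response bodies, and rebuilds the rule with different header networks. The sample bodies, the GUID check and all function names are my own additions.

```python
"""Added example: parse the diary's first Suricata rule, decode its content
match, test it against constructed HTTP response bodies, and rewrite the
header networks.  Not code from the diary or from Suricata itself."""
import re
import uuid

# The first rule from the diary, joined back onto a single line.
ONE_GUID_RULE = (
    'alert http any any -> any any ('
    'msg:"[MS-ONESTORE] .one GUID"; '
    'flow:established,from_server; '
    'file_data; '
    'content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|"; '
    'classtype:policy-violation; '
    'reference:url,blog.didierstevens.com; '
    'sid:1000001; rev:1;)'
)

# MS-ONESTORE guidFileType for .one files; the rule's bytes are its
# little-endian (on-disk) encoding.
ONE_FILE_TYPE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3")

# Constructed sample response bodies (not real captures).
SAMPLE_ONE_BODY = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3") + b"\x00" * 16
SAMPLE_HTML_BODY = b"<html><body>nothing to see here</body></html>"

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(opts):
    """Split the option body on ';' while ignoring ';' inside quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Return header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a recognisable Suricata rule")
    rule = m.groupdict()
    options = []
    for opt in split_options(rule.pop("opts")):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip()))
    rule["options"] = options
    return rule


def content_to_bytes(value):
    """Decode a content value: literal text with |hex byte| segments."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(seg.replace(" ", ""))
        else:  # even segments are literal text
            out += seg.encode("latin-1")
    return bytes(out)


def content_matches(rule, payload):
    """True when every content: option of the rule occurs in payload."""
    needles = [content_to_bytes(v) for k, v in rule["options"] if k == "content"]
    return bool(needles) and all(n in payload for n in needles)


def content_is_one_guid(rule):
    """Check that the rule's only content match is the .one file-type GUID."""
    needles = [content_to_bytes(v) for k, v in rule["options"] if k == "content"]
    return needles == [ONE_FILE_TYPE_GUID.bytes_le]


def with_networks(text, src, dst):
    """Rebuild the rule with new source/destination networks in the header."""
    r = parse_rule(text)
    opts = " ".join(f"{k}:{v};" if v else f"{k};" for k, v in r["options"])
    return (f"{r['action']} {r['proto']} {src} {r['sport']} {r['dir']} "
            f"{dst} {r['dport']} ({opts})")


if __name__ == "__main__":
    rule = parse_rule(ONE_GUID_RULE)
    print("header networks:", rule["src"], "->", rule["dst"])
    print("content is .one GUID:", content_is_one_guid(rule))
    print("matches .one body:", content_matches(rule, SAMPLE_ONE_BODY))
    print("matches HTML body:", content_matches(rule, SAMPLE_HTML_BODY))
    # The match sits in the server's response (flow:from_server), so when the
    # header is narrowed to sessions a $HOME_NET client opened to an Internet
    # server, the server side is the header's source.
    print(with_networks(ONE_GUID_RULE, "$EXTERNAL_NET", "$HOME_NET"))
```

The `content_to_bytes` helper handles the general Suricata content syntax (mixed literal text and `|hex|` runs), not only the pure-hex form used in this rule, so the same code can be pointed at the other rules from the diary.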


Read the full entry:

https://isc.sans.edu/diary/OneNote+Suricata+Rules/29564/




HTML phishing attachment with browser-in-the-browser technique

Published: 2023-02-16

Last Updated: 2023-02-16 11:25:31 UTC

by Jan Kopriva (Version: 1)


Although the browser-in-the-browser (BitB) technique has been with us for a while now, it is far from what one might call ubiquitous. Simply put, the technique is based on displaying a simulated browser pop-up window (usually a login prompt) within the confines of an HTML page opened in a browser. The simulated pop-up may look almost indistinguishable from a real browser window and since it may contain an arbitrary URL in the simulated address bar, the use of the BitB technique for phishing can be quite effective, as most people have been repeatedly taught that they should “check the URL, and if it is the right one, the page should be genuine” during security awareness courses.


Checking the URL is undoubtedly still good advice; however, when it comes to BitB, one should probably preface it by saying that one first has to make sure that a browser window is actually a real browser window and that its address bar is actually a real address bar…


Read the full entry:

https://isc.sans.edu/diary/HTML+phishing+attachment+with+browserinthebrowser+technique/29556/




Internet Wide Scan Fingerprinting Confluence Servers

Published: 2023-02-22

Last Updated: 2023-02-22 13:54:55 UTC

by Johannes Ullrich (Version: 1)


Looking over some of our honeypot logs today, I noticed one IP address, 60.223.74.99, scanning for several older Confluence vulnerabilities.


Confluence is the collaboration component of Atlassian's suite of developer tools. Attacks against developers, and the tools they are using, are on the rise in general, and this is yet another "piece to the puzzle." A quick search using NIST's NVD shows 18 vulnerabilities in Confluence.


The scans use a known PoC exploit for CVE-2021-26084, an OGNL injection vulnerability.


Read the full entry:

https://isc.sans.edu/diary/Internet+Wide+Scan+Fingerprinting+Confluence+Servers/29574/

Internet Storm Center Entries


Phishing Page Branded with Your Corporate Website (2023.02.21)

https://isc.sans.edu/diary/Phishing+Page+Branded+with+Your+Corporate+Website/29570/


"Unsupported 16-bit Application" or HTML? (2023.02.19)

https://isc.sans.edu/diary/Unsupported+16bit+Application+or+HTML/29562/


Spear Phishing Handlers for Username/Password (2023.02.18)

https://isc.sans.edu/diary/Spear+Phishing+Handlers+for+UsernamePassword/29560/

Recent CVEs




The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.



CVE-2023-25725 - HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

CVSS Score: 0 

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25725

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8372

NVD References: 

- https://git.haproxy.org/?p=haproxy-2.7.git;a=commit;h=a0e561ad7f29ed50c473f5a9da664267b60d1112

- https://lists.debian.org/debian-lts-announce/2023/02/msg00012.html

- https://www.debian.org/security/2023/dsa-5348

- https://www.haproxy.org/




CVE-2022-39952 - An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39952

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8380

NVD References: https://fortiguard.com/psirt/FG-IR-22-300




CVE-2021-42756 - Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-42756

NVD References: https://fortiguard.com/psirt/FG-IR-21-186




CVE-2021-42761 - A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.

CVSS Score: 9.0 

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-42761

NVD References: https://fortiguard.com/psirt/FG-IR-21-214




CVE-2022-38375 - An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38375

NVD References: https://fortiguard.com/psirt/FG-IR-22-329



CVE-2022-47986 - IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

** KEV since 2023-02-21 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47986

NVD References: 

- https://exchange.xforce.ibmcloud.com/vulnerabilities/243512

- https://www.ibm.com/support/pages/node/6952319




CVE-2023-21715 - Microsoft Publisher Security Features Bypass Vulnerability

CVSS Score: 7.3 

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

** KEV since 2023-02-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21715

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21715




CVE-2023-23376 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVSS Score: 7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

** KEV since 2023-02-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23376

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23376




CVE-2023-21823 - Windows Graphics Component Remote Code Execution Vulnerability

CVSS Score: 7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

** KEV since 2023-02-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21823

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21823




CVE-2021-26084 - Atlassian Confluence Server < 6.13.23, 6.14.0 - 7.12.5 Arbitrary Code Execution

CVSS Score: 0 

** KEV since 2021-11-03 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-26084

ISC Diary: https://isc.sans.edu/diary/29574




CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692 - Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerabilities

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21689

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21690

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21692

MSFT Details: 

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21690

- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21692




CVE-2023-21716 - Microsoft Word Remote Code Execution Vulnerability

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716




CVE-2023-21803 - Windows iSCSI Discovery Service Remote Code Execution Vulnerability

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21803

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21803




CVE-2023-0286 - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0286

Reference: https://access.redhat.com/security/cve/cve-2023-0286




CVE-2023-24530 - SAP BusinessObjects Business Intelligence Platform (CMC) - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, an attacker can perform operations that may completely compromise the application, causing high impact on confidentiality, integrity and availability of the application.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24530

NVD References: 

- https://launchpad.support.sap.com/#/notes/3256787

- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html




CVE-2023-0102 - LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication for its deletion command. This could allow an attacker to delete arbitrary files.

CVE-2023-22804 - LS ELECTRIC XBC-DN32U with operating system version 01.80 is missing authentication to create users on the PLC. This could allow an attacker to create and use an account with elevated privileges and take control of the device.

CVE-2023-22807 - LS ELECTRIC XBC-DN32U with operating system version 01.80 does not properly control access to the PLC over its internal XGT protocol. An attacker could control and tamper with the PLC by sending the packets to the PLC over its XGT protocol.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0102

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22804

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22807

NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-02




CVE-2023-23459 - Priority Windows may allow Command Execution via SQL Injection using an unspecified method.

CVE-2023-23460 - Priority Web version 19.1.0.68, parameter manipulation on an unspecified end-point may allow authentication bypass.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23459

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23460

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories




CVE-2023-23465 - Media CP Media Control Panel latest version. CSRF possible through unspecified endpoint.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23465

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories




CVE-2022-3843 - In WAGO Unmanaged Switch (852-111/000-001) in firmware version 01, an undocumented configuration interface without authorization allows a remote attacker to read system information and configure a limited set of parameters.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3843

NVD References: https://cert.vde.com/en/advisories/VDE-2022-055/




CVE-2023-22578 - Due to improper attribute filtering in the Sequelize js library, an attacker can perform SQL injections.

CVSS Score: 10.0 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22578

NVD References: 

- https://csirt.divd.nl/CVE-2023-22578

- https://csirt.divd.nl/DIVD-2022-00020/




CVE-2023-22579 - Due to improper parameter filtering in the Sequelize js library, an attacker can perform injection.

CVSS Score: 9.9 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22579

NVD References: 

- https://csirt.divd.nl/CVE-2023-22579

- https://csirt.divd.nl/DIVD-2022-00020/




CVE-2023-23947 - Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23947

NVD References: 

- https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945

- https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j




CVE-2023-25805 - versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25805

NVD References: 

- https://github.com/commenthol/versionn/commit/2ca128823efe962b37f2698f0eb530c2b124842d

- https://github.com/commenthol/versionn/security/advisories/GHSA-fj78-2vc5-f6cm




CVE-2022-46836 - PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46836

NVD References: https://checkmk.com/werk/14383




CVE-2023-22920 - A security misconfiguration vulnerability exists in the Zyxel LTE3316-M604 firmware version V2.00(ABMP.6)C0 due to a factory default misconfiguration intended for testing purposes. A remote attacker could leverage this vulnerability to access an affected device using Telnet.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22920

NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-security-misconfiguration-vulnerability-of-4g-lte-indoor-routers




CVE-2023-25158 - GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastores. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25158

NVD References: 

- https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b

- https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m




CVE-2023-25157 - GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25157

NVD References: 

- https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d

- https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf




Manual Review Needed:


CVE-2023-24486 - A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched.

CVSS Score: unknown

Vendor: Citrix

Product: Citrix Workspace App

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24486

References: 

- https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486

- https://www.cisa.gov/uscert/ncas/current-activity/2023/02/14/citrix-releases-security-updates-workspace-apps-virtual-apps-and