Microsoft March 2023 Patch Tuesday
Published: 2023-03-14
Last Updated: 2023-03-14 19:43:59 UTC
by Renato Marinho (Version: 1)
This month we got patches for 76 vulnerabilities. Of these, 9 are critical and 2 are already being exploited, according to Microsoft.
One of the exploited vulnerabilities is an elevation of privilege affecting Microsoft Outlook (CVE-2023-23397). According to the advisory, an attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. The attacker could exploit this vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane. The CVSS for this vulnerability is 9.8.
The second exploited vulnerability is a security feature bypass affecting Windows SmartScreen (CVE-2023-24880). According to the advisory, an attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The CVSS for this vulnerability is 5.4.
There is another critical vulnerability worth mentioning which is Remote Code Execution (RCE) affecting HTTP Protocol Stack (CVE-2023-23392). A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled and the server uses buffered I/O. HTTP/3 support for services is a new feature of Windows Server 2022. This vulnerability requires no user interaction, no privileges, and the attack complexity is low. The CVSS for this vulnerability is 9.8.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+March+2023+Patch+Tuesday/29634/
Incoming Silicon Valley Bank Related Scams
Published: 2023-03-13
Last Updated: 2023-03-13 14:53:24 UTC
by Johannes Ullrich (Version: 1)
Any big news story tends to attract its set of scams. We have seen this happening for disasters, political events, and wars. So it isn't a big surprise that last week's failure of Silicon Valley Bank is starting to get some traction.
If you see any scams (phishing, malware...): Please let us know via our contact page or email (handlers - at - isc.sans.edu )
The failure of Silicon Valley Bank has some particularly enticing properties for scammers:
It involves a lot of money
Urgency: Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now?
Uncertainty: For many, it isn't clear how to communicate with SVB, what website to use, or what emails to expect (or where they will come from?)
All this is bound to result in some simple but also targeted scams.
You should expect some targeted scams if it is known that you or the company you work for banks with SVB. Most of the time, this information is more or less public. Expect not just email but also SMS or phone call scams.
Some of the legitimate offers may be indistinguishable from scams. People may offer loans or legal services to affected companies. As with natural disasters in the past, we also see law firms setting up dedicated pages to attract clients for an eventual lawsuit.
We do already see a little race to register SVB-related domains.
Read the full entry:
https://isc.sans.edu/diary/Incoming+Silicon+Valley+Bank+Related+Scams/29630/
IPFS phishing and the need for correctly set HTTP security headers (2023.03.15)
https://isc.sans.edu/diary/IPFS+phishing+and+the+need+for+correctly+set+HTTP+security+headers/29638/
AsynRAT Trojan - Bill Payment (Pago de la factura) (2023.03.12)
https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/
Overview of a Mirai Payload Generator (2023.03.11)
https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/
Multi-Technology Script Leading to Browser Hijacking (2023.03.10)
https://isc.sans.edu/diary/MultiTechnology+Script+Leading+to+Browser+Hijacking/29620/
Today I Learned .. a new thing about GREP (2023.03.09)
https://isc.sans.edu/diary/Today+I+Learned+a+new+thing+about+GREP/29618/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-21716 - Microsoft Word Remote Code Execution Vulnerability
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8398
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
** KEV since 2023-03-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23397
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability
CVSS Score: 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C
** KEV since 2023-03-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24880
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880

CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23392
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392

CVE-2023-21708 - Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C AtRiskScore 50
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21708
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708

CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23415
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415

CVE-2022-41328 - An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.
CVSS Score: 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
** KEV since 2023-03-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41328
NVD References: https://fortiguard.com/psirt/FG-IR-22-369

CVE-2023-1017 - CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability
CVSS Score: 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1017
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1017

CVE-2023-1018 - CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability
CVSS Score: 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1018
ISC Diary: https://isc.sans.edu/diary/29634
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1018

CVE-2023-23752 - An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23752
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8402

CVE-2019-8720 - A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.
CVSS Score: 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
** KEV since 2022-05-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-8720
NVD References: https://bugzilla.redhat.com/show_bug.cgi?id=1876611
NVD References: https://webkitgtk.org/security/WSA-2019-0005.html

CVE-2022-3760 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mia Technology Mia-Med. This issue affects Mia-Med: before 1.0.0.58.
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3760
NVD References: https://www.usom.gov.tr/bildirim/tr-23-0130

CVE-2023-23403, CVE-2023-23406, CVE-2023-23413, CVE-2023-24864, CVE-2023-24867, CVE-2023-24868, CVE-2023-24872, CVE-2023-24876, CVE-2023-24907, CVE-2023-24909, CVE-2023-24913 - Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vul…