Apple Updates Everything (including Studio Display)
Published: 2023-03-27
Last Updated: 2023-03-27 21:01:22 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for all of its operating systems. The updates also cover some older versions of iOS and macOS. For iOS/iPadOS 15, Apple has now patched an already exploited vulnerability (CVE-2023-23529); current operating systems received a patch for this vulnerability in mid-January.
Also noteworthy: this is the first time, as far as I can recall, that we got a security update for the Studio Display firmware. Firmware updates were released for the Studio Display before, but they fixed non-security bugs.
Read the full entry:
https://isc.sans.edu/diary/Apple+Updates+Everything+including+Studio+Display/29682/
Microsoft Released an Update for Windows Snipping Tool Vulnerability
Published: 2023-03-25
Last Updated: 2023-03-25 19:56:15 UTC
by Guy Bruneau (Version: 1)
To exploit this vulnerability, the image must be created under the very specific conditions listed here.
According to the information provided by Microsoft, "The default Snipping Tool in Windows 10 and older versions are unaffected. Only Snip & Sketch in Windows 10 and Snipping Tool in Windows 11 are affected by this vulnerability. A security update has been released for these applications, which are available through the Microsoft Store."[1]
This is the information provided to verify whether a system is affected:
For Snip and Sketch installed on Windows 10, app versions 10.2008.3001.0 and later contain this update.
For Snipping Tool installed on Windows 11, app versions 11.2302.20.0 and later contain this update.
Read the full entry:
Cropping and Redacting Images Safely
Published: 2023-03-23
Last Updated: 2023-03-23 16:09:10 UTC
by Johannes Ullrich (Version: 1)
The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images [1][2]. While many image formats are still fundamentally "pixel" based, many have gone beyond simple "array of pixels" formats. Added compression, metadata, and other optimization features can make it difficult to remove information from images. This is not a new issue and has been a problem many times [3].
In some cases, image modifications are just appended to the original image file and overlaid as the image is displayed. Or files retain older versions to allow users to "undo" edits. And of course there are "bugs" like the recent image issues.
Here are some approaches to make image redaction safer. But please use them with caution.
Read the full entry:
https://isc.sans.edu/diary/Cropping+and+Redacting+Images+Safely/29666/
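The failure mode described above, an edited image written back over the original file without truncating it so that the original's bytes survive past the end of the new image, can be checked for without any image library. The following Python script is an added example and is not code from this diary entry, from the Snipping Tool entry above, or from any vendor; it serves both entries. It walks the PNG chunk stream, verifies each chunk CRC, reports anything after the IEND chunk, and demonstrates the check on a constructed sample pair: a synthetic 32x32 image and a 1x1 "crop" written over the start of it. The sample images, the `make_png` helper and the function names are all assumptions made for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int, pixel) -> bytes:
    """Build a minimal 8-bit RGB PNG; pixel(x, y) returns an (r, g, b) tuple.
    Only used here to construct sample files offline (assumption: not a real editor)."""
    rows = []
    for y in range(height):
        row = bytearray(b"\x00")  # filter type 0 (None) for this scanline
        for x in range(width):
            row += bytes(pixel(x, y))
        rows.append(bytes(row))
    # width, height, bit depth 8, colour type 2 (RGB), compression 0, filter 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk stream up to and including IEND.
    Returns ([(type, length, crc_ok), ...], offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("no IEND chunk before end of data")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype.decode("ascii"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos


def trailing_bytes(data: bytes) -> bytes:
    """Everything after IEND. A decoder ignores it, but it is still in the file."""
    _, end = parse_png(data)
    return data[end:]


def strip_after_iend(data: bytes) -> bytes:
    """Return the file cut off at IEND. This removes appended leftovers only; it does
    not touch data carried inside ancillary chunks (tEXt, zTXt, eXIf, ...)."""
    _, end = parse_png(data)
    return data[:end]


# Constructed samples (not real files): a 32x32 "secret" image and a 1x1 "crop".
ORIGINAL = make_png(32, 32, lambda x, y: ((x * 7) & 0xFF, (y * 13) & 0xFF, (x ^ y) & 0xFF))
CROPPED = make_png(1, 1, lambda x, y: (0, 0, 0))

# Reproduce the failure mode: the shorter crop is written over the original file
# without truncating it, so the tail of the original survives after the new IEND.
LEAKY = CROPPED + ORIGINAL[len(CROPPED):]


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("leaky crop", LEAKY),
                       ("leaky crop, stripped", strip_after_iend(LEAKY))):
        chunks, _ = parse_png(blob)
        tail = trailing_bytes(blob)
        print("%-22s chunks=%s trailing=%d bytes%s" % (
            name, [c[0] for c in chunks], len(tail),
            "  <- original image data (incl. its IEND) still present" if b"IEND" in tail else ""))
```

A non-empty result from trailing_bytes() is a strong signal; an empty one is not a clean bill of health, since edit history kept in ancillary chunks or in other formats' metadata is not caught by this check. Re-encoding the redacted image into a fresh file with a tool that writes only the visible pixels remains the safer route.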
Network Data Collector Placement Makes a Difference (2023.03.28)
https://isc.sans.edu/diary/Network+Data+Collector+Placement+Makes+a+Difference/29664/
Another Malicious HTA File Analysis - Part 1 (2023.03.27)
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+1/29674/
CyberChef Version 10 Released (2023.03.26)
https://isc.sans.edu/diary/CyberChef+Version+10+Released/29672/
Extra: "String Obfuscation: Character Pair Reversal" (2023.03.26)
https://isc.sans.edu/diary/Extra+String+Obfuscation+Character+Pair+Reversal/29656/
CVE-2023-1594
Product: Novel-Plus Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1594
NVD References:
- https://github.com/OYyunshen/Poc/blob/main/Novel-PlusV3.6.2Sqli.pdf
- https://vuldb.com/?ctiid.223662
- https://vuldb.com/?id.223662

CVE-2023-1606 - Novel-plus 3.6.2 is vulnerable to a critical SQL injection in DictController.java's orderby argument, allowing for remote attacks.
Product: Novel-Plus Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1606
NVD References:
- https://github.com/OYyunshen/Poc/blob/main/Novel-PlusSqli1.pdf
- https://vuldb.com/?ctiid.223736
- https://vuldb.com/?id.223736

CVE-2023-27078 - "TP-Link MR3020 v.1_150921 is vulnerable to remote command injection via a crafted request to the tftp endpoint."
Product: TP-Link MR3020
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27078
NVD References: https://github.com/B2eFly/Router/blob/main/TPLINK/MR3020/1.md

CVE-2023-28610 - OMICRON StationGuard and OMICRON StationScout before 2.21 are vulnerable to remote root access by exploiting the update process with a modified firmware update image.
Product: OMICRON Energy StationGuard and StationScout
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28610
NVD References:
- https://www.omicronenergy.com/en/support/product-security/
- https://www.omicronenergy.com/fileadmin/user_upload/website/files/product-security/osa-5.txt

CVE-2023-28611 - OMICRON StationGuard and StationScout allow unauthorized access due to incorrect authorization.
Product: OMICRON Energy StationGuard and StationScout
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28611
NVD References:
- https://www.omicronenergy.com/en/support/product-security/
- https://www.omicronenergy.com/fileadmin/user_upload/website/files/product-security/osa-6.txt

CVE-2023-1608 - Zhong Bang CRMEB Java up to 1.3.4 is vulnerable to remote SQL injection via the getAdminList function in the /api/admin/store/product/list file with a manipulated cateId argument (VDB-223738).
Product: CRMEB Java
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1608
NVD References:
- https://github.com/crmeb/crmeb_java/issues/11
- https://vuldb.com/?ctiid.223738
- https://vuldb.com/?id.223738

CVE-2023-25654 - baserCMS prior to version 4.7.5 has a Remote Code Execution (RCE) vulnerability in its management system.
Product: baserCMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25654
NVD References:
- https://github.com/baserproject/basercms/commit/002886be0998c74c386e04f0b43688a8a45d7a96
- https://github.com/baserproject/basercms/commit/08247f0a633d8e836ce2e5cd2d53aa19901a1359
- https://github.com/baserproject/basercms/commit/60f83054d8131b0ace60716cec7e629b5eb3a8f0
- https://github.com/baserproject/basercms/releases/tag/basercms-4.7.5

CVE-2023-25655 - baserCMS prior to version 4.7.5 allows any file to be uploaded; a patch is included in version 4.7.5.
Product: baserCMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25655
NVD References:
- https://github.com/baserproject/basercms/commit/922025a98b0e697ab78f6a785a004e0729aa9100
- https://github.com/baserproject/basercms/commit/9297629983ed908c7f51bf61a0231dde91404ebd
- https://github.com/baserproject/basercms/releases/tag/basercms-4.7.5
- https://github.com/baserproject/basercms/security/advisories/GHSA-mfvg-qwcw-qvc8

CVE-2023-1612 - Rebuild up to version 3.2.3 is vulnerable to remote SQL injection via manipulation of the file /files/list-file.
Product: Ruifang-Tech Rebuild
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1612
NVD References:
- https://github.com/getrebuild/rebuild/issues/598
- https://vuldb.com/?ctiid.223743
- https://vuldb.com/?id.223743

CVE-2023-27034 - PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability.
Product: Joommasters Jms Blog
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27034
NVD References: https://friends-of-presta.github.io/security-advisories/modules/2023/03/13/jmsblog.html

CVE-2023-28445 - Deno 1.32.0 is vulnerable to an out-of-bounds read/write caused by resizable ArrayBuffers passed to asynchronous functions that are shrunk during the operation.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28445
NVD References:
- https://github.com/denoland/deno/pull/18395
- https://github.com/denoland/deno/releases/tag/v1.32.1
- https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx

CVE-2023-1177 - Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
Product: Lfprojects Mlflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1177
NVD References:
- https://github.com/mlflow/mlflow/commit/7162a50c654792c21f3e4a160eb1a0e6a34f6e6e
- https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28

CVE-2022-20532 - Android is vulnerable to remote escalation of privilege due to an integer overflow in MPEG4Extractor.cpp.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-20532
NVD References: https://source.android.com/security/bulletin/pixel/2023-03-01

CVE-2022-42498 - Android Pixel cellular firmware allows remote code execution without additional privileges due to a missing bounds check.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42498
NVD References: https://source.android.com/security/bulletin/pixel/2023-03-01

CVE-2022-42499 - Android kernel in sms_MmConManagement.c allows remote code execution via an out-of-bounds write due to a heap buffer overflow, without user interaction.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42499
NVD References: https://source.android.com/security/bulletin/pixel/2023-03-01

CVE-2023-28444 - angular-server-side-configuration is vulnerable when used in a monorepo setup, allowing exposure of backend environment variables; mitigated in version 15.1.0 with a new `searchPattern` option or by manually editing the ngssc.json file.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28444
NVD References:
- https://github.com/kyubisation/angular-server-side-configuration/commit/d701f51260637a84ede278e248934e0437a7ff86
- https://github.com/kyubisation/angular-server-side-configuration/releases/tag/v15.1.0
- https://github.com/kyubisation/angular-server-side-configuration/security/advisories/GHSA-gwvm-vrp4-4pp5

CVE-2023-25668 - TensorFlow prior to versions 2.12.0 and 2.11.1 allows attackers to execute remote code or cause a crash by accessing uncontrolled heap memory.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25668
NVD References:
- https://github.com/tensorflow/tensorflow/commit/7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gw97-ff7c-9v96

CVE-2023-28437 - Dataease is vulnerable to SQL injection due to a missing blacklist; fixed in version 1.18.5, with no known workarounds.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28437
NVD References:
- https://github.com/dataease/dataease/issues/4795
- https://github.com/dataease/dataease/releases/tag/v1.18.5
- https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56

CVE-2023-24838 - HGiga PowerStation allows an unauthenticated remote attacker to obtain the administrator's credential and perform arbitrary system operations or disrupt service due to an information leakage vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24838
NVD References: https://www.twcert.org.tw/tw/cp-132-6957-d8f67-1.html

CVE-2023-25909 - HGiga OAKlouds allows unauthenticated remote attackers to upload and execute arbitrary files.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25909
NVD References: https://www.twcert.org.tw/tw/cp-132-6973-45872-1.html

CVE-2022-4126 - ABB RCCMD before version 4.40 230207 is vulnerable to default password use, allowing easy access with common or default usernames on Windows, Linux, and macOS.
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4126
NVD References: https://search.abb.com/library/Download.aspx?DocumentID=2CMT006099_EN&LanguageCode=en&DocumentPartId=&Action=Launch

CVE-2023-1133 - Delta Electronics InfraSuite Device Master versions prior to 1.0.5 allow unauthenticated remote code execution due to UDP packets being deserialized by the device-status service.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1133
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02

CVE-2023-1136 - Delta Electronics InfraSuite Device Master versions prior to 1.0.5 allow unauthenticated attackers to bypass authentication by generating a valid token.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1136
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02

CVE-2023-1140 - Delta Electronics InfraSuite Device Master versions prior to 1.0.5 allow unauthenticated remote code execution by an attacker in the context of an administrator.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1140
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02

CVE-2022-46415 - The DJI Spark 01.00.0900 is vulnerable to remote attacks that exhaust the DHCP IP address pool and prevent legitimate terminal connections, by an attacker who has guessed the password of the device's internal Wi-Fi network and sends many DHCP requests.
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46415
NVD References:
- https://github.com/bosslabdcu/Vulnerability-Reporting/security/advisories/GHSA-54q2-3r2m-9pgm
- https://smartstore.naver.com/chachablues/products/6617613337
- https://smartstore.naver.com/hancomawesome-tech/products/5367473135

CVE-2022-46416 - Parrot Bebop 4.7.1 is vulnerable to DHCP exhaustion attacks, allowing remote attackers to prevent legitimate terminal connections by flooding the IP address pool.
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46416
NVD References:
- https://github.com/bosslabdcu/Vulnerability-Reporting/security/advisories/GHSA-4xx4-r27p-wcrv
- https://smartstore.naver.com/chachablues/products/6617613337
- https://smartstore.naver.com/hancomawesome-tech/products/5367473135

CVE-2022-3682 - The Hitachi Energy SDM600 is vulnerable to arbitrary code execution via specially crafted messages uploaded by an attacker, due to file permission validation issues in versions prior to 1.2 FP3 HF4.
Product: Hitachi Energy SDM600
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3682
NVD References: https://search.abb.com…
Featured session as a part of SANS 2023 on Tuesday, April 4th at 12:30pm ET | SOC Visibility Triad, Why You Need NDR Alongside EDR - Join us as we demo popular EDR tools and give analyst workflow examples and use cases. | Register now:
Join Chris Crowley on Wednesday, April 5th at 10:30am ET for this upcoming whitepaper discussion - Managed Detection and Response: Optimizing External Expertise | Register now:
Upcoming webcast on Tuesday, April 13th at 10:30am ET | Cloud Security: Does the Endpoint Still Matter? | Register now: