
Microsoft April 2023 Patch Tuesday
Published: 2023-04-11
Last Updated: 2023-04-11 17:45:46 UTC
by Renato Marinho (Version: 1)
This month we got patches for 114 vulnerabilities. Of these, 7 are critical, and 1 is already being exploited, according to Microsoft.
The exploited vulnerability is an Elevation of Privilege affecting the Windows Common Log File System Driver (CVE-2023-28252). The advisory says that the vulnerability severity is important, the attack vector is local, and the attack complexity is low. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. As this vulnerability is being exploited, it is recommended that you apply the patch as soon as possible. The CVSS for this vulnerability is 7.8.
Among critical vulnerabilities, there is a Remote Code Execution (RCE) affecting Microsoft Message Queuing (MSMQ) (CVE-2023-21554). MSMQ technology enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. To exploit this vulnerability, an attacker must send a specially crafted malicious MSMQ packet to an MSMQ server. This could result in remote code execution on the server side. The MSMQ service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. To check whether a machine is exposed, look for a running service named Message Queuing and for TCP port 1801 listening on the machine. The CVSS for this vulnerability is 9.8.
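The two conditions the diary gives for MSMQ exposure (the Message Queuing service running and TCP port 1801 listening) can be checked from PowerShell. The script below is an added example, not code from the ISC diary or from Microsoft; the function name Test-MsmqExposure is my own. It assumes the standard Windows service name MSMQ (display name "Message Queuing") and the Get-NetTCPConnection cmdlet available on Windows 8/Server 2012 and later.

```powershell
# Added example (not part of the ISC diary): report whether this host matches the
# diary's two exposure conditions for CVE-2023-21554:
#   1. a service named Message Queuing (service name MSMQ) is running, and
#   2. something is listening on TCP port 1801.
# Function name is hypothetical; service and cmdlet names are standard Windows ones.

function Test-MsmqExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        ServicePresent   = $false
        ServiceStatus    = 'NotInstalled'
        Port1801Listen   = $false
        ListeningProcess = $null
        Exposed          = $false
    }

    # Service check. Get-Service errors when the service does not exist, so the
    # error is suppressed and a $null result means "not installed".
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent = $true
        $result.ServiceStatus  = $svc.Status.ToString()
    }

    # Listener check: any TCP socket bound to local port 1801 in the Listen state.
    $conn = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($conn) {
        $result.Port1801Listen = $true
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($proc) {
            $result.ListeningProcess = "$($proc.ProcessName) (PID $($proc.Id))"
        }
    }

    # Both diary conditions must hold for the host to count as exposed.
    $result.Exposed = ($result.ServiceStatus -eq 'Running' -and $result.Port1801Listen)

    [pscustomobject]$result
}

# Usage: run on the host being assessed; Exposed = True means patch this one first.
Test-MsmqExposure | Format-List
```

Run it locally as an administrator, or wrap the call in Invoke-Command -ComputerName to sweep a fleet; hosts that report Exposed = True are the ones to prioritise for the April patch. Since the diary states that MSMQ must be enabled for a system to be exploitable, a host where the service exists but is not needed can also have the service stopped and disabled until the patch is applied.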
There is also an RCE affecting DHCP Server Service (CVE-2023-28231). According to the advisory, an authenticated attacker could exploit this vulnerability by leveraging a specially crafted RPC call to the DHCP service. Successful exploitation of this vulnerability requires that an attacker first gain access to the restricted network before running an attack. The CVSS for this vulnerability is 8.8.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+April+2023+Patch+Tuesday/29736/
Apple Patching Two 0-Day Vulnerabilities in iOS and macOS
Published: 2023-04-07
Last Updated: 2023-04-07 19:17:21 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for iOS and macOS (as well as Safari). The update fixes two vulnerabilities that are already being exploited:
- CVE-2023-28205: This vulnerability could lead to a "zero-click" exploit as a user visits a malicious web page.
- CVE-2023-28206: The first vulnerability "only" provides code execution in the Safari sandbox. But this second vulnerability could be used to escape the sandbox and achieve full system access. We rate this as "important" as it implements a privilege escalation. The full potential of the vulnerability is only realized with a remote code execution vulnerability like CVE-2023-28205.
These two vulnerabilities are likely going to be used together. Both vulnerabilities were reported by the Google TAG and the Amnesty International Security Lab. This indicates that they were used in targeted attacks, likely by state-sponsored spyware. I hope either will provide us with more details.
Read the full entry:
https://isc.sans.edu/diary/Apple+Patching+Two+0Day+Vulnerabilities+in+iOS+and+macOS/29726/
Another Malicious HTA File Analysis - Part 2
Published: 2023-04-10
Last Updated: 2023-04-10 08:13:31 UTC
by Didier Stevens (Version: 1)
The first part in this series can be found here: https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+1/29674
In the first part, we ended with a decoded PowerShell script. We will now start to decrypt the payload found inside this PowerShell script...
Read the full entry:
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/
Recent IcedID (Bokbot) activity (2023.04.12)
https://isc.sans.edu/diary/Recent+IcedID+Bokbot+activity/29740/
Chrome's Download Tab: Dangerous Files (2023.04.09)
https://isc.sans.edu/diary/Chromes+Download+Tab+Dangerous+Files/29730/
Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023 (2023.04.08)
https://isc.sans.edu/diary/Microsoft+Netlogon+Potential+Upcoming+Impacts+of+CVE202238023/29728/
Detecting Suspicious API Usage with YARA Rules (2023.04.07)
https://isc.sans.edu/diary/Detecting+Suspicious+API+Usage+with+YARA+Rules/29724/
Security headers you should add into your application to increase cyber risk protection (2023.04.06)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-38023 - Netlogon RPC Elevation of Privilege Vulnerability
Product: Microsoft Windows_Server_2022
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38023
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8446

CVE-2023-28268 - Netlogon RPC Elevation of Privilege Vulnerability
Product: Netlogon RPC
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28268
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28268

CVE-2023-28252 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
Product: Windows Common Log File System Driver
CVSS Score: 7.8
** KEV since 2023-04-11 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28252
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252

CVE-2023-21554 - Microsoft Message Queuing Remote Code Execution Vulnerability
Product: Microsoft Message Queuing
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21554
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554

CVE-2023-21769 - Microsoft Message Queuing Denial of Service Vulnerability
Product: Microsoft Message Queuing
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21769
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21769

CVE-2023-28302 - Microsoft Message Queuing Denial of Service Vulnerability
Product: Microsoft Message Queuing
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28302
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28302

CVE-2023-28231 - DHCP Server Service Remote Code Execution Vulnerability
Product: DHCP Server Service
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28231
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28231

CVE-2023-28250 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Product: Windows Pragmatic General Multicast (PGM)
CVSS Score: 9.8
AtRiskScore: 50
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28250
ISC Diary: https://isc.sans.edu/diary/29736
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28250

CVE-2023-28205 - Apple's use after free issue allows arbitrary code execution when processing malicious web content, fixed in various updates, but may have been actively exploited.
Product: Apple Safari
CVSS Score: 8.8
** KEV since 2023-04-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28205
NVD References:
- https://seclists.org/fulldisclosure/2023/Apr/1
- https://seclists.org/fulldisclosure/2023/Apr/2
- https://seclists.org/fulldisclosure/2023/Apr/3
- https://seclists.org/fulldisclosure/2023/Apr/5
- https://support.apple.com/en-us/HT213720
- https://support.apple.com/en-us/HT213721
- https://support.apple.com/en-us/HT213722
- https://support.apple.com/en-us/HT213723

CVE-2023-28206 - Apple iOS, iPadOS, and macOS are vulnerable to an out-of-bounds write, allowing app execution of arbitrary code with kernel privileges that may have been actively exploited.
Product: Apple iPadOS
CVSS Score: 8.6
** KEV since 2023-04-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28206
NVD References:
- https://seclists.org/fulldisclosure/2023/Apr/1
- https://seclists.org/fulldisclosure/2023/Apr/2
- https://seclists.org/fulldisclosure/2023/Apr/4
- https://seclists.org/fulldisclosure/2023/Apr/5
- https://seclists.org/fulldisclosure/2023/Apr/6
- https://support.apple.com/en-us/HT213720
- https://support.apple.com/en-us/HT213721
- https://support.apple.com/en-us/HT213723
- https://support.apple.com/en-us/HT213724
- https://support.apple.com/en-us/HT213725

CVE-2023-26083 - Mali GPU Kernel Driver in multiple versions has a memory leak vulnerability that exposes sensitive kernel metadata.
Product: Arm Avalon GPU Kernel Driver
CVSS Score: 5.5
** KEV since 2023-04-07 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26083
NVD References:
- https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
- https://www.cybersecurity-help.cz/vdb/SB2023033049
- https://www.cybersecurity-help.cz/vulnerabilities/74210/

CVE-2023-1728 - Fernus Informatics LMS is vulnerable to OS Command Injection and SSI Injection due to unrestricted upload of dangerous file types, affecting versions before 23.04.03.
Product: Fernus Learning Management Systems
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1728
NVD References: https://www.…