The Consensus Security Vulnerability Alert

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

The strange case of Great honeypot of China

Published: 2023-04-17

Last Updated: 2023-04-17 08:44:28 UTC

by Jan Kopriva (Version: 1)

Looking at changes that the internet as a whole goes through over time can be quite edifying. Since old servers are being decommissioned and new ones are being added all the time, the internet “landscape” can change significantly even over the course of a year or several months.

Because very few of us have ever had access to our own Carna botnet or other solution, which would enable us to periodically scan the entire public IP space, we have to depend on information provided to us by specialized services (e.g., Censys or Shodan), which conduct such scans on our behalf, to learn of these changes.

Since we are dependent on these third-party services, which are, from our viewpoint, basically “black boxes”, any large spikes that may be seen in data gathered from them may be the result of a real, rapid change in the public IP space, or the result of misconfiguration or error in some internal mechanism used by these services. And, unfortunately, it is not always easy to say which is which… Which holds true even for a recent spike in the number of honeypots that Shodan detected.

As I mentioned in some of my previous Diaries, I use my TriOp tool to periodically gather significant amounts of data from Shodan about the global internet landscape, as well as about the situation in different countries. Among other information, I use the tool to gather the number of devices that Shodan classifies as “medical” systems, which are accessible from the internet, and a few weeks ago, a script that I use to identify significant changes in the data started to generate daily notices about a sharp relative increase in such systems in China (and, several days later, about a corresponding relative increase on a global level).

Read the full entry:

https://isc.sans.edu/diary/The+strange+case+of+Great+honeypot+of+China/29750/

HTTP: What's Left of it and the OCSP Problem

Published: 2023-04-13

Last Updated: 2023-04-13 14:43:37 UTC

by Johannes Ullrich (Version: 1)

It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.

Looking at the top TCP ports in my network:

325900 443

38191 22

31006 23

25884 80

22025 53

HTTPS is by far the top port (and most of the 22/23 connections are likely for my honeypot, and so are many of the port 80 connections.)

So let's dive into a bit more detail on my zeek HTTP logs. I use the JSON format for zeek logs and will use the "jq" tool to parse them instead of the usual "zeek-cut" tool.

Read the full entry:

https://isc.sans.edu/diary/HTTP+Whats+Left+of+it+and+the+OCSP+Problem/29744/

UDDIs are back? Attackers rediscovering old exploits. (2023.04.18)

https://isc.sans.edu/diary/UDDIs+are+back+Attackers+rediscovering+old+exploits/29754/

Microsoft April 2023 Patch Tuesday (2023.04.11)

https://isc.sans.edu/diary/Microsoft+April+2023+Patch+Tuesday/29736/

Apple Patching Two 0-Day Vulnerabilities in iOS and macOS (2023.04.07)

https://isc.sans.edu/diary/Apple+Patching+Two+0Day+Vulnerabilities+in+iOS+and+macOS/29726/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.CVE-2023-29492 - Novi Survey before version 8.9.43676 allows remote code execution on the server in the context of the service account, without giving access to stored survey or response data.Product: Novi SurveyCVSS Score: 9.8** KEV since 2023-04-13 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29492NVD References: https://novisurvey.net/blog/novi-survey-security-advisory-apr-2023.aspxCVE-2023-28252 - Windows Common Log File System Driver Elevation of Privilege VulnerabilityProduct: Microsoft Windows 10 1507 CVSS Score: 7.8** KEV since 2023-04-11 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28252MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252CVE-2023-21554 - Microsoft Message Queuing Remote Code Execution VulnerabilityProduct: Microsoft  Message QueuingCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21554MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554CVE-2023-28250 - Windows Pragmatic General Multicast (PGM) Remote Code Execution VulnerabilityProduct: Microsoft Windows 10 1507CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28250MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28250CVE-2023-22897 - SecurePoint UTM before 12.2.5.1 allows authenticated users to retrieve uninitialized data via the firewall's endpoint /spcgi.cgi, leading to information disclosure of memory contents.Product: SecurePoint UTMCVSS Score: 0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22897ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8454NVD References: - http://packetstormsecurity.com/files/171928/SecurePoint-UTM-12.x-Memory-Leak.html- http://seclists.org/fulldisclosure/2023/Apr/8- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22897.txt- https://rcesecurity.comCVE-2023-2033 - Chromium: CVE-2023-2033 Type Confusion in V8Product: Google ChromeCVSS Score: 0** KEV since 2023-04-17 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2033MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2033NVD References: - https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html- https://crbug.com/1432210- https://www.debian.org/security/2023/dsa-5390CVE-2023-27497 - SAP Diagnostics Agent version 720 is vulnerable to code injection, allowing attackers to execute malicious scripts and compromise system confidentiality, integrity, and availability.Product: Sap Diagnostics AgentCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27497NVD References: - https://launchpad.support.sap.com/#/notes/3305369- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlCVE-2023-28765 - SAP BusinessObjects Business Intelligence Platform (Promotion Management) versions 420, 430 allows attackers to compromise the application by accessing BI user passwords through a decrypted lcmbiar file.Product: Sap Businessobjects Business IntelligenceCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28765NVD References: - https://launchpad.support.sap.com/#/notes/3298961- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlCVE-2023-26121 - Safe-eval package is vulnerable to Prototype Pollution via its safeEval function.Product: Safe-Eval Project CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26121NVD References: - https://gist.github.com/seongil-wi/9d9fc0cc5b7b130419cd45827e59c4f9- https://github.com/hacksparrow/safe-eval/issues/28- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373062CVE-2023-26122 - Safe-eval is vulnerable to Sandbox Bypass and RCE through prototype pollution exploitation in functions like defineGetter and valueOf.Product: Safe-Eval Project CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26122NVD References: - https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce- https://github.com/hacksparrow/safe-eval/issues/27- https://github.com/hacksparrow/safe-eval/issues/31- https://github.com/hacksparrow/safe-eval/issues/32- https://github.com/hacksparrow/safe-eval/issues/33- https://github.com/hacksparrow/safe-eval/issues/34- https://github.com/hacksparrow/safe-eval/issues/35- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064CVE-2023-25950 - HAProxy versions 2.7.0 and 2.6.1 to 2.6.7 are vulnerable to HTTP request/response smuggling, allowing remote attackers to alter user requests and potentially cause a DoS condition or obtain sensitive information.Product: Haproxy CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25950NVD References: - https://git.haproxy.org/?p=haproxy-2.7.git;…