ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Increased Number of Configuration File Scans
Published: 2023-05-03
Last Updated: 2023-05-03 06:37:52 UTC
by Xavier Mertens (Version: 1)
Today, automation is a crucial point for many organizations. In cloud environments, in containers, many apps are deployed automatically, for example, to face a sudden peak of activity or to reduce costs. Automation means that everything must be pre-configured: specifications of the applications but also critical information to interact with the hosting platform (credentials, API keys, secret keys, …)
Such information is often stored in environment files. The best example is probably the “.env” file used by Docker. Such files contain credentials in key-value format for services. They should be stored locally and not be uploaded to code repositories. The verb “should” is the problem. Many developers include .env files in online repositories and, when the application is deployed, they become publicly available!
Of course, bots are looking for such files. I detected a recent peak of activity in my logs:
Read the full entry:
https://isc.sans.edu/diary/Increased+Number+of+Configuration+File+Scans/29806/
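To spot the kind of scanning the diary describes in your own web server logs, here is an added example (not code from the diary): it parses combined-format access log lines, counts requests for configuration files per source, and separates probes that got a 404 from requests that were actually served with a 2xx, which means the file really was exposed. The ".git/config" path, the regexes and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from collections import Counter

# Paths scanners request when hunting for exposed configuration files.
# ".env" is from the diary; ".git/config" is an assumed addition.
CONFIG_PATH_RE = re.compile(r"(^|/)(\.env(\.[\w-]+)?|\.git/config)$")

# Combined log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return the fields of one combined-format access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def config_file_scans(lines):
    """Return (probes, hits): probes counts configuration-file requests per client IP,
    hits lists (ip, path, status) for those answered 2xx, i.e. the file was really
    served and any secrets in it must be treated as compromised."""
    probes, hits = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if not CONFIG_PATH_RE.search(path):
            continue
        probes[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            hits.append((rec["ip"], path, int(rec["status"])))
    return probes, hits

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2023:06:01:10 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2023:06:01:11 +0000] "GET /api/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2023:06:01:12 +0000] "GET /.env.production HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [03/May/2023:06:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.2 - - [03/May/2023:06:02:01 +0000] "GET /.git/config?x=1 HTTP/1.1" 403 153 "-" "curl/8.0"',
]

if __name__ == "__main__":
    probes, hits = config_file_scans(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} configuration-file request(s)")
    for ip, path, status in hits:
        print(f"EXPOSED: {path} served with HTTP {status} to {ip}")
```

A 2xx hit means the secrets in that file should be rotated immediately; the 404 probes alone only show that the host is on a scanner's list.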
Quick IOC Scan With Docker
Published: 2023-04-28
Last Updated: 2023-04-28 10:27:38 UTC
by Xavier Mertens (Version: 1)
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki, the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities.
Loki is delivered as a package with an executable for the Windows environment but is being developed in Python. Therefore, why not create a Docker image ready to scan your pieces of evidence?
Read the full entry:
https://isc.sans.edu/diary/Quick+IOC+Scan+With+Docker/29788/
SANS.edu Research Journal: Volume 3
Published: 2023-04-27
Last Updated: 2023-04-27 15:39:04 UTC
by Johannes Ullrich (Version: 1)
One of my privileges as dean of research for the SANS.edu college is the ability to work with some of our graduate students as they complete their research projects. More recently, I have also been lucky to advise many of our undergraduate students as they participate in our Internet Storm Center internship. You may have seen me highlight some of the work done by our students as part of diaries or as part of the daily podcast. At times, I could interview some of our students for some episodes.
Yesterday, SANS.edu released the third volume of our research journal, summarizing the best papers completed by students over the last year. Each student is assigned a member of our research committee to assist them as they conduct the research. Thanks to this research committee, our writing center, and all the other resources assisting our students in creating this fantastic work. To be included in the journal, papers must be graded with an "A."
When selecting research topics, students are asked to investigate solutions to current, relevant problems. Papers not only present the solution but also prove that the solution works. Our students are asked to conduct experiments to test solutions and to show how they apply to the problem they are supposed to address.
In line with our "SANS promise," the research papers, just like any SANS class, should provide you with information you can apply "the next day at work." This year, we are also highlighting some of the work of our undergraduate interns.
The SANS.edu college research journal is available for download here: https://www.sans.edu/cyber-security-research.
Read the full entry:
https://isc.sans.edu/diary/SANSedu+Research+Journal+Volume+3/29784/
VBA Project References (2023.05.02)
https://isc.sans.edu/diary/VBA+Project+References/29800/
"Passive" analysis of a phishing attachment (2023.05.01)
https://isc.sans.edu/diary/Passive+analysis+of+a+phishing+attachment/29798/
Deobfuscating Scripts: When Encodings Help (2023.04.30)
https://isc.sans.edu/diary/Deobfuscating+Scripts+When+Encodings+Help/29792/
Wireshark 4.0.5 Released (2023.04.29)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-30839 - PrestaShop prior to 8.0.4 and 1.7.8.9 has a SQL filtering vulnerability allowing BO users to write, update, and delete in the database without specific rights.
Product: PrestaShop e-commerce web application
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30839
NVD References:
- https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30
- https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822

CVE-2012-5872 - ARC (aka ARC2) through 2011-12-01 allows blind SQL Injection in getTriplePatternSQL in ARC2_StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause.
Product: ARC ARC2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2012-5872
NVD References: https://www.ush.it/2012/11/22/arc-v2011-12-01-multiple-vulnerabilities/

CVE-2023-29268 - TIBCO Spotfire Statistics Services is vulnerable to remote attackers uploading or modifying arbitrary files in the web server directory.
Product: TIBCO Software Inc. TIBCO Spotfire Statistics Services
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29268
NVD References: https://www.tibco.com/services/support/advisories

CVE-2023-30546 - Contiki-NG's Antelope database management system has an off-by-one error in versions 4.8 and prior, allowing for memory access beyond allocated buffer size.
Product: Contiki-NG Antelope database management system
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30546
NVD References:
- https://github.com/contiki-ng/contiki-ng/pull/2425
- https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-257g-w39m-5jj4

CVE-2023-30846 - Typed-rest-client versions 1.7.3 or lower allow third party authentication data leakage when BasicCredentialHandler, BearerCredentialHandler, or PersonalAccessTokenCredentialHandler are used, which was fixed in version 1.8.0 without workarounds.
Product: typed-rest-client library
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30846
NVD References:
- https://github.com/microsoft/typed-rest-client/commit/f9ff755631b982ee1303dfc3e3c823d0d31233e8
- https://github.com/microsoft/typed-rest-client/security/advisories/GHSA-558p-m34m-vpmq

CVE-2023-2297 - The Profile Builder - User Profile & User Registration Forms plugin for WordPress allows unauthorized password resets due to insufficient validation on the password reset function.
Product: Profile Builder User Profile & User Registration Forms plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2297
NVD References:
- https://lana.codes/lanavdb/512e7307-04a5-4d8b-8f79-f75f37784a9f/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2864329%40profile-builder&new=2864329%40profile-builder&sfp_email=&sfph_mail=
- https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e731292a-4f95-46eb-889e-b00d58f3444e?source=cve

CVE-2023-20852 - aEnrich Technology's a+HRD is vulnerable to remote code execution via untrusted data deserialization in its MSMQ interpreter.
Product: aEnrich Technology a+HRD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20852
NVD References: https://www.twcert.org.tw/tw/cp-132-7023-8368b-1.html

CVE-2023-20853 - aEnrich Technology a+HRD allows unauthenticated remote attackers to execute arbitrary system commands via Deserialization of Untrusted Data in its MSMQ asynchronized message process.
Product: aEnrich Technology a+HRD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20853
NVD References: https://www.twcert.org.tw/tw/cp-132-7024-bdefe-1.html

CVE-2023-28697 - Moxa MiiNePort E1 suffers from insufficient access control, allowing unauthenticated remote users to perform arbitrary system operations or disrupt service.
Product: Moxa MiiNePort E1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28697
NVD References:
- https://cdn-cms.azureedge.net/Moxa/media/PDIM/S100000223/MiiNePort%20E1%20Series_moxa-miineport-e1-series-firmware-v1.9.rom_Software%20Release%20History.pdf
- https://www.twcert.org.tw/tw/cp-132-7021-eb43a-1.html

CVE-2023-28769 - Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 allow remote attackers to execute OS commands or cause DoS via a buffer overflow vulnerability in the library "libclinkc.so" of the web server "zhttpd".
Product: Zyxel DX5401-B0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28769
NVD References: https://www.zyxel.com/global/en/support/security-advis…
The ICS Security Summit has ended but the 2023 SANS ICS/OT Survey, written by our very own Dean Parsons is LIVE! Complete this survey and you will be entered into our drawing for a chance to win a $400 Amazon gift card | Take the survey:
Join report authors Heather Mahalik and Lee Crognale on Wednesday, May 10th at 1:00pm ET as they dive into the annual 2023 Report: Digital Forensics | Register now:
Upcoming webcast with Dave Shackleford on Thursday, May 11th at 10:30am ET | Top Code Vulnerabilities to Avoid in 2023 | Register now: