Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Increased Number of Configuration File Scans

Published: 2023-05-03

Last Updated: 2023-05-03 06:37:52 UTC

by Xavier Mertens (Version: 1)

Today, automation is a crucial point for many organizations. In cloud environments and in containers, many apps are deployed automatically, for example, to face a sudden peak of activity or to reduce costs. Automation means that everything must be pre-configured: specifications of the applications but also critical information to interact with the hosting platform (credentials, API keys, secret keys, …).

Such information is often stored in environment files. The best example is probably the ".env" file used by Docker. Such files contain credentials in key-value format for services. They should be stored locally and not be uploaded to code repositories. The verb "should" is the problem. Many developers include .env files in online repositories and, when the application is deployed, they become publicly available!

Of course, bots are looking for such files. I detected a recent peak of activity in my logs:

Read the full entry:

https://isc.sans.edu/diary/Increased+Number+of+Configuration+File+Scans/29806/
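As an added example (not code from the diary), a small Python check that parses combined-format web server access logs, counts per-source requests for environment files, and reports any such request that was actually served with a 2xx status; the log lines are constructed, and the ".env.*" suffix variants beyond the plain ".env" named in the diary are an assumption.

```python
import re
from collections import Counter

# Constructed sample access log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2023:06:01:10 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2023:06:01:11 +0000] "GET /api/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2023:06:01:12 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [03/May/2023:06:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [03/May/2023:06:02:30 +0000] "GET /.env?x=1 HTTP/1.1" 200 841 "-" "curl/8.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ".env" anywhere in the path tree; the optional suffix (".bak", ".local", ...)
# is an assumption about common copy/backup names, not taken from the diary.
ENV_FILE_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_env_probes(log_text):
    """Return (Counter of probes per source IP, list of (ip, path) served with 2xx)."""
    counts = Counter()
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if ENV_FILE_RE.search(path):
            counts[rec["ip"]] += 1
            if rec["status"].startswith("2"):  # file was actually served
                exposed.append((rec["ip"], path))
    return counts, exposed


def noisy_sources(counts, threshold=3):
    """Source IPs whose probe count reaches the threshold, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts, exposed = find_env_probes(SAMPLE_LOG)
    print("probes per source:", dict(counts))
    print("served env files:", exposed)
    print("noisy sources:", noisy_sources(counts))
```

A 2xx on an environment file path is the line that matters: a 404 is a scan, a 200 means the file was deployed along with the application.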

Quick IOC Scan With Docker

Published: 2023-04-28

Last Updated: 2023-04-28 10:27:38 UTC

by Xavier Mertens (Version: 1)

When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki, the free version of the Thor scanner. I like this tool because you can scan a computer (processes & files) or a specific directory (only files) for suspicious content. The tool has many interesting YARA rules, but you can always add your own to increase the detection capabilities.

Loki is delivered as a package with an executable for the Windows environment but is being developed in Python. Therefore, why not create a Docker image ready to scan your pieces of evidence?

Read the full entry:

https://isc.sans.edu/diary/Quick+IOC+Scan+With+Docker/29788/

SANS.edu Research Journal: Volume 3

Published: 2023-04-27

Last Updated: 2023-04-27 15:39:04 UTC

by Johannes Ullrich (Version: 1)

One of my privileges as dean of research for the SANS.edu college is the ability to work with some of our graduate students as they complete their research projects. More recently, I have also been lucky to advise many of our undergraduate students as they participate in our Internet Storm Center internship. You may have seen me highlight some of the work done by our students as part of diaries or as part of the daily podcast. At times, I could interview some of our students for some episodes.

Yesterday, SANS.edu released the third volume of our research journal, summarizing the best papers completed by students over the last year. Each student is assigned a member of our research committee to assist them as they conduct the research. Thanks to this research committee, our writing center, and all the other resources assisting our students in creating this fantastic work. To be included in the journal, papers must be graded with an "A."

When selecting research topics, students are asked to investigate solutions to current, relevant problems. Papers not only present the solution but also prove that the solution works. Our students are asked to conduct experiments to test solutions and to show how they apply to the problem they are supposed to address.

In line with our "SANS promise," the research papers, just like any SANS class, should provide you with information you can apply "the next day at work." This year, we are also highlighting some of the work of our undergraduate interns.

The SANS.edu college research journal is available for download here: https://www.sans.edu/cyber-security-research.

Read the full entry:

https://isc.sans.edu/diary/SANSedu+Research+Journal+Volume+3/29784/

Internet Storm Center Entries


VBA Project References (2023.05.02)

https://isc.sans.edu/diary/VBA+Project+References/29800/

"Passive" analysis of a phishing attachment (2023.05.01)

https://isc.sans.edu/diary/Passive+analysis+of+a+phishing+attachment/29798/

Deobfuscating Scripts: When Encodings Help (2023.04.30)

https://isc.sans.edu/diary/Deobfuscating+Scripts+When+Encodings+Help/29792/

Wireshark 4.0.5 Released (2023.04.29)

https://isc.sans.edu/diary/Wireshark+405+Released/29790/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-30839 - PrestaShop prior to 8.0.4 and 1.7.8.9 has a SQL filtering vulnerability allowing BO users to write, update, and delete in the database without specific rights.
Product: PrestaShop e-commerce web application
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30839
NVD References: 
- https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30
- https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822

CVE-2012-5872 - ARC (aka ARC2) through 2011-12-01 allows blind SQL Injection in getTriplePatternSQL in ARC2_StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause.
Product: ARC ARC2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2012-5872
NVD References: https://www.ush.it/2012/11/22/arc-v2011-12-01-multiple-vulnerabilities/

CVE-2023-29268 - TIBCO Spotfire Statistics Services is vulnerable to remote attackers uploading or modifying arbitrary files in the web server directory.
Product: TIBCO Software Inc. TIBCO Spotfire Statistics Services
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29268
NVD References: https://www.tibco.com/services/support/advisories


CVE-2023-30546 - Contiki-NG's Antelope database management system has an off-by-one error in versions 4.8 and prior, allowing for memory access beyond allocated buffer size.
Product: Contiki-NG Antelope database management system
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30546
NVD References: 
- https://github.com/contiki-ng/contiki-ng/pull/2425
- https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-257g-w39m-5jj4


CVE-2023-30846 - Typed-rest-client versions 1.7.3 or lower allow third party authentication data leakage when BasicCredentialHandler, BearerCredentialHandler, or PersonalAccessTokenCredentialHandler are used, which was fixed in version 1.8.0 without workarounds.
Product: typed-rest-client library
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30846
NVD References: 
- https://github.com/microsoft/typed-rest-client/commit/f9ff755631b982ee1303dfc3e3c823d0d31233e8
- https://github.com/microsoft/typed-rest-client/security/advisories/GHSA-558p-m34m-vpmq

CVE-2023-2297 - The Profile Builder - User Profile & User Registration Forms plugin for WordPress allows unauthorized password resets due to insufficient validation on the password reset function.
Product: Profile Builder User Profile & User Registration Forms plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2297
NVD References: 
- https://lana.codes/lanavdb/512e7307-04a5-4d8b-8f79-f75f37784a9f/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2864329%40profile-builder&new=2864329%40profile-builder&sfp_email=&sfph_mail=
- https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e731292a-4f95-46eb-889e-b00d58f3444e?source=cve

CVE-2023-20852 - aEnrich Technology's a+HRD is vulnerable to remote code execution via untrusted data deserialization in its MSMQ interpreter.
Product: aEnrich Technology a+HRD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20852
NVD References: https://www.twcert.org.tw/tw/cp-132-7023-8368b-1.html

CVE-2023-20853 - aEnrich Technology a+HRD allows unauthenticated remote attackers to execute arbitrary system commands via Deserialization of Untrusted Data in its MSMQ asynchronized message process.
Product: aEnrich Technology a+HRD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20853
NVD References: https://www.twcert.org.tw/tw/cp-132-7024-bdefe-1.html

CVE-2023-28697 - Moxa MiiNePort E1 suffers from insufficient access control, allowing unauthenticated remote users to perform arbitrary system operations or disrupt service.
Product: Moxa MiiNePort E1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28697
NVD References: 
- https://cdn-cms.azureedge.net/Moxa/media/PDIM/S100000223/MiiNePort%20E1%20Series_moxa-miineport-e1-series-firmware-v1.9.rom_Software%20Release%20History.pdf
- https://www.twcert.org.tw/tw/cp-132-7021-eb43a-1.html

CVE-2023-28769 - Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 allow remote attackers to execute OS commands or cause DoS via a buffer overflow vulnerability in the library "libclinkc.so" of the web server "zhttpd".
Product: Zyxel DX5401-B0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28769
NVD References: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities

CVE-2023-1778 - GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) have insecure default credentials allowing remote attackers to execute arbitrary commands with administrative privileges via web-based management interface and/or exposed SSH port, which has been fixed by forcing a password change.
Product: GajShield Data Security Firewall
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1778
NVD References: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2023-0119

CVE-2023-30466 - Milesight 4K/H.265 Series NVR models have a weak password reset mechanism, allowing remote attackers to perform account takeover by sending specially crafted http requests on the device.
Product: Milesight 4K/H.265 Series NVR models
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30466
NVD References: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2023-0121

CVE-2023-1968 - Illumina Universal Copy Service v2.x is vulnerable to unauthenticated remote eavesdropping via unrestricted IP address binding.
Product: Illumina Universal Copy Service v2.x
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1968
NVD References: 
- https://support.illumina.com/downloads/illumina-universal-copy-service-1-0.html
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01

CVE-2023-30869 - Easy Digital Downloads plugin allows unauthenticated users to escalate privileges due to improper authentication.
Product: Easy Digital Downloads plugin Easy Digital Downloads
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30869
NVD References: 
- https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve

CVE-2023-1387 - Grafana allows for JWT tokens to be leaked and used for authentication if the 'url_login' configuration option is enabled.
Product: Grafana
CVSS Score: 4.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1387
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8478
NVD References: 
- https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j
- https://grafana.com/security/security-advisories/cve-2023-1387/

CVE-2023-29552 - SLP (RFC 2608) allows an unauthenticated attacker to register arbitrary services, enabling a significant amplification factor in a denial-of-service attack using spoofed UDP traffic.
Product: RFC Service Location Protocol
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29552
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8470
NVD References: 
- https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html
- https://curesec.com/blog/article/CVE-2023-29552-Service-Location-Protocol-Denial-of-Service-Amplification-Attack-212.html
- https://datatracker.ietf.org/doc/html/rfc2608
- https://github.com/curesec/slpload
- https://security.netapp.com/advisory/ntap-20230426-0001/
- https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp
- https://www.cisa.gov/news-events/alerts/2023/04/25/abuse-service-location-protocol-may-lead-dos-attacks
- https://www.suse.com/support/kb/doc/?id=000021051

CVE-2023-28119 - The crewjam/saml go library prior to version 0.4.13 allows an attacker to achieve a reliable crash by sending more than 1MB of data in the HTTP request.
Product: crewjam SAML Go library
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28119
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8478

CVE-2023-27524 - Apache Superset versions up to and including 2.0.1 allow session validation attacks if the default configured SECRET_KEY is not altered according to installation instructions.
Product: Apache Superset
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27524
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8470

CVE-2023-1671 - Sophos Web Appliance older than version 4.3.10.4 is vulnerable to pre-auth command injection allowing arbitrary code execution in the warn-proceed handler.
Product: Sophos Web Appliance
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1671
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8470

The following vulnerability needs a manual review:
CVE-2023-0264 - Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests.
Product: Keycloak OpenID Connect
References:
- https://github.com/advisories/GHSA-9g98-5mj6-f9mv
- https://github.com/keycloak/keycloak/commit/ec8109112e67208c13e13f6d1f8706a5a3ba8d4c
- https://www.mend.io/vulnerability-database/CVE-2023-0264