Apple Updates Everything
Published: 2023-05-18
Last Updated: 2023-05-18 20:41:33 UTC
by Johannes Ullrich (Version: 1)
Today, Apple released macOS, iOS, iPadOS, tvOS, watchOS, and Safari updates.
Three of the vulnerabilities are already exploited in the wild. Combining the three vulnerabilities, an attacker can gain complete system access as the user visits a malicious website. CVE-2023-32373 allows for arbitrary code execution as WebKit processes malicious content. CVE-2023-32409, in turn, enables breaking out of the web content sandbox, completing the full system compromise. The vulnerabilities are not indicated as "patched" for older versions of macOS, but they are covered in the Safari update, which applies the patch to older versions of macOS.
As usual, Apple's vulnerability descriptions are terse. As promised in a prior diary, I let ChatGPT "guess" the CVSS score for these updates. Let me know if you agree or not. The ratings (moderate/important/critical) are mine. ChatGPT refused to provide a CVSS score for some vulnerabilities based on insufficient information. Let me know if you feel ChatGPT did ok or not (or if it is worthwhile keeping these ChatGPT CVSS scores or not).
Read the full entry:
https://isc.sans.edu/diary/Apple+Updates+Everything/29860/
A Quick Survey of .zip Domains: Your highest risk is running into Rick Astley.
Published: 2023-05-18
Last Updated: 2023-05-18 18:54:29 UTC
by Johannes Ullrich (Version: 1)
A week ago, I wrote about Google starting to offer ".zip" domains and the possible risks associated with this (https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838/). Earlier today, I quickly surveyed registered .zip domains to see what people are doing with them.
I found a total of 2,753 domains with content. Out of these files, I was able to categorize 1,928. The remainder is still a work in progress.
So far, most domains are "Parked" (1,506). This is typical for new domains displaying a registrar default page until the owner configures content. 229 of the domains are showing various errors. I classified 143 domains as harmless, meaning they link to different other pages that, as far as I can tell, do not provide malicious content. Some "harmless" sites appear registered by security companies or individuals either directing to their page or displaying messages warning about the .zip TLD issues. A few of the pages do, for example, direct to individual LinkedIn profiles.
48 domains direct to Rick Astley ("rickrolling") content or similar videos mostly meant to annoy visitors.
Read the full entry:
Help us figure this out: Scans for Apache "Nifi"
Published: 2023-05-23
Last Updated: 2023-05-23 16:45:26 UTC
by Johannes Ullrich (Version: 1)
Please let me know if you have any idea what they are trying to do here :)
I noticed today that our honeypots detected a few scans for Apache "Nifi." Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let's say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.
Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.
Read the full entry:
https://isc.sans.edu/diary/Help+us+figure+this+out+Scans+for+Apache+Nifi/29874/
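The diary above describes a spike in honeypot requests for "/nifi", the default path of the NiFi GUI. The script below is an added example, not code from the ISC diary or the DShield honeypot project, showing how a defender can spot such a spike in ordinary web server logs: it parses combined-format access log lines, counts requests per path per day, flags a day whose count for a path is well above the median of the other days, and lists the source addresses behind the spike. The log lines, the thresholds (`factor`, `min_count`) and the function names are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in Apache/nginx "combined" log format (not real
# honeypot data). 20-22 May show background noise; 23 May shows a burst of
# requests for the default NiFi GUI path from several sources.
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2023:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [20/May/2023:11:14:03 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.5 - - [21/May/2023:09:30:44 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
198.51.100.6 - - [21/May/2023:09:31:02 +0000] "GET /nifi/ HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
203.0.113.12 - - [22/May/2023:03:15:00 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.20 - - [23/May/2023:01:02:03 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.21 - - [23/May/2023:01:05:10 +0000] "GET /nifi?x=1 HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.22 - - [23/May/2023:01:09:44 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
198.51.100.30 - - [23/May/2023:02:11:00 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.31 - - [23/May/2023:02:12:31 +0000] "GET /nifi/ HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.31 - - [23/May/2023:02:12:35 +0000] "GET /nifi-api HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.20 - - [23/May/2023:04:40:07 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.23 - - [23/May/2023:05:00:00 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "curl/7.88.1"
198.51.100.32 - - [23/May/2023:06:30:00 +0000] "GET /nifi HTTP/1.1" 404 153 "-" "python-requests/2.28"
"""

# One combined-format line: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize_path(target):
    """Drop the query string and a trailing slash so /nifi, /nifi/ and /nifi?x=1 count as one path."""
    path = target.split("?", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return path


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        records.append({
            "ip": m.group("ip"),
            "day": ts.date().isoformat(),
            "path": normalize_path(m.group("target")),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return records


def daily_path_counts(records):
    """Return {path: Counter({day: request_count})}."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["path"]][r["day"]] += 1
    return counts


def find_spikes(counts, path, factor=3.0, min_count=5):
    """Days on which `path` was requested at least `min_count` times and at least
    `factor` times the median of the other observed days (baseline 0 if no other days)."""
    days = counts.get(path, Counter())
    spikes = []
    for day, n in sorted(days.items()):
        others = [c for d, c in days.items() if d != day]
        baseline = median(others) if others else 0
        if n >= max(min_count, factor * baseline):
            spikes.append(day)
    return spikes


def top_sources(records, path, day=None, limit=5):
    """Most frequent client addresses requesting `path`, optionally restricted to one day."""
    c = Counter(r["ip"] for r in records
                if r["path"] == path and (day is None or r["day"] == day))
    return c.most_common(limit)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts = daily_path_counts(recs)
    for day in find_spikes(counts, "/nifi"):
        print(f"spike for /nifi on {day}: {counts['/nifi'][day]} requests")
        print("  top sources:", top_sources(recs, "/nifi", day))
```

On the constructed data the only flagged day is 2023-05-23 (8 requests for "/nifi" against a median of 1 on the other days); "/" is never flagged because a single observed day has no baseline and stays below `min_count`. The median rather than the mean is used as the baseline so that one earlier burst does not mask a later one.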
More Data Enrichment for Cowrie Logs (2023.05.24)
https://isc.sans.edu/diary/More+Data+Enrichment+for+Cowrie+Logs/29878/
Probes for recent ABUS Security Camera Vulnerability: Attackers keep an eye on everything. (2023.05.22)
Another Malicious HTA File Analysis - Part 3 (2023.05.21)
https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+3/29678/
Phishing Kit Collecting Victim's IP Address (2023.05.20)
https://isc.sans.edu/diary/Phishing+Kit+Collecting+Victims+IP+Address/29866/
When the Phisher Messes Up With Encoding (2023.05.19)
https://isc.sans.edu/diary/When+the+Phisher+Messes+Up+With+Encoding/29864/
Product: BP Social Connect plugin for WordPress
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2704
NVD References:
- https://plugins.trac.wordpress.org/browser/bp-social-connect/tags/1.5/includes/social/facebook/class.facebook.php#L138
- https://plugins.trac.wordpress.org/browser/bp-social-connect/tags/1.5/includes/social/facebook/class.facebook.php#L188
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2914042%40bp-social-connect%2Ftrunk&old=1904372%40bp-social-connect%2Ftrunk&sfp_email=&sfph_mail=#file6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/44c96df2-530a-4ebe-b722-c606a7b135f9?source=cve

CVE-2023-2276 - WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress allows unauthenticated attackers to change user passwords and potentially take over administrator accounts due to Insecure Direct Object References.
Product: WCFM Membership WooCommerce Memberships
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2276
NVD References:
- https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.10.7/controllers/wcfmvm-controller-memberships-registration.php#L124
- https://plugins.trac.wordpress.org/changeset/2907455/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/42222c64-6492-4774-b5bc-8e62a1a328cf?source=cve

CVE-2023-2712 - The Rental Module developed by a third-party for Ideasoft's E-commerce Platform before 23.05.15 allows Command Injection via Unrestricted Upload of Dangerous Files, leading to the upload of a Web Shell to a Web Server.
Product: Ideasoft Rental Module
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2712
NVD References: https://www.usom.gov.tr/bildirim/tr-23-0276

CVE-2023-33236 - MXsecurity version 1.0 has a hardcoded credential vulnerability that allows for arbitrary JWT tokens to be crafted and authentication to be bypassed for web-based APIs.
Product: MXsecurity version 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33236
NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mxsecurity-command-injection-and-hardcoded-credential-vulnerabilities

CVE-2023-2586 - Teltonika's Remote Management System version 4.14.0 allows unauthorized devices to be registered, which could give attackers 'root' privileges and enable remote code execution.
Product: Teltonika Remote Management System
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2586
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08

CVE-2023-1508 - Adam Retail Automation Systems Mobilmen Terminal Software before 3 allows SQL Injection due to improper neutralization of special elements in an SQL command.
Product: Adam Retail Automation Systems Mobilmen Terminal Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1508
NVD References: https://www.usom.gov.tr/bildirim/tr-23-0284

CVE-2023-33281 - Nissan Sylphy Classic 2021's remote keyfob system is vulnerable to a replay attack due to the use of identical RF signals for each door-open request.
Product: Nissan Sylphy Classic 2021
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33281
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8508
NVD References:
- https://chaos-lab.blogspot.com/2023/05/nissan-sylphy-classic-2021-fixed-code.html
- https://twitter.com/Kevin2600/status/1658059570806415365
- https://www.youtube.com/watch?v=GG1utSdYG1k

CVE-2023-24902 - Win32k Elevation of Privilege Vulnerability
Product: Microsoft Win32k
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24902
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24902

CVE-2023-29340 - AV1 Video Extension Remote Code Execution Vulnerability
Product: Mozilla Firefox
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29340
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29340

CVE-2023-29341 - AV1 Video Extension Remote Code Execution Vulnerability
Product: Mozilla Firefox
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29341
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29341

The following vulnerabilities need a manual review:

CVE-2023-32409 - Apple Multiple Products WebKit Sandbox Escape Vulnerability
CISA KEV: YES
Vendor: Apple Webkit
Product: Multiple Products
Description: Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out of the Web Content sandbox.

CVE-2023-28204 - Apple Multiple Products WebKit Out-of-Bounds Read Vulnerability
CISA KEV: YES
Vendor: Apple Webkit
Product: Multiple Products
Description: Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an out-of-bounds read vulnerability that may disclose sensitive information.

CVE-2023-32373 - Apple Multiple Products WebKit Use-After-Free Vulnerability
CISA KEV: YES
Vendor: A…
*********** Sponsored By SNYK Limited ***********
Are you looking to break down the silos between security and development teams? Download the Security Champions Playbook to learn how to run a developer-focused security champions program. Download now:
Join Chris Crowley and invited speakers for our 2023 SOC Survey event on Tuesday, June 13 at 10:00am EDT. This virtual event will dive into key findings from survey data shared by active SOC managers and analysts and will cover the escalating movement to the cloud, orchestration, and tool changes. | Save your seat:
Upcoming webcast on Tuesday, May 30 at 1:00pm ET, hosted by Matt Bromiley | Using Intelligent Data as a Force Multiplier for Security and IT Ops | Register now:
A new 2023 SANS survey has been released! Take the Network Security in the Hybrid Cloud Era Survey to share your insights about network security and you'll be entered into our drawing for a chance to win a $250 Amazon gift card | Take the survey: