SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 28
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Citrix ADC Vulnerability CVE-2023-3519, 3466 and 3467 - Patch Now!
Published: 2023-07-19
Last Updated: 2023-07-19 16:22:55 UTC
by Rob VandenBrink (Version: 1)
Citrix released details on a new vulnerability on their ADC (Application Delivery Controller) yesterday (18 July 2023), CVE-2023-3519. This is an unauthenticated RCE (remote code execution), which means an attacker can run arbitrary code on your ADC without authentication.
This affects ADC hosts configured in any of the "gateway" roles (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), which commonly face the internet, or as an authentication virtual server (AAA server), which is usually visible only from internal or management subnets.
This issue is especially urgent because malicious activity targeting this is already being seen in the wild, this definitely makes this a "patch now" situation (or as soon as you can schedule it). If your ADC faces the internet and you wait until the weekend, chances are someone else will own your ADC by then!
This fix also resolves a reflected XSS (cross site scripting) issue CVE-2023-3466 and a privilege escallation issue CVE-2023-3467.
Full details can be found here: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
Read the full entry:
https://isc.sans.edu/diary/Citrix+ADC+Vulnerability+CVE20233519+3466+and+3467+Patch+Now/30044/
Exploit Attempts for "Stagil navigation for Jira Menus & Themes" CVE-2023-26255 and CVE-2023-26256
Published: 2023-07-18
Last Updated: 2023-07-18 11:47:48 UTC
by Johannes Ullrich (Version: 1)
Today, I noticed the following URL on our "first seen URLs" page...
We had one report for this URL on March 28th, but nothing since then. Yesterday, the request showed up again and reached our reporting threshold.
All of yesterday's requests appear to come from a single Chinese consumer broadband IP address...
The vulnerability was disclosed in March as one of two vulnerabilities in "Stagil navigation for Jira – Menus & Themes" [1]. The tool is a plugin for Jira to customize the look and feel of Jira. It is distributed via the Atlassian Marketplace.
CVE-2023-26255 and CVE-2023-26256 were both made public at the same time and describe similar directory traversal vulnerabilities. These vulnerabilities allow attackers to retrieve arbitrary files from the server. As you can see in the exploit above, the attacker attempts to download the "/etc/passwd" file. Typically, '/etc/passwd/ is not that interesting. But it is often used to verify a vulnerability. The attacker may later retrieve other files that are more interesting.
Read the full entry:
Internet Storm Center Entries
HAM Radio + Enigma Machine Challenge (2023.07.19)
https://isc.sans.edu/diary/HAM+Radio+Enigma+Machine+Challenge/30042/
Brute-Force ZIP Password Cracking with zipdump.py: FP Fix (2023.07.16)
https://isc.sans.edu/diary/BruteForce+ZIP+Password+Cracking+with+zipdumppy+FP+Fix/30032/
Wireshark 4.0.7 Released (2023.07.15)
https://isc.sans.edu/diary/Wireshark+407+Released/30030/
DShield Honeypot Maintenance and Data Retention (2023.07.13)
https://isc.sans.edu/diary/DShield+Honeypot+Maintenance+and+Data+Retention/30024/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-32046 - Windows MSHTML Platform Elevation of Privilege Vulnerability
CVE-2023-32049 - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2023-36874 - Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability
CVE-2023-32057 - Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-33150 - Microsoft Office Security Feature Bypass Vulnerability
CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerabilities
CVE-2023-26256 - The "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira allows unauthenticated path traversal by modifying the fileName parameter.
CVE-2023-36664 - Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
CVE-2023-33987 - SAP Web Dispatcher versions WEBDISP 7.49-7.90, KERNEL 7.49-7.90, KRNL64NUC 7.49, KRNL64UC 7.49-7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1 allow an unauthenticated attacker to execute a malicious payload, leading to unauthorized information access or server disruption.
CVE-2023-35871 - The SAP Web Dispatcher versions WEBDISP 7.53 to 7.93, KERNEL 7.53 to 7.93, KRNL64UC 7.53, HDB 2.00, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, is vulnerable to memory corruption due to logical errors in memory management, leading to potential information disclosure or system crashes, impacting system integrity and availability.
CVE-2023-29130 - SIMATIC CN 4100 (All versions < V2.5) suffers from improper access controls in configuration files, allowing attackers to escalate privileges and gain admin access for complete device control.
CVE-2023-29131 - SIMATIC CN 4100 (All versions < V2.5) has an incorrect default value in SSH configuration, enabling network isolation bypass for potential attackers.
CVE-2023-34561 - Geometry Dash v2.113 by RobTop Games AB is vulnerable to a buffer overflow in the level parsing code, enabling attackers to execute arbitrary code by supplying a malicious Geometry Dash level.
CVE-2023-2746 - The Rockwell Automation Enhanced HIM software is vulnerable to a CSRF attack due to insufficient protection of its API and incorrect CORS settings, potentially leading to sensitive information disclosure and remote access.
CVE-2023-37656 - WebsiteGuide v0.2 is vulnerable to Remote Command Execution (RCE) via image upload.
CVE-2023-37659 - xalpha v0.11.4 is vulnerable to Remote Command Execution (RCE).
CVE-2023-3617 - SourceCodester Best POS Management System 1.0 is vulnerable to a remote sql injection attack via the 'username' argument in the admin_class.php file of the Login Page component (VDB-233565).
CVE-2023-3619 - SourceCodester AC Repair and Services System 1.0 is vulnerable to a critical remote SQL injection in Master.php?f=save_service, allowing attackers to manipulate the id argument.
Product: AC Repair And Services System Project CVSS Score: 9.8NVD: - https://nvd.nist.gov/vuln/detail/CVE-2023-3619- https://vuldb.com/?ctiid.233573- https://vuldb.com/?id.233573CVE-2023-26861 - PrestaShop vivawallet v.1.7.10 and earlier versions are susceptible to an SQL injection vulnerability, enabling remote attackers to elevate privileges through the vivawallet() module.Product: Vivawallet Viva WalletCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26861NVD References: - https://addons.prestashop.com/fr/paiement/89363-viva-wallet-smart-checkout.html- https://github.com/VivaPayments/API/commit/c1169680508c6e144d3e102ebdb257612e4cd84a- https://security.friendsofpresta.org/modules/2023/07/11/vivawallet.htmlCVE-2023-28001 - Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows unauthorized code execution or command execution through session reuse in the REST API.Product: Fortinet FortiOSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28001NVD References: https://fortiguard.com/psirt/FG-IR-23-028CVE-2023-36825 - Decidim is vulnerable to remote code execution due to a deserialization issue in the `_state` query parameter, fixed in version `14.5.0` and later.Product: No vendor name or product name is mentioned in the given vulnerability description. CVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36825NVD References: - https://github.com/orchidsoftware/platform/releases/tag/14.5.0- https://github.com/orchidsoftware/platform/security/advisories/GHSA-ph6g-p72v-pc3pCVE-2023-24492 - Citrix Secure Access client for Ubuntu is vulnerable to remote code execution through an attacker-crafted link if a user accepts malicious prompts.Product: Citrix Secure AccessCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24492NVD References: https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492CVE-2023-30429 - Apache Pulsar before 2.10.4 and 2.11.0 incorrectly performs authorization, allowing privilege escalation through mTLS authentication with the Pulsar Proxy, particularly if the proxy has a superuser role, by using the proxy's role instead of the client's role.Product: Apache Software Foundation Apache PulsarCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30429NVD References: https://lists.apache.org/thread/v0gcvvxswr830314q4b1kybsfmcf3jf8CVE-2023-3595 - The Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products contain a vulnerability that enables a remote attacker to execute arbitrary code and manipulate data through maliciously crafted CIP messages.Product: Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogixCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3595NVD References: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140010CVE-2023-29300 - Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier), and 2023.0.0.330468 (and earlier) allow arbitrary code execution via a Deserialization of Untrusted Data vulnerability, without user interaction.Product: Adobe ColdFusionCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29300NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb23-40.htmlCVE-2023-3342 - The vulnerability in the User Registration plugin for WordPress allows authenticated attackers to upload arbitrary files and potentially achieve remote code execution due to a hardcoded encryption key and missing file type validation in versions up to, and including, 3.0.2, partially patched in version 3.0.2 and fully patched in version 3.0.2.1.Product: WordPress User Registration pluginCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3342NVD References: - http://packetstormsecurity.com/files/173434/WordPress-User-Registration-3.0.2-Arbitrary-File-Upload.html- https://lana.codes/lanavdb/c0a58dff-7a5b-4cc0-82d6-2255e61d801c/- https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156- https://plugins.trac.wordpress.org/changeset/2933689/user-registration/trunk/includes/functions-ur-core.php- https://www.wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d?source=cveCVE-2023-1547 - Parkmatik before 02.01-a51 is vulnerable to SQL Injection through SOAP Parameter Tampering and Command Line Execution.Product: Elra ParkmatikCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1547NVD References: https://www.usom.gov.tr/bildirim/tr-23-0404CVE-2023-2957 - Lisa Software Florist Site before 3.0 allows SQL Injection.Product: Lisa Software Florist SiteCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2957NVD References: https://www.usom.gov.tr/bildirim/tr-23-0403CVE-2023-23585 - Experion server can be affected by a heap overflow vulnerability leading to denial of service when processing a specially crafted message for a specific configuration operation.Product: Experion Server DoSCVSS S…
CVE-2023-26861 - PrestaShop vivawallet v.1.7.10 and earlier versions are susceptible to an SQL injection vulnerability, enabling remote attackers to elevate privileges through the vivawallet() module.
CVE-2023-28001 - Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows unauthorized code execution or command execution through session reuse in the REST API.
CVE-2023-36825 - Decidim is vulnerable to remote code execution due to a deserialization issue in the `_state` query parameter, fixed in version `14.5.0` and later.
CVE-2023-24492 - Citrix Secure Access client for Ubuntu is vulnerable to remote code execution through an attacker-crafted link if a user accepts malicious prompts.
CVE-2023-30429 - Apache Pulsar before 2.10.4 and 2.11.0 incorrectly performs authorization, allowing privilege escalation through mTLS authentication with the Pulsar Proxy, particularly if the proxy has a superuser role, by using the proxy's role instead of the client's role.
CVE-2023-3595 - The Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products contain a vulnerability that enables a remote attacker to execute arbitrary code and manipulate data through maliciously crafted CIP messages.
CVE-2023-29300 - Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier), and 2023.0.0.330468 (and earlier) allow arbitrary code execution via a Deserialization of Untrusted Data vulnerability, without user interaction.
CVE-2023-3342 - The vulnerability in the User Registration plugin for WordPress allows authenticated attackers to upload arbitrary files and potentially achieve remote code execution due to a hardcoded encryption key and missing file type validation in versions up to, and including, 3.0.2, partially patched in version 3.0.2 and fully patched in version 3.0.2.1.
CVE-2023-1547 - Parkmatik before 02.01-a51 is vulnerable to SQL Injection through SOAP Parameter Tampering and Command Line Execution.
CVE-2023-2957 - Lisa Software Florist Site before 3.0 allows SQL Injection.
CVE-2023-23585 - Experion server can be affected by a heap overflow vulnerability leading to denial of service when processing a specially crafted message for a specific configuration operation.
CVE-2023-24480 - Controller DoS due to stack overflow when decoding a message from the server
CVE-2023-25078 - Server or Console Station DoS vulnerability in a specific configuration operation due to heap overflow from handling a crafted message.
CVE-2023-25178 - Controller may be loaded with malicious firmware which could enable remote code execution
CVE-2023-25770 - Controller DoS may occur due to buffer overflow when an error is generated in response to a specially crafted message.
CVE-2023-2003 - Vision1210 is vulnerable to an embedded malicious code flaw in version 4.3 OS build 5, allowing remote attackers to store and execute base64-encoded malicious code via PCOM protocol.
CVE-2023-35070 - VegaGroup Web Collection before 31197 is vulnerable to SQL Injection.
CVE-2023-37466 - Vm2, an advanced vm/sandbox for Node.js, allows attackers to escape the sandbox and execute arbitrary code through the bypassing of `Promise` handler sanitization, resulting in Remote Code Execution.
CVE-2023-37462 - XWiki Platform is vulnerable to an injection vector through improper escaping in the document `SkinsCode.XWikiSkinsSheet`, allowing for remote code execution and unrestricted read/write access to all wiki contents.
CVE-2023-2507 - CleverTap Cordova Plugin version 2.6.2 allows remote JavaScript code execution through specially constructed deeplinks due to inadequate data validation.
CVE-2023-2963 - Oliva Expertise EKS before 1.2 is vulnerable to SQL Injection.
CVE-2023-3376 - Zekiweb is vulnerable to SQL Injection in versions before 2.
CVE-2023-37265 - CasaOS, an open-source Personal Cloud system, allows unauthenticated attackers to execute arbitrary commands as `root` due to a lack of IP address verification, but this vulnerability was addressed in CasaOS 0.4.4 through improved client IP address detection, so users should upgrade or restrict access to untrusted users.
CVE-2023-37266 - CasaOS, an open-source Personal Cloud system, is vulnerable to unauthenticated attackers who can manipulate JWTs to gain unauthorized access to features and execute commands as `root`, but this issue has been fixed in commit `705bf1f` of CasaOS 0.4.4, therefore users should upgrade to this version or restrict access to untrusted users temporarily.
CVE-2023-3724 - WolfSSL TLS 1.3 client allows eavesdroppers to reconstruct the session master secret key and potentially access or tamper with message contents in the session if it does not receive a PSK or KSE from a malicious server.
CVE-2023-34142 - Hitachi Device Manager before 8.8.5-02 allows interception of sensitive information during cleartext transmission.
CVE-2023-34329 - AMI SPx has an authentication bypass vulnerability in BMC when an attacker spoofs the HTTP header, resulting in potential loss of confidentiality, integrity, and availability.
CVE-2023-35189 - Iagona ScrutisWeb versions 2.1.37 and prior allow unauthenticated users to upload malicious payloads and execute remote code.
CVE-2023-30153 - Payplug module for PrestaShop versions 3.6.0 to 3.7.1 allows remote attackers to execute arbitrary SQL commands via ajax.php front controller.
CVE-2023-21974 - The vulnerability in Oracle Application Express (component: User Account) allows a low privileged attacker with HTTP network access to compromise the Application Express Team Calendar Plugin, potentially resulting in a takeover.
CVE-2023-21975 - The Application Express Customers Plugin product of Oracle Application Express has a vulnerability that allows a low privileged attacker to compromise the plugin and potentially impact additional products, resulting in a takeover of Application Express Customers Plugin.
CVE-2023-26255 - The "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira allows unauthenticated users to traverse and read the file system via a path traversal vulnerability in the snjCustomDesignConfig endpoint.
Sponsors
Vulcan Cyber
*********** Sponsored By Vulcan Cyber ***********How old is your vulnerability prioritization tool? A lot has changed in the decade since vulnerability prioritization technology was first introduced to the market. In 2023, it's crucial for organizations to prioritize risk across all attack surfaces, including the cloud. By leveraging contextual asset and risk data, custom risk scoring, and robust analytics Vulcan Cyber brings the modern, cloud-scale approach to your vulnerability risk management program. Explore Vulcan Cyber:
Dragos
The Dragos public intelligence brief, COSMICENERGY – Not an Immediate Threat, provides an analysis of this latest malware discovery and how it compares to other more concerning threats like CRASHOVERRIDE and Industroyer2. We want to help you break through the hype with actionable defensive recommendations and potential impacts on ICS/OT environments. Download Intelligence Brief:
Randori
Join us on Thursday, July 27 for the FREE Building Red Team Capability Solutions Forum 2023 - Hear directly from leaders who are using emerging innovations to close the time gap and inspire confidence as they move from reacting to anticipating. | Register now:
Expel
Join us on Wednesday, August 2 at 1:00pm ET for Focusing on The Right Cybersecurity Priorities - Matt Bromiley will lead the conversation as we dive into how security teams should be utilizing the most popular and common frameworks. | Register now: