SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 29
The Consensus Security Vulnerability Alert
Internet Storm Center Entries
JQ: Another Tool We Thought We Knew (2023.07.24)
https://isc.sans.edu/diary/JQ+Another+Tool+We+Thought+We+Knew/30060/
Install & Configure Filebeat on Raspberry Pi ARM64 to Parse DShield Sensor Logs (2023.07.23)
YARA Error Codes (2023.07.22)
https://isc.sans.edu/diary/YARA+Error+Codes/30054/
Shodan's API For The (Recon) Win! (2023.07.21)
https://isc.sans.edu/diary/Shodans+API+For+The+Recon+Win/30050/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-3519 - Unauthenticated remote code execution
CVE-2023-35078 - Ivanti Endpoint Manager Mobile (EPMM) allows remote attackers to bypass authentication and perform unauthorized actions, including accessing personal identifiable information (PII), adding an administrative account, and modifying the configuration.
Product: Ivanti Endpoint Manager Mobile (EPMM) MobileIronCVSS Score: 10.0** KEV since 2023-07-25 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35078ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8588NVD References: - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability- https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078- https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078- https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerabilityCVE-2023-34034 - Spring Security's use of "**" as a pattern in configuration for WebFlux leads to pattern matching mismatch with Spring WebFlux, allowing a security bypass.Product: Spring Security Spring WebFluxCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34034ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8582NVD References: https://spring.io/security/cve-2023-34034CVE-2023-35311 - Microsoft Outlook Security Feature Bypass VulnerabilityProduct: Microsoft OutlookCVSS Score: 8.8** KEV since 2023-07-11 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35311MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311CVE-2023-35189 - Iagona ScrutisWeb versions 2.1.37 and prior allow unauthenticated users to upload malicious payloads and execute remote code.Product: Iagona ScrutisWebCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35189NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03CVE-2023-30153 - Payplug module for PrestaShop versions 3.6.0 to 3.7.1 allows remote attackers to execute arbitrary SQL commands via ajax.php front controller.Product: Payplug PrestaShopCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30153NVD References: - https://addons.prestashop.com/en/payment-card-wallet/8795--payplug-accept-customer-payments-wherever-they-are.html- https://security.friendsofpresta.org/module/2023/07/18/payplug.htmlCVE-2023-21974 - The vulnerability in Oracle Application Express (component: User Account) allows a low privileged attacker with HTTP network access to compromise the Application Express Team Calendar Plugin, potentially resulting in a takeover.Product: Oracle Application Express Team Calendar PluginCVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21974NVD References: https://www.oracle.com/security-alerts/cpujul2023.htmlCVE-2023-21975 - The Application Express Customers Plugin product of Oracle Application Express has a vulnerability that allows a low privileged attacker to compromise the plugin and potentially impact additional products, resulting in a takeover of Application Express Customers Plugin.Product: Oracle Application Express Customers PluginCVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21975NVD References: https://www.oracle.com/security-alerts/cpujul2023.htmlCVE-2023-30799 - MikroTik RouterOS versions 6.49.7 and below have a privilege escalation vulnerability allowing remote attackers to execute arbitrary code by escalating privileges from admin to super-admin on the Winbox or HTTP interface.Product: MikroTik RouterOSCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30799NVD References: - https://github.com/MarginResearch/FOISted- https://vulncheck.com/advisories/mikrotik-foistedCVE-2023-3638 - In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application.Product: GeoVision GV-ADR2701 camerasCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3638NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05CVE-2023-3466 - Reflected Cross-Site Scripting (XSS)Product: Citrix ADC and Citrix GatewayCVSS Score: 8.3NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3466ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8580NVD References: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467CVE-2023-3467 - Privilege Escalation to root administrator (nsroot)Product: Citrix ADC and Citrix Gateway CVSS Score: 8.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3467ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8580NVD References: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467CVE-2023-37289 - InfoDoc Document On-line Submission and Approval System is vulnerable to an unrestricted file upload vulnerability, allowing unauthenticated attackers to upload and execute arbitrary files, enabling them to execute arbitrary commands or disrupt services.Product: InfoDoc Document On-line Submission and Approval SystemCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37289NVD References: https://www.twcert.org.tw/tw/cp-132-7225-cef32-1.htmlCVE-2023-38203 - Adobe ColdFus…
cve-2023-35078 - new-ivanti-epmm-vulnerability
cve-2023-35078-new-ivanti-epmm-vulnerability">https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
CVE-2023-34034 - Spring Security's use of "**" as a pattern in configuration for WebFlux leads to pattern matching mismatch with Spring WebFlux, allowing a security bypass.
CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2023-35189 - Iagona ScrutisWeb versions 2.1.37 and prior allow unauthenticated users to upload malicious payloads and execute remote code.
CVE-2023-30153 - Payplug module for PrestaShop versions 3.6.0 to 3.7.1 allows remote attackers to execute arbitrary SQL commands via ajax.php front controller.
CVE-2023-21974 - The vulnerability in Oracle Application Express (component: User Account) allows a low privileged attacker with HTTP network access to compromise the Application Express Team Calendar Plugin, potentially resulting in a takeover.
CVE-2023-21975 - The Application Express Customers Plugin product of Oracle Application Express has a vulnerability that allows a low privileged attacker to compromise the plugin and potentially impact additional products, resulting in a takeover of Application Express Customers Plugin.
CVE-2023-30799 - MikroTik RouterOS versions 6.49.7 and below have a privilege escalation vulnerability allowing remote attackers to execute arbitrary code by escalating privileges from admin to super-admin on the Winbox or HTTP interface.
CVE-2023-3638 - In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application.
CVE-2023-3466 - Reflected Cross-Site Scripting (XSS)
CVE-2023-3467 - Privilege Escalation to root administrator (nsroot)
CVE-2023-37289 - InfoDoc Document On-line Submission and Approval System is vulnerable to an unrestricted file upload vulnerability, allowing unauthenticated attackers to upload and execute arbitrary files, enabling them to execute arbitrary commands or disrupt services.
CVE-2023-38203 - Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier) can be exploited by an Untrusted Data Deserialization vulnerability, allowing for arbitrary code execution without user interaction.
CVE-2023-37471 - OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses, allowing attackers to impersonate any OpenAM user, including the administrator.
CVE-2023-37292 - HGiga iSherlock 4.5 and HGiga iSherlock 5.5 are vulnerable to OS Command Injection prior to specific versions.
CVE-2023-32478 - Dell PowerStore versions prior to 3.5.0.1 allow high privileged malicious users to disclose sensitive information via insertion into log files.
CVE-2023-35086 - ASUS RT-AX56U V2 & RT-AC86U routers are vulnerable to remote arbitrary code execution and system disruption due to a format string vulnerability in the logmessage_normal function of the do_detwan_cgi module in httpd, caused by directly using input as a format string when calling syslog.
CVE-2023-35087 - ASUS RT-AX56U V2 & RT-AC86U are vulnerable to a format string vulnerability that enables unauthenticated remote attackers to execute arbitrary code or disrupt services.
CVE-2023-37903 - vm2 is vulnerable to remote code execution due to an exploit in the Node.js custom inspect function for versions up to and including 3.9.19, with no available patches or workarounds, necessitating the use of alternative software.
CVE-2022-41793 - Open Babel 3.1.1 and master commit 530dbfa3 allows arbitrary code execution via a specially crafted CSR format title file.
CVE-2022-42885 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution via a specially crafted malformed file due to an uninitialized pointer vulnerability in the GRO format res functionality.
CVE-2022-43467 - Open Babel 3.1.1 and master commit 530dbfa3 allows arbitrary code execution via a specially crafted PQS format coord_file.
CVE-2022-44451 - Open Babel 3.1.1 and master commit 530dbfa3 is vulnerable to an uninitialized pointer issue in its MSI format atom functionality, allowing arbitrary code execution via a specially crafted file.
CVE-2022-46280 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to an uninitialized pointer vulnerability in the PQS format pFormat, allowing arbitrary code execution via a specially crafted file.
CVE-2022-46289 - Open Babel 3.1.1 and master commit 530dbfa3 allows arbitrary code execution through the ORCA format nAtoms functionality when a specially-crafted malformed file is provided, due to multiple out-of-bounds write vulnerabilities, including a wrap-around calculation leading to a small buffer allocation.
CVE-2022-46290 - Open Babel 3.1.1 and master commit 530dbfa3 contain multiple out-of-bounds write vulnerabilities in the ORCA format nAtoms functionality, which allows arbitrary code execution via a specially-crafted malformed file provided by an attacker.
CVE-2022-46291 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to multiple out-of-bounds write vulnerabilities when parsing translationVectors in supported formats, allowing arbitrary code execution via a malicious file, particularly affecting the MSI format.
CVE-2022-46292 - Open Babel 3.1.1 and master commit 530dbfa3 have multiple out-of-bounds write vulnerabilities in their translationVectors parsing functionality, which can allow arbitrary code execution by providing a specially-crafted malformed file, specifically affecting the MOPAC file format in the Unit Cell Translation section.
CVE-2022-46293 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution via specially-crafted malformed MOPAC files.
CVE-2022-46294 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to multiple out-of-bounds write vulnerabilities in translationVectors parsing, allowing arbitrary code execution by exploiting a specially-crafted malformed file, specifically impacting the MOPAC Cartesian file format.
CVE-2022-46295 - Open Babel 3.1.1 and master commit 530dbfa3 contains multiple out-of-bounds write vulnerabilities in the translationVectors parsing functionality, allowing arbitrary code execution via a specially-crafted Gaussian file.
CVE-2023-37917 - KubePi allows any user to become an admin by editing the `isadmin` value in the request, leading to unauthorized administrative control.
CVE-2023-26045 - NodeBB forum software allows arbitrary execution of local javascript files on the disk, due to a path traversal vulnerability combined with a specially crafted payload, in versions 2.5.0 to 2.8.6.
CVE-2023-3046 - Biltay Technology Scienta before 20230630.1953 is vulnerable to SQL Injection.
CVE-2023-35066 - Infodrom Software E-Invoice Approval System before v.20230701 allows SQL Injection.
CVE-2023-35067 - Infodrom Software E-Invoice Approval System before v.20230701 allows reading sensitive strings within an executable due to plaintext storage of a password vulnerability.
CVE-2023-35980 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.
CVE-2023-35981 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.
CVE-2023-35982 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.
CVE-2023-38606 - Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify sensitive kernel state.
Product: Multiple Apple Products
** KEV since 2023-07-26 **
CVE-2023-37450 - Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that can allow an attacker to execute code when processing web content.
Product: Multiple Apple Products
** KEV since 2023-07-13 **
CVE-2023-32409 - Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out of the Web Content sandbox.
Product: Multiple Apple Products
Sponsors
Snyk
*********** Sponsored By SNYK Limited ***********Snyk’s 5th annual State of Open Source Security report is here! Snyk surveyed hundreds of security and development teams to uncover the latest trends with open source security. Check out the full report to see how your organization stacks up against today’s open source security trends and key learnings for the future.
Randori
Tune in on Thursday, July 27 for the FREE Building Red Team Capability Solutions Forum 2023 - How can we empower security leaders and their teams to respond in minutes or even seconds? Hear directly from leaders who are using emerging innovations to close the time gap and inspire confidence as they move from reacting to anticipating. | Register now:
Expel
Join us on Wednesday, August 2 at 1:00pm ET for Focusing on The Right Cybersecurity Priorities - Matt Bromiley will lead the conversation as we dive into how security teams should be utilizing the most popular and common frameworks. | Register now:
Zscaler
Upcoming webcast on Thursday, August 17 at 1:00pm ET | How to Use Zero Trust to Secure Workloads in the Public Cloud - Register for this free virtual webcast to receive first free access to the accompanying whitepaper written by Dave Shackleford. | Register Now: