USPS Phishing Scam Targeting iOS Users
Published: 2023-07-30
Last Updated: 2023-07-30 15:33:55 UTC
by Johannes Ullrich (Version: 1)
Phishing scams have frequently arrived as an SMS message (sometimes called "Smishing"). SMS messages are easy and cheap to send, and we have documented how attackers like to scan for exposed credentials for services like Twilio to make it even cheaper.
But today, I received a message on my Apple devices that didn't arrive as a green SMS, but instead as a blue iMessage.
As I always do, I clicked on the link on my Mac. But I was immediately redirected to the legitimate USPS page (usps.com). It didn't matter if I used Safari or Chrome on macOS. So I tried Safari on my iPhone and was directed to the phishing page.
Read the full entry:
https://isc.sans.edu/diary/USPS+Phishing+Scam+Targeting+iOS+Users/30078/
Summary of DNS over HTTPS requests against our honeypots
Published: 2023-08-01
Last Updated: 2023-08-01 14:04:17 UTC
by Johannes Ullrich (Version: 1)
Our honeypots see a lot of DNS over HTTP(s) requests against the "/dns-query" endpoint. This endpoint is used by DNS over HTTPS to receive queries. Queries can use different encodings. You may either see the more readable URL encoding, like "?name=google.com&type=A", or the raw DNS data encoding (a base64-encoded DNS message), like "?dns=mNwBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ".
Decoding the raw queries isn't hard, but note that the padding "=" characters are cut off at the end. Some base64 implementations will refuse to decode data with missing padding.
Our database lists a total of 5,727 different URLs starting with "dns-query". Only 12 of them use the "URL encoded" format...
A few used queries to echodns.xyz to find open resolvers. For DNS over HTTP(s), an attacker would not use an open resolver for denial of service attacks (at least there is no amplification). But they may use it to obtain an anonymous DNS relay. Shadowserver uses these queries to populate their open resolver feed.
The remaining 5,714 queries use DNS encoding. DNS encoding does include a random query ID (not required for DNS over HTTP(s), but still often set). We need to decode the names to find out which unique names are being resolved.
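As an added example (not code from the diary), here is a small decoder for both GET encodings seen on the honeypots: it restores the stripped base64url padding, parses the question section of the raw DNS message, and collapses many logged requests (each with its own random query ID) into the distinct names queried. The sample paths are constructed; the "?dns=" value is the one quoted above.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed sample paths in both encodings; the "?dns=" value is the one quoted in the diary.
SAMPLE_PATHS = [
    "/dns-query?name=google.com&type=A",
    "/dns-query?dns=mNwBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ",
]
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def b64url_decode_unpadded(s):
    """Decode DoH base64url, restoring the '=' padding clients strip (strict decoders reject it)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_dns_question(msg):
    """Return (query_id, qname, qtype) from the first question of a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length, pos = msg[pos], pos + 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, ".".join(labels), qtype


def parse_doh_request(path):
    """Normalise either DoH GET encoding to a (qname, qtype_name) pair."""
    params = parse_qs(urlsplit(path).query)
    if "dns" in params:
        _qid, name, qtype = parse_dns_question(b64url_decode_unpadded(params["dns"][0]))
        return name.lower(), QTYPE_NAMES.get(qtype, str(qtype))
    if "name" in params:
        return params["name"][0].lower(), params.get("type", ["A"])[0].upper()
    raise ValueError("not a DoH query string")


def unique_names(paths):
    """Collapse logged paths (random query IDs and all) into the distinct (name, type) pairs."""
    return sorted({parse_doh_request(p) for p in paths})
```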
Read the full entry:
https://isc.sans.edu/diary/Summary+of+DNS+over+HTTPS+requests+against+our+honeypots/30084/
ShellCode Hidden with Steganography
Published: 2023-07-28
Last Updated: 2023-07-28 07:13:40 UTC
by Xavier Mertens (Version: 1)
When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/red teamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find some cool stuff.
Yesterday, I found a small Python script that injects shellcode into memory but, this time, the payload is hidden in a PNG picture using a well-known technique: steganography. The technique used in the sample is to replace the LSB (least significant bit) of each pixel with a bit of the payload. On the Internet, you can find a lot of free services to hide a text message in a picture (and vice versa), but you can store absolutely any type of data, like, in this case, executable code (the shellcode).
The script (SHA256:465b63b8661f2175d1063bfefdde2f949d366448e34d6e1a4f9853709352d02e) has a VT score of 16/60.
Read the full entry:
https://isc.sans.edu/diary/ShellCode+Hidden+with+Steganography/30074/
Zeek and Defender Endpoint (2023.08.02)
https://isc.sans.edu/diary/Zeek+and+Defender+Endpoint/30088/
Do Attackers Pay More Attention to IPv6? (2023.07.29)
https://isc.sans.edu/diary/Do+Attackers+Pay+More+Attention+to+IPv6/30076/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-35078 - Ivanti Endpoint Manager Mobile (EPMM) allows remote attackers to bypass authentication and perform unauthorized actions, including accessing personal identifiable information (PII), adding an administrative account, and modifying the configuration. [Note: A second vulnerability affecting Ivanti's mobile device management platform was added to the "Manual Review" section at the end of the list. This vulnerability by itself is not serious enough to make our list. It was discovered when investigating compromised Ivanti devices. If you are responding to a compromised device, take into account that an attacker could have used this new vulnerability to obtain persistence.]
Product: Ivanti Endpoint Manager Mobile (EPMM) MobileIron
CVSS Score: 10.0
** KEV since 2023-07-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35078
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8588
NVD References:
- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability
- https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078
- https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078
- https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability

CVE-2023-20891 - VMware Tanzu Application Service for VMs and Isolation Segment log credentials in hex encoding, enabling unauthorized access to admin credentials and potential application tampering.
Product: VMware Tanzu Application Service for VMs and Isolation Segment
CVSS Score: 6.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20891
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8588
NVD References: https://www.vmware.com/security/advisories/VMSA-2023-0016.html

CVE-2023-37450 - iOS, iPadOS, Safari, tvOS, macOS Ventura, and watchOS versions 16.6, 16.5.2, 16.6, 13.5, and 9.6 respectively have fixed a vulnerability that allowed arbitrary code execution when processing web content, which Apple is aware of being actively exploited.
Product: Apple Safari
CVSS Score: 8.8
** KEV since 2023-07-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37450
NVD References:
- https://support.apple.com/en-us/HT213826
- https://support.apple.com/en-us/HT213841
- https://support.apple.com/en-us/HT213843
- https://support.apple.com/en-us/HT213846
- https://support.apple.com/en-us/HT213848

CVE-2023-38606 - macOS, iOS, iPadOS, tvOS, macOS Big Sur, macOS Ventura, watchOS: An app may be able to modify sensitive kernel state, potentially leading to exploitation on older versions of iOS.
Product: Apple iPadOS
CVSS Score: 5.5
** KEV since 2023-07-26 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38606
NVD References:
- https://support.apple.com/en-us/HT213841
- https://support.apple.com/en-us/HT213842
- https://support.apple.com/en-us/HT213843
- https://support.apple.com/en-us/HT213844
- https://support.apple.com/en-us/HT213845
- https://support.apple.com/en-us/HT213846
- https://support.apple.com/en-us/HT213848

CVE-2023-3046 - Biltay Technology Scienta before 20230630.1953 is vulnerable to SQL Injection.
Product: Biltay Scienta
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3046
NVD References: https://www.usom.gov.tr/bildirim/tr-23-0418

CVE-2023-35066 - Infodrom Software E-Invoice Approval System before v.20230701 allows SQL Injection.
Product: Infodrom E-Invoice Approval System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35066
NVD References: https://www.usom.gov.tr/bildirim/tr-23-0419

CVE-2023-35088 - Apache InLong versions 1.4.0 through 1.7.0 are vulnerable to SQL injection attacks due to improper neutralization of special elements in the toAuditCkSql method.
Product: Apache InLong
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35088
NVD References:
- http://seclists.org/fulldisclosure/2023/Jul/43
- http://www.openwall.com/lists/oss-security/2023/07/25/4
- https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk

CVE-2023-35980 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.
Product: Aruba PAPI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35980
NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt

CVE-2023-35981, CVE-2023-35982 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.
Product: Aruba PAPI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35981
NVD: https://nvd.nist.…

https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html

CVE-2023-34798 - An arbitrary file upload vulnerability in eOffice before v9.5 allows attackers to execute arbitrary code via uploading a crafted file.
Product: Weaver E-Office
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34798
NVD References: https://gist.github.com/Zhu013/e5e6e03613704a2a4107cc6456f1e8e2

CVE-2023-37258 - DataEase prior to version 1.18.9 allows SQL injection bypassing blacklists, but this vulnerability has been addressed in v1.18.9 with no known workarounds.
Product: DataEase
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37258
NVD References:
- https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/controller/panel/AppLogController.java#L41
- https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/ExtDataSourceMapper.java
- https://github.com/dataease/dataease/security/advisories/GHSA-r39x-fcc6-47g4

CVE-2023-38669 - Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.
Product: PaddlePaddle
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38669
NVD References: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-001.md

CVE-2023-38671 - PaddlePaddle before 2.5.0 allows a heap buffer overflow in paddle.trace, leading to a range of potential damages, including denial of service and information disclosure.
Product: PaddlePaddle
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38671
NVD References: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-003.md

CVE-2023-38673 - PaddlePaddle before 2.5.0 allows arbitrary command execution due to command injection in fs.py.
Product: PaddlePaddle
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38673
NVD References: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-005.md

CVE-2023-33308 - Fortinet FortiOS versions 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy versions 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 are vulnerable to a stack-based overflow (CWE-124) that enables remote unauthenticated attackers to execute arbitrary code or command through specially crafted packets reaching proxy or firewall policies with proxy mode alongside deep or full packet inspection.
Product: Fortinet FortiProxy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33308
NVD References: https://fortiguard.com/psirt/FG-IR-23-183

CVE-2023-3956 - The InstaWP Connect plugin for WordPress allows unauthenticated attackers to unauthorizedly access, modify, and delete data, including posts, taxonomy, users (including administrators), as well as manipulate plugin activation, customizer settings, due to a missing capability check in versions up to, and including, 0.0.9.18.
Product: InstaWP Connect plugin for WordPress
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3956
NVD References:
- https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103
- https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5
- https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve

CVE-2023-32225 - Sysaid allows a user with administrative privileges to upload a dangerous filetype using an unspecified method.
Product: Sysaid Unrestricted Upload of File
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32225
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2023-32227 - Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials
Product: Synel SYnergy Fingerprint Terminals
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32227
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2023-37214 - Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025.
Product: Heights Telecom ERO1xS-Pro Dual-Band
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37214
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2023-37580 - Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
Product: Zimbra Collaboration
CVSS Score: 0
** KEV since 2023-07-27 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37580
NVD References:
- https://wiki.zimbra.com/wiki/Security_Center
- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

CVE-2023-33493 - PrestaShop through 2.3.0 allows remote attackers to upload dangerous files without restrictions.
Product: PrestaShop Ajaxmanager File and Database explorer
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33493
NVD References: https://security.friendsofpresta.org/module/2023/07/28/ajaxmanager.html

Manual Review Needed:
CVE-2023-35081 - Ivanti En…
https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability