SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 32
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Some things never change ? such as SQL Authentication ?encryption?
Published: 2023-08-10
Last Updated: 2023-08-10 11:26:47 UTC
by Bojan Zdrnja (Version: 1)
Fat client applications running on (usually) Windows are still extremely common in enterprises. When I look at internal penetration tests or red team engagements for any larger enterprise, it is almost 100% guaranteed that one will stumble upon such an application.
These fat client applications have also usually been originally written many, many years ago, when security was maybe not one of the primary requirements. Whenever one encounters such a fat client application, or if this is perhaps part of your penetration test, one of the primary goals is to analyze how the application communicates with the rest of the world (or, usually, other internal systems).
While modern applications that you might encounter will most of the time consume some web services (usually SOAP, but I can see modern RESTful interfaces being consumed more and more), “traditional” fat client applications will most of the time connect directly to a database (again, since we’re looking at Windows environment primarily here, this will be most of the time a Microsoft SQL Server database). Such setup will appear quite simple...
The first step in identifying such an application will usually be to inspect its network traffic. In 99% of cases, this will be trivial to perform by using a tool such as Wireshark. This will allow not only to identify the target MS SQL Server, but also to inspect traffic on the wire. We will be looking for any traffic with destination TCP port set to 1433.
Again, due to the age of such applications, in almost every case I worked on, the data on the wire is most of the time sent in plain text, without any encryption. This is, obviously, very bad as we could easily perform a MitM attack (see more below), but the TDS protocol will, luckily, have one step encrypted: authentication.
Read the full entry:
https://isc.sans.edu/diary/Some+things+never+change+such+as+SQL+Authentication+encryption/30112/
A Gentle Reminder: The Evolving Nature of Digital Scams
Published: 2023-08-16
Last Updated: 2023-08-16 08:45:06 UTC
by Yee Ching Tok (Version: 1)
Considering the global turbulence from destabilizing events such as physical conflicts, freak weather and pandemics, financial wealth has never been more critical for a nation and its citizens so that daily life can continue. Money is needed for daily necessities such as food, medication, appropriate clothing and fuel. When faced with unexpected events such as retrenchment and newly detected health issues, citizens would also have to tap on the monetary buffer that should have been built up during less challenging times. Considering the current state of international affairs and employment prospects, one potential way to disrupt a nation’s peace and stability could be stealing their citizens’ monetary savings via financial scams and fraud.
Unlike conventional cyber-attacks such as phishing, where adversaries target to harvest credentials to gain access to accounts, digital scams aim to bypass the harvesting of credentials but instead attempt to convince the victim to authenticate and part with their assets directly. A multitude of factors could cause this change. For example, end users have gotten savvier about phishing attacks and stopped interacting with such messages that try to masquerade as a well-known entity (e.g. shipping companies/social media sites). Applications could also have implemented additional security controls such as two-factor authentication (2FA), preventing adversaries from directly using credentials to authenticate with the target application. The main issue is that adversaries are likely to employ some means to wire away a victim’s hard-earned money and keep on doing so should these tactics be successful.
Read the full entry:
https://isc.sans.edu/diary/A+Gentle+Reminder+The+Evolving+Nature+of+Digital+Scams/30130/
Internet Storm Center Entries
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-38180 - .NET and Visual Studio Denial of Service Vulnerability
CVE-2023-21709 - Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 - Microsoft Message Queuing Remote Code Execution Vulnerabilities
Product: Microsoft Windows 10CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35385NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36910NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-36911MSFT Details: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35385- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36910- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36911CVE-2023-37483 - SAP PowerDesigner version 16.7 allows unauthenticated attackers to run arbitrary queries against the back-end database via Proxy due to improper access control.Product: Sap PowerdesignerCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37483NVD References: - https://me.sap.com/notes/3341460- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlCVE-2023-37490 - The SAP Business Objects Installer (versions 420, 430) allows an authenticated attacker within the network to compromise the system by overwriting an executable file during installation, leading to complete confidentiality, integrity, and availability compromise.Product: Sap Businessobjects Business IntelligenceCVSS Score: 9.0 NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37490NVD References: - https://me.sap.com/notes/3317710- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlCVE-2023-39439 - SAP Commerce Cloud allows unauthorized login without a passphrase by accepting an empty passphrase for user ID and passphrase authentication.Product: Sap Commerce CloudCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39439NVD References: - https://me.sap.com/notes/3346500- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlCVE-2023-39976 - log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.Product: Clusterlabs LibqbCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39976NVD References: - https://github.com/ClusterLabs/libqb/commit/1bbaa929b77113532785c408dd1b41cd0521ffc8- https://github.com/ClusterLabs/libqb/compare/v2.0.7...v2.0.8- https://github.com/ClusterLabs/libqb/pull/490CVE-2023-3526 - PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT versions prior to 2.07.2 and CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 are vulnerable to unauthenticated remote code execution via reflective XSS in the license viewer page.Product: Phoenixcontact Cloud Client 1101T-TxCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3526NVD References: - http://packetstormsecurity.com/files/174152/Phoenix-Contact-TC-Cloud-TC-Router-2.x-XSS-Memory-Consumption.html- http://seclists.org/fulldisclosure/2023/Aug/12- https://cert.vde.com/en/advisories/VDE-2023-017CVE-2023-3572 - PHOENIX CONTACTs WP 6xxx series web panels prior to 4.0.10 allow remote attackers with low privileges to gain full access utilizing a specific HTTP POST request attribute for date/time operations.Product: Phoenixcontact Pp 6070-WvpsCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3572NVD References: https://cert.vde.com/en/advisories/VDE-2023-018/CVE-2023-3898 - mAyaNet E-Commerce Software before 1.1 is vulnerable to SQL Injection.Product: Mayanets E-CommerceCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3898NVD References: https://www.usom.gov.tr/bildirim/tr-23-0440CVE-2022-40510 - Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.Product: Qualcomm Apq8009CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-40510NVD References: https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletinCVE-2023-28561 - Memory corruption in QESL while processing payload from external ESL device to firmware.Product: Qualcomm Qcn7606CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28561NVD References: https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletinCVE-2023-37372 - RUGGEDCOM CROSSBOW (All versions < V5.4) is susceptible to SQL injection, permitting unauthenticated remote attackers to execute arbitrary SQL queries on the server database.Product: Siemens Ruggedcom CrossbowCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37372NVD References: https://cert-portal.siemens.com/productcert/pdf/ssa-472630.pdfCVE-2023-3717 - Farmakom Remote Administration Console before 1.02 is vulnerable to SQL Injection.Product: Farmakom Remote Administration ConsoleCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3717NVD References: https://www.usom.gov.tr/bildirim/tr-23-0441CVE-2023-37682 - Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-jms/deductScores.php.Product: Judging Management System Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37682NVD References: - https://github.com/rt122001/CVES/blob/main/CVE-2023-37682.txt- https://www.sourcecodester.com/p…
CVE-2023-37483 - SAP PowerDesigner version 16.7 allows unauthenticated attackers to run arbitrary queries against the back-end database via Proxy due to improper access control.
CVE-2023-37490 - The SAP Business Objects Installer (versions 420, 430) allows an authenticated attacker within the network to compromise the system by overwriting an executable file during installation, leading to complete confidentiality, integrity, and availability compromise.
CVE-2023-39439 - SAP Commerce Cloud allows unauthorized login without a passphrase by accepting an empty passphrase for user ID and passphrase authentication.
CVE-2023-39976 - log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.
CVE-2023-3526 - PHOENIX CONTACTs TC ROUTER and TC CLOUD CLIENT versions prior to 2.07.2 and CLOUD CLIENT 1101T-TX/TX prior to 2.06.10 are vulnerable to unauthenticated remote code execution via reflective XSS in the license viewer page.
CVE-2023-3572 - PHOENIX CONTACTs WP 6xxx series web panels prior to 4.0.10 allow remote attackers with low privileges to gain full access utilizing a specific HTTP POST request attribute for date/time operations.
CVE-2023-3898 - mAyaNet E-Commerce Software before 1.1 is vulnerable to SQL Injection.
CVE-2022-40510 - Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.
CVE-2023-28561 - Memory corruption in QESL while processing payload from external ESL device to firmware.
CVE-2023-37372 - RUGGEDCOM CROSSBOW (All versions < V5.4) is susceptible to SQL injection, permitting unauthenticated remote attackers to execute arbitrary SQL queries on the server database.
CVE-2023-3717 - Farmakom Remote Administration Console before 1.02 is vulnerable to SQL Injection.
CVE-2023-37682 - Judging Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php-jms/deductScores.php.
CVE-2023-3716 - Oduyo Online Collection Software before 1.0.1 is vulnerable to SQL Injection.
CVE-2023-3651 - Digital Ant E-Commerce Software before 11 is vulnerable to SQL injection, enabling the injection of malicious SQL commands.
CVE-2023-3386 - The a2 Camera Trap Tracking System before 3.1905 allows SQL Injection.
CVE-2023-3522 - License Portal System before 1.48 is vulnerable to SQL injection allowing improper neutralization of special elements used in an SQL command.
CVE-2023-39532 - SES is vulnerable to a confinement hole that allows guest programs to access the host's dynamic import, potentially leading to information exfiltration or execution of arbitrary code.
CVE-2023-36534 - Zoom Desktop Client for Windows before 5.14.7 allows unauthenticated users to escalate privileges via network access due to path traversal vulnerability.
CVE-2023-39216 - Zoom Desktop Client for Windows before version 5.14.7 allows unauthenticated users to escalate privileges through network access due to improper input validation.
CVE-2023-40041 - The TOTOLINK T10_v2 5.9c.5061_B20200511 router is vulnerable to a stack-based buffer overflow in setWiFiWpsConfig in /lib/cste_modules/wps.so, allowing attackers to control the return address and execute code via crafted data in an MQTT packet through the pin parameter.
CVE-2023-40042 - TOTOLINK T10_v2 5.9c.5061_B20200511 is vulnerable to a stack-based buffer overflow, allowing attackers to control the return address and execute arbitrary code by sending crafted data via an MQTT packet's comment parameter in setStaticDhcpConfig function in /lib/cste_modules/lan.so.
CVE-2023-39213 - The Zoom Desktop and VDI Clients before 5.15.2 allow unauthorized users to escalate privileges via network access.
CVE-2023-26310 - There is a command injection problem in the old version of the mobile phone backup app.
CVE-2023-33934 - Improper Input Validation vulnerability in Apache Software Foundation Apache Traffic Server.This issue affects Apache Traffic Server: through 9.2.1.
CVE-2023-3632 - Kunduz - Homework Helper App before 6.2.3 is vulnerable to Authentication Abuse and Bypass due to the use of a hard-coded cryptographic key.
CVE-2023-34545 - CSZCMS 1.3.0 is vulnerable to SQL injection, enabling remote attackers to execute arbitrary SQL commands through the p parameter or the search URL.
CVE-2023-39969 - uthenticode version 1.0.9 allows attackers to modify code within a binary without changing its Authenticode hash, making it appear valid.
CVE-2023-38997 - OPNsense before 23.7 is vulnerable to directory traversal, enabling attackers to achieve root-level command execution by exploiting the Captive Portal template.
CVE-2023-39001 - OPNsense before 23.7 is vulnerable to command injection, allowing attackers to execute arbitrary commands via a crafted backup configuration file.
CVE-2023-39004 - OPNsense before 23.7 has insecure permissions in its configuration directory (/conf/) allowing access to sensitive information and potential privilege escalation.
CVE-2023-39007 - /ui/cron/item/open in the Cron component of OPNsense before 23.7 allows XSS.
CVE-2023-39008 - A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.
CVE-2023-37068 - Code-Projects Gym Management System V1.0 is vulnerable to remote SQL Injection attacks through the login form, enabling unauthorized access and potential data manipulation.
CVE-2023-37068 - Exploit.md
CVE-2023-37068-Exploit.md">https://github.com/Mr-Secure-Code/My-CVE/blob/main/CVE-2023-37068-Exploit.md
CVE-2023-33241 - Crypto wallets implementing the GG18 or GG20 TSS protocol have a vulnerability that enables an attacker to extract a full ECDSA private key by injecting a malicious pallier key and manipulating the range proof, potentially exfiltrating private key shares of other parties.
CVE-2023-33242 - Crypto wallets implementing the Lindell17 TSS protocol have a vulnerability that could enable an attacker to retrieve the entire ECDSA private key by exfiltrating a single bit in each signature attempt due to failure in handling aborts as assumed by the paper's security proof.
CVE-2023-30699 - Libsimba library prior to SMR Aug-2023 Release 1 allows remote code execution due to an out-of-bounds write vulnerability in the parser_hvcC function.
CVE-2023-26309 - A remote code execution vulnerability in the webview component of OnePlus Mall app.
CVE-2023-26311 - A remote code execution vulnerability in the webview component of OPPO Store app.
CVE-2023-37069 - Code-Projects Online Hospital Management System V1.0 is vulnerable to SQL Injection (SQLI) attacks due to lack of input validation in the login id and password fields, allowing an attacker to manipulate the SQL queries.
CVE-2023-37069 - Exploit.md
CVE-2023-37069-Exploit.md">https://github.com/Mr-Secure-Code/My-CVE/blob/main/CVE-2023-37069-Exploit.md
CVE-2023-39776 - PHPJabbers Ticket Support Script v3.2 is vulnerable to arbitrary code execution due to a file upload vulnerability.
CVE-2023-36311 - There is a SQL injection (SQLi) vulnerability in the "column" parameter of index.php in PHPJabbers Document Creator v1.0.
CVE-2023-32566 - Version 6.4.0 of the vulnerable product allows an attacker to execute a resource-based DoS attack or leak sensitive data.
CVE-2023-32567 - Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.
CVE-2023-32562 - Avalanche versions 6.3.x and below have an unrestricted file upload vulnerability, enabling attackers to execute remote code; fixed in version 6.4.1.
CVE-2023-32563 - An unauthenticated attacker could achieve the code execution through a RemoteControl server.
CVE-2023-32564 - Avalanche versions 6.4.1 and below have an unrestricted file upload vulnerability, enabling attackers to achieve remote code execution.
CVE-2023-32565 - Version 6.4.0 of the vulnerable product allows an attacker to execute a resource-based DoS attack or leak sensitive data.
CVE-2023-39805 - iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php.
CVE-2023-39806 - iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the bakupdata function.
CVE-2023-40256 - Veritas NetBackup Snapshot Manager before 10.2.0.1 allows untrusted clients to interact with the RabbitMQ service, impacting the confidentiality and integrity of backup and restore jobs and potentially causing service unavailability.
CVE-2023-3824 - PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 allow for a stack buffer overflow and potential RCE when reading PHAR directory entries while loading a phar file due to insufficient length checking.
CVE-2023-3452 - The Canto plugin for WordPress is vulnerable to Remote File Inclusion and Local File Inclusion, allowing unauthenticated attackers to execute arbitrary code on the server.
CVE-2023-3259 - The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass, allowing a malicious agent to gain administrator privileges and perform unauthorized actions such as power manipulation, user account modification, and confidential user information extraction.
CVE-2023-3260 - Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection, allowing authenticated malicious agents to execute arbitrary commands on the Linux OS.
CVE-2023-3265 - CyberPower PowerPanel Enterprise allows an authentication bypass, enabling an attacker to login as an administrator with default credentials.
CVE-2023-3266 - CyberPower PowerPanel Enterprise allows an unauthenticated attacker to bypass authentication checks by selecting LDAP authentication and logging in as an administrator with knowledge of at least one username on the device.
CVE-2023-3267 - CyberPower PowerPanel Enterprise server allows authenticated users to execute arbitrary code with system-level access by passing OS commands through the username field when adding a remote backup location.
CVE-2023-40020 - PrivateUploader open source image hosting server allows unauthorized users to continue processing requests without proper verification if they are an administrator or moderator, leading to potential updates/changes, addressed in version 3.2.49.
CVE-2023-32019 - Windows Kernel Information Disclosure Vulnerability
Sponsors
Vulcan Cyber
*********** Sponsored By Vulcan Cyber ***********Attack path modeling for enterprise vulnerability risk prioritization | Next week Vulcan Cyber will demonstrate a new approach to vulnerability risk prioritization via attack path modeling. Attend this webinar to learn how vulnerability management teams can clearly visualize risk impact across cyber attack surfaces using business context, asset dependency, and attacker perspective. Prioritize the most-critical cyber risk to your organization, and orchestrate the most-impactful mitigating actions, with Vulcan Cyber. Register here >>
SANS
Cloud Security Exchange 2023 - TOMORROW, August 18 | Led by SANS Fellow Frank Kim, thousands of cyber professionals from around the globe will learn what’s working and what’s not working in cloud security architecture and cloud threat detection with the titans in cloud security: AWS, Google Cloud & Microsoft Azure - on ONE virtual stage! | Don't miss it, register today:
Corelight, Inc.
Upcoming webcast on Thu, August 24 at 10:30am ET | The Importance of NDR Detection-in-Depth with Matt Bromiley and Corelight's Sr. Director of Product Marketing John Gamble - Register today to receive first free access to the accompanying whitepaper written by Matt Bromiley. | Sign up now:
Oligo Security
Tune in for our upcoming webcast, Navigating the App Sec Alert Overload: Strategies for Effective Application Security Monitoring on Tuesday, August 29 at 10:30am ET | Register Now: