The Consensus Security Vulnerability Alert

September 21, 2023  |  Vol. 23, Num. 37

Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Internet Wide Multi VPN Search From Single /24 Network

Published: 2023-09-18

Last Updated: 2023-09-18 12:54:47 UTC

by Johannes Ullrich (Version: 1)

Brute-forcing passwords for VPN access has become a standard technique for various actors to access corporate networks to exfiltrate data later or deploy ransomware. After identifying the VPN, an attacker may use simple brute forcing, credential stuffing, or social engineering in some very public cases to obtain access.

Today, I noticed in one of my honeypots new "most commonly hit" URLs...

Read the full entry:


Microsoft September 2023 Patch Tuesday

Published: 2023-09-12

Last Updated: 2023-09-12 20:37:17 UTC

by Renato Marinho (Version: 1)

This month we got patches for 66 vulnerabilities. Of these, 5 are critical, and 2 are already being exploited, according to Microsoft.

One of the exploited vulnerabilities is a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802). According to the advisory, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The CVSS for this vulnerability is 6.8.

The second one is a Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761). According to the advisory, the Preview Pane is an attack vector and exploiting this vulnerability could allow the disclosure of NTLM hashes.

Regarding critical vulnerabilities, one of them is a Remote Code Execution (RCE) vulnerability on Internet Connection Sharing (ICS) (CVE-2023-38148). According to the advisory, an unauthorized attacker could exploit this Internet Connection Sharing (ICS) vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) Service. This vulnerability requires no user interaction and no privileges. The CVSS is 8.8 - the highest for this month.

The second highest CVSS this month is associated to a RCE affecting Visual Studio (CVE-2023-36793). To exploit this vulnerability an attacker would have to convince a user to open a maliciously crafted package file in Visual Studio. The CVSS is 7.8.

Read the full entry:


Apple fixes 0-Day Vulnerability in Older Operating Systems

Published: 2023-09-11

Last Updated: 2023-09-11 18:32:28 UTC

by Johannes Ullrich (Version: 1)

This update fixes the ImageIO vulnerability Apple patched for current operating systems last week. Now, Apple follows up with a patch for its older, but still supported, operating system versions.

According to Citizen Lab, this vulnerability is already being exploited. Exploitation took advantage of the ImageIO vulnerability and a vulnerability in the Apple wallet "PassKit" API to send a "Pass" to the victim, including the malicious image. These older operating systems support PassKit, but it needs to be clarified if they are vulnerable to the PassKit issue.

More details: Apple: https://support.apple.com/en-us/HT201222

Citizen Lab: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

Read the full entry:


Internet Storm Center Entries

What's Normal? DNS TTL Values (2023.09.20)


Obfuscated Scans for Older Adobe Experience Manager Vulnerabilities (2023.09.19)


DShield and qemu Sitting in a Tree: L-O-G-G-I-N-G (2023.09.14)


Recent CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.