INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
CVE-2023-38545: curl SOCKS5 oversized hostname vulnerability. How bad is it?
Published: 2023-10-11
Last Updated: 2023-10-11 12:29:24 UTC
by Johannes Ullrich (Version: 1)
Last week, Daniel Stenberg announced that he would release a new version of the curl library and command line tool today, fixing a significant vulnerability. Curl is the de-facto standard library to create HTTP requests unless you still use Perl (good old LWP..). A significant vulnerability in curl will affect pretty much anything connecting to a web server. With everything becoming an HTTP-based API, code using curl is probably written faster than ever, and Daniel's work is more important than ever.
Today, we got the promised fix for CVE-2023-38545. So here is a quick overview of how severe it is:
The vulnerability is a heap-based buffer overflow, which may lead to arbitrary code execution. Modern operating systems should make exploitation of heap-based buffer overflows more difficult, but exploitation is possible.
To exploit this vulnerability, the attacker has to be able to supply an oversized hostname to curl. Host names passed to curl should be validated, and I do not believe such an oversized hostname would pass input validation. Sure, an attacker can run "curl" on the command line, but if they can do so, they already have code execution capabilities. A valid exploit would require an attacker to trigger code execution by, for example, passing a hostname to a web app that would trigger the code execution in curl.
Next, the exploit only exists if curl is used to connect to a SOCKS5 proxy. This is another dependency, making exploitation less likely.
Read the full entry: https://isc.sans.edu/diary/CVE202338545+curl+SOCKS5+oversized+hostname+vulnerability+How+bad+is+it/30304/
October 2023 Microsoft Patch Tuesday Summary
Published: 2023-10-10
Last Updated: 2023-10-10 18:03:47 UTC
by Johannes Ullrich (Version: 1)
For October, Microsoft released patches for 105 different vulnerabilities. This count includes one Chromium vulnerability that was patched earlier this month.
There are a total of three already exploited vulnerabilities:
CVE-2023-44487 HTTP/2 Rapid Reset Attack: This vulnerability was disclosed by Cloudflare in a blog post earlier today. Cloudflare started to see these attacks late in August. This issue led to unprecedented DoS attacks. An attacker will set an HTTP/2 stream and immediately "cancel" it with a reset stream. This avoids limits on the number of streams accepted and can lead to CPU exhaustion on the server attempting to clean up the canceled streams. This is not a TCP RST but an application layer (HTTP/2) feature. On the other hand, it does look a bit like a SYN flood attack, maybe? HTTP/2 often appears to re-implement some of the features found in TCP, so it is no surprise to see similar vulnerabilities.
CVE-2023-36563 Wordpad Information Disclosure: Yet another problem with linked resources that may cause the client (Wordpad in this case) to initiate an SMB connection and in the process, automatically pass along weakly hashed credentials. See this blog post for details: https://support.microsoft.com/en-us/topic/kb5032314-how-to-manage-the-ole-object-conversion-vulnerability-in-wordpad-associated-with-cve-2023-36563-98d95ae9-2f9e-4f65-9231-46363c31cf07
CVE-2023-41763: Skype for Business elevation of privileges. This is a vulnerability in the Skype for Business server product. IP addresses and port numbers may be disclosed.
Noteworthy are the nine critical vulnerabilities in the Layer 2 Tunneling protocol and the vulnerabilities in the Microsoft Message Queue (one with a CVSS score of 9.8). These two components received numerous patches for the last couple of months.
Overall, I would rate this patch Tuesday as "average." There are no "outrageously important" vulnerabilities to patch.
Read the full entry: https://isc.sans.edu/diary/October+2023+Microsoft+Patch+Tuesday+Summary/30300/
Apple fixes vulnerabilities in iOS and iPadOS.
Published: 2023-10-04
Last Updated: 2023-10-04 19:53:02 UTC
by Johannes Ullrich (Version: 1)
Apple today released iOS/iPadOS 17.0.3. These updates fix two vulnerabilities. A WebRTC vulnerability that could be used to execute arbitrary code, establishing initial access to the device, and a Kernel vulnerability used to elevate privileges. The privilege escalation vulnerability has been exploited against older versions of iOS. See Apple's page about these vulnerabilities: https://support.apple.com/en-us/HT213961.
Read the full entry: https://isc.sans.edu/diary/Apple+fixes+vulnerabilities+in+iOS+and+iPadOS/30280/