ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Apple Patches Everything. Releases iOS 17.1, MacOS 14.1 and updates for older versions fixing exploited vulnerability
Published: 2023-10-25
Last Updated: 2023-10-25 19:01:33 UTC
by Johannes Ullrich (Version: 1)
Apple released iOS, iPadOS, macOS, tvOS, and Safari updates today. The iOS/macOS updates go back two "generations". This is particularly important for iOS 15, which now receives a patch for CVE-2023-32434, a vulnerability already exploited against earlier versions of iOS. This is also the only issue addressed for these earlier iOS versions.
Apple does not pre-announce these updates, but it was expected to release this update yesterday to fix compliance issues unrelated to security vulnerabilities.
For Apple's original announcements, see https://support.apple.com/en-us/HT201222
Read the full entry:
How an AppleTV may take down your (#IPv6) network
Published: 2023-10-23
Last Updated: 2023-10-23 17:11:32 UTC
by Johannes Ullrich (Version: 1)
I recently ran into an odd issue with IPv6 connectivity in my home network. During a lengthy outage, I decided to redo some of my network configurations. As part of this change, I also reorganized my IPv6 setup, relying more on DHCPv6 and less on router advertisements to configure IPv6 addresses. Overall, this worked well. My Macs had no issues connecting to IPv6. However, the Linux host I use to alert me of network connectivity issues could not "ping" the test host via IPv6.
Looking at the network configuration, I noticed a unique local address was added to the interface ...
Read the full entry: https://isc.sans.edu/diary/How+an+AppleTV+may+take+down+your+IPv6+network/30336/
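The excerpt above stops at the point where an unexpected unique local address shows up on the Linux host. As an added example (not code from the diary or from its author), the following Python script parses the output of `ip -6 addr show` and flags any unique local address (fc00::/7, RFC 4193) that the operator did not deliberately configure, which is the symptom the diary describes. The sample output is constructed for the example and uses documentation and example prefixes, not addresses from the author's network.

```python
"""Classify the IPv6 addresses on a Linux host and flag unexpected
Unique Local Addresses (ULA, fc00::/7, RFC 4193).

Added example, not code from the ISC diary. The `ip -6 addr show`
output in SAMPLE below is constructed; run parse_ip_addr() on the real
command output to check your own hosts.
"""
import ipaddress
import re

# Well-known IPv6 ranges used for classification.
ULA = ipaddress.ip_network("fc00::/7")          # RFC 4193 unique local
LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # RFC 4291 link-local
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Interface header line, e.g. "2: eth0: <BROADCAST,...> mtu 1500 ..."
IFACE_RE = re.compile(r"^(\d+):\s+([^:]+):")
# Address line, e.g. "    inet6 2001:db8::10/64 scope global dynamic"
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)")


def classify(addr: ipaddress.IPv6Address) -> str:
    """Return which address class a configured IPv6 address belongs to."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"  # loopback, multicast, etc.


def parse_ip_addr(output: str) -> list[dict]:
    """Parse `ip -6 addr show` text into one record per configured address."""
    records = []
    iface = None
    for line in output.splitlines():
        m_if = IFACE_RE.match(line)
        if m_if:
            iface = m_if.group(2)
            continue
        m = INET6_RE.match(line)
        if m and iface:
            addr = ipaddress.IPv6Address(m.group(1))
            records.append({
                "iface": iface,
                "addr": addr,
                "prefixlen": int(m.group(2)),
                "scope": m.group(3),
                "kind": classify(addr),
            })
    return records


def unexpected_ula(records: list[dict], allowed_ula_prefixes=()) -> list[dict]:
    """Return ULA records not covered by a prefix the operator configured on purpose."""
    allowed = [ipaddress.ip_network(p) for p in allowed_ula_prefixes]
    return [
        r for r in records
        if r["kind"] == "ula" and not any(r["addr"] in net for net in allowed)
    ]


# Constructed sample: a host with a global address from 2001:db8::/32
# (documentation prefix) plus a ULA it picked up unexpectedly.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2::10/64 scope global dynamic
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fd00:dead:beef::a1b2/64 scope global dynamic
       valid_lft 1800sec preferred_lft 1800sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    recs = parse_ip_addr(SAMPLE)
    for r in recs:
        print(f"{r['iface']:6} {r['kind']:10} {r['addr']}/{r['prefixlen']} ({r['scope']})")
    for r in unexpected_ula(recs):
        print(f"WARNING: unexpected ULA {r['addr']} on {r['iface']}")
```

Pass the ULA prefixes you actually assigned (via DHCPv6 or RAs) in `allowed_ula_prefixes`; anything else in fc00::/7 is then a candidate for a rogue router advertisement and worth tracing back to the device that announced it.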
VMware Releases Security Patches for Fusion, Workstation and Aria Operations for Logs
Published: 2023-10-20
Last Updated: 2023-10-20 07:53:53 UTC
by Yee Ching Tok (Version: 1)
VMware released advisories VMSA-2023-0021 and VMSA-2023-0022 that have been rated as important. They are as follows:
Important: VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051 (CVSSv3 score 8.1), CVE-2023-34052 (CVSSv3 score 8.1)) [https://www.vmware.com/security/advisories/VMSA-2023-0021.html]
Important: VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044 (CVSSv3 score 7.1), CVE-2023-34045 (CVSSv3 score 6.6), CVE-2023-34046 (CVSSv3 score 6.7)) [https://www.vmware.com/security/advisories/VMSA-2023-0022.html]
Sporadic scans for "server-info.action", possibly looking for Confluence Server and Data Center Vulnerability CVE-2023-22515 (2023.10.25)
base64dump.py Handles More Encodings Than Just BASE64 (2023.10.22)
https://isc.sans.edu/diary/base64dumppy+Handles+More+Encodings+Than+Just+BASE64/30332/
Product: Reciply Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2011-10004
NVD References:
- https://github.com/wp-plugins/reciply/commit/e3ff616dc08d3aadff9253f1085e13f677d0c676
- https://vuldb.com/?ctiid.242189
- https://vuldb.com/?id.242189

CVE-2023-45386 - MyPresta.eu's module extratabspro before version 2.2.8 for PrestaShop allows SQL injection via its search functions.
Product: MyPresta Product Extra Tabs Pro
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45386
NVD References: https://security.friendsofpresta.org/modules/2023/10/12/extratabspro.html

CVE-2023-44693 - D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /importexport.php.
Product: Dlink DAR-7000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44693
NVD References: https://github.com/llixixi/cve/blob/main/D-LINK-DAR-7000_sql_%20importexport.md

CVE-2023-44694 - D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /log/mailrecvview.php.
Product: Dlink DAR-7000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44694
NVD References: https://github.com/llixixi/cve/blob/main/D-LINK-DAR-7000_rce_%20mailrecvview.md

CVE-2023-27133 - TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files, allowing privilege escalation through modification by a different local user.
Product: TSplus Remote Work
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27133
NVD References: https://packetstormsecurity.com/files/174272

CVE-2023-45951 - lylme_spage v1.7.0 was discovered to contain a SQL injection vulnerability via the $userip parameter at function.php.
Product: Lylme Spage
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45951
NVD References: https://github.com/LyLme/lylme_spage/issues/32

CVE-2023-22069 - The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is vulnerable to an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3, IIOP to compromise the server and potentially take over.
Product: Oracle WebLogic Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22069
NVD References: https://www.oracle.com/security-alerts/cpuoct2023.html

CVE-2023-22072 - Oracle WebLogic Server in Oracle Fusion Middleware (Core component) version 12.2.1.3.0 is vulnerable to takeover by an unauthenticated attacker with network access via T3, IIOP, leading to severe impacts on confidentiality, integrity, and availability, with a CVSS 3.1 Base Score of 9.8.
Product: Oracle WebLogic Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22072
NVD References: https://www.oracle.com/security-alerts/cpuoct2023.html

CVE-2023-22089 - The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is vulnerable to an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3, IIOP to compromise the server and potentially take over.
Product: Oracle WebLogic Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22089
NVD References: https://www.oracle.com/security-alerts/cpuoct2023.html

CVE-2023-41630 - eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the Gii code generator component.
Product: eSST Monitoring
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-41630
NVD References: https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2023-41630-eSST-Preauth-RCE.pdf

CVE-2023-35084 - Ivanti Endpoint Manager 2022 su3 and previous versions are vulnerable to unsafe deserialization of user input, allowing remote command execution and unauthorized operations.
Product: Ivanti Endpoint Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35084
NVD References: https://forums.ivanti.com/s/article/SA-2023-08-08-CVE-2023-35084?language=en_US

CVE-2023-46005 - Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_branch.php.
Product: Mayurik Best Courier Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46005
NVD References: https://github.com/zerrr0/Zerrr0_Vulnerability/blob/main/Best%20Courier%20Management%20System%201.0/SQL-Injection-Vulnerability.md

CVE-2023-46006 - Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_user.php.
Product: Mayurik Best Courier Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46006
NVD References: https://github.com/zerrr0/Zerrr0_Vulnerability/blob/main/Best%20Courier%20Management%20System%201.0/SQL-Injection-Vulnerability-2.md

CVE-2023-46007 - Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_staff.php.
Product: Mayurik Best Courier Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46007
NVD References: https://github.co…
*********** Sponsored By SANS ***********
Cyber Solutions Fest 2023 is in full swing! Day two of our largest solutions-focused event of the year kicks off today with our Ransomware Attack Track chaired by Matt Bromiley. Tomorrow, we kick off our Cloud Security Track with Dave Shackleford and Threat Hunting & Intelligence Track with Ismael Valenzuela - and there's still time to register! Join us today for the Ransomware Attack Track and save your seat for tomorrow's tracks. We can't wait to see you:
The bottom line: Risk-centered IGA powered by ML is transforming enterprise security. Join us on Tue, October 31 at 1:00pm ET for our upcoming webcast: Identity Governance and Administration Powered by Risk Context – A Crucial Next Step in Enterprise Security | Register now:
Top Tips for Safeguarding your Business with Mobile App Vetting | Join Domenica Crognale on Wed, November 1 at 1:00pm ET to learn best practices for mobile app vetting to protect your organization. | Register now:
Looking Ahead to the National Cybersecurity Strategy Implementation Plan | Join Matt Bromiley and invited speakers on Wed, November 8 at 1:00pm ET for a better understanding of how organizations can prepare for the NCSIP, released by the White House in March 2023. | Join the conversation: