SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 44
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Exploit Activity for CVE-2023-22518, Atlassian Confluence Data Center and Server
Published: 2023-11-06
Last Updated: 2023-11-06 13:40:13 UTC
by Johannes Ullrich (Version: 1)
Last week, Atlassian published an advisory for CVE-2023-22518. The vulnerability is a trivial to exploit authentication bypass vulnerability. Atlassian emphasized the importance of the advisory with a quote from its CISO: "There are no reports of active exploitation at this time; customers must take immediate action to protect their instances." On Friday, Atlassian confirmed that attackers are actively exploiting the vulnerability.
The vulnerability is rated with a CVSS score of 9.1. Three different URLs are affected according to the advisory ...
I went back through our data to see how much exploitation we see for these URLs. We started seeing the first attempts on November 2nd (Thursday), just as Atlassian reported seeing these exploits being used against customers.
Read the full entry:
Example of Phishing Campaign Project File
Published: 2023-11-08
Last Updated: 2023-11-08 06:37:08 UTC
by Xavier Mertens (Version: 1)
We all have a love and hate relation with emails. When newcomers on the Internet starts to get emails, they are so happy but their feeling changes quickly. Then, they hope to reduce the flood of emails received daily... Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purpose.
Yesterday, I found on VT an interesting file. It triggered one of my hunting rules because the file contained a reference to one of my customer’s domain. I had a look at the file named “EwoExcel (1)<dot>mmp’ (SHA256:0e016a41b6df3dc7daf076805e3cbb21df1ff33712b615d38ecf066cd25b6e06).
I was not aware of the file extension “.mmp” (it’s not a “.mpp” used by Microsoft Project). But it seems to be a project file.
Read tech full entry:
https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384/
Internet Storm Center Entries
What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR) (2023.11.07)
https://isc.sans.edu/diary/Whats+Normal+New+uses+of+DNS+Discovery+of+Designated+Resolvers+DDR/30380/
Quick Tip For Artificially Inflated PE Files (2023.11.02)
https://isc.sans.edu/diary/Quick+Tip+For+Artificially+Inflated+PE+Files/30370/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-22518 - Confluence Data Center and Server versions are vulnerable, but Atlassian Cloud sites are not affected.
CVE-2023-46604 - Apache ActiveMQ is vulnerable to Remote Code Execution through manipulation of serialized class types in the OpenWire protocol, allowing an attacker to run arbitrary shell commands on the broker.
CVE-2023-27846 - PrestaShop themevolty v.4.0.8 and before allows remote attackers to gain privileges through SQL injection in various components.
CVE-2023-45378 - PrestaBlog (prestablog) version 4.4.7 and before from HDclic for PrestaShop allows for SQL injection through a trivial http call in the script ajax slider_positions.php.
CVE-2023-46356 - CSV Feeds PRO (csvfeeds) before 2.6.1 from Bl Modules for PrestaShop allows guest users to perform SQL injection via a trivial http call to the method `SearchApiCsv::getProducts()`.
CVE-2023-24000 - GamiPress 2.5.7 and lower versions allow SQL Injection.
CVE-2023-46976 - TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.
CVE-2023-46977 - TOTOLINK LR1200GB V9.1.0u.6619_B20230130 was discovered to contain a stack overflow via the password parameter in the function loginAuth.
CVE-2023-46979 - TOTOLINK X6000R V9.4.0cu.852_B20230719 was discovered to contain a command injection vulnerability via the enable parameter in the setLedCfg function.
CVE-2023-40050 - Chef Automate prior to and including version 4.10.29 allows remote code execution when a maliciously crafted profile is uploaded through API or user interface using InSpec check command.
Product: Chef Automate InSpecCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-40050NVD References: - https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050- https://docs.chef.io/automate/profiles/- https://docs.chef.io/release_notes_automate/CVE-2023-46248 - The Cody AI VSCode extension versions 0.10.0 through 0.14.0 allows arbitrary code execution if a user opens a malicious repository with the extension loaded.Product: Cody AI VSCode extension CVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46248NVD References: - https://github.com/sourcegraph/cody/pull/1414- https://github.com/sourcegraph/cody/security/advisories/GHSA-8wmq-fwv7-xmwqCVE-2023-46249 - authentik, an open-source Identity Provider, allows an attacker to set the password of the default admin user without authentication in versions prior to 2023.8.4 and 2023.10.2.Product: authentik Identity ProviderCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46249NVD References: - https://github.com/goauthentik/authentik/commit/261879022d25016d58867cf1f24e90b81ad618d0- https://github.com/goauthentik/authentik/commit/ea75741ec22ecef34bc7073f1163e17a8a2bf9fc- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.10.2- https://github.com/goauthentik/authentik/releases/tag/version%2F2023.8.4- https://github.com/goauthentik/authentik/security/advisories/GHSA-rjvp-29xq-f62wCVE-2023-1715 - Bitrix24 22.0.300 allows XSS bypass through a logic error in mb_strpos() due to HTML tags placed at the beginning of the payload.Product: Bitrix24 22.0.300CVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1715NVD References: https://starlabs.sg/advisories/23/23-1715/CVE-2023-1716 - Bitrix24 22.0.300 allows arbitrary execution of JavaScript code in a victim's browser via a XSS vulnerability in the Invoice Edit Page, potentially leading to execution of PHP code on the server if victim has admin privilege.Product: Bitrix24 22.0.300CVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1716NVD References: https://starlabs.sg/advisories/23/23-1716/CVE-2023-1717 - Bitrix24 22.0.300 is vulnerable to prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js, allowing remote attackers to execute arbitrary JavaScript code in the victim’s browser and potentially execute arbitrary PHP code on the server if the victim has administrator privilege.Product: Bitrix24 22.0.300CVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1717NVD References: https://starlabs.sg/advisories/23/23-1717/CVE-2023-1720 - Bitrix24 22.0.300 lacks a mime type response header, allowing attackers to execute arbitrary JavaScript code in the victim's browser and potentially execute arbitrary PHP code on the server, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile if the victim has administrator privilege.Product: Bitrix24 22.0.300CVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1720NVD References: https://starlabs.sg/advisories/23/23-1720/CVE-2023-20048 - The vulnerable product, Cisco Firepower Management Center (FMC) Software, allows an attacker to execute unauthorized configuration commands on a managed Firepower Threat Defense (FTD) device.Product: Cisco Firepower Management Center (FMC) SoftwareCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20048NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hNCVE-2023-45111 - Online Examination System v1.0 is vulnerable to Unauthenticated SQL Injection due to improper validation of the 'email' parameter in feed.php, allowing unfiltered characters to be sent to the database.Product: Online Examination System v1.0CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45111NVD References: - https://fluidattacks.com/advisories/pires- https://projectworlds.in/CVE-2023-45112 - The Online Examination System v1.0 is susceptible to multiple Unauthenticated SQL Injection vulnerabilities due to inadequate validation of characters in the 'feedback' parameter.Product: Online Examination System v1.0 CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45112NVD References: - https://fluidattacks.com/advisories/pires- https://projectworlds.in/CVE-2023-45113 & CVE-2023-45114 - Online Examination System v1.0 multiple unauthenticated SQL Injection vulnerabilitiesProduct: Online Examination System v1.0CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45113NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45114NVD References: https://fluidattacks.com/advisories/piresNVD References: https://projectworlds.in/CVE-2023-45012 through CVE-2023-45019 - Online Bus Booking System v1.0 multiple unauthenticated SQL injection vulnerabilitiesProduct: Online Bus Booking System v1.0 CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45012NVD: https://nvd.nist.gov/vuln/detail/…
CVE-2023-46248 - The Cody AI VSCode extension versions 0.10.0 through 0.14.0 allows arbitrary code execution if a user opens a malicious repository with the extension loaded.
CVE-2023-46249 - authentik, an open-source Identity Provider, allows an attacker to set the password of the default admin user without authentication in versions prior to 2023.8.4 and 2023.10.2.
CVE-2023-1715 - Bitrix24 22.0.300 allows XSS bypass through a logic error in mb_strpos() due to HTML tags placed at the beginning of the payload.
CVE-2023-1716 - Bitrix24 22.0.300 allows arbitrary execution of JavaScript code in a victim's browser via a XSS vulnerability in the Invoice Edit Page, potentially leading to execution of PHP code on the server if victim has admin privilege.
CVE-2023-1717 - Bitrix24 22.0.300 is vulnerable to prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js, allowing remote attackers to execute arbitrary JavaScript code in the victim’s browser and potentially execute arbitrary PHP code on the server if the victim has administrator privilege.
CVE-2023-1720 - Bitrix24 22.0.300 lacks a mime type response header, allowing attackers to execute arbitrary JavaScript code in the victim's browser and potentially execute arbitrary PHP code on the server, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile if the victim has administrator privilege.
CVE-2023-20048 - The vulnerable product, Cisco Firepower Management Center (FMC) Software, allows an attacker to execute unauthorized configuration commands on a managed Firepower Threat Defense (FTD) device.
CVE-2023-45111 - Online Examination System v1.0 is vulnerable to Unauthenticated SQL Injection due to improper validation of the 'email' parameter in feed.php, allowing unfiltered characters to be sent to the database.
CVE-2023-45112 - The Online Examination System v1.0 is susceptible to multiple Unauthenticated SQL Injection vulnerabilities due to inadequate validation of characters in the 'feedback' parameter.
CVE-2023-45113 & CVE-2023-45114 - Online Examination System v1.0 multiple unauthenticated SQL Injection vulnerabilities
CVE-2023-45012 through CVE-2023-45019 - Online Bus Booking System v1.0 multiple unauthenticated SQL injection vulnerabilities
CVE-2023-42802 - GLPI is vulnerable to an unverified object instantiation leading to the upload of malicious PHP files to unauthorized directories, allowing for potential execution by a web server request; workaround involves removing write access on specific files.
CVE-2023-45323 through CVE-2023-45347 - Online Food Ordering System v1.0 multiple unauthenticated SQL Injection vulnerabilities
CVE-2023-41351 - Chunghwa Telecom NOKIA G-040W-Q allows unauthenticated remote attackers to bypass authentication and gain unauthorized access to perform system operations or disrupt service.
CVE-2023-41355 - Chunghwa Telecom NOKIA G-040W-Q Firewall suffers from an input validation vulnerability in its ICMP redirect message handling, allowing remote unauthorized attackers to disrupt network routing or disclose sensitive information.
CVE-2023-46846 - SQUID is vulnerable to HTTP request smuggling due to lenient chunked decoder, enabling remote attackers to bypass firewall and frontend security systems.
CVE-2023-46847 - Squid is prone to a remote Denial of Service caused by a buffer overflow vulnerability triggered by writing excessive arbitrary data to heap memory during configuration of HTTP Digest Authentication.
CVE-2023-5824 - Squid is vulnerable to Denial of Service attack due to an Improper Handling of Structural Elements bug impacting HTTP and HTTPS clients.
CVE-2023-3277 - The MStore API plugin for WordPress allows unauthenticated attackers to gain unauthorized access and escalate their privileges by exploiting the improper implementation of the Apple login feature in versions up to 4.10.7.
CVE-2023-25960 - Zendrop – Global Dropshipping allows SQL Injection from version n/a through 1.0.0.
CVE-2023-23368 - QNAP operating system versions are vulnerable to OS command injection, allowing users to execute commands via a network.
CVE-2023-23369 - QNAP operating system versions are vulnerable to an OS command injection, enabling remote command execution.
CVE-2023-4699 - Mitsubishi Electric Corporation MELSEC-F and MELSEC iQ-F Series modules allow a remote attacker to reset product memory to default state and cause DoS by sending specific packets.
CVE-2023-45161 - The Network product pack on the 1E Exchange allows for arbitrary code execution with SYSTEM permissions due to improper validation in the 1E-Exchange-URLResponseTime instruction.
CVE-2023-45163 - The 1E-Exchange-CommandLinePing instruction in the 1E Network product pack allows arbitrary code execution with SYSTEM permissions due to lack of input parameter validation.
CVE-2023-5964 - The End-User Interaction product pack's 1E-Exchange-DisplayMessage instruction allows arbitrary code execution with SYSTEM permissions due to improper validation of Caption and Message parameters.
CVE-2023-46731 - XWiki Platform allows remote code execution via an improperly escaped section URL parameter in the administration sections, compromising the confidentiality, integrity, and availability of the system.
CVE-2023-46732 - XWiki platform is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter, allowing an attacker to execute arbitrary actions and compromise the confidentiality, integrity, and availability of the entire installation, but this vulnerability has been patched in XWiki 15.6 RC1, 15.5.1, and 14.10.14.
CVE-2023-46242 - XWiki Platform allows the execution of unauthorized content by any user with programming privileges via a manipulated URL, which has been patched in versions 14.10.7 and 15.2RC1, requiring users to upgrade as there are no workarounds available.
CVE-2023-46243 - XWiki Platform allows execution of arbitrary groovy code by crafting a specific URL, potentially compromising the server.
CVE-2023-46244 - XWiki Platform allows execution of unauthorized scripts leading to potential extraction of XWiki.superadmin privilege.
CVE-2023-5777 - Weintek EasyBuilder Pro exposes the private key to the public, potentially leading to remote control of the crash report server.
CVE-2023-21671 - Memory Corruption in Core during syscall for Sectools Fuse comparison feature.
CVE-2023-22388 - Memory Corruption in Multi-mode Call Processor while processing bit mask API.
CVE-2023-28574 - Memory corruption in core services when Diag handler receives a command to configure event listeners.
CVE-2023-33045 - Memory corruption in WLAN Firmware while parsing a NAN management frame carrying a S3 attribute.
CVE-2023-42659 - WS_FTP Server versions prior to 8.7.6 and 8.8.4 allow authenticated Ad Hoc Transfer users to upload files to the underlying operating system using a crafted API call.
CVE-2023-4295 - A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.
CVE-2023-46253 - Squidex, an open source headless CMS and content management hub, is vulnerable to arbitrary file write leading to remote code execution.
CVE-2023-46676 through CVE-2023-46680 - Online Job Portal v1.0 multiple unauthenticated SQL injection vulnerabilities
CVE-2023-46785 through CVE-2023-46790, CVE-2023-46792 through CVE-2023-46800 - Multiple unauthenticated SQL injection vulnerabilities in The Online Matrimonial Project v1.0
Sponsors
SANS
*********** Sponsored By SANS ***********Zero Trust Solutions Forum 2023 | Join Matt Bromiley and invited speakers tomorrow, November 10, for our final solutions-focused virtual event of the year! Our presenters will cover the key challenges and opportunities in implementing a Zero Trust approach, and share their insights on best practices for securing your digital assets in today's rapidly evolving threat landscape. | Register now to save your seat:
Fortinet, Inc.
Safeguard Your Business-Critical Web Apps and APIs with a WAF | Join Dave Shackleford and Srija Allam from Fortinet on November 14 to discuss Fortinet's latest solution designed to protect applications from web application attacks, API attacks, malicious bots, and much more. | Register now:
ReversingLabs
Software Supply Chain Security: Hunting Hidden Threats Before They Strike | Tune in on November 15 as Dave Shackleford and Jasmine Noel from ReversingLabs dive into the different types of software supply chain attacks, and how to improve existing detective capabilities. | Register now:
Gem Security
How the Cloud Changes SecOps and Incident Response: Lessons from a Real-World Living-Off-The-Cloud Attack | Join us on Wed, November 15 at 3:30pm ET as our guest speakers provide practical and actionable lessons to strengthen cloud detection and response capabilities. | Register now: