SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 23ISSUE 46
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Pro Russian Attackers Scanning for Sharepoint Servers to Exploit CVE-2023-29357
Published: 2023-11-28
Last Updated: 2023-11-28 12:59:52 UTC
by Johannes Ullrich (Version: 1)
In June, Microsoft released a patch for CVE-2023-29357, a critical privilege escalation vulnerability for Sharepoint. An exploit for this vulnerability was released in late September. Combined with CVE-2023-24955, a remote code execution vulnerability that was patched in May. The first vulnerability bypasses authentication to enable code execution via the second vulnerability.
Earlier today, I noticed the URL for CVE-2023-2023-29357 show up in our "first seen URL" list. This list notes URLs collected by our honeypots that reached certain thresholds for the first time. Our honeypots saw the first exploit attempts on September 30th, but at the time, they did not reach the threshold yet to be considered significant.
Read the full entry:
Scans for ownCloud Vulnerability (CVE-2023-49103)
Published: 2023-11-27
Last Updated: 2023-11-27 14:22:54 UTC
by Johannes Ullrich (Version: 1)
Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys.
As of Sunday, we are seeing individual scans for one of the affected URLs.
Read the full entry:
https://isc.sans.edu/diary/Scans+for+ownCloud+Vulnerability+CVE202349103/30432/
Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]
Published: 2023-11-27
Last Updated: 2023-11-29 02:12:28 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Alex Rodriguez, an ISC intern as part of the SANS.edu BACS program]
Honeypots can be an effective means of discovering the variety of ways hackers target vulnerable systems on the Internet. The first thing you may ask yourself is, “What is a honeypot?” In short, it is a magnificent tool that can be attached to your home router and is designed to lure potential hackers into attacking it by pretending to be a vulnerable system. As part of my internship with the SANS Internet Storm Center, I have had the pleasure of setting up a honeypot and monitoring activity to assist me in identifying some of the trends hackers use to target vulnerable systems.
Monitoring activity on a honeypot usually entailed reviewing logs, which in my case meant combing through JSON-formatted, SSH and Web logs looking for activity that piqued my interest. According to my SSH logs, the honeypot captured 26171 IP addresses, 48548 Source Ports, 13201 Usernames, and 43794 Passwords between July 30, 2023, and October 30, 2023. Listed below are the Top 10 IPs, Ports, Usernames, and Passwords captured during the four-month period.
Read the full entry:
Internet Storm Center Entries
OVA Files (2023.11.25)
https://isc.sans.edu/diary/OVA+Files/30424/
Wireshark 4.2.0 Released (2023.11.25)
https://isc.sans.edu/diary/Wireshark+420+Released/30422/
Happy Birthday DShield (2023.11.24)
https://isc.sans.edu/diary/Happy+Birthday+DShield/30420/
CVE-2023-1389: A New Means to Expand Botnets (2023.11.22)
https://isc.sans.edu/diary/CVE20231389+A+New+Means+to+Expand+Botnets/30418/
Overflowing Web Honeypot Logs (2023.11.20)
https://isc.sans.edu/diary/Overflowing+Web+Honeypot+Logs/30416/
Quasar RAT Delivered Through Updated SharpLoader (2023.11.18)
https://isc.sans.edu/diary/Quasar+RAT+Delivered+Through+Updated+SharpLoader/30414/
Phishing page with trivial anti-analysis features (2023.11.17)
https://isc.sans.edu/diary/Phishing+page+with+trivial+antianalysis+features/30412/
Beyond -n: Optimizing tcpdump performance (2023.11.16)
https://isc.sans.edu/diary/Beyond+n+Optimizing+tcpdump+performance/30408/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-49103 - The ownCloud owncloud/graphapi app before version 0.3.1 exposes sensitive configuration details, including credentials, through a third-party library, posing a security risk.
CVE-2023-49105 - ownCloud before 10.13.1 allows an attacker to access, modify, or delete any file without authentication if the victim's username is known and no signing-key is configured, through acceptance of pre-signed URLs.
CVE-2023-1389 - TP-Link Archer AX21 firmware versions prior to 1.1.4 Build 20230219 have a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint, allowing an attacker to run commands as root.
CVE-2023-36025 - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-29357 - Microsoft SharePoint Server elevation of privilege vulnerability
CVE-2023-48228 - Authentik, an open-source identity provider, prior to versions 2023.10.4 and 2023.8.5, does not properly validate the `code_verifier` during the token step, allowing the acceptance of token requests without it, even when the flow was started with a `code_challenge`.
CVE-2023-48230 - Cap'n Proto versions 1.0 and 1.0.1 have a vulnerability that allows a remote denial-of-service attack by causing a buffer underrun when using KJ HTTP library with WebSocket compression enabled.
CVE-2023-6248 - The Syrus4 IoT gateway allows remote unauthenticated attackers to execute arbitrary code on any connected device and access sensitive data, including location, video, and diagnostic information, through an unsecured MQTT server.
CVE-2023-5047 - DRDrive before 20231006 is vulnerable to SQL Injection.
CVE-2023-2889 - Veon Computer Service Tracking Software through 20231122 allows SQL Injection due to improper neutralization of special elements used in an SQL command.
CVE-2023-2437 - The UserPro plugin for WordPress is vulnerable to authentication bypass allowing unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
CVE-2023-2449 - The UserPro plugin for WordPress is vulnerable to unauthorized password resets.
CVE-2023-28812 - Hikvision Web browser plug-in has a buffer overflow vulnerability that enables attackers to execute arbitrary code or cause process exception by sending crafted messages.
CVE-2023-3377 - Veribilim Software Computer Veribase allows SQL Injection.
CVE-2023-3631 - Medart Notification Panel through 20231123 allows SQL Injection due to improper neutralization of special elements used in an SQL command.
CVE-2023-41807 - Pandora FMS version 700 through 773 allows privilege escalation due to improper privilege management.
CVE-2023-48312 - The vulnerable product, capsule-proxy, is subject to a privilege escalation vulnerability due to a missing check that allows unauthorized access to the upper Kubernetes API Server when running with disabled anonymous authentication.
CVE-2023-41998 - Arcserve UDP prior to 9.2 allows an attacker to upload and execute arbitrary files through a vulnerable interface.
CVE-2023-6329 - Authentication bypass vulnerability in Control iD iDSecure v4.7.32.0
CVE-2023-48188 - PrestaShop opartdevis versions 4.5.18 through 4.6.12 are vulnerable to SQL injection, enabling remote attackers to execute arbitrary code by exploiting a crafted script in the getModuleTranslation function.
CVE-2023-3368 - Chamilo LMS v1.11.20 is vulnerable to command injection in `/main/webservices/additional_webservices.php`, allowing unauthenticated attackers to execute remote code due to improper neutralisation of special characters, bypassing
CVE-2023-3533 - Chamilo LMS <= v1.11.20 allows unauthenticated attackers to execute remote code and perform stored XSS attacks through a path traversal vulnerability in the file upload functionality of `/main/webservices/additional_webservices.php`.
CVE-2023-3545 - Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to obtain remote code execution by uploading a malicious `.htaccess` file.
CVE-2023-6201 - Univera Computer System Panorama before 8.0 allows OS Command Injection.
CVE-2023-46589 - Apache Tomcat is vulnerable to an Improper Input Validation vulnerability that allows request smuggling when behind a reverse proxy, and can be fixed by upgrading to a version starting from 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards, or 8.5.96 onwards.
CVE-2023-47444 - OpenCart versions 4.0.0.0 to 4.0.2.3 allow authenticated backend users to write arbitrary untrusted data, leading to remote code execution.
Sponsors
Palo Alto Networks Cortex
*********** Sponsored By Palo Alto Networks Cortex ***********Join us for the unveiling of Cortex XSIAM 2.0 | Modern threats are moving fast, and staying ahead of the curve is a necessity. Security operations teams are facing numerous challenges daily. Cortex XSIAM significantly enhances the day-to-day SOC management. The new release adds innovative and efficient workflows for security analysts of all levels.
Egnyte
Take Sensitive Data Protection to the Next Level in 2024 | Join Dave Shackleford and Neil Jones from Egnyte on December 5 at 1:00pm ET as they discuss how to protect your mission-critical content without compromising employees’ productivity. | Register now:
Vectra®
AI in XDR: What it Means and Where it Fits | Join Dave Shackleford and Vectra AI's Aaron Turner on December 7 at 1:00pm ET as they discuss the importance signal clarity and the role of AI-driven threat detection and response. | Register now to receive the accompanying white paper:
SANS
SANS Research | In the SANS 2024 Threat Hunting Survey, we are asking organizations about how they approach threat hunting, the barriers to success, and how they measure their efforts. Share your thoughts with us for a chance to win a $400 Amazon gift card: