SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 24ISSUE 04
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527
Published: 2024-01-22
Last Updated: 2024-01-22 15:20:40 UTC
by Johannes Ullrich (Version: 1)
Last week (January 16th), Atlassian released its January 2024 Security Bulletin. Included with the bulletin was a patch for CVE-2023-22527, a remote code execution vulnerability in Confluence Data Center and Confluence Server. Atlassian assigned a CVSS score of 10.0 to the vulnerability. Exploitation does not require authentication.
The update fixed a template injection vulnerability. Similar vulnerabilities have been patched in Atlassian products in the past. Confluence, like most (all?) Atlassian products are written in Java. Java, particularly the Struts framework, uses OGNL (Object-Graph Navigation Language) to represent Java objects. An attacker able to inject an arbitrary OGNL object can execute Java code.
Yesterday, more details regarding the vulnerability were released, including proof of concept code. The proof of concept code was created by reversing the patch Atlassian had released. The blog post highlighted how the URL can be used to execute arbitrary code.
Following the release of this blog post, we saw an increase in exploit attempts in our honeypots. For example...
Read the full entry: https://isc.sans.edu/diary/ScansExploit+Attempts+for+Atlassian+Confluence+RCE+Vulnerability+CVE202322527/30576/
Update on Atlassian Exploit Activity
Published: 2024-01-23
Last Updated: 2024-01-23 16:06:49 UTC
by Johannes Ullrich (Version: 1)
Exploit activity against Atlassian Confluence servers has exploded since we first discussed it yesterday. The combination of a simple-to-exploit vulnerability and a potential set of high-value targets makes this an ideal vulnerability for many attackers.
It is questionable how many high-value targets are vulnerable. Most organizations have migrated to the Atlassian cloud offerings and do not host tools like Confluence on premises.
One of the first IPs we saw exploit the vulnerability was 38.150.12.131. This IP address started with a simple "cat /etc/shadow" style exploit, likely testing exploitability.
Read the full entry: https://isc.sans.edu/diary/Update+on+Atlassian+Exploit+Activity/30582/
More Scans for Ivanti Connect "Secure" VPN. Exploits Public
Published: 2024-01-18
Last Updated: 2024-01-18 13:54:31 UTC
by Johannes Ullrich (Version: 1)
Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth [1]. Rapid7 also does a good job walking you through how Ivanti obfuscates the LUKS key in its appliance. This will make it easier for security researchers to inspect the code, hopefully pointing out additional vulnerabilities to Ivanti in the future. In other words, get ready for more Ivanti exploits, and hopefully patches, this year.
Currently, we do see two specific URLs in our honeypots that match Rapid7's analysis...
Read the full entry: https://isc.sans.edu/diary/More+Scans+for+Ivanti+Connect+Secure+VPN+Exploits+Public/30568/
Internet Storm Center Entries
How Bad User Interfaces Make Security Tools Harmful (2024.01.24)
https://isc.sans.edu/diary/How+Bad+User+Interfaces+Make+Security+Tools+Harmful/30586/
Apple Updates Everything - New 0 Day in WebKit (2024.01.22)
https://isc.sans.edu/diary/Apple+Updates+Everything+New+0+Day+in+WebKit/30578/
macOS Python Script Replacing Wallet Applications with Rogue Apps (2024.01.19)
https://isc.sans.edu/diary/macOS+Python+Script+Replacing+Wallet+Applications+with+Rogue+Apps/30572/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2023-22527 - Confluence Data Center and Server versions prior to the most recent supported versions are susceptible to template injection vulnerability, enabling unauthenticated attackers to achieve remote code execution.
CVE-2024-0204 - Fortra's GoAnywhere MFT prior to 7.4.1 allows unauthorized creation of an admin user via the administration portal, bypassing authentication.
CVE-2023-42916 - Apple iOS, iPadOS, macOS, and Safari WebKit contain an out-of-bounds read vulnerability that may disclose sensitive information when processing web content.
CVE-2023-42917 - Apple iOS, iPadOS, macOS, and Safari WebKit contain a memory corruption vulnerability that leads to code execution when processing web content.
CVE-2024-23222 - tvOS, iOS, iPadOS, macOS Sonoma, iOS, Safari, macOS Ventura, macOS Monterey are vulnerable to a type confusion issue that allows arbitrary code execution via processing maliciously crafted web content, with Apple acknowledging the possibility of exploitation.
CVE-2023-38545 - An out-of-bounds write vulnerability makes cURL overflow a heap based buffer in the SOCKS5 proxy handshake.
CVE-2024-0519 - Chromium:
CVE-2023-6549 - Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service
CVE-2023-6548 - Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.
CVE-2023-46805 - Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with
CVE-2023-46805 - Authentication-Bypass-
CVE-2023-46805-Authentication-Bypass-
CVE-2024-21887 - Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US">https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
CVE-2024-21887 - Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with
CVE-2023-46805 - Authentication-Bypass-
CVE-2023-46805-Authentication-Bypass-
CVE-2024-21887 - Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
CVE-2023-35082 - Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.
CVE-2023-35082 - Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US">https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
CVE-2023-51714 - An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVE-2024-0057 - NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability
CVE-2023-52101 - Component exposure vulnerability in the Wi-Fi module. Successful exploitation of this vulnerability may affect service availability and integrity.
CVE-2023-52103 - Buffer overflow vulnerability in the FLP module. Successful exploitation of this vulnerability may cause out-of-bounds read.
CVE-2023-52106 - The DownloadProviderMain module has a vulnerability in API permission verification. Successful exploitation of this vulnerability may affect integrity and availability.
CVE-2024-0570 - Totolink N350RT 9.3.5u.6265: Improper access controls in the Setting Handler component (/cgi-bin/cstecgi.cgi) allow remote attackers to initiate attacks, necessitating an upgrade to the affected component (VDB-250786).
CVE-2024-0571 - Totolink LR1200GB 9.1.0u.6619_B20230130 is vulnerable to a critical remote stack-based buffer overflow in the function setSmsCfg of the file /cgi-bin/cstecgi.cgi, allowing for potential exploitation by an attacker, with the associated identifier VDB-250787.
CVE-2024-0572 - Totolink LR1200GB 9.1.0u.6619_B20230130 is affected by a critical vulnerability in the function setOpModeCfg of the file /cgi-bin/cstecgi.cgi, leading to a remote stack-based buffer overflow via manipulation of the argument pppoeUser (VDB-250788).
CVE-2024-0573 - Totolink LR1200GB 9.1.0u.6619_B20230130 is vulnerable to a critical stack-based buffer overflow in the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi, allowing for remote code execution.
CVE-2024-0574 - The Totolink LR1200GB 9.1.0u.6619_B20230130 is vulnerable to a critical stack-based buffer overflow in the function setParentalRules of the file /cgi-bin/cstecgi.cgi via the manipulation of the sTime argument, allowing for remote attackers to launch an exploit that has been publicly disclosed and is applicable, as identified by VDB-250790.
CVE-2024-0575 - The Totolink LR1200GB 9.1.0u.6619_B20230130 is vulnerable to a critical stack-based buffer overflow via remote attack.
CVE-2022-1609 - The School Management WordPress plugin before 9.9.7 allows unauthenticated attackers to execute arbitrary PHP code via an obfuscated backdoor.
CVE-2023-0224 - The GiveWP WordPress plugin before 2.24.1 allows unauthenticated attackers to perform SQL Injection attacks due to improper user input sanitization.
CVE-2023-37522 - HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower allows execution of malicious scripts through insecure tags.
CVE-2023-3211 - The WordPress Database Administrator WordPress plugin through 1.0.3 allows for SQL injection due to inadequate sanitization of user inputs in an AJAX action available to unauthenticated users.
CVE-2024-0576 - Totolink LR1200GB 9.1.0u.6619_B20230130 is prone to a critical stack-based buffer overflow vulnerability in the setIpPortFilterRules function of /cgi-bin/cstecgi.cgi, allowing remote attackers to initiate an attack by manipulating the sPort argument, with the exploit already disclosed publicly as VDB-250792 and the vendor not responding to the disclosure.
CVE-2024-0577 - Totolink LR1200GB 9.1.0u.6619_B20230130 is susceptible to a critical stack-based buffer overflow vulnerability (
CVE-2024-0578 - Totolink LR1200GB 9.1.0u.6619_B20230130 is vulnerable to a critical stack-based buffer overflow in the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi, allowing remote attackers to launch an exploit; disclosed with identifier VDB-250794.
CVE-2024-0579 - The Totolink X2000R 1.0.0-B20221212.1452 is vulnerable to command injection through the manipulation of the macstr argument, allowing remote attackers to launch attacks, as identified by VDB-250795.
CVE-2023-37523 - HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower lacks secure tags, enabling an attacker to execute a malicious script on the user's browser.
CVE-2023-52041 - The Totolink X6000R V9.4.0cu.852_B20230719 allows arbitrary code execution through the sub_410118 function of the shttpd program.
CVE-2024-0200 - GitHub Enterprise Server was vulnerable to an unsafe reflection bug, enabling reflection injection and allowing user-controlled methods execution and remote code execution if an actor with the organization owner role was logged into an account on the GHES instance.
CVE-2023-39691 - An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request.
CVE-2023-52042 - An issue discovered in sub_4117F8 function in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the 'lang' parameter.
CVE-2024-0603 - ZhiCms up to 4.0 allows remote attackers to initiate a critical deserialization attack via the mylike argument in app/plug/controller/giftcontroller.php.
CVE-2024-22406 - Shopware's 'name' field in the "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries, requiring users to update to version 6.5.7.4 or install corresponding security measures.
CVE-2021-4434 - The Social Warfare plugin for WordPress up to version 3.5.2 is vulnerable to Remote Code Execution through the 'swp_url' parameter, enabling server code execution by malicious actors.
CVE-2024-0642 - C21 Live Encoder and Live Mosaic product (version 5.3) allows remote attackers to access the application as an administrator user due to inadequate access control and poor credential management.
CVE-2024-0643 - The C21 Live Encoder and Live Mosaic product, version 5.3, allows remote attackers to fully compromise the system through unrestricted uploading of dangerous file types.
CVE-2024-22416 - pyLoad, a free and open-source Download Manager written in pure Python, is vulnerable to Cross-Site Request Forgery (CSRF) attacks allowing unauthenticated users to make any API call via a CSRF attack, which has been fixed in release 0.5.0b3.dev78 and users are recommended to upgrade.
CVE-2023-5806 - Mergen Software Quality Management System before v1.2 allows SQL Injection.
CVE-2024-22317 - IBM App Connect Enterprise versions 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 have a vulnerability that allows remote attackers to obtain sensitive information or cause a denial of service.
CVE-2023-40051 - Progress Application Server (PAS) for OpenEdge versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 allows unintended file uploads through a crafted request, potentially leading to a larger scale attack.
CVE-2024-22212 - Nextcloud Global Site Selector allows unauthorized user authentication due to a flaw in its password verification method, potentially granting attackers access as other users, and can only be mitigated through upgrading to versions 1.4.1, 2.1.2, 2.3.4, or 2.4.5.
CVE-2023-5716 - ASUS Armoury Crate allows remote attackers to access or modify arbitrary files through specific HTTP requests without permission.
CVE-2024-0705 - The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection.
CVE-2023-49657 - Apache Superset before 3.0.3 is vulnerable to stored cross-site scripting (XSS) attacks.
CVE-2024-22203 - Whoogle Search prior to 0.8.4 allows server-side request forgery due to unvalidated user-controlled variables, leading to unauthorized access to internal and external resources on behalf of the server.
CVE-2024-22205 - Whoogle Search versions 0.8.3 and prior allow for server-side request forgery due to unsanitized user input in the `window` endpoint, allowing unauthorized access to internal and external resources, fixed in version 0.8.4.
CVE-2024-23636 - SOFARPC, a Java RPC framework, allows an attack through a gadget chain that overcomes its blacklist mechanism, posing a security risk prior to version 5.12.0.
CVE-2018-15133 - Laravel Deserialization of Untrusted Data Vulnerability
Sponsors
SANS
*********** Sponsored By SANS *********** SANS CTI Summit Solutions Track 2024 kicks off on January 30! Tune in as Ismael Valenzuela and industry leaders dive into cutting-edge CTI case studies and specific examples, while highlighting how the integration of AI technologies can provide unprecedented insights and advantages. | Save your seat:
BreachLock Inc
Automating Vulnerability Management with BreachLock | Tune in on Tue, February 27 with Dave Shackleford - For many security operations teams, it’s time to look at continuous scanning and assessment services to help to discover assets, report on vulnerabilities and risk posture, and help coordinate and comminute these risks across a diverse group of teams and stakeholders. | Register now:
Palo Alto Networks
A SANS Survey: The Future of Network Security Technology | Join Matt Bromiley and invited guest speakers from Palo Alto Networks on February 28 as they dive into spending habits, priorities, and decision-making processes when it comes to security technology. | Register now:
Carbon Black
The results are in for the SANS 2024 Threat Hunting Survey! Join survey authors Josh Lemon and Mathias Fuchs on Wed, March 20 as they reveal the results from this year's survey and take a look at how organizations are changing their proactive hunting activities. Register now to receive the accompanying white paper: