SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
VOLUME 24ISSUE 06
The Consensus Security Vulnerability Alert
Internet Storm Center Spotlight
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
The Fun and Dangers of Top Level Domains (TLDs)
Published: 2024-01-31
Last Updated: 2024-01-31 16:55:32 UTC
by Johannes Ullrich (Version: 1)
In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, ..int, org, .mil, .net, .org, .edu. In addition, we had .arpa for infrastructure use and various two letter country level domains.
But that initial set of TLDs was insufficient as the internet grew, and we had several additions:
- International Domains (IDN) allow for Punycode-encoded Unicode characters.
- Generic top-level domains, allowing anybody to apply for a TLD of their choice.
- A few special use TLDs like .example, .invalid, .local, .onion and .test
And I am only considering ICANN-sanctioned TLDs. We also have a couple of alternate roots.
ICANN is consistently expanding the gTLDs. But yesterday, I noticed some news about a new interesting TLD that you may want to consider adopting: .internal.
Until now, there has been no "official" TLD for internal use. ".local" is reserved for multicast DNS, and using it internally can lead to odd conflicts if your unicast and multicast DNS processes overlap. Companies have run into issues with "adopting" unused top-level domains if they become official and used. For example, the European router manufacturer AVM used "fritz.box" for the internal admin interface of its popular "FRITZ!Box" line of routers.
First, many of these issues disappear if you use a properly registered domain name. You may, for example, register "example-internal.com" for internal use. For external users, you can configure a wildcard entry directing users to a static placeholder page. It will also be easy to get proper TLS certificates for hosts within the domain, should you need them.
Read the full entry: https://isc.sans.edu/diary/The+Fun+and+Dangers+of+Top+Level+Domains+TLDs/30608/
DShield Sensor Log Collection with Elasticsearch
Published: 2024-02-03
Last Updated: 2024-02-03 15:44:16 UTC
by Guy Bruneau (Version: 1)
This is fork from the original work by Scott Jensen originally published here as guest diary part of the SANS.edu BACS program. This update has a number of new features now available in Github.
The docker compose is custom built to be used with the DShield Honeypot to collect, store, parse sensor logs and display the data in a visual and easy way to search and analyze them for research purposes. The assume the DShield sensor is already installed in a Raspberry using PI Raspbian OS or a system running Ubuntu 20.04 LTS either in your network or in the cloud of your choice.
Suggested Setup of ELK Server Based on Ubuntu
- Ubuntu 20.04 LTS Live Server 64-Bit
- Minimum 8+ GB RAM
- If the amount of RAM assigned to each container (see below) is more than 2GB, consider increasing the server RAM capacity.
- 4-8 Cores
- Minimum 40 GB partition assigned to /var/lib/docker
- Setting Up Docker
The instructions to setup docker and Elasticsearch are listed here ...
The docker package comes setup with the fleet-server and the elastic-agent pre-loaded in docker with 350+ integration for collecting and analyzing data which can be used to add threat intel to ELK, collect netflow data with softflowd or any other logs you want to send to ELK. Docker compose is configured with the following components ...
Read the full entry: https://isc.sans.edu/diary/DShield+Sensor+Log+Collection+with+Elasticsearch/30616/
Internet Storm Center Entries
Computer viruses are celebrating their 40th birthday (well, 54th, really) (2024.02.06)
Public Information and Email Spam (2024.02.05)
https://isc.sans.edu/diary/Public+Information+and+Email+Spam/30620/
What is a "Top Level Domain"? (2024.02.01)
https://isc.sans.edu/diary/What+is+a+Top+Level+Domain/30612/
Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2024-21893 - Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA versions 9.x and 22.x allow attackers to access restricted resources without authentication due to a server-side request forgery vulnerability in the SAML component.
CVE-2024-21888 - Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
CVE-2024-21888 - Ivanti Connect Secure and Ivanti Policy Secure (9.x, 22.x) contain a privilege escalation vulnerability that enables users to gain administrator privileges.
CVE-2024-21888 - Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
CVE-2024-23917 - In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
CVE-2023-51837 - Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.
CVE-2023-51982 - CrateDB 5.5.1's Admin UI component allows authentication bypass by setting a specific X-Real IP request header and accessing the UI directly with default user identity.
CVE-2024-22682 - DuckDB <=0.9.2 and DuckDB extension-template <=0.9.2 are vulnerable to malicious extension injection via the custom extension feature.
CVE-2024-1027 - SourceCodester Facebook News Feed Like 1.0 allows remote attackers to perform unrestricted file uploads via manipulation of the Post Handler component.
CVE-2024-21488 - Network versions before 0.7.0 allow arbitrary command execution through the mac_address_for function due to lack of input sanitization.
CVE-2023-6943 - Mitsubishi Electric Corporation EZSocket versions 3.0 and later, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 all versions, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later, and MX OPC Server DA/UA all versions allow remote unauthenticated attacker to execute malicious code through RPC with path to a malicious library.
CVE-2024-1061 - The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25, is vulnerable to an unauthenticated SQL injection in the 'id' parameter of the 'get_view' function.
CVE-2024-1032 - openBI up to 1.0.8 allows remote attackers to launch a critical deserialization attack via manipulation of the testConnection function in /application/index/controller/Databasesource.php, as disclosed in VDB-252307.
CVE-2024-1034 - openBI up to 1.0.8 allows remote attackers to perform unrestricted upload via manipulation of the uploadFile function in the file /application/index/controller/File.php, with a critical vulnerability assigned the identifier VDB-252309.
CVE-2024-1035 - openBI up to 1.0.8 is vulnerable to a critical unrestricted upload flaw in the function uploadIcon, allowing remote attackers to execute arbitrary code.
CVE-2024-1036 - openBI up to 1.0.8 is vulnerable to unrestricted remote file upload in the function uploadIcon of the Icon Handler component, with the exploit publicly disclosed (VDB-252311).
CVE-2024-1113 - openBI up to 1.0.8 allows for unrestricted remote file upload via manipulation of the "file" argument in the uploadUnity function, as identified by VDB-252471.
CVE-2024-1114 - openBI up to 1.0.8 is vulnerable to a critical improper access control issue in the function dlfile of /application/index/controller/Screen.php, allowing remote attacks due to manipulation of the fileUrl argument (VDB-252472).
CVE-2024-1115 - openBI up to 1.0.8 is vulnerable to critical os command injection via manipulation of the phpPath argument in the dlfile function of Setting.php, enabling remote attackers to initiate the attack.
CVE-2024-1116 - The openBI up to 1.0.8 is vulnerable to remote unrestricted file upload in the function index of the file /application/plugins/controller/Upload.php (VDB-252474).
CVE-2024-1117 - openBI up to 1.0.8 is vulnerable to code injection via manipulation of the fileurl argument in the Screen.php controller, allowing for remote attacks, with a disclosed public exploit (VDB-252475).
CVE-2024-24324 - TOTOLINK A8000RU v7.1cu.643_B20200521 was discovered to contain a hardcoded password for root stored in /etc/shadow.
CVE-2024-24325 through CVE-2024-24333 - TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain multiple command injection vulnerabilities.
CVE-2024-1019 - ModSecurity / libModSecurity 3.0.0 to 3.0.11 is vulnerable to a WAF bypass through specially crafted request URLs containing hidden attack payloads in the path component.
cve-2024-1019 - 2024-01-30
CVE-2023-5389 - Honeywell Experion VirtualUOC and UOC allow file modification, potentially enabling an attacker to execute a malicious application.
CVE-2024-23745 - Notion Web Clipper 1.0.3(7) is vulnerable to the Dirty NIB attack, allowing arbitrary command execution via manipulated .nib files, and Gatekeeper may still allow execution even if the NIB file is modified within the application.
CVE-2024-1012 - Wanhu ezOFFICE 11.1.0 is vulnerable to remote SQL injection via manipulation of the argument recordId in defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp (VDB-252281).
CVE-2023-50356 - AREAL Topkapi Vision (Server) is vulnerable to a man-in-the-middle attack due to improper certificate validation in SSL connections to NOVELL and Synology LDAP server, allowing remote unauthenticated attackers to obtain sensitive information and hinder valid user login.
CVE-2023-6246 - The glibc library is susceptible to a heap-based buffer overflow in the __vsyslog_internal function, allowing for application crashes or local privilege escalation when the openlog function is not called or called with a NULL ident argument and the program name is over 1024 bytes in size.
Product: Fedora Project Fedora 39CVSS Score: 7.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6246ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8834NVD References: - http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html- http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html- http://seclists.org/fulldisclosure/2024/Feb/3- http://seclists.org/fulldisclosure/2024/Feb/5- https://access.redhat.com/security/cve/CVE-2023-6246- https://bugzilla.redhat.com/show_bug.cgi?id=2249053- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/- https://security.gentoo.org/glsa/202402-01- https://www.openwall.com/lists/oss-security/2024/01/30/6CVE-2024-21917 - Rockwell Automation FactoryTalk® Service Platform allows a malicious user to obtain the service token and authenticate on another FTSP directory, potentially retrieving user information and modifying settings without authentication.Product: Rockwell Automation FactoryTalk® Service PlatformCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21917NVD References: https://www.rockwellautomation.com/en-us/support/advisory.SD1660.htmlCVE-2024-23652 - BuildKit is vulnerable to a file removal issue when using RUN --mount, allowing a malicious frontend or Dockerfile to delete files outside the container on the host system.Product: BuildKitCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23652NVD References: - https://github.com/moby/buildkit/pull/4603- https://github.com/moby/buildkit/releases/tag/v0.12.5- https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8CVE-2024-23653 - BuildKit allows users to run containers with elevated privileges, which can be exploited if the `security.insecure` entitlement is enabled and the user is allowed to initialize the build request, but this vulnerability has been fixed in v0.12.5.Product: BuildKitCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23653NVD References: - https://github.com/moby/buildkit/pull/4602- https://github.com/moby/buildkit/releases/tag/v0.12.5- https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2gCVE-2024-23832 - Mastodon allows LDAP configuration for authentication, but insufficient origin validation lets attackers impersonate and take over remote accounts in multiple vulnerable versions.Product: MastodonCVSS Score: 9.4NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23832NVD References: - http://www.openwall.com/lists/oss-security/2024/02/02/4- https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958- https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rwCVE-2024-24561 - Vyper, a pythonic Smart Contract Language for the ethereum virtual machine, is vulnerable to an overflow issue in the bounds check for slices, allowing attackers to perform out-of-bounds (OOB) accesses and corrupt array length.Product: Vyper ethereum virtual machineCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24561 NVD References: - https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457- https://github.com/vyperlang/vyper/issues/3756- https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2cCVE-2024-1039 - Gessler GmbH WEB-MASTER has a vulnerability due to weak hard coded credentials, granting an attacker full control over web management.Product: Gessler GmbH WEB-MASTERCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1039NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01CVE-2023-46706 - Multiple MachineSense devices have credentials unable to be changed by the user or administrator.Product: Multiple MachineSense devicesCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46706NVD References: - https://machinesense.com/pages/about-machinesense- https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01CVE-2023-49617 - The MachineSense application programmable interface (API) allows unauthorized access, enabling retrieval and modification of sensitive information without authentication.Product: MachineSense application programmable interface (API)CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49617NVD References: - https://machinesense.com/pages/about-machinesense- https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01CVE-2024-21764 - Rapid SCADA versions prior to Version 5.8.4 have hard-coded credentials, enabling unauthorized access through a specific port.Product: Rapid Software LLC Rapid SCADACVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21764NVD References: - https://rapidscada.org/contact/- https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03CVE-20…
CVE-2024-21917 - Rockwell Automation FactoryTalk® Service Platform allows a malicious user to obtain the service token and authenticate on another FTSP directory, potentially retrieving user information and modifying settings without authentication.
CVE-2024-23652 - BuildKit is vulnerable to a file removal issue when using RUN --mount, allowing a malicious frontend or Dockerfile to delete files outside the container on the host system.
CVE-2024-23653 - BuildKit allows users to run containers with elevated privileges, which can be exploited if the `security.insecure` entitlement is enabled and the user is allowed to initialize the build request, but this vulnerability has been fixed in v0.12.5.
CVE-2024-23832 - Mastodon allows LDAP configuration for authentication, but insufficient origin validation lets attackers impersonate and take over remote accounts in multiple vulnerable versions.
CVE-2024-24561 - Vyper, a pythonic Smart Contract Language for the ethereum virtual machine, is vulnerable to an overflow issue in the bounds check for slices, allowing attackers to perform out-of-bounds (OOB) accesses and corrupt array length.
CVE-2024-1039 - Gessler GmbH WEB-MASTER has a vulnerability due to weak hard coded credentials, granting an attacker full control over web management.
CVE-2023-46706 - Multiple MachineSense devices have credentials unable to be changed by the user or administrator.
CVE-2023-49617 - The MachineSense application programmable interface (API) allows unauthorized access, enabling retrieval and modification of sensitive information without authentication.
CVE-2024-21764 - Rapid SCADA versions prior to Version 5.8.4 have hard-coded credentials, enabling unauthorized access through a specific port.
CVE-2023-50940 - IBM PowerSC versions 1.3, 2.0, and 2.1 allow attackers to perform privileged actions and access sensitive information due to the lack of domain name restrictions in Cross-Origin Resource Sharing (CORS).
CVE-2024-22319 - IBM Operational Decision Manager versions 8.10.3 to 8.12.0.1 are vulnerable to remote LDAP injection by allowing unsanitized content to be injected into the LDAP filter.
CVE-2024-1143 - Central Dogma versions prior to 0.64.0 allow for Cross-Site Scripting (XSS), leading to leakage of user sessions and authentication bypass.
CVE-2023-47143 - IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, enabling attacks such as cross-site scripting, cache poisoning, and session hijacking.
CVE-2023-6675 - CyberMath before v.1.5 allows unrestricted upload of dangerous file types leading to web shell upload.
CVE-2022-34381 - The Dell BSAFE SSL-J and Crypto-J versions before 7.0 and 6.2.6.1 respectively have an unmaintained third-party component vulnerability that can be exploited by an unauthenticated remote attacker to compromise the system, making it critical to upgrade immediately according to Dell.
CVE-2023-39303 - QNAP operating system versions are vulnerable to improper authentication, allowing users to compromise system security via a network; this has been fixed in QTS 5.1.3.2578 build 20231110 and later, QuTS hero h5.1.3.2578 build 20231110 and later, and QuTScloud c5.1.5.2651 and later.
CVE-2023-45025 - QNAP operating system versions are vulnerable to OS command injection, allowing users to execute commands via a network, but the vulnerability has been patched in specific versions.
CVE-2024-24029 - JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
CVE-2024-1197 - SourceCodester Testimonial Page Manager 1.0 is susceptible to remote SQL injection via the testimony argument in delete-testimonial.php file, allowing attackers to initiate an attack.
CVE-2024-23109 - Fortinet FortiSIEM versions 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 are vulnerable to os command injection flaws allowing unauthorized code execution via crafted API requests.
CVE-2024-0323 - B&R Industrial Automation Automation Runtime (SDM modules) is vulnerable to the use of a broken or risky cryptographic algorithm, allowing an attacker to conduct man-in-the-middle attacks or decrypt communications.
CVE-2023-6933 - The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection, allowing unauthenticated attackers to inject a PHP Object and potentially delete files, retrieve sensitive data, or execute code if a POP chain is present.
CVE-2023-6989 - The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion up to version 18.5.9, allowing unauthenticated attackers to execute arbitrary PHP code on the server.
CVE-2024-0221 - The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress (up to version 1.8.19) allows authenticated administrators, and potentially lower level users, to perform a Directory Traversal vulnerability via the rename_item function, leading to arbitrary file renaming and potential site takeovers.
CVE-2024-0709 - The Cryptocurrency Widgets – Price Ticker & Coins List plugin for WordPress is vulnerable to SQL Injection allowing unauthenticated attackers to extract sensitive information from the database.
CVE-2023-6229 through CVE-2023-6234, CVE-2024-0244 - Multiple buffer overflow vulnerabilities in the Canon Laser Printers and Small Office Multifunctional Printers
CVE-2023-33072 - Memory corruption in Core while processing control functions.
CVE-2024-24592 through CVE-2024-24594 - Multiple vulnerabilities in Allegro AI’s ClearML platform
CVE-2023-4762 - Google Chrome prior to 116.0.5845.179 allows remote attackers to execute arbitrary code through crafted HTML pages due to a type confusion in V8.
Sponsors
Dragos
*********** Sponsored By Dragos, Inc. ***********Exclusive Webinar | 2023 OT Cybersecurity Year in Review Executive Briefing: Join Dragos CEO and SANS Fellow Robert M. Lee on Friday, February 24 @ 10:30 AM ET for a look at the most important OT cybersecurity events that shaped the threat landscape for industrial sectors in 2023. The Dragos OT Cybersecurity Year in Review is a mainstay for ICS asset owners and defenders to stay abreast of cyber threats, vulnerabilities, frontline observations from the previous year, and areas of improvement for safe and reliable operations. Register now:
Palo Alto Networks
Upcoming Webcast on Wednesday, February 28 | The Future of Network Security Technology: A SANS Survey - Join Matt Bromiley as we look at spending habits, priorities, and decision-making processes when it comes to security technology. Register now:
BreachLock Inc
Automating Vulnerability Management with BreachLock | Tune in on Tue, February 27 as Dave Shackleford takes a solutions deep dive with BreachLock’s attack surface management and penetration testing as a service offering. | Register now:
Sysdig
Upcoming Free Virtual Event on Thu, February 29 | SOAR Into 2024: Harness the Power of the 5/5/5 Benchmark for Cloud Detection and Response - Tune in as Dave Shackleford and industry experts show you how to keep your cloud-speed business innovation secure from cloud-speed exploitation. Save your seat today: