ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Scanning and abusing the QUIC protocol
Published: 2024-03-06
Last Updated: 2024-03-06 09:43:39 UTC
by Bojan Zdrnja (Version: 1)
The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary.
While QUIC has been around for some time, the official RFC 9000 that defines QUIC v1 was only released in 2021. Of course, our browsers (namely Chrome, as Google was the main power behind QUIC) started supporting and using QUIC a long time ago. Chrome, for example, added support for QUIC back in 2012, while Mozilla Firefox waited until 2021. Today, all browsers not only support QUIC but also use it – A LOT!
For example, if you take a look at your network traffic today to Google, YouTube, Facebook and similar web sites, you will see that it consists almost exclusively of HTTP/3, which runs over QUIC – just open Developer Tools, go to the Network tab, right click on the column headers, add the Protocol column and you will see something like this ...
Read the full entry: https://isc.sans.edu/diary/Scanning+and+abusing+the+QUIC+protocol/30720/
Apple Releases iOS/iPadOS Updates with Zero Day Fixes.
Published: 2024-03-05
Last Updated: 2024-03-05 19:28:28 UTC
by Johannes Ullrich (Version: 1)
Apple today released iOS 17.4 as well as iOS 16.7.6 (and the respective iPadOS versions). These updates fix a total of four vulnerabilities, two of which are already being exploited. CVE-2024-23225 is a privilege escalation issue and affects only iOS 17 and iOS 16. The second already exploited vulnerability, CVE-2024-23296, affects only iOS 17.
We rated the exploited vulnerabilities as "important", not "critical". They appear to only allow for privilege escalation.
Read the full entry: https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716/
[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service.
Published: 2024-02-29
Last Updated: 2024-02-29 01:41:25 UTC
by John Moutos, SANS BACS Student (Version: 1)
[This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
Intro
In the handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared and to capture the attention of several members, myself included. In this case, what appeared to be a routine phishing PDF led to the delivery of a much more suspicious MSI, signed with a valid code signing certificate and with a surprisingly low signature-based detection rate on VirusTotal (at the time of analysis), owing to its use of several layered stages.
Context
Modern malware using multiple layers of abstraction to avoid detection or response is not a new concept. As a result of this continuous effort, automated malware triage systems and sandboxes have become crucial for responding to new or heavily protected samples where static analysis methods have failed or heuristic checks have come back clean. Attackers are wise to this, and often use legitimate file formats outside of the PE family, or protect their final-stage payload with multiple layers, to avoid being detected through static analysis and subsequently profiled through dynamic analysis or with the aid of a sandbox / automated triage system.
Analysis
The following sample not only fit the profile described above, but also took advantage of a presumably stolen or fraudulent code signing certificate to pass reputation checks.
At a first glance, the downloaded PDF appears normal and is of fairly small size ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/
Why Your Firewall Will Kill You (2024.03.05)
https://isc.sans.edu/diary/Why+Your+Firewall+Will+Kill+You/30714/
Capturing DShield Packets with a LAN Tap [Guest Diary] (2024.03.03)
https://isc.sans.edu/diary/Capturing+DShield+Packets+with+a+LAN+Tap+Guest+Diary/30708/
Scanning for Confluence CVE-2022-26134 (2024.03.01)
https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704/
Exploit Attempts for Unknown Password Reset Vulnerability (2024.02.28)
https://isc.sans.edu/diary/Exploit+Attempts+for+Unknown+Password+Reset+Vulnerability/30698/
Product: Joel Starnes postMash
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25927
NVD References: https://patchstack.com/database/vulnerability/postmash/wordpress-postmash-custom-post-order-plugin-1-2-0-sql-injection-vulnerability?_s_id=cve

CVE-2024-23328 - DataEase is vulnerable to a deserialization flaw in its Mysql.java file, allowing for arbitrary code execution and file reading without proper input validation; fixed in versions 1.18.15 and 2.3.0.
Product: DataEase
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23328
NVD References:
- https://github.com/dataease/dataease/commit/4128adf5fc4592b55fa1722a53b178967545d46a
- https://github.com/dataease/dataease/commit/bb540e6dc83df106ac3253f331066129a7487d1a
- https://github.com/dataease/dataease/security/advisories/GHSA-8x8q-p622-jf25

CVE-2024-25128 - Flask-AppBuilder is vulnerable to an AUTH_TYPE AUTH_OID exploit, allowing attackers to forge HTTP requests and potentially gain unauthorized privileged access through a custom OpenID service.
Product: Flask-AppBuilder
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25128
NVD References:
- https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8
- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj

CVE-2023-6090 - Mollie Payments for WooCommerce allows unrestricted uploading of files with dangerous types, exposing versions from n/a through 7.3.11 to potential security risks.
Product: WooCommerce Mollie Payments
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6090
NVD References: https://patchstack.com/database/vulnerability/mollie-payments-for-woocommerce/wordpress-mollie-payments-for-woocommerce-plugin-7-3-11-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-1981 - The WPvivid plugin for WordPress is vulnerable to SQL Injection through the 'table_prefix' parameter in version 0.9.68.
Product: WPvivid Migration, Backup, Staging
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1981
NVD References:
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpvivid-backuprestore%2Ftrunk&old=2667839&new_path=%2Fwpvivid-backuprestore%2Ftrunk&new=2667839
- https://research.hisolutions.com/2024/01/multiple-vulnerabilities-in-wordpress-plugin-wpvivid-backup-and-migration/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ef8bfb38-4f20-4f9f-bb30-a88f3be2d2d3?source=cve

CVE-2024-1624 - 3DEXPERIENCE, SIMULIA Abaqus, SIMULIA Isight, and CATIA Composer are vulnerable to OS Command Injection via specially crafted HTTP requests, allowing arbitrary command execution.
Product: Dassault Systemes 3DEXPERIENCE
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1624
NVD References: https://www.3ds.com/vulnerability/advisories

CVE-2024-27298 - Parse Server for Node.js / Express is vulnerable to SQL injection when configured with PostgreSQL; the issue has been resolved in versions 6.5.0 and 7.0.0-alpha.20.
Product: Parse Platform parse-server
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27298
NVD References:
- https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504
- https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833
- https://github.com/parse-community/parse-server/releases/tag/6.5.0
- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20
- https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2

CVE-2023-7243 - Ethercat Zeek Plugin versions d78dda6 and prior are vulnerable to an out-of-bounds write when analyzing Ethercat datagrams, leading to potential arbitrary code execution by attackers.
Product: Zeek Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-7243
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02

CVE-2023-7244 - Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin versions d78dda6 and prior have an out-of-bounds write vulnerability in their primary analysis function for Ethercat communication packets, potentially leading to arbitrary code execution.
Product: Industrial Control Systems Network Protocol Parsers (ICSNPP) Ethercat
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-7244
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02

CVE-2024-21767 - A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request.
Product: Commend WS203VICM
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21767
NVD References:
- https://clibrary-online.commend.com/en/cyber-security/security-advisories.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01

CVE-2023-28578 - Memory corruption in Core Services while executing the command for removing a single event listener.
Product: Apple Core Services
CVSS Score: 9.3
NVD: …
Sponsored by Palo Alto Networks: 2024 SANS State of Security Automation Survey | We would like to understand what drives automation in security teams, the role of automation in facilitating collaboration, and the ongoing challenges of automating security operations. Complete this survey for a chance to win a $250 Amazon gift card!
SANS 2024 Threat Hunting Survey: Hunting for Normal Within Chaos | March 20 | Mat Fuchs and Josh Lemon will reveal how organizations are changing their proactive hunting activities for unusual patterns, behaviors, and artifacts within network traffic and endpoints to catch threat actors who continually try to side-step detections.