Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Scanning and abusing the QUIC protocol

Published: 2024-03-06

Last Updated: 2024-03-06 09:43:39 UTC

by Bojan Zdrnja (Version: 1)

The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary.

While QUIC has been around for some time, the official RFC 9000 that defines QUIC v1 was only released in 2021. Of course, our browsers (namely Chrome, as Google was the main power behind QUIC) started supporting and using QUIC a long time ago: Chrome added support for QUIC back in 2012, while Mozilla Firefox waited until 2021. Today, all browsers not only support QUIC but also use it – A LOT!

For example, if you take a look at your network traffic today to Google, YouTube, Facebook and similar web sites, you will see that it consists almost exclusively of HTTP/3, which runs over QUIC. Just open Developer Tools, go to the Network tab, right-click the column headers, add the Protocol column, and you will see something like this ...
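The Protocol column only tells you that the browser negotiated "h3"; on the wire, what a scanner or an IDS actually sees is a UDP datagram whose first bytes form the QUIC long header defined in RFC 9000 section 17.2. The parser below is an added illustration for this diary (it is not Bojan's research code): it classifies Initial, 0-RTT, Handshake, Retry and Version Negotiation packets, extracts version and connection IDs, handles the different packet-type encoding of QUIC v2 (RFC 9369), and applies the RFC 9000 rule that a client Initial must arrive in a datagram of at least 1200 bytes. Packet number and payload are left alone because they are header-protected and encrypted and cannot be read without the handshake keys. All sample packets are constructed by hand for the example; the DCID value is a stand-in and carries no real session.

```python
"""Classify QUIC long-header packets (RFC 9000 section 17.2) from raw UDP payloads.

Added example, not code from the ISC diary. Sample packets below are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF                 # RFC 9369
MIN_CLIENT_INITIAL = 1200            # RFC 9000 section 14.1
# Long Packet Type bits differ between v1 (RFC 9000) and v2 (RFC 9369)
TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}
TYPES_V2 = {1: "Initial", 2: "0-RTT", 3: "Handshake", 0: "Retry"}


def read_varint(buf: bytes, off: int) -> Tuple[int, int]:
    """Decode an RFC 9000 variable-length integer at buf[off]; return (value, next offset)."""
    if off >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[off] >> 6)      # 2-bit prefix 00/01/10/11 -> 1/2/4/8 bytes
    if off + size > len(buf):
        raise ValueError("truncated varint")
    value = buf[off] & 0x3F
    for b in buf[off + 1:off + size]:
        value = (value << 8) | b
    return value, off + size


def read_cid(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a connection ID prefixed by a 1-byte length."""
    if off >= len(buf):
        raise ValueError("truncated connection ID length")
    n = buf[off]
    if off + 1 + n > len(buf):
        raise ValueError("truncated connection ID")
    return buf[off + 1:off + 1 + n], off + 1 + n


@dataclass
class LongHeader:
    packet_type: str
    version: int
    dcid: bytes
    scid: bytes
    token: bytes = b""
    length: Optional[int] = None      # Length field (Initial / 0-RTT / Handshake only)
    supported_versions: List[int] = field(default_factory=list)


def parse_long_header(pkt: bytes) -> LongHeader:
    """Parse the version-invariant header and the type-specific fields readable without keys."""
    if len(pkt) < 7:
        raise ValueError("too short for a long header")
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("header form bit clear: short-header (1-RTT) packet")
    version = struct.unpack("!I", pkt[1:5])[0]
    dcid, off = read_cid(pkt, 5)
    scid, off = read_cid(pkt, off)
    if version == 0:
        # Version Negotiation (section 17.2.1): fixed bit not required, rest is a version list
        rest = pkt[off:]
        if not rest or len(rest) % 4:
            raise ValueError("malformed version list")
        versions = list(struct.unpack("!%dI" % (len(rest) // 4), rest))
        return LongHeader("VersionNegotiation", 0, dcid, scid, supported_versions=versions)
    if version == QUIC_V1 and (len(dcid) > 20 or len(scid) > 20):
        raise ValueError("connection ID over 20 bytes must be dropped in v1")
    if not first & 0x40:
        raise ValueError("fixed bit clear: not QUIC v1/v2 (RFC 9287 greasing aside)")
    types = TYPES_V2 if version == QUIC_V2 else TYPES_V1
    hdr = LongHeader(types[(first >> 4) & 0x03], version, dcid, scid)
    if hdr.packet_type == "Initial":
        tok_len, off = read_varint(pkt, off)
        if off + tok_len > len(pkt):
            raise ValueError("truncated token")
        hdr.token, off = pkt[off:off + tok_len], off + tok_len
    if hdr.packet_type in ("Initial", "0-RTT", "Handshake"):
        hdr.length, off = read_varint(pkt, off)
        if off + hdr.length > len(pkt):
            raise ValueError("Length field exceeds datagram")
    return hdr


def describe(pkt: bytes) -> str:
    """One-line classification for a scanner or IDS log; never raises."""
    try:
        h = parse_long_header(pkt)
    except ValueError as e:
        return "rejected: %s" % e
    if h.packet_type == "VersionNegotiation":
        return "VersionNegotiation offers=" + ",".join("0x%08x" % v for v in h.supported_versions)
    return "%s v=0x%08x dcid=%s scid=%s token=%dB len=%s" % (
        h.packet_type, h.version, h.dcid.hex() or "-", h.scid.hex() or "-", len(h.token), h.length)


def is_valid_client_initial(pkt: bytes) -> bool:
    """Servers MUST discard client Initials in datagrams under 1200 bytes (RFC 9000 14.1)."""
    try:
        h = parse_long_header(pkt)
    except ValueError:
        return False
    return h.packet_type == "Initial" and len(pkt) >= MIN_CLIENT_INITIAL


# Constructed samples (not captured traffic). Header = 18 bytes, Length 0x449e = 1182 -> 1200 total.
_HDR = "08" "8394c8f03e515708" "00" "00"          # DCID len 8, DCID, SCID len 0, token len 0
CLIENT_INITIAL = bytes.fromhex("c0" "00000001" + _HDR + "449e") + b"\x00" * 1182
CLIENT_INITIAL_V2 = bytes.fromhex("d0" "6b3343cf" + _HDR + "449e") + b"\x00" * 1182
SMALL_PROBE = bytes.fromhex("c0" "00000001" + _HDR + "4064") + b"\x00" * 100   # 118-byte scanner probe
VERSION_NEGOTIATION = bytes.fromhex("80" "00000000" "00" "08" "8394c8f03e515708"
                                    "00000001" "6b3343cf" "1a2a3a4a")           # v1, v2, grease
SHORT_HEADER = bytes.fromhex("40" "8394c8f03e515708" "00112233")

if __name__ == "__main__":
    for name, p in [("client initial", CLIENT_INITIAL), ("v2 initial", CLIENT_INITIAL_V2),
                    ("small probe", SMALL_PROBE), ("version negotiation", VERSION_NEGOTIATION),
                    ("short header", SHORT_HEADER), ("truncated", CLIENT_INITIAL[:40])]:
        print("%-20s %s  valid_client_initial=%s" % (name, describe(p), is_valid_client_initial(p)))
```

Two points matter when scanning or defending QUIC endpoints. First, a probe that is not padded to 1200 bytes is simply dropped by a conforming server, and the server will not even answer it with a Version Negotiation packet, so a one-packet scanner has to send full-size Initials. Second, because the Initial's Destination Connection ID and version sit in the clear, a sensor can fingerprint QUIC handshakes (including the v2 and greased versions above) without any keys, which is also what makes Version Negotiation responses useful for discovering QUIC services without completing a handshake.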

Read the full entry: https://isc.sans.edu/diary/Scanning+and+abusing+the+QUIC+protocol/30720/

Apple Releases iOS/iPadOS Updates with Zero Day Fixes.

Published: 2024-03-05

Last Updated: 2024-03-05 19:28:28 UTC

by Johannes Ullrich (Version: 1)

Apple today released iOS 17.4 as well as iOS 16.7.6 (and the respective iPadOS versions). These updates fix a total of four vulnerabilities, two of which are already being exploited. CVE-2024-23225 is a privilege escalation issue that affects both iOS 17 and iOS 16. The second already exploited vulnerability, CVE-2024-23296, affects only iOS 17.

We rated the exploited vulnerabilities as "important", not "critical". They appear to allow only privilege escalation: per Apple's description, the attacker must already have arbitrary kernel read and write capability to bypass kernel memory protections.

Read the full entry: https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716/

[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service.

Published: 2024-02-29

Last Updated: 2024-02-29 01:41:25 UTC

by John Moutos, SANS BACS Student (Version: 1)

[This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]

Intro

From a handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared, and for them to capture the attention of several members, myself included. In this case, what appeared to be a routine phishing PDF led to the delivery of a much more suspicious MSI, signed with a valid code signing certificate, and with a surprisingly low signature-based detection rate on VirusTotal (at the time of analysis) due to the use of several layered stages.

Context

Modern malware utilizing multiple layers of abstraction to avoid detection or response is not a new concept. As a result of this continuous effort, automated malware triage systems and sandboxes have become crucial for responding to new or heavily protected samples where static analysis has failed or heuristic checks have come back clean. Attackers are wise to this: they often use legitimate file formats outside of the PE family, or wrap their final-stage payload in multiple layers, so that it is neither detected through static analysis nor subsequently profiled through dynamic analysis in a sandbox or automated triage system.

Analysis

The following sample not only fit the profile described above, but was also taking advantage of a presumably stolen or fraudulently obtained code signing certificate to pass reputation checks.

At first glance, the downloaded PDF appears normal and is of fairly small size ...

Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/

Internet Storm Center Entries


Why Your Firewall Will Kill You (2024.03.05)

https://isc.sans.edu/diary/Why+Your+Firewall+Will+Kill+You/30714/

Capturing DShield Packets with a LAN Tap [Guest Diary] (2024.03.03)

https://isc.sans.edu/diary/Capturing+DShield+Packets+with+a+LAN+Tap+Guest+Diary/30708/

Scanning for Confluence CVE-2022-26134 (2024.03.01)

https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704/

Exploit Attempts for Unknown Password Reset Vulnerability (2024.02.28)

https://isc.sans.edu/diary/Exploit+Attempts+for+Unknown+Password+Reset+Vulnerability/30698/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2024-21410 - Microsoft Exchange Server Elevation of Privilege Vulnerability

Product: Microsoft Exchange Server

CVSS Score: 9.8

** KEV since 2024-02-15 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21410

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410



CVE-2022-26134 - Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability (unauthenticated OGNL injection)

Product: Atlassian Confluence Server and Data Center, 7.18.0 and earlier (fixed in 7.18.1 and the corresponding LTS releases)

CVSS Score: 9.8

** KEV since 2022-06-02 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-26134

ISC Diary: https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704/

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8878



CVE-2024-23225 (Kernel) & CVE-2024-23296 (RTKit) - Memory corruption vulnerabilities, exploited in the wild. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections.

Product: Apple iOS/iPadOS (Kernel and RTKit); CVE-2024-23225 affects iOS 16 and 17, CVE-2024-23296 affects iOS 17 only

CVSS Score: N/A

** KEV since 2024-03-06 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23225

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23296

ISC Diary: https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716/

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8882

NVD References: 

- https://support.apple.com/en-us/HT214081

- https://support.apple.com/en-us/HT214082       



CVE-2024-23243 - iOS: An app may be able to read sensitive location information. A privacy issue was addressed with improved private data redaction for log entries.

Product: iOS

CVSS Score: N/A

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23243

ISC Diary: https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716/

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8882

NVD References: https://support.apple.com/en-us/HT214081



CVE-2024-23256 - iOS: A user's locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled. A logic issue was addressed with improved state management.

Product: iOS

CVSS Score: N/A

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23256

ISC Diary: https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716/

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8882

NVD References: https://support.apple.com/en-us/HT214081



CVE-2024-27198 - In JetBrains TeamCity before 2023.11.4, an authentication bypass allowed an unauthenticated attacker to perform admin actions.

Product: JetBrains TeamCity

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27198

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8880

NVD References: https://www.jetbrains.com/privacy-security/issues-fixed/



CVE-2024-27199 - In JetBrains TeamCity before 2023.11.4, a path traversal allowed an unauthenticated attacker to perform limited admin actions.

Product: JetBrains TeamCity

CVSS Score: 7.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27199

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8880

NVD References: https://www.jetbrains.com/privacy-security/issues-fixed/



CVE-2024-21338 - Windows Kernel Elevation of Privilege Vulnerability

Product: Microsoft Windows Kernel

CVSS Score: 7.8

** KEV since 2024-03-04 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21338

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338



CVE-2024-1698 - The NotificationX plugin for WordPress is vulnerable to SQL Injection in versions up to 2.8.2, allowing unauthenticated attackers to extract sensitive information from the database.

Product: NotificationX (Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor) for WordPress

CVSS Score: 9.8

AtRiskScore: 30

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1698

NVD References: 

- https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Database.php

- https://plugins.trac.wordpress.org/changeset/3040809/notificationx/trunk/includes/Core/Rest/Analytics.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/e110ea99-e2fa-4558-bcf3-942a35af0b91?source=cve



CVE-2024-1403 - OpenEdge Authentication Gateway and AdminServer allows for unauthorized access due to a vulnerability involving improper handling of usernames and passwords.

Product: OpenEdge Authentication Gateway

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1403

NVD References: 

- https://community.progress.com/s/article/Important-Critical-Alert-for-OpenEdge-Authentication-Gateway-and-AdminServer

- https://www.progress.com/openedge



CVE-2024-27099 - The uAMQP library is vulnerable to a double free problem when processing an incorrect `AMQP_VALUE` failed state, potentially leading to a Remote Code Execution (RCE) exploit.

Product: Microsoft uAMQP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27099

NVD References: 

- https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987

- https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj



CVE-2023-50734 - Lexmark devices are susceptible to a buffer overflow vulnerability in the PostScript interpreter, allowing attackers to run arbitrary code.

Product: Lexmark PostScript interpreter

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50734

NVD References: https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html



CVE-2023-50735 - Lexmark devices are vulnerable to heap corruption in their PostScript interpreter, allowing attackers to execute arbitrary code.

Product: Lexmark PostScript interpreter

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50735

NVD References: https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html



CVE-2023-50736 - Lexmark devices are susceptible to a memory corruption vulnerability in their PostScript interpreter, allowing attackers to execute arbitrary code.

Product: Lexmark PostScript interpreter

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50736

NVD References: https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html



CVE-2023-50737 - Lexmark's SE menu has a vulnerability that could allow attackers to execute arbitrary code.

Product: Lexmark printers

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-50737

NVD References: https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html



CVE-2024-1514 - WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter due to insufficient parameter escaping and query preparation, allowing unauthenticated attackers to extract sensitive database information.

Product: WP eCommerce plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1514

NVD References: 

- https://plugins.trac.wordpress.org/browser/wp-e-commerce/trunk/wpsc-components/marketplace-core-v1/library/Sputnik.php#L334

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0ba5da2b-6944-4243-a4f2-0f887abf7a66?source=cve



CVE-2024-25910 - The Skymoonlabs MoveTo plugin for WordPress, versions through 6.2, is vulnerable to unauthenticated SQL injection.

Product: Skymoonlabs MoveTo

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25910

NVD References: https://patchstack.com/database/vulnerability/moveto/wordpress-moveto-plugin-6-2-unauthenticated-sql-injection-vulnerability?_s_id=cve



CVE-2024-25927 - The postMash – custom post order plugin for WordPress, versions through 1.2.0, is vulnerable to SQL injection.

Product: Joel Starnes postMash

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25927

NVD References: https://patchstack.com/database/vulnerability/postmash/wordpress-postmash-custom-post-order-plugin-1-2-0-sql-injection-vulnerability?_s_id=cve



CVE-2024-23328 - DataEase does not properly validate input in its Mysql.java data source code, allowing a deserialization attack that leads to arbitrary code execution and arbitrary file reading. Fixed in versions 1.18.15 and 2.3.0.

Product: DataEase

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23328

NVD References: 

- https://github.com/dataease/dataease/commit/4128adf5fc4592b55fa1722a53b178967545d46a

- https://github.com/dataease/dataease/commit/bb540e6dc83df106ac3253f331066129a7487d1a

- https://github.com/dataease/dataease/security/advisories/GHSA-8x8q-p622-jf25



CVE-2024-25128 - Flask-AppBuilder deployments configured with AUTH_TYPE = AUTH_OID are vulnerable to HTTP request forgery: an attacker can redirect the OpenID authentication to an attacker-controlled OpenID service and potentially gain unauthorized privileged access.

Product: Flask-AppBuilder

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25128

NVD References: 

- https://github.com/dpgaspar/Flask-AppBuilder/commit/6336456d83f8f111c842b2b53d1e89627f2502c8

- https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-j2pw-vp55-fqqj



CVE-2023-6090 - The Mollie Payments for WooCommerce plugin, versions through 7.3.11, allows unrestricted upload of files with dangerous types (arbitrary file upload).

Product: WooCommerce Mollie Payments

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6090

NVD References: https://patchstack.com/database/vulnerability/mollie-payments-for-woocommerce/wordpress-mollie-payments-for-woocommerce-plugin-7-3-11-arbitrary-file-upload-vulnerability?_s_id=cve



CVE-2024-1981 - WPvivid plugin for WordPress is vulnerable to SQL Injection through the 'table_prefix' parameter in version 0.9.68.

Product: WPvivid Migration, Backup, Staging

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1981

NVD References: 

- https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpvivid-backuprestore%2Ftrunk&old=2667839&new_path=%2Fwpvivid-backuprestore%2Ftrunk&new=2667839

- https://research.hisolutions.com/2024/01/multiple-vulnerabilities-in-wordpress-plugin-wpvivid-backup-and-migration/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/ef8bfb38-4f20-4f9f-bb30-a88f3be2d2d3?source=cve



CVE-2024-1624 - 3DEXPERIENCE, SIMULIA Abaqus, SIMULIA Isight, and CATIA Composer are vulnerable to OS Command Injection via specially crafted HTTP requests, allowing for arbitrary command execution.

Product: Dassault Systemes 3DEXPERIENCE

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-1624

NVD References: https://www.3ds.com/vulnerability/advisories



CVE-2024-27298 - Parse Server for Node.js / Express is vulnerable to SQL injection when configured with the PostgreSQL database adapter. Fixed in versions 6.5.0 and 7.0.0-alpha.20.

Product: Parse Platform parse-server

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27298

NVD References: 

- https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504

- https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833

- https://github.com/parse-community/parse-server/releases/tag/6.5.0

- https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20

- https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2



CVE-2023-7243 - Ethercat Zeek Plugin versions d78dda6 and prior are vulnerable to out-of-bounds write when analyzing Ethercat datagrams, leading to potential arbitrary code execution by attackers.

Product: Zeek Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-7243

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02



CVE-2023-7244 - Industrial Control Systems Network Protocol Parsers (ICSNPP) - Ethercat Zeek Plugin versions d78dda6 and prior have an out-of-bounds write vulnerability in their primary analysis function for Ethercat communication packets, potentially leading to arbitrary code execution.

Product: Industrial Control Systems Network Protocol Parsers (ICSNPP) Ethercat

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-7244

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02



CVE-2024-21767 - A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request.

Product: Commend WS203VICM

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21767

NVD References:

- https://clibrary-online.commend.com/en/cyber-security/security-advisories.html

- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01



CVE-2023-28578 - Memory corruption in Core Services while executing the command for removing a single event listener.

Product: Qualcomm Core Services (Snapdragon chipsets; see the Qualcomm March 2024 bulletin)

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28578

NVD References: https://www.qualcomm.com/company/product-security/bulletins/march-2024-bulletin



CVE-2023-28582 - Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

Product: Qualcomm Data Modem

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28582

NVD References: https://www.qualcomm.com/company/product-security/bulletins/march-2024-bulletin



CVE-2023-43552 - Memory corruption while processing an MBSSID beacon containing several subelement IEs.

Product: Qualcomm WLAN (Snapdragon chipsets; see the Qualcomm March 2024 bulletin)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43552

NVD References: https://www.qualcomm.com/company/product-security/bulletins/march-2024-bulletin



CVE-2023-43553 - Memory corruption while parsing a beacon/probe response frame when the AP advertises more supported links in the Multi-Link element (MLIE).

Product: Qualcomm WLAN (Snapdragon chipsets; see the Qualcomm March 2024 bulletin)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43553

NVD References: https://www.qualcomm.com/company/product-security/bulletins/march-2024-bulletin



CVE-2024-21815 - Gallagher Command Centre versions prior to vEL9.00.1774 (MR2) have insufficiently protected credentials for third party DVR integrations, accessible to authenticated but unprivileged users.

Product: Gallagher Command Centre

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21815

NVD References: https://security.gallagher.com/Security-Advisories/CVE-2024-21815



CVE-2024-21378 - Microsoft Outlook Remote Code Execution Vulnerability

Product: Microsoft Outlook

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21378

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21378