INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Scans for Apache OfBiz
Published: 2024-03-27
Last Updated: 2024-03-27 12:08:56 UTC
by Johannes Ullrich (Version: 1)
Today, I noticed in our "first seen URL" list, two URLs I didn't immediately recognize ...
These two URLs appear to be associated with Apache's OfBiz product. According to the project, "Apache OFBiz is a suite of business applications flexible enough to be used across any industry. A common architecture allows developers to easily extend or enhance it to create custom features". OfBiz includes features to manage catalogs, e-commerce, payments and several other tasks.
Searching for related URLs, I found the following other URLs being scanned occasionally ...
One recently patched vulnerability, CVE-2023-51467, sports a CVSS score of 9.8. The vulnerability allows code execution without authentication. Exploits have been available for a while now. Two additional path traversal authentication bypass vulnerabilities have been fixed this year (CVE-2024-25065, CVE-2024-23946).
Based on the exploit, exploitation of CVE-2023-51467 is as easy as sending this POST request to a vulnerable server ...
Read the full entry:
https://isc.sans.edu/diary/Scans+for+Apache+OfBiz/30784/
Apple Updates for MacOS, iOS/iPadOS and visionOS
Published: 2024-03-25
Last Updated: 2024-03-26 00:15:45 UTC
by Johannes Ullrich (Version: 1)
Last week, Apple published updates for iOS and iPadOS. At that time, Apple withheld details about the security content of the update. This is typical if future updates for other operating systems will fix the same vulnerability. Apple's operating systems share a lot of code, and specific vulnerabilities are frequently found in all operating systems.
Today, Apple released the corresponding macOS updates and with that delivered the missing security details.
A total of two vulnerabilities are being patched. They affect macOS (14 and 13), iOS/iPadOS (16 and 17), and the brand new visionOS.
CVE-2024-1580: An arbitrary code execution vulnerability that could be triggered by processing a crafted image.
CVE-2024-1580: An arbitrary code execution vulnerability that could also be triggered by processing an image.
Note: this is not a typo above. There is only one CVE, but Apple shows two distinct vulnerabilities. The reason is that this is the same issue that happened in two different components.
Read the full entry:
https://isc.sans.edu/diary/Apple+Updates+for+MacOS+iOSiPadOS+and+visionOS/30778/
Whois "geofeed" Data
Published: 2024-03-21
Last Updated: 2024-03-22 19:54:31 UTC
by Johannes Ullrich (Version: 1)
Attributing a particular IP address to a specific location is hard and often fails miserably. There are several difficulties that I have talked about before: Out-of-date whois data, data that is outright fake, or was never correct in the first place. Companies that have been allocated a larger address range are splitting it up into different geographic regions, but do not reflect this in their whois records.
And beyond giving threat intel geeks a quick attribution high, the fact that the IP address is allocated to a particular country is useless information that costs a ton of CPU power to acquire. You are better off mining Dogecoin with those cycles.
But... if you are still reading... I saw something new, at least new to me: geofeed attributes in whois data! This appears to be particularly common in Europe. To our US readers, Europe is odd in that it is subdivided into entities referred to as "Countries", not "States". Just like states in the US, different countries may have different local laws. For example, in France, it is illegal to name your pet pig "Napoleon". Enforcement of these laws across the Internet often requires specific geolocation knowledge, and I can only assume that this led to the "geofeed" attribute.
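As an added illustration (not part of this diary), the whois geofeed attribute points at a CSV file in the RFC 8805 layout (prefix,country,region,city,postal); the parser below validates such a file line by line and does a longest-prefix lookup. The feed contents are constructed for the example, and the strictness choices (rejecting host bits, requiring region codes to start with the country code) are mine.

```python
import ipaddress
import re

# Constructed sample feed in the RFC 8805 CSV layout: prefix,country,region,city,postal.
# The last line deliberately has host bits set in the prefix so the validator rejects it.
SAMPLE_FEED = """\
# geofeed for a fictional operator (constructed for this example)
192.0.2.0/24,NL,NL-NH,Amsterdam,
192.0.2.128/25,DE,DE-BE,Berlin,
2001:db8:100::/40,FR,FR-IDF,Paris,
198.51.100.0/24,DE,,,
203.0.113.5/24,US,US-CA,,
"""

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")   # ISO 3166-1 alpha-2


def parse_geofeed(text):
    """Return (entries, errors); each entry is (network, country, region, city).
    Malformed lines are collected rather than raised, so one bad line cannot discard the feed."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # RFC 8805: lines starting with '#' are comments
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > 5:
            errors.append((lineno, "too many fields"))
            continue
        fields += [""] * (5 - len(fields))      # tolerate omitted trailing fields
        prefix, country, region, city, _postal = fields   # postal code is not used here
        try:
            network = ipaddress.ip_network(prefix, strict=True)  # reject prefixes with host bits set
        except ValueError:
            errors.append((lineno, f"bad prefix {prefix!r}"))
            continue
        if country and not COUNTRY_RE.match(country):
            errors.append((lineno, f"bad country code {country!r}"))
            continue
        if region and not region.startswith(country + "-"):   # ISO 3166-2 codes look like CC-xxx
            errors.append((lineno, f"region {region!r} does not belong to {country}"))
            continue
        entries.append((network, country, region, city))
    return entries, errors


def locate(entries, ip):
    """Longest-prefix match of ip against the feed; None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    matches = [e for e in entries if addr.version == e[0].version and addr in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen) if matches else None
```

An address inside the more specific 192.0.2.128/25 resolves to Berlin rather than the Amsterdam /24 that also covers it, which is the behaviour you want when an operator has split a larger allocation across regions.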
Read the full entry: