ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Analyzing Synology Disks on Linux
Published: 2024-05-08
Last Updated: 2024-05-08 07:00:07 UTC
by Xavier Mertens (Version: 1)
Synology NAS solutions are popular devices, and they are also used in many organizations. Their product range goes from small boxes with two disks (I’m not sure they still sell a single-disk enclosure today) up to rackable monsters with plenty of disks. They offer multiple disk management options but rely on a lot of open-source software (like most appliances). For example, there are no expensive hardware RAID controllers in the box. They use the good old “MD” (“multiple devices”) technology, managed with the well-known mdadm tool. Synology NAS devices run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools.
In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted: the attacker just deleted some shared folders. The device had two drives configured in RAID0 (not the best solution, I know, but they lacked storage capacity). The idea was to mount the file system (or at least have the block device) on a Linux host and run forensic tools, for example photorec.
In such a situation, the biggest challenge will be to connect all the drives to the analysis host! Here, I had only two drives, but imagine that you are facing a bigger model with 5+ disks. In my case, I used two USB-C/SATA adapters to connect the drives. Besides the software RAID, Synology volumes also rely on LVM2 (“Logical Volume Manager”). In most distributions, the mdadm and lvm2 packages are available (for example on the SIFT Workstation). Otherwise, just install them ...
Read the full entry:
https://isc.sans.edu/diary/Analyzing+Synology+Disks+on+Linux/30904/
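The Synology diary above stops at installing mdadm and lvm2. The following is an added example, not code from the diary or from Synology, that wraps the steps those two tools perform (assemble the MD array, activate the LVM volume group, mount) into a plan that is either printed as a dry run or executed, with every step kept read-only so the evidence disks are not modified. All device names in it are assumptions: Synology units usually keep the data array on the third partition of each disk, but the md device number, volume-group name and logical-volume name differ from model to model, so read them from `mdadm --examine` and `lvs` on the real disks before running it for real.

```python
"""Read-only assembly of a Synology data volume on a Linux analysis host.

Added example for the Synology diary above; this is not code from the diary or
from Synology. It wraps the mdadm and lvm2 steps in a plan that can be printed
(dry run) or executed. Everything below that names a device is an assumption:
Synology units usually keep the data array on the third partition of each disk,
and the md device number, volume-group name and logical-volume name differ from
model to model, so read them from `mdadm --examine` and `lvs` on the real disks.
"""
import os
import shlex
import stat
import subprocess


def mount_options(fstype):
    """Read-only mount options per file system.

    For ext4, noload also skips journal replay, so not even the journal is
    written to. btrfs only needs ro.
    """
    return "ro,noload" if fstype == "ext4" else "ro"


def build_plan(members, md_device="/dev/md2", vg="vg1", lv="volume_1",
               mountpoint="/mnt/nas", fstype="ext4"):
    """Ordered commands to expose the volume read-only, as argv lists."""
    lv_device = f"/dev/{vg}/{lv}"
    return [
        # Assemble only the named members and start the array read-only, so
        # mdadm neither rewrites superblocks nor starts a resync.
        ["mdadm", "--assemble", "--readonly", md_device, *members],
        # Belt and braces: make the kernel refuse writes to the md device.
        ["blockdev", "--setro", md_device],
        # Let lvm2 discover the physical volume inside the array and
        # activate the volume group that Synology layered on top of it.
        ["vgscan"],
        ["vgchange", "-ay", vg],
        ["blockdev", "--setro", lv_device],
        ["mount", "-t", fstype, "-o", mount_options(fstype), lv_device, mountpoint],
    ]


def is_block_device(path):
    """True if path exists and is a block device (the RAID members must be)."""
    try:
        return stat.S_ISBLK(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


def run(plan, members, dry_run=True):
    """Return the plan as shell-quoted lines; execute it unless dry_run.

    Execution stops at the first failing command (check=True) and refuses to
    start if any member is not a block device.
    """
    lines = [shlex.join(cmd) for cmd in plan]
    if dry_run:
        return lines
    missing = [m for m in members if not is_block_device(m)]
    if missing:
        raise SystemExit(f"not block devices: {missing}")
    for cmd in plan:
        subprocess.run(cmd, check=True)
    return lines


if __name__ == "__main__":
    # Two USB/SATA-attached Synology disks, as in the diary; the partition
    # index is an assumption, check it with lsblk first.
    disks = ["/dev/sdb3", "/dev/sdc3"]
    for line in run(build_plan(disks), disks, dry_run=True):
        print(line)
```

The plan deliberately names the member partitions instead of using `mdadm --assemble --scan`, so a stray array on the analysis host cannot be picked up by mistake, and it never activates the array read-write: a RAID0 volume with a missing member has nothing to assemble anyway, and a degraded RAID1/5 started read-write would begin a resync that overwrites data a carver such as photorec might still recover. A hardware write blocker on the USB/SATA adapters is the better guarantee; the `--readonly` and `blockdev --setro` steps are the software layer on top of it.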
Detecting XFinity/Comcast DNS Spoofing
Published: 2024-05-06
Last Updated: 2024-05-08 00:15:59 UTC
by Johannes Ullrich (Version: 1)
ISPs have a history of intercepting DNS. Often, DNS interception is done as part of a "value add" feature to block access to known malicious websites. Sometimes, users are directed to advertisements if they attempt to access a site that doesn't exist. There are two common techniques for DNS spoofing/interception:
1. The ISP provides a recommended DNS server. This DNS server will filter requests to known malicious sites.
2. The ISP intercepts all DNS requests, not just requests directed at the ISP's DNS server.
The first method is what I would consider a "recommended" or "best practice" method. The customer can use the ISP's DNS server, but traffic is left untouched if a customer selects a different recursive resolver. The problem with this approach is that malware sometimes alters the user's DNS settings.
Comcast, as part of its "Business Class" offer, provides a tool called "Security Edge". It is typically included for free as part of the service. Security Edge is supposed to interface with the customer's modem but can only do so for specific configurations. Part of the service is provided by DNS interception. Even if "Security Edge" is disabled in the customer's dashboard, DNS interception may still be active.
One issue with any filtering based on blocklists is false positives. In some cases, what constitutes a "malicious" hostname may not even be well defined. I could not find a definition on Comcast's website. But Bleeping Computer (www.bleepingcomputer.com) recently ended up on Comcast's "naughty list". I know all too well that it is easy for a website that covers security topics to end up on these lists. The Internet Storm Center website has been on lists like this before. Usually, sloppy signature-based checks will flag a site as malicious. An article may discuss a specific attack and quote strings triggering these signatures.
Comcast offers recursive resolvers to its customers: 75.75.75.75, 75.75.76.76, 2001:558:feed::1 and 2001:558:feed::2. There are advantages to using your ISP's DNS servers. They are often faster as they are physically closer to your network, and you profit from responses cached by other users. My internal resolver is configured as a forwarding resolver, spreading queries among different well-performing resolvers like Quad9, Cloudflare and Google.
So what happened to bleepingcomputer.com? When I wasn't able to resolve bleepingcomputer.com, I checked my DNS logs, and this entry stuck out ...
Read the full entry:
https://isc.sans.edu/diary/Detecting+XFinityComcast+DNS+Spoofing/30898/
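The two interception techniques described in the Comcast diary above leave different fingerprints, and the check below, an added example that is not code from the diary, turns that into detection logic. With technique 1 only the ISP's own resolver disagrees with independent resolvers (NXDOMAIN for a blocklisted site, or an address for a name that does not exist). With technique 2 every query on port 53 is rewritten, so all resolvers agree on the same wrong answer, and the only way to notice is a reference answer obtained over a path the ISP cannot rewrite, for example DNS-over-HTTPS; how that reference is fetched is left to the caller. The responses in the block are constructed, not real measurements; 75.75.75.75 is the Comcast resolver named in the diary and 9.9.9.9, 1.1.1.1 and 8.8.8.8 are the public Quad9, Cloudflare and Google resolvers it mentions.

```python
"""Spot DNS interception by comparing answers across resolvers.

Added example for the Comcast DNS diary above; not code from the diary. The two
techniques it describes leave different fingerprints. With technique 1 only the
ISP's own resolver disagrees with independent resolvers. With technique 2 every
query on port 53 is rewritten, so all resolvers agree on the wrong answer and
you need a reference answer obtained over a path the ISP cannot rewrite (for
example a DNS-over-HTTPS lookup); fetching that reference is left to the
caller. The responses below are constructed, not real measurements.
"""
from collections import Counter

ISP = "75.75.75.75"   # Comcast resolver named in the diary
INDEPENDENT = ["9.9.9.9", "1.1.1.1", "8.8.8.8"]   # Quad9, Cloudflare, Google

# Constructed sample: name -> resolver -> (rcode, frozenset of A records).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE = {
    # A real site on the ISP blocklist: only the ISP resolver says NXDOMAIN.
    "news-site.test": {
        ISP: ("NXDOMAIN", frozenset()),
        **{r: ("NOERROR", frozenset({"192.0.2.10"})) for r in INDEPENDENT},
    },
    # A typo domain: the ISP resolver invents an address (ad landing page).
    "no-such-host-xyz.test": {
        ISP: ("NOERROR", frozenset({"198.51.100.7"})),
        **{r: ("NXDOMAIN", frozenset()) for r in INDEPENDENT},
    },
    # Transparent interception: every resolver returns the same rewritten answer.
    "intercepted.test": {
        r: ("NOERROR", frozenset({"203.0.113.5"})) for r in [ISP, *INDEPENDENT]
    },
    "clean.test": {
        r: ("NOERROR", frozenset({"192.0.2.20"})) for r in [ISP, *INDEPENDENT]
    },
}
# Reference answers assumed to come from an out-of-band (e.g. DoH) lookup.
REFERENCE = {
    "intercepted.test": ("NOERROR", frozenset({"192.0.2.99"})),
    "clean.test": ("NOERROR", frozenset({"192.0.2.20"})),
}


def consensus(responses):
    """The (rcode, answers) pair returned by the largest number of resolvers."""
    return Counter(responses.values()).most_common(1)[0][0]


def outliers(responses):
    """Resolvers whose answer differs from the consensus, sorted."""
    agreed = consensus(responses)
    return sorted(r for r, a in responses.items() if a != agreed)


def classify(responses, reference=None):
    """Return (verdict, findings) for one name.

    verdict is 'resolver-specific' (technique 1, or NXDOMAIN redirection),
    'transparent-interception' (technique 2) or 'consistent'.
    """
    agreed = consensus(responses)
    findings = []
    for r in outliers(responses):
        rcode, addrs = responses[r]
        if rcode == "NOERROR" and agreed[0] == "NXDOMAIN":
            findings.append(f"{r} returns {sorted(addrs)} for a name that does "
                            "not exist (NXDOMAIN redirection)")
        elif rcode == "NXDOMAIN" and agreed[0] == "NOERROR":
            findings.append(f"{r} returns NXDOMAIN while {len(responses) - 1} "
                            "others resolve it (resolver-side blocklist)")
        else:
            findings.append(f"{r} returns {rcode} {sorted(addrs)}, consensus "
                            f"is {agreed[0]} {sorted(agreed[1])}")
    if findings:
        return "resolver-specific", findings
    if reference is not None and agreed != reference:
        findings.append(f"all {len(responses)} resolvers agree on "
                        f"{sorted(agreed[1])} but the out-of-band reference "
                        f"is {sorted(reference[1])}")
        return "transparent-interception", findings
    return "consistent", findings


def report(sample=SAMPLE, reference=REFERENCE):
    """Verdict per name, so a run can print it and a test can assert on it."""
    return {name: classify(resp, reference.get(name)) for name, resp in sample.items()}


if __name__ == "__main__":
    for name, (verdict, findings) in report().items():
        print(f"{name}: {verdict}")
        for finding in findings:
            print("   ", finding)
```

The consensus step needs at least three resolvers to be meaningful; with two there is no majority, only a disagreement. Note also that the last case only works with a reference answer: without one, `intercepted.test` looks perfectly consistent, which is exactly why interception of all port-53 traffic is harder to notice than a filtering resolver.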
Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796
Published: 2024-05-02
Last Updated: 2024-05-02 18:07:05 UTC
by Johannes Ullrich (Version: 1)
Before diving into the vulnerability, a bit about the affected devices. LB-Link, the maker of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates.
Before buying any IoT device, WiFi router, or similar piece of equipment, please make sure the vendor does:
1. Offer firmware updates for download from an easy-to-find location.
2. Provide an "end of life" policy stating how long a particular device will receive updates.
Alternatively, you may want to verify if the device can be "re-flashed" using an open source firmware.
But let us go back to this vulnerability. There are two URLs affected, one of which showed up in our "First Seen URLs" ...
Read the full entry:
https://isc.sans.edu/diary/Scans+Probing+for+LBLink+and+Vinga+WRAC1200+routers+CVE202324796/30890/
nslookup's Debug Options (2024.05.05)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
Product: Oracle WebLogic Server
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21006
ISC Podcast: https://isc.sans.edu/podcastdetail/8972
Product: Vinga WR-AC1200_Firmware
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24796
ISC Podcast: https://isc.sans.edu/podcastdetail/8966
Product: BentoML framework
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2912
ISC Podcast: https://isc.sans.edu/podcastdetail/8964
Product: Zyxel Nas542_Firmware
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4473
ISC Podcast: https://isc.sans.edu/podcastdetail/8962
Product: Zyxel Nas542_Firmware
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474
ISC Podcast: https://isc.sans.edu/podcastdetail/8962
Product: RIOT Operating System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32017
NVD References:
- http://www.openwall.com/lists/oss-security/2024/05/07/3
- https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/gcoap/dns.c#L319-L325
- https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/gcoap/forward_proxy.c#L352
- https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v97j-w9m6-c4h3
Product: Aruba's access point management protocol
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26304
NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
Product: Aruba Utility daemon
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26305
NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
Product: Aruba Automatic Reporting Service
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33511
NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
Product: Aruba Networks access point management protocol
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33512
NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
Product: stb stb_vorbis
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47212
NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846
Product: Tinyproxy
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49606
NVD References:
- http://www.openwall.com/lists/oss-security/2024/05/07/1
- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
Product: JFrog Artifactory
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4142
NVD References: https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories
Product: xml-crypto Node.js
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32962
NVD References:
- https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000
- https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca
- https://github.com/node-saml/xml-crypto/pull/301
- https://github.com/node-saml/xml-crypto/pull/445
- https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v
- https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation
Product: Apollo Router
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32971
NVD References:
- https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529
- https://github.com/apollographql/router/releases/tag/v1.45.1
- https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v
Product: Xen Orchestra Xserver Migrator
CVSS Score: 9.6
Product: InstaWP Connect - 1-click WP Staging & Migration plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2667
NVD References:
Product: Email Subscribers by Icegram Express
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2876
NVD References:
Product: DynamiApps Frontend Admin by DynamiApps
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3729
NVD References:
- https://plugins.trac.wordpress.org/changeset/3073379/acf-frontend-form-element#file4
Product: PWAsForFirefox PWAsForFirefox
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32986
NVD References:
- https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5
- https://github.com/filips123/PWAsForFirefox/releases/tag/v2.12.0
- https://github.com/filips123/PWAsForFirefox/security/advisories/GHSA-jmhv-m7v5-g5jq
Product: Gescen centrosdigitales.net
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4466
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-gescen
Product: Delta Electronics DIAEnergie
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4547
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4548
NVD References: https://www.tenable.com/security/research/tra-2024-13
Product: WordPress Build App Online plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4186
NVD References:
- https://plugins.trac.wordpress.org/changeset/3081961/edwiser-bridge#file1
Product: Startklar Elementor Addons
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4345
NVD References:
- https://plugins.trac.wordpress.org/changeset/3081987/startklar-elmentor-forms-extwidgets
Product: Startklar Elementor Addons
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4346
NVD References:
- https://plugins.trac.wordpress.org/changeset/3081987/startklar-elmentor-forms-extwidgets
Product: react-pdf PDF.js
CVSS Score: 7.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34342
ISC Podcast: https://isc.sans.edu/podcastdetail/8972
NVD References:
- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
- https://github.com/mozilla/pdf.js/pull/18015
- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
- https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe
- https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad
- https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4
Product: WordPress Social Connect plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4393
NVD References:
- https://plugins.trac.wordpress.org/browser/social-connect/tags/1.2/openid/openid.php#L575
The following vulnerability needs a manual review:
Product: Mozilla PDF.js PDF viewer
CVSS Score: N/A
NVD: N/A
NVD References:
Take the SANS 2024 Multicloud Survey: Securing Multiple Clouds Amid Constant Changes | This survey will explore the underlying forces behind why multicloud customers make the cloud adoption decisions that have been identified in past surveys. Complete this survey and you'll be entered to win a $400 Amazon gift card for your time.