Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Analyzing Synology Disks on Linux

Published: 2024-05-08

Last Updated: 2024-05-08 07:00:07 UTC

by Xavier Mertens (Version: 1)

Synology NAS solutions are popular devices. They are also used in many organizations. Their product range goes from small boxes with two disks (I’m not sure they still sell a single-disk enclosure today) up to monsters, rackable with plenty of disks. They offer multiple disk management options but rely on a lot of open-source software (like most appliances). For example, there are no expensive hardware RAID controllers in the box. They use the good old “MD” (“multiple devices”) technology, managed with the well-known mdadm tool. Synology NAS devices run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools.

In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. The device had two drives configured in RAID0 (not the best solution, I know, but they lacked storage capacity). The idea was to mount the file system (or at least have the block device) on a Linux host and run forensic tools, for example, photorec.

In such a situation, the biggest challenge will be to connect all the drives to the analysis host! Here, I had only two drives, but imagine that you are facing a bigger model with 5+ disks. In my case, I used two USB-C/SATA adapters to connect the drives. Besides the software RAID, Synology volumes also rely on LVM2 (“Logical Volume Manager”). In most distributions, the packages mdadm and lvm2 are available (for example on SIFT Workstation). Otherwise, just install them ...
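The assembly steps the excerpt stops short of, as an added example that is not code from the diary or from Synology: a POSIX shell helper that assembles the data array read-only with mdadm, activates the LVM2 volume and mounts it read-only so the evidence disks are never written to. The device names (/dev/sdb, /dev/sdc), the partition-3 data layout, /dev/md127 and /dev/vg1/volume_1 are assumptions, not values from the diary.

```shell
#!/bin/sh
# Added example, not code from the diary: assemble a Synology data volume
# read-only on a Linux analysis host, bring up its LVM2 volume, and mount
# the file system without writing to the evidence disks.
#
# Assumptions (mine, not stated in the diary):
#  - disks are attached whole, e.g. /dev/sdb /dev/sdc, via SATA adapters;
#  - partition 3 of each disk holds the data array (the usual DSM layout
#    is 1 = system, 2 = swap, 3 = data); set DATA_PART if yours differs;
#  - mdadm and lvm2 are installed and the script runs as root.
# DRY_RUN=1 prints the commands instead of executing them.

MD_DEV="${MD_DEV:-/dev/md127}"          # a free md slot on the analysis host
MOUNT_POINT="${MOUNT_POINT:-/mnt/synology}"
DATA_PART="${DATA_PART:-3}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map a whole-disk device to its data partition node.
data_part() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$DATA_PART" ;;  # /dev/nvme0n1 -> /dev/nvme0n1p3
        *)      printf '%s%s\n'  "$1" "$DATA_PART" ;;  # /dev/sdb     -> /dev/sdb3
    esac
}

assemble_synology() {
    [ $# -ge 1 ] || { echo "usage: assemble_synology /dev/sdX [/dev/sdY ...]" >&2; return 2; }
    parts=""
    for disk in "$@"; do parts="$parts $(data_part "$disk")"; done

    # 1. Inspect the md superblocks: confirms RAID level, member count and
    #    that every member belongs to the same array before assembling.
    run mdadm --examine $parts
    # 2. Assemble read-only: no resync, no superblock update. --run starts
    #    a degraded RAID1/5/6 with a member missing; RAID0 needs every disk.
    run mdadm --assemble --readonly --run "$MD_DEV" $parts
    # 3. Belt and braces: refuse writes at the block layer as well.
    run blockdev --setro "$MD_DEV"
    # 4. Let LVM discover the physical volume on the md device and activate it.
    run pvscan
    run vgchange -ay
    # 5. Pick the logical volume. Outside dry-run, take the first LV path;
    #    /dev/vg1/volume_1 is a constructed placeholder for the dry run.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        lv=/dev/vg1/volume_1; fstype=ext4
    else
        lv=$(lvs --noheadings -o lv_path | awk 'NR==1{print $1}')
        fstype=$(blkid -o value -s TYPE "$lv")
    fi
    # 6. Mount read-only. ext4 needs noload so the kernel does not try to
    #    replay the journal onto a read-only device; btrfs takes plain ro.
    opts=ro
    if [ "$fstype" = ext4 ]; then opts=ro,noload; fi
    run mkdir -p "$MOUNT_POINT"
    run mount -t "$fstype" -o "$opts" "$lv" "$MOUNT_POINT"
    echo "$lv ($fstype) mounted read-only at $MOUNT_POINT; carve with photorec against $lv"
}
```

Run `DRY_RUN=1 assemble_synology /dev/sdb /dev/sdc` first to review the exact commands, then drop DRY_RUN to execute them as root.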

Read the full entry:

https://isc.sans.edu/diary/Analyzing+Synology+Disks+on+Linux/30904/

Detecting XFinity/Comcast DNS Spoofing

Published: 2024-05-06

Last Updated: 2024-05-08 00:15:59 UTC

by Johannes Ullrich (Version: 1)

ISPs have a history of intercepting DNS. Often, DNS interception is done as part of a "value add" feature to block access to known malicious websites. Sometimes, users are directed to advertisements if they attempt to access a site that doesn't exist. There are two common techniques for DNS spoofing/interception:

1. The ISP provides a recommended DNS server. This DNS server will filter requests to known malicious sites.

2. The ISP intercepts all DNS requests, not just requests directed at the ISP's DNS server.

The first method is what I would consider a "recommended" or "best practice" method. The customer can use the ISP's DNS server, but traffic is left untouched if a customer selects a different recursive resolver. The problem with this approach is that malware sometimes alters the user's DNS settings.

Comcast, as part of its "Business Class" offer, provides a tool called "Security Edge". It is typically included for free as part of the service. Security Edge is supposed to interface with the customer's modem but can only do so for specific configurations. Part of the service is provided by DNS interception. Even if "Security Edge" is disabled in the customer's dashboard, DNS interception may still be active.

One issue with any filtering based on blocklists is false positives. In some cases, what constitutes a "malicious" hostname may not even be well defined. I could not find a definition on Comcast's website. But Bleeping Computer (www.bleepingcomputer.com) recently ended up on Comcast's "naughty list". I know all too well that it is easy for a website that covers security topics to end up on these lists. The Internet Storm Center website has been on lists like this before. Usually, sloppy signature-based checks will flag a site as malicious. An article may discuss a specific attack and quote strings triggering these signatures.

Comcast offers recursive resolvers to its customers: 75.75.75.75, 75.75.76.76, 2001:558:feed:1 and 2001:558:feed:2. There are advantages to using your ISP's DNS servers. They are often faster as they are physically closer to your network, and you profit from responses cached by other users. My internal resolver is configured as a forwarding resolver, spreading queries among different well-performing resolvers like Quad9, Cloudflare and Google.

So what happened to bleepingcomputer.com? When I wasn't able to resolve bleepingcomputer.com, I checked my DNS logs, and this entry stuck out ...

Read the full entry:

https://isc.sans.edu/diary/Detecting+XFinityComcast+DNS+Spoofing/30898/

nslookup's Debug Options

Published: 2024-05-05

Last Updated: 2024-05-05 07:24:11 UTC

by Didier Stevens (Version: 1)

A friend was having unexpected results with DNS queries on a Windows machine. I told him to use nslookup's debug options.

When you execute a simple DNS query like "nslookup example.com. 8.8.8.8", you get an answer like this (notice that in my nslookup query, I terminated the FQDN with a dot: "example.com.", I do that to prevent Windows from adding suffixes)...

You see the result of a reverse DNS lookup (8.8.8.8 is dns.google) and you get 2 IP addresses for example.com in your answer: an IPv6 address and an IPv4 address.

If my friend had been able to run a packet capture on the machine, he would have seen 3 DNS queries and answers ...

A PTR query to do a reverse DNS lookup for 8.8.8.8, an A query to look up IPv4 addresses for example.com, and an AAAA query to look up IPv6 addresses for example.com.

One can use nslookup's debug options to obtain equivalent information, without doing a packet capture.

Debug option -d displays extra information for each DNS response packet ...

Read the full entry:

https://isc.sans.edu/diary/nslookups+Debug+Options/30894/

Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796

Published: 2024-05-02

Last Updated: 2024-05-02 18:07:05 UTC

by Johannes Ullrich (Version: 1)

Before diving into the vulnerability, a bit about the affected devices. LB-Link, the maker of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates.

Before buying any IoT device, WiFi router, or similar piece of equipment, please make sure the vendor does:

1. Offer firmware updates for download from an easy-to-find location.

2. Provide an "end of life" policy stating how long a particular device will receive updates.

Alternatively, you may want to verify if the device can be "re-flashed" using an open source firmware.

But let us go back to this vulnerability. There are two URLs affected, one of which showed up in our "First Seen URLs" ...

Read the full entry:

https://isc.sans.edu/diary/Scans+Probing+for+LBLink+and+Vinga+WRAC1200+routers+CVE202324796/30890/

Internet Storm Center Entries


Analyzing Synology Disks on Linux (2024.05.08)

https://isc.sans.edu/diary/Analyzing+Synology+Disks+on+Linux/30904/

Detecting XFinity/Comcast DNS Spoofing (2024.05.06)

https://isc.sans.edu/diary/Detecting+XFinityComcast+DNS+Spoofing/30898/

nslookup's Debug Options (2024.05.05)

https://isc.sans.edu/diary/nslookups+Debug+Options/30894/

Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796 (2024.05.02)

https://isc.sans.edu/diary/Scans+Probing+for+LBLink+and+Vinga+WRAC1200+routers+CVE202324796/30890/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-21006 - Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is vulnerable to an easily exploitable flaw, allowing unauthenticated attackers to compromise critical data or gain complete access to all server data.

Product: Oracle WebLogic Server

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21006

ISC Podcast: https://isc.sans.edu/podcastdetail/8972

CVE-2023-24796 - Vinga WR-AC1200 81.102.1.4370 and earlier versions are vulnerable to remote code execution via password parameter manipulation at /goform/sysTools and /adm/systools.asp endpoints.

Product: Vinga WR-AC1200_Firmware

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24796

ISC Podcast: https://isc.sans.edu/podcastdetail/8966

CVE-2024-2912 - BentoML framework is vulnerable to insecure deserialization, enabling remote code execution through specially crafted POST requests, allowing attackers to execute arbitrary commands on the server.

Product: BentoML framework

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2912

ISC Podcast: https://isc.sans.edu/podcastdetail/8964

CVE-2023-4473 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 are susceptible to command injection, enabling unauthorized execution of operating system commands via a manipulated URL.

Product: Zyxel Nas542_Firmware

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4473

ISC Podcast: https://isc.sans.edu/podcastdetail/8962

CVE-2023-4474 - The Zyxel NAS326 and NAS542 firmware versions V5.21(AAZF.14)C0 and V5.21(ABAG.11)C0 improperly neutralize special elements, allowing unauthenticated attackers to execute OS commands via a crafted URL.

Product: Zyxel Nas542_Firmware

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4474

ISC Podcast: https://isc.sans.edu/podcastdetail/8962

CVE-2024-32017 - RIOT operating system is vulnerable to buffer overflows due to a typo in the size check of the `gcoap_dns_server_proxy_get()` function, potentially leading to denial of service or arbitrary code execution if not manually checked.

Product: RIOT Operating System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32017

NVD References:

- http://www.openwall.com/lists/oss-security/2024/05/07/3

- https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/gcoap/dns.c#L319-L325

- https://github.com/RIOT-OS/RIOT/blob/master/sys/net/application_layer/gcoap/forward_proxy.c#L352

- https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v97j-w9m6-c4h3

CVE-2024-26304 - Aruba's L2/L3 Management service is vulnerable to buffer overflow, allowing unauthenticated remote code execution via specially crafted packets sent to the PAPI UDP port.

Product: Aruba's access point management protocol

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26304

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt

CVE-2024-26305 - The underlying Utility daemon in Aruba's access point management protocol (PAPI) is vulnerable to a buffer overflow that allows unauthenticated remote code execution via specially crafted packets on UDP port 8211.

Product: Aruba Utility daemon

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26305

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt

CVE-2024-33511 - Aruba's Automatic Reporting service is vulnerable to buffer overflow attacks via specially crafted packets sent to the PAPI UDP port (8211), allowing unauthenticated remote code execution as a privileged user on the operating system.

Product: Aruba Automatic Reporting Service

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33511

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt

CVE-2024-33512 - Aruba's Local User Authentication Database service has a buffer overflow vulnerability that allows unauthenticated remote code execution via specially crafted packets sent to the PAPI UDP port (8211), granting the attacker the ability to run arbitrary code as a privileged user on the operating system.

Product: Aruba Networks access point management protocol

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33512

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt

CVE-2023-47212 - stb_vorbis.c v1.22 is vulnerable to a heap-based buffer overflow through a specially crafted .ogg file, leading to an out-of-bounds write triggered by a malicious attacker.

Product: stb stb_vorbis

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47212

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846

CVE-2023-49606 - Tinyproxy is vulnerable to a use-after-free flaw in HTTP Connection Headers parsing, allowing an attacker to execute remote code with an unauthenticated HTTP request.

Product: Tinyproxy

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-49606

NVD References:

- http://www.openwall.com/lists/oss-security/2024/05/07/1

- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

CVE-2024-4142 - JFrog Artifactory has a vulnerability in input validation that allows for privilege escalation, potentially granting low privilege users administrative access and affecting platforms with anonymous access enabled.

Product: JFrog Artifactory

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4142

NVD References: https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories

CVE-2024-32962 - xml-crypto, an XML digital signature and encryption library for Node.js, allows a malicious actor in affected versions to re-sign an XML document and spoof signature verification.

Product: xml-crypto Node.js

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32962

NVD References:

- https://github.com/node-saml/xml-crypto/commit/21201723d2ca9bc11288f62cf72552b7d659b000

- https://github.com/node-saml/xml-crypto/commit/c2b83f984049edb68ad1d7c6ad0739ec92af11ca

- https://github.com/node-saml/xml-crypto/pull/301

- https://github.com/node-saml/xml-crypto/pull/445

- https://github.com/node-saml/xml-crypto/security/advisories/GHSA-2xp3-57p7-qf4v

- https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/#sec-CoreValidation

CVE-2024-32971 - Apollo Router is vulnerable to a bug that could lead to unexpected operations being executed in limited circumstances, due to a defect in cache retrieval logic when using distributed query plan caching.

Product: Apollo Router

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32971

NVD References:

- https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529

- https://github.com/apollographql/router/releases/tag/v1.45.1

- https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v

- https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching

CVE-2024-33913 - Xserver Migrator is vulnerable to a Cross-Site Request Forgery flaw that allows for Arbitrary File Upload from versions n/a through 1.6.1.

Product: Xen Orchestra Xserver Migrator

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33913

NVD References: https://patchstack.com/database/vulnerability/xserver-migrator/wordpress-xserver-migrator-plugin-1-6-1-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-2667 - The InstaWP Connect plugin for WordPress is vulnerable to arbitrary file uploads through the /wp-json/instawp-connect/v1/config REST API endpoint, allowing unauthenticated attackers to upload files.

Product: InstaWP Connect - 1-click WP Staging & Migration plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2667

NVD References:

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3061039%40instawp-connect&new=3061039%40instawp-connect&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/f6aead8d-c136-4952-ad03-86fe0f144dea?source=cve

CVE-2024-2876 - The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection in all versions up to 5.7.14, allowing unauthenticated attackers to extract sensitive information from the database.

Product: Email Subscribers by Icegram Express

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2876

NVD References:

- https://github.com/WordpressPluginDirectory/email-subscribers/blob/main/email-subscribers/lite/admin/class-email-subscribers-admin.php#L1433

- https://github.com/WordpressPluginDirectory/email-subscribers/blob/main/email-subscribers/lite/includes/classes/class-ig-es-subscriber-query.php#L304

- https://plugins.trac.wordpress.org/changeset/3060251/email-subscribers/trunk/lite/includes/classes/class-ig-es-subscriber-query.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ca6ac4-0d89-4601-94fc-cce5a0af9c56?source=cve

CVE-2024-3729 - The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper encryption exception handling, allowing unauthenticated attackers to manipulate user processing forms and potentially escalate privileges, bypass authentication, or inject malicious web scripts.

Product: DynamiApps Frontend Admin by DynamiApps

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3729

NVD References:

- https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.18.15/main/helpers.php#L617

- https://plugins.trac.wordpress.org/changeset/3073379/acf-frontend-form-element#file4

- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d22c5d-5ef5-4920-a1b5-e8284394c7e8?source=cve

CVE-2024-32986 - PWAsForFirefox allows malicious web apps to inject arbitrary code via improper sanitization of web app properties, impacting Linux and PortableApps.com users up to version 2.12.0.

Product: PWAsForFirefox PWAsForFirefox

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32986

NVD References:

- https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5

- https://github.com/filips123/PWAsForFirefox/releases/tag/v2.12.0

- https://github.com/filips123/PWAsForFirefox/security/advisories/GHSA-jmhv-m7v5-g5jq

CVE-2024-4466 - Gescen on the centrosdigitales.net platform is vulnerable to SQL injection, allowing attackers to access sensitive database information by sending malicious SQL queries.

Product: Gescen centrosdigitales.net

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4466

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-gescen

CVE-2024-4547 & CVE-2024-4548 - Delta Electronics DIAEnergie v1.10.1.8610 and prior are affected by SQL injection vulnerabilities.

Product: Delta Electronics DIAEnergie

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4547

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4548

NVD References: https://www.tenable.com/security/research/tra-2024-13

CVE-2024-4186 - The Build App Online plugin for WordPress is vulnerable to authentication bypass due to an empty default value for 'eb_user_email_verification_key' and missing check in 'eb_user_email_verify', allowing unauthenticated attackers to log in as any existing user if they have access to the user id and 'Email Verification' setting is enabled.

Product: WordPress Build App Online plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4186

NVD References:

- https://plugins.trac.wordpress.org/browser/edwiser-bridge/tags/3.0.4/includes/class-eb-user-manager.php#L1571

- https://plugins.trac.wordpress.org/changeset/3081961/edwiser-bridge#file1

- https://www.wordfence.com/threat-intel/vulnerabilities/id/6969d281-f280-4714-9859-38ac66e9cc60?source=cve

CVE-2024-4345 - The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially achieve remote code execution.

Product: Startklar Elementor Addons

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4345

NVD References:

- https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/startklarDropZoneUploadProcess.php?rev=3061298#L7

- https://plugins.trac.wordpress.org/changeset/3081987/startklar-elmentor-forms-extwidgets

- https://www.wordfence.com/threat-intel/vulnerabilities/id/4221b33c-5cfa-48db-92bf-bf25ff3c5a5f?source=cve

CVE-2024-4346 - The Startklar Elementor Addons plugin for WordPress up to version 1.7.13 is vulnerable to arbitrary file deletion due to improper validation of uploaded file paths, allowing unauthenticated attackers to delete critical files and potentially execute remote code.

Product: Startklar Elementor Addons

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4346

NVD References:

- https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/startklarDropZoneUploadProcess.php?rev=3061298#L7

- https://plugins.trac.wordpress.org/changeset/3081987/startklar-elmentor-forms-extwidgets

- https://www.wordfence.com/threat-intel/vulnerabilities/id/a125bbf1-8ff6-4f3d-a4fb-caaaefe1df2a?source=cve

CVE-2024-34342 - react-pdf is vulnerable to unrestricted attacker-controlled JavaScript execution when loading malicious PDFs using PDF.js with `isEvalSupported` set to `true`, fixed in versions 7.7.3 and 8.0.2.

Product: react-pdf PDF.js

CVSS Score: 7.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34342

ISC Podcast: https://isc.sans.edu/podcastdetail/8972

NVD References:

- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6

- https://github.com/mozilla/pdf.js/pull/18015

- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq

- https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe

- https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad

- https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4

CVE-2024-4393 - The Social Connect plugin for WordPress up to version 1.2 is vulnerable to authentication bypass due to insufficient verification on the OpenID server during social login, allowing unauthenticated attackers to log in as any existing user on the site, including administrators, if they have access to the user's email.

Product: WordPress Social Connect plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4393

NVD References:

- https://plugins.trac.wordpress.org/browser/social-connect/tags/1.2/openid/openid.php#L575

- https://www.wordfence.com/threat-intel/vulnerabilities/id/2882d9dd-0c73-4c9a-99cb-d10900503103?source=cve

The following vulnerability needs a manual review:

CVE-2024-4367 - A vulnerability in Mozilla PDF.js could allow for arbitrary code execution

Product: Mozilla PDF.js PDF viewer

CVSS Score: N/A

NVD: N/A

NVD References:

- https://github.com/advisories/GHSA-wgrm-67xf-hhpq

- https://www.cisecurity.org/advisory/a-vulnerability-in-mozilla-pdfjs-could-allow-for-arbitrary-code-execution_2024-046