ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Got MFA? If not, Now is the Time!
Published: 2024-05-15
Last Updated: 2024-05-15 12:04:47 UTC
by Rob VandenBrink (Version: 1)
I had an interesting call from a client recently - they had a number of "net use" and "psexec" commands pop up on a domain controller, all called from PSEXEC (thank goodness for a good EDR deployed across the board!!). The source IP was a VPN session.
Anyway, we almost immediately declared an incident, and the VPN that was in use that had just Userid / Password authentication was the ingress. We found a US employee with an active VPN session from Europe (the classic "impossible geography session") - so the standard "kill the session, deactivate the account / change the password action" ensued.
Followed by a serious conversation - really your userid/password protected VPN is only as strong as your weakest password. And you KNOW that some folks have kept their "Welcome123" password that they got at their last "I forgot my password" helpdesk call. Also, your userid/password VPN is only as strong as the weakest other site that your folks have used their work credentials for.
Anyway, the actions and discussion above were followed by the "who would want to target us?" conversation, so off to the logs we went.
The standard Cisco VPN rejected login syslog message looks like this ...
Read the full entry:
https://isc.sans.edu/diary/Got+MFA+If+not+Now+is+the+Time/30926/
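The two things the diary's log review is hunting for, an "impossible geography" session and a successful login that follows a run of rejected attempts, are easy to script once the VPN log has been parsed. The example below is added here and is not code from the diary or from ISC. Its log format is constructed for illustration and is NOT the Cisco ASA syslog format the diary goes on to show; the `geo=lat,lon` field stands in for whatever GeoIP enrichment your SIEM applies to the source address. The speed threshold of 900 km/h (roughly an airliner) and the three-rejects-in-ten-minutes rule are illustrative choices, not values from the diary.

```python
"""Detection helpers for userid/password VPN logs (added example, not from the ISC diary):
impossible-travel sessions and a successful login that follows a burst of rejects.

The log format below is CONSTRUCTED for illustration and is not the Cisco ASA syslog
format. Hypothetical fields: ISO timestamp, ACCEPT/REJECT, user, source IP, geo=lat,lon.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jsmith is guessed after three rejects from Berlin, then shows up
# from Chicago six hours later; adoe moves Chicago -> New York over a working day.
SAMPLE_LOG = """\
2024-05-13T08:02:11Z REJECT  user=jsmith src=203.0.113.7  geo=52.52,13.40
2024-05-13T08:02:14Z REJECT  user=jsmith src=203.0.113.7  geo=52.52,13.40
2024-05-13T08:02:19Z REJECT  user=jsmith src=203.0.113.7  geo=52.52,13.40
2024-05-13T08:02:25Z ACCEPT  user=jsmith src=203.0.113.7  geo=52.52,13.40
2024-05-13T14:30:00Z ACCEPT  user=jsmith src=198.51.100.9 geo=41.88,-87.63
2024-05-13T09:00:00Z ACCEPT  user=adoe   src=198.51.100.4 geo=41.88,-87.63
2024-05-13T17:45:00Z ACCEPT  user=adoe   src=198.51.100.4 geo=40.71,-74.01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>ACCEPT|REJECT)\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+geo=(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)$"
)


def parse_log(text):
    """Parse the constructed log into event dicts, sorted per user by time.
    Lines that do not match the hypothetical format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
            "lat": float(m["lat"]),
            "lon": float(m["lon"]),
        })
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive ACCEPTs for one user whose distance/time would exceed max_kmh."""
    findings = []
    last = {}  # user -> previous successful login
    for e in events:
        if e["result"] != "ACCEPT":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Same instant, different place: treat as infinite speed; same place: zero.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append({"user": e["user"], "from": prev["src"], "to": e["src"],
                                 "km": round(km), "kmh": round(speed)})
        last[e["user"]] = e
    return findings


def success_after_rejects(events, min_rejects=3, window=timedelta(minutes=10)):
    """Flag an ACCEPT preceded by at least min_rejects REJECTs for the same user
    inside the window: the trail a guessed weak password tends to leave."""
    findings = []
    recent = defaultdict(list)  # user -> timestamps of REJECTs still inside the window
    for e in events:
        recent[e["user"]] = hist = [t for t in recent[e["user"]] if e["ts"] - t <= window]
        if e["result"] == "REJECT":
            hist.append(e["ts"])
        elif len(hist) >= min_rejects:
            findings.append({"user": e["user"], "src": e["src"], "rejects": len(hist)})
            hist.clear()
    return findings


def run(text=SAMPLE_LOG):
    """Run both detections over a log text and return the findings by kind."""
    events = parse_log(text)
    return {"impossible_travel": impossible_travel(events),
            "success_after_rejects": success_after_rejects(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

Both rules are deliberately simple: the travel check only compares successive successful logins per user, so it will not fire on a single login from an unusual country, and the reject-burst rule keys on the user rather than the source IP because a spray from a botnet rotates addresses. In a real deployment the thresholds and the GeoIP source are the tunables; the structure stays the same.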
Microsoft May 2024 Patch Tuesday
Published: 2024-05-14
Last Updated: 2024-05-14 17:28:16 UTC
by Renato Marinho (Version: 1)
This month we got patches for 67 vulnerabilities. Of these, 1 is critical, and 1 is being exploited according to Microsoft.
The critical vulnerability is a Remote Code Execution (RCE) affecting the Microsoft Sharepoint Server (CVE-2024-30044). According to the advisory, an authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted Sharepoint Server and craft specialized API requests to trigger deserialization of the file's parameters. This would enable the attacker to perform remote code execution in the context of the Sharepoint Server. The CVSS for the vulnerability is 8.8.
The zero-day vulnerability is an elevation of privilege on Windows DWM (Desktop Windows Management) Core Library (CVE-2024-30051). According to the advisory, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The CVSS for the vulnerability is 7.8.
There is an important vulnerability affecting MinGit software (CVE-2024-32002), used by Microsoft Visual Studio, caused by an improper limitation of a pathname to a restricted directory ('Path Traversal') making it susceptible to Remote Code Execution. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. The CVSS for the vulnerability is 9.0 – the highest for this month.
See the full list of patches ...
Read the full entry:
https://isc.sans.edu/diary/Microsoft+May+2024+Patch+Tuesday/30920/
Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated.
Published: 2024-05-14
Last Updated: 2024-05-14 01:43:19 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296, is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS ...
Read the full entry:
https://isc.sans.edu/diary/Apple+Patches+Everything+macOS+iOS+iPadOS+watchOS+tvOS+updated/30916/
DNS Suffixes on Windows (2024.05.12)
https://isc.sans.edu/diary/DNS+Suffixes+on+Windows/30912/
Analyzing PDF Streams (2024.05.09)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-30051 - Windows DWM Core Library Elevation of Privilege Vulnerability
Product: Microsoft Windows DWM Core Library
CVSS Score: 7.8
** KEV since 2024-05-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30051
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30051
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30051

CVE-2024-32002 - Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution
Product: Git
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32002
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-32002
NVD References:
- https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
- https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
- https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d
- https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv

CVE-2024-4671 - Chromium: Use after free in Visuals
Product: Google Chrome
CVSS Score: 0
** KEV since 2024-05-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4671
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4671
NVD References:
- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html
- https://issues.chromium.org/issues/339266700

CVE-2024-4558 - Chromium: Use after free in ANGLE
Product: Google Chrome
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4558
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4558
NVD References:
- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html
- https://issues.chromium.org/issues/337766133

CVE-2024-4559 - Chromium: Heap buffer overflow in WebAudio
Product: Google Chrome
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4559
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4559
NVD References:
- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html
- https://issues.chromium.org/issues/331369797

CVE-2024-4331 - Chromium: Use after free in Picture In Picture
Product: Google Chrome
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4331
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4331

CVE-2024-4368 - Chromium: Use after free in Dawn
Product: Google Chrome
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4368
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4368

CVE-2024-30040 - Windows MSHTML Platform Security Feature Bypass Vulnerability
Product: Microsoft Windows MSHTML Platform
CVSS Score: 8.8
** KEV since 2024-05-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30040
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30040
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30040

CVE-2024-21006 - Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is vulnerable to an easily exploitable flaw, allowing unauthenticated attackers to compromise critical data or gain complete access to all server data.
Product: Oracle WebLogic Server
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21006
ISC Podcast: https://isc.sans.edu/podcast/8972

CVE-2024-30044 - Microsoft SharePoint Server Remote Code Execution Vulnerability
Product: Microsoft SharePoint Server
CVSS Score: 7.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30044
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30044
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30044

CVE-2024-32004 - GitHub: Remote Code Execution while cloning special-crafted local repositories
Product: GitHub
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32004
ISC Diary: https://isc.sans.edu/diary/30920
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-32004
NVD References:
- https://git-scm.com/docs/git-clone
- https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
- https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389

CVE-2024-34342 - react-pdf is vulnerable to unrestricted attacker-contro…
Multicloud environments have become the de facto way of doing business, with 86% of organizations currently deploying a multicloud approach. However, multicloud security is an enormously complex undertaking—requiring organizations to manage security and compliance across multiple cloud service providers, ensure data portability, and optimize costs. In this report, Microsoft identifies the top multicloud security risks across Microsoft Azure, AWS, and GCP. Download here:
Take the SANS 2024 Multicloud Survey: Securing Multiple Clouds Amid Constant Changes | This survey will explore the underlying forces behind why multicloud customers make the cloud adoption decisions that have been identified in past surveys. Complete this survey and you'll be entered to win a $400 Amazon gift card for your time.