The Consensus Security Vulnerability Alert

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html Microsoft Patch Tuesday June 2024 Published: 2024-06-11 Last Updated: 2024-06-11 19:06:06 UTC by Johannes Ullrich (Version: 1) Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today. Vulnerabilities of Interest: CVE-2023-50868 NSEC closest enclosed proof can exhaust CPU: This issue became public in February. It affects not only Microsoft's DNS implementations but several other DNS servers. The vulnerability was made public by researchers from several German universities and research labs. They called it "KEYTRAP" and released a paper with details ... CVE-2024-30080 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability: MSMQ is the service that keeps on giving. The tricky part with MSMQ is that third party software often uses it. MSMQ usually listens on port port 1801/TCP. We do see a good amount of "background hum" on port 1801, and I do not see a good reason to expose it to the internet. Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2024/31000/ Attacker Probing for New PHP Vulnerability CVE-2024-4577 Published: 2024-06-09 Last Updated: 2024-06-09 21:03:28 UTC by Johannes Ullrich (Version: 1) Our honeypots have detected the first probes for CVE-2024-4577. This vulnerability was originally discovered by Orange Tsai on Friday (June 7th). Watchtwr labs followed up with a detailed blog post and a proof of concept exploit. Watchtwr Labs says PHP is only vulnerable if used in CGI mode in Chinese and Japanese locales. According to Orange Tsai, other locales may be vulnerable as well. In CGI mode on Windows, the web server will execute "php.exe" and pass user-supplied parameters as command line or environment variables. This may potentially lead to OS command injection, a vulnerability I just covered last week in a video. As parameters are passed from Apache to the command line, Apache will escape hyphens and render them harmless. However, an attacker may provide a "soft hyphen" (Unicode code point 0x00AD). PHP performs "best fit mapping" on characters passed on the command line, translating it to a dash. This allows an attacker to bypass the Apache escape process, and inject dashes. With that, an attacker can supply command line arguments to php.exe. A possibly choice outlined by Watchtwr is ... Read the full entry: https://isc.sans.edu/diary/Attacker+Probing+for+New+PHP+Vulnerablity+CVE20244577/30994/ Brute Force Attacks Against Watchguard VPN Endpoints Published: 2024-06-05 Last Updated: 2024-06-05 14:05:58 UTC by Johannes Ullrich (Version: 1) If you have a pulse and work in information security (or are a new scraping script without a pulse), you have probably seen reports of attacks against VPN endpoints. Running any VPN without strong authentication has been negligent for years, but in recent times, ransomware gangs, in particular, picked them off pretty quickly. One of our honeypots just saw an attacker move through, attempting to brute force a Watchguard firewall VPN. I haven't seen much written about Watchguard lately, so I figured this may be a good reminder. The requests I was seeing against one honeypot in particular ... Read the full entry: https://isc.sans.edu/diary/Brute+Force+Attacks+Against+Watchguard+VPN+Endpoints/30984/

Finding End of Support Dates: UK PTSI Regulation (2024.06.07) https://isc.sans.edu/diary/Finding+End+of+Support+Dates+UK+PTSI+Regulation/30992/

Malicious Python Script with a "Best Before" Date (2024.06.06) https://isc.sans.edu/diary/Malicious+Python+Script+with+a+Best+Before+Date/30988/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

Product: PHPCVSS Score: 9.8** KEV since 2024-06-12 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4577ISC Diary: https://isc.sans.edu/diary/30994ISC Podcast: https://isc.sans.edu/podcastdetail/9016NVD References: - http://www.openwall.com/lists/oss-security/2024/06/07/1- https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html- https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/- https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately NVD References: https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/NVD References: https://github.com/11whoami99/CVE-2024-4577NVD References: https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jvNVD References: https://github.com/rapid7/metasploit-framework/pull/19247NVD References: https://github.com/watchtowrlabs/CVE-2024-4577NVD References: https://github.com/xcanwin/CVE-2024-4577-PHP-RCENVD References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/NVD References: https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/NVD References: https://www.php.net/ChangeLog-8.php#8.1.29NVD References: https://www.php.net/ChangeLog-8.php#8.2.20NVD References: https://www.php.net/ChangeLog-8.php#8.3.8CVE-2024-30080 - Microsoft Message Queuing (MSMQ) Remote Code Execution VulnerabilityProduct: Microsoft Message Queuing (MSMQ)CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30080ISC Diary: https://isc.sans.edu/diary/31000NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080CVE-2024-29849 - Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.Product: Veeam Backup Enterprise ManagerCVSS Score: 0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29849ISC Podcast: https://isc.sans.edu/podcastdetail/9018CVE-2024-4610 - Arm Ltd Bifrost and Valhall GPU Kernel Drivers from r34p0 through r40p0 allow local non-privileged users to access already freed memory through improper GPU memory processing operations.Product: Arm Bifrost Gpu Kernel DriverCVSS Score: 5.5** KEV since 2024-06-12 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4610NVD References: https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20VulnerabilitiesCVE-2024-29972 & CVE-2024-29973 - Zyxel NAS326 and NAS542 are vulnerable to command injectionProduct: Zyxel NAS326CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29972NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29973NVD References: - https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024CVE-2024-29974 - Zyxel NAS326 and NAS542 are vulnerable to remote code execution via crafted configuration file uploads.Product: Zyxel NAS326CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29974NVD References: - https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024CVE-2024-4552 - The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass through social login, allowing unauthenticated attackers to log in as any existing user on the site, up to version 1.6.0.Product: WordPress Social Login Lite For WooCommerce pluginCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4552NVD References: - https://plugins.trac.wordpress.org/browser/social-login-lite-for-woocommerce/tags/1.6.0/woocommerce_social_login.php#L499- https://www.wordfence.com/threat-intel/vulnerabilities/id/f91d6ad6-82fc-4507-90e2-aedfff26bac5?source=cveCVE-2023-33930 - Unlimited Elements For Elementor (Free Widgets, Addons, Templates) before version 1.5.66 allows Code Injection through unrestricted upload of dangerous file types.Product: Unlimited Elements For ElementorCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33930NVD References: https://patchstack.com/database/vulnerability/unlimited-elements-for-elementor/wordpress-unlimited-elements-for-elementor-plugin-1-5-66-unrestricted-zip-extraction-vulnerability?_s_id=cveCVE-2024-25600 - Bricks Builder by Codeer Limited is vulnerable to Code Injection from versions n/a through 1.9.6.Product: Codeer Limited Bricks BuilderCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25600NVD References: - https://github.com/Chocapikk/CVE-2024-25600- https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT- https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme?_s_id=cve- https://patchstack.com/database/vulnerability/bricks/wordpress-bricks-theme-1-9-6-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve- https:…

Product: Codeer Limited Bricks BuilderCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25600NVD References: - https://github.com/Chocapikk/CVE-2024-25600- https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT- https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme?_s_id=cve- https://patchstack.com/database/vulnerability/bricks/wordpress-bricks-theme-1-9-6-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve- https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6CVE-2024-33560 - XStore is vulnerable to improper limitation of a pathname, allowing PHP local file inclusion from n/a through 9.3.8.Product: 8theme XStoreCVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33560NVD References: https://patchstack.com/database/vulnerability/xstore/wordpress-xstore-theme-9-3-5-unauthenticated-local-file-inclusion-vulnerability?_s_id=cveCVE-2024-34551 - Stockholm: from n/a through 9.6 is vulnerable to a Path Traversal issue allowing PHP Local File Inclusion.Product: Select-Themes StockholmCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34551NVD References: https://patchstack.com/database/vulnerability/stockholm/wordpress-stockholm-theme-9-6-unauthenticated-local-file-inclusion-vulnerability?_s_id=cveCVE-2024-35629 - Wow-Company Easy Digital Downloads – Recent Purchases is vulnerable to PHP Remote File Inclusion due to improper control of filename for include/require statement.Product: Wow-Company Easy Digital DownloadsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35629NVD References: https://patchstack.com/database/vulnerability/edd-recent-purchases/wordpress-easy-digital-downloads-recent-purchases-plugin-1-0-2-remote-file-inclusion-vulnerability?_s_id=cveCVE-2024-35700 - Improper Privilege Management vulnerability in DeluxeThemes Userpro allows Privilege Escalation.This issue affects Userpro: from n/a through 5.1.8.Product: Userpro plugin CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35700NVD References: https://patchstack.com/database/vulnerability/userpro/wordpress-userpro-plugin-5-1-8-unauthenticated-account-takeover-vulnerability?_s_id=cveCVE-2024-36400 - Nano-id is a unique string ID generator for Rust that incorrectly generated IDs with a reduced character set, leading to predictability and vulnerability in security-sensitive contexts.Product: Viz Nano IDCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36400NVD References: - https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23- https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94CVE-2024-35670 - Broken Authentication vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.93.Product: Softlab Integrate Google DriveCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35670NVD References: https://patchstack.com/database/vulnerability/integrate-google-drive/wordpress-integrate-google-drive-plugin-1-3-93-broken-access-control-vulnerability?_s_id=cveCVE-2024-35672 - Missing Authorization vulnerability in Netgsm. This issue affects Netgsm: from n/a through 2.9.16.Product: Netgsm CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35672NVD References: https://patchstack.com/database/vulnerability/netgsm/wordpress-netgsm-plugin-2-9-16-broken-access-control-vulnerability-2?_s_id=cveCVE-2024-36604 - Tenda O3V2 v1.0.0.12(3880) is vulnerable to Blind Command Injection via stpEn parameter, enabling attackers to run arbitrary codes as root.Product: Tenda O3V2CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36604NVD References: https://exzettabyte.me/blind-command-injection-in-stp-service-on-tenda-o3v2/CVE-2024-36858 & CVE-2024-37273 - Jan v0.4.12 is vulnerable to arbitrary file upload flawsProduct: Homebrew JanCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36858NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37273NVD References: https://github.com/HackAllSec/CVEs/tree/main/Jan%20Arbitrary%20File%20Upload%20vulnerabilityCVE-2024-28103 - Action Pack does not properly handle the application configurable Permissions-Policy in non-HTML responses, leading to a vulnerability in versions prior to 6.1.7.8, 7.0.8.2, and 7.1.3.3.Product: Rubyonrails RailsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28103NVD References: - https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523- https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7CVE-2024-4219 - BeyondInsight is vulnerable to server-side request forgery prior to version 23.2 via HTTP-based connectors.Product: BeyondTrust BeyondInsightCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4219NVD References: https://www.beyondtrust.com/trust-center/security-advisories/BT24-05CVE-2024-36121 - Netty-incubator-codec-ohttp is vulnerable to an encryption nonce repetition attack due to err…