INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft Patch Tuesday June 2024
Published: 2024-06-11
Last Updated: 2024-06-11 19:06:06 UTC
by Johannes Ullrich (Version: 1)
Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today.
Vulnerabilities of Interest:
CVE-2023-50868 NSEC closest encloser proof can exhaust CPU: This issue became public in February. It affects not only Microsoft's DNS implementations but several other DNS servers. The vulnerability was made public by researchers from several German universities and research labs. They called it "KEYTRAP" and released a paper with details ...
CVE-2024-30080 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability: MSMQ is the service that keeps on giving. The tricky part with MSMQ is that third-party software often uses it. MSMQ usually listens on port 1801/TCP. We do see a good amount of "background hum" on port 1801, and I do not see a good reason to expose it to the internet.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2024/31000/
Attacker Probing for New PHP Vulnerability CVE-2024-4577
Published: 2024-06-09
Last Updated: 2024-06-09 21:03:28 UTC
by Johannes Ullrich (Version: 1)
Our honeypots have detected the first probes for CVE-2024-4577. This vulnerability was originally discovered by Orange Tsai on Friday (June 7th). watchTowr Labs followed up with a detailed blog post and a proof of concept exploit.
watchTowr Labs says PHP is only vulnerable if used in CGI mode in Chinese and Japanese locales. According to Orange Tsai, other locales may be vulnerable as well.
In CGI mode on Windows, the web server will execute "php.exe" and pass user-supplied parameters as command line or environment variables. This may potentially lead to OS command injection, a vulnerability I just covered last week in a video.
As parameters are passed from Apache to the command line, Apache will escape hyphens and render them harmless. However, an attacker may provide a "soft hyphen" (Unicode code point U+00AD). PHP performs "best fit mapping" on characters passed on the command line, translating the soft hyphen to a dash. This allows an attacker to bypass the Apache escape process and inject dashes. With that, an attacker can supply command line arguments to php.exe. A possible choice outlined by watchTowr is ...
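To see how the soft-hyphen bypass looks from the defender's side, here is an added example (not from the diary or from watchTowr) that scans constructed Apache access-log lines, percent-decodes each query string, applies a simplified model of the best-fit mapping (U+00AD becomes "-"), and flags requests where the mapped query would start an argument with a dash:

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log lines (not real traffic). One benign request,
# two carrying a percent-encoded soft hyphen: as a bare 0xAD byte and as its
# UTF-8 form 0xC2 0xAD.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2024:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.9 - - [09/Jun/2024:10:00:02 +0000] "POST /index.php?%ADexample+value HTTP/1.1" 200 64
203.0.113.9 - - [09/Jun/2024:10:00:03 +0000] "GET /cgi-bin/php-cgi.exe?%C2%ADflag HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def best_fit(raw: bytes) -> str:
    """Simplified model of Windows best-fit mapping (assumption, not the real
    code-page tables): collapse the UTF-8 soft hyphen to one byte, decode as
    Latin-1, and map U+00AD to an ASCII dash."""
    raw = raw.replace(b"\xc2\xad", b"\xad")
    return raw.decode("latin-1").replace("\xad", "-")


def query_injects_dash(target: str) -> bool:
    """True if the query string holds a soft hyphen that best-fit maps to a
    dash at an argument boundary (start of query, or after '+' / space)."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    decoded = unquote_to_bytes(query)  # keeps '+' literal, decodes %XX
    if b"\xad" not in decoded and b"\xc2\xad" not in decoded:
        return False
    mapped = best_fit(decoded)
    # Apache splits the query on '+' when building the CGI argv, so a dash at
    # the start of any token would be seen by php.exe as an option.
    return any(tok.startswith("-") for tok in re.split(r"[+ ]", mapped))


def scan_log(text: str) -> list[str]:
    """Return the log lines whose request target trips query_injects_dash."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and query_injects_dash(m.group("target")):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

A soft hyphen in the middle of a value (for example `?a=%ADb`) is not flagged, since it cannot start a new argument; only a dash at a token boundary matters for the bypass.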
Read the full entry:
https://isc.sans.edu/diary/Attacker+Probing+for+New+PHP+Vulnerablity+CVE20244577/30994/
Brute Force Attacks Against Watchguard VPN Endpoints
Published: 2024-06-05
Last Updated: 2024-06-05 14:05:58 UTC
by Johannes Ullrich (Version: 1)
If you have a pulse and work in information security (or are a new scraping script without a pulse), you have probably seen reports of attacks against VPN endpoints. Running any VPN without strong authentication has been negligent for years, but in recent times, ransomware gangs, in particular, picked them off pretty quickly.
One of our honeypots just saw an attacker move through, attempting to brute force a Watchguard firewall VPN. I haven't seen much written about Watchguard lately, so I figured this may be a good reminder. The requests I was seeing against one honeypot in particular ...
Read the full entry:
https://isc.sans.edu/diary/Brute+Force+Attacks+Against+Watchguard+VPN+Endpoints/30984/