Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Handling BOM MIME Files

Published: 2024-06-19

Last Updated: 2024-06-19 09:23:22 UTC

by Didier Stevens (Version: 1)

A reader contacted me with an eml file (which turned out to be benign) that emldump.py could not parse correctly.

I've written several diary entries explaining how to analyse MIME/eml files with my emldump.py tool, back in the days when threat actors were discovering all kinds of obfuscation tricks that I tried to defeat in my emldump.py tool.

The output of emldump.py for a sample MIME/eml file looks like this ...

Read the full entry:

https://isc.sans.edu/diary/Handling+BOM+MIME+Files/31022/

New NetSupport Campaign Delivered Through MSIX Packages

Published: 2024-06-17

Last Updated: 2024-06-17 07:22:40 UTC

by Xavier Mertens (Version: 1)

It's amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport client preconfigured to phone home to an attacker-controlled manager. Remote support tools are really "cool" for attackers because they provide a perfect way to communicate with infected computers without the need to develop their own C2 infrastructure and protocol! While some are popular and often searched for as evidence of compromise (like AnyDesk or TeamViewer), there are others, like NetSupport, that tend to remain below the radar. This one is available for free for 30 days (more than enough to launch a campaign) and provides all the expected features to interact with victims ...

Read the full entry:

https://isc.sans.edu/diary/New+NetSupport+Campaign+Delivered+Through+MSIX+Packages/31018/

Port 1801 Traffic: Microsoft Message Queue

Published: 2024-06-12

Last Updated: 2024-06-12 17:49:25 UTC

by Johannes Ullrich (Version: 1)

I planned a bit more of a conclusive story here, but after running into issues decoding the packets and running out of time between looking at student papers, I figured I would leave it up to the audience ;-) Maybe someone here better understands the Microsoft Message Queue (MSMQ) protocol.

Yesterday's Microsoft patch Tuesday included a single critical vulnerability, a code execution vulnerability in MSMQ. I noted in the podcast that we see some "background hum" on port 1801, the port used by MSMQ ...

So I fired up some netcat listeners on port 1801, and after a short wait, this is what I got ...

Read the full entry:

https://isc.sans.edu/diary/Port+1801+Traffic+Microsoft+Message+Queue/31004/

Internet Storm Center Entries


Video Meta Data: DJI Drones (2024.06.16)

https://isc.sans.edu/diary/Video+Meta+Data+DJI+Drones/31014/

Overview of My Tools That Handle JSON Data (2024.06.15)

https://isc.sans.edu/diary/Overview+of+My+Tools+That+Handle+JSON+Data/31012/

The Art of JQ and Command-line Fu [Guest Diary] (2024.06.13)

https://isc.sans.edu/diary/The+Art+of+JQ+and+Commandline+Fu+Guest+Diary/31006/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-26169 - Windows Error Reporting Service Elevation of Privilege Vulnerability

Product: Microsoft Windows Error Reporting Service

CVSS Score: 0

** KEV since 2024-06-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26169

ISC Podcast: https://isc.sans.edu/podcastdetail/9022

CVE-2024-32896 - Android Pixel Firmware has a logic error that could allow for local privilege escalation without the need for additional execution privileges, but requires user interaction for exploitation.

Product: Google Android Pixel Firmware

CVSS Score: 7.8 / AtRiskScore: 40

** KEV since 2024-06-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32896

NVD References: https://source.android.com/security/bulletin/pixel/2024-06-01

CVE-2024-2012 - FOXMAN-UN/UNEM server / API Gateway has a vulnerability that could allow attackers to execute unintended commands and access or modify sensitive data.

Product: FOXMAN UNEM Server / API Gateway

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2012

NVD References: https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true

CVE-2024-2013 - FOXMAN-UN/UNEM server / API Gateway component exposes an authentication bypass vulnerability, granting attackers unauthorized interaction with services and access to the post-authentication attack surface.

Product: FOXMAN-UN/UNEM server / API Gateway

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2013

NVD References: https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true

CVE-2024-30080 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Product: Microsoft Windows 10 1507

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30080

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080

CVE-2024-30103 - Microsoft Outlook Remote Code Execution Vulnerability

Product: Microsoft Outlook

CVSS Score: 8.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30103

ISC Podcast: https://isc.sans.edu/podcastdetail/9024

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30103

CVE-2024-35213 - QNX SDP versions 6.6, 7.0, and 7.1 are vulnerable to improper input validation in the SGI Image Codec, potentially enabling a denial-of-service attack or code execution by an attacker.

Product: QNX SDP

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35213

NVD References: https://support.blackberry.com/pkb/s/article/139914

CVE-2024-37301 - Document Merge Service is vulnerable to remote code execution via server-side template injection in versions 6.5.1 and prior, allowing for full system takeover with no available patch or workaround.

Product: Fossun Document Merge Service

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37301

NVD References:

- https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074

- https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6

CVE-2024-35225 - Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them, with versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 vulnerable to a reflected cross-site scripting (XSS) issue in the `/proxy` endpoint.

Product: Jupyter Server Proxy

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35225

NVD References:

- https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328

- https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22

- https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878

- https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr

CVE-2024-4898 - The InstaWP Connect plugin for WordPress allows unauthenticated attackers to edit site options and create administrator accounts.

Product: InstaWP Connect Plugin for WordPress

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4898

NVD References:

- https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926

- https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve

CVE-2024-37036 - Out of Bounds Write Vulnerability in Schneider Electric SAGE RTU products could allow for authentication bypass through out-of-bounds write when sending a malformed POST request with specific configuration parameters.

Product: Schneider Electric SAGE RTU Products

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37036

NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf

CVE-2024-3922 - Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter, allowing unauthenticated attackers to extract sensitive information from the database.

Product: WordPress Dokan Pro plugin

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3922

NVD References:

- https://dokan.co/docs/wordpress/changelog/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/d9de41de-f2f7-4b16-8ec9-d30bbd3d8786?source=cve

CVE-2024-34102 & CVE-2024-34108 - Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier contain an XXE vulnerability (CVE-2024-34102) and an improper input validation vulnerability (CVE-2024-34108).

Product: Adobe Commerce

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34102

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34108

NVD References: https://helpx.adobe.com/security/products/magento/apsb24-40.html

CVE-2024-4371 - The CoDesigner WooCommerce Builder for Elementor plugin for WordPress is vulnerable to PHP Object Injection, allowing unauthenticated attackers to inject a PHP Object via deserialization of untrusted input from the recently_viewed_products cookie.

Product: CoDesigner WooCommerce Builder for Elementor

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4371

NVD References:

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3099922%40woolementor&new=3099922%40woolementor&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/d1e5131a-9e72-441d-971c-8b9af35cf3f7?source=cve

CVE-2024-30299 & CVE-2024-30300 - Adobe Framemaker Publishing Server versions 2020.3, 2022.2, and earlier are vulnerable to improper authentication (CVE-2024-30299) and information exposure (CVE-2024-30300).

Product: Adobe Framemaker Publishing Server

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30299

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30300

NVD References: https://helpx.adobe.com/security/products/framemaker-publishing-server/apsb24-38.html

CVE-2024-0095 - NVIDIA Triton Inference Server is vulnerable to injection attacks allowing unauthorized code execution and various security risks.

Product: NVIDIA Triton Inference Server

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0095

NVD References: https://nvidia.custhelp.com/app/answers/detail/a_id/5546

CVE-2024-27143, CVE-2024-27144, & CVE-2024-27145 - Toshiba printers are vulnerable to remote root access due to SNMP configuration (CVE-2024-27143), multiple file upload vulnerabilities (CVE-2024-27144), and remote compromise and file overwrite attacks through multiple pathways in the admin web interface (CVE-2024-27145).

Product: Toshiba Printers

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27143

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27144

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27145

NVD References:

- https://jvn.jp/en/vu/JVNVU97136265/index.html

- https://www.toshibatec.com/information/20240531_01.html

- https://www.toshibatec.com/information/pdf/information20240531_01.pdf

CVE-2024-3080 - Certain ASUS router models have an authentication bypass vulnerability, allowing unauthenticated remote attackers to log in to the device.

Product: ASUS Routers

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3080

NVD References:

- https://www.twcert.org.tw/en/cp-139-7860-760b1-2.html

- https://www.twcert.org.tw/tw/cp-132-7859-0e104-1.html

CVE-2024-3912 - ASUS routers are vulnerable to arbitrary firmware upload, allowing remote attackers to execute system commands without authentication.

Product: ASUS routers

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3912

NVD References:

- https://www.twcert.org.tw/en/cp-139-7876-396bd-2.html

- https://www.twcert.org.tw/tw/cp-132-7875-872d3-1.html

CVE-2024-27172, CVE-2024-27173, & CVE-2024-27174 - Remote Command program vulnerabilities allow an attacker to achieve remote code execution. For the affected products/models/versions, see the reference URL.

Product: Toshiba Remote Command program

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27172

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27173

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27174

NVD References:

- https://jvn.jp/en/vu/JVNVU97136265/index.html

- https://www.toshibatec.com/information/20240531_01.html

- https://www.toshibatec.com/information/pdf/information20240531_01.pdf

CVE-2024-4936 - The Canto plugin for WordPress is vulnerable to Remote File Inclusion up to version 3.0.8, allowing unauthenticated attackers to execute code by including remote files through the abspath parameter.

Product: Canto WordPress plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4936

NVD References:

- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/sizes.php#L15

- https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338?source=cve

CVE-2024-5577 - The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1.

Product: WordPress Where I Was, Where I Will Be plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5577

NVD References:

- https://plugins.trac.wordpress.org/browser/where-i-was-where-i-will-be/trunk/system/include/include_user.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/68e0f54d-08ec-4e41-ac9b-d72cdde5a724?source=cve

CVE-2024-2472 - The LatePoint Plugin for WordPress is vulnerable to unauthorized access and modification of customer data in versions up to 4.9.9.

Product: LatePoint Plugin, UnityEngine

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2472

NVD References:

- https://aramhairchitects.nl/

- https://wpdocs.latepoint.com/changelog/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve

CVE-2024-5671 - Trellix IPS Manager is vulnerable to unauthenticated remote attackers executing arbitrary code and gaining access to the system.

Product: Trellix IPS Manager

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5671

NVD References: https://thrive.trellix.com/s/article/000013623

CVE-2024-5871 - The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 2.6.2, allowing unauthenticated attackers to inject a PHP Object and potentially execute malicious actions.

Product: WooCommerce Social Login

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5871

NVD References:

- https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883

- https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd592e6-2ac4-4af4-bfc0-d4f834157d71?source=cve

CVE-2024-3105 - The Woody code snippets plugin for WordPress allows authenticated attackers with contributor-level access to execute code remotely via the 'insert_php' shortcode.

Product: The Woody Code Snippets Insert Header Footer Code, AdSense Ads

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3105

NVD References:

- https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166

- https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3102522%40insert-php&new=3102522%40insert-php&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve

CVE-2024-4258 - The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13, allowing unauthenticated attackers to execute arbitrary files on the server.

Product: YotuWP Video Gallery - YouTube Playlist, Channel Gallery

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4258

NVD References:

- https://plugins.trac.wordpress.org/browser/yotuwp-easy-youtube-embed/trunk/yotuwp.php#L731

- https://www.wordfence.com/threat-intel/vulnerabilities/id/6feae1c4-3735-4a33-85a5-867d458d2e8a?source=cve

CVE-2024-6047 - GeoVision devices have a vulnerability where unauthenticated remote attackers can inject and execute arbitrary system commands.

Product: GeoVision EOL GeoVision devices

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6047

NVD References:

- https://www.twcert.org.tw/en/cp-139-7884-c5a8b-2.html

- https://www.twcert.org.tw/tw/cp-132-7883-f5635-1.html

CVE-2024-6048 - Openfind's MailGates and MailAudit products are vulnerable to remote code execution due to improper filtering of user input in email attachments.

Product: Openfind MailGates and MailAudit

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6048

NVD References:

- https://www.twcert.org.tw/en/cp-139-7886-20b61-2.html

- https://www.twcert.org.tw/tw/cp-132-7885-a8013-1.html

CVE-2024-37902 - DeepJavaLibrary (DJL) versions 0.1.0 through 0.27.0 allow archived artifacts with absolute paths to overwrite system files; fixed in version 0.28.0 and patched in DJL Large Model Inference containers 0.27.0.

Product: DeepJavaLibrary DJL

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37902

NVD References:

- https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0

- https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj

CVE-2024-37079 & CVE-2024-37080 - VMware vCenter Server is susceptible to heap-overflow vulnerabilities in its DCERPC protocol implementation, allowing remote code execution through specially crafted network packets.

Product: VMware vCenter Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37079

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37080

NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

CVE-2024-5021 - The WordPress Picture / Portfolio / Media Gallery plugin is vulnerable to Server-Side Request Forgery in all versions up to 3.0.1, allowing unauthenticated attackers to make web requests to arbitrary locations.

Product: WordPress Picture / Portfolio / Media Gallery

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5021

NVD References:

- https://plugins.trac.wordpress.org/browser/nimble-portfolio/trunk/includes/prettyphoto/download-image.php#L17

- https://www.wordfence.com/threat-intel/vulnerabilities/id/224a2d6d-7fdc-43a8-a8c9-26213b604433?source=cve

CVE-2024-29855 - Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator

Product: Veeam Recovery Orchestrator

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29855

ISC Podcast: https://isc.sans.edu/podcastdetail/9020

NVD References: https://www.veeam.com/kb4585