INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
A Survey of Scans for GeoServer Vulnerabilities
Published: 2024-08-06.
Last Updated: 2024-08-06 14:20:15 UTC
by Johannes Ullrich (Version: 1)
A little over a year ago, I wrote about scans for GeoServer. GeoServer is a platform for processing geographic data. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up.
Let's first look at the "big picture": How many scans did we see? The total number of requests for URLs starting with "/geoserver" was 211,143 since the beginning of the year ...
Interest in GeoServer started in 2023. It ceased after August but then came back early this year. After the latest SQL exploit was discovered (July 5th), scans for GeoServer surged.
When I wrote about the GeoServer scans last year, a reader noted that Shadowserver had just started scanning for GeoServer. Indeed, most of the time, all GeoServer scans on particular days can be attributed to researchers. In addition to Shadowserver, Internet Census (associated with BitSight) is scanning for GeoServer instances. Personally, I think this is a good thing. Shadowserver will notify ISPs who host insecure instances, and they will find them before the bad guys.
Read the full entry:
https://isc.sans.edu/diary/A+Survey+of+Scans+for+GeoServer+Vulnerabilities/31148/
OOXML Spreadsheets Protected By Verifier Hashes
Published: 2024-08-03.
Last Updated: 2024-08-04 07:23:41 UTC
by Didier Stevens (Version: 1)
When I wrote about the internal file format of protected spreadsheets, I mentioned a simple 16-bit hash for .xls files in diary entry "16-bit Hash Collisions in .xls Spreadsheets" and a complex hash based on SHA256 for .xlsx files in diary entry "Protected OOXML Spreadsheets".
But what happens if you open a protected spreadsheet in OLE format (.xls) and save it in OOXML format (.xlsx)?
In that exceptional case, the XML protection elements in the OOXML file will store the 16-bit hash taken from the OLE file ...
Read the full entry:
https://isc.sans.edu/diary/OOXML+Spreadsheets+Protected+By+Verifier+Hashes/31072/
Even Linux users should take a look at this Microsoft KB article.
Published: 2024-08-02.
Last Updated: 2024-08-02 20:07:36 UTC
by Johannes Ullrich (Version: 1)
Secure boot has been a standard feature since at least Windows 8. As the name implies, the feature protects the boot process. The integrity of the boot process is ensured by digitally signing any software ("firmware") used during the boot process. As with any digital signature, this process requires the use of certificates to verify the validity of the signatures.
One issue with Secure Boot has been that not all boot loaders are necessarily properly signed, even if they are not malicious. In particular, open-source operating systems like Linux initially had problems with Secure Boot support. This has mostly been mitigated, with major distributions like Ubuntu and Red Hat (among others) supporting Secure Boot.
However, as always when certificates are involved, there is the possibility of certificates expiring. Microsoft currently relies on certificates known as "Windows Production CA 2011". There are two of them, and as the name implies, they were first used around 2011. Windows 8 was released in 2012. Let's look at one of the two certificates ...
Read the full entry:
https://isc.sans.edu/diary/Even+Linux+users+should+take+a+look+at+this+Microsoft+KB+article/31140/