ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Steam Account Checker Poisoned with Infostealer
Published: 2024-11-07.
Last Updated: 2024-11-07 07:49:23 UTC
by Xavier Mertens (Version: 1)
I found an interesting script targeting Steam users. Steam is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" and is available on GitHub[2]. Its description is:
"steam account checker - check your steam log 2024 - simple script that validates steam logins fast and easy."
Updated two months ago, the script seems obfuscated and looks nice when checked online ...
But if you download the file and check it carefully ...
The author used a simple trick to hide malicious code: the first line is padded with space characters (0x20) to hide the code that follows. Read: it is not displayed in an editor that does not wrap long lines. Let's remove them and the first line will look like this ...
Read the full entry:
https://isc.sans.edu/diary/Steam+Account+Checker+Poisoned+with+Infostealer/31420/
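As an added example (not code from the diary or from the repository it describes), the following scanner flags the padding trick described above: any line where a long run of spaces or tabs is followed by more code is reported with the column where the padding starts and a preview of what was pushed off-screen. It also collapses such runs so the hidden part becomes visible, which is the manual step the author performs. The sample script, the `min_pad` threshold and the function names are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: the first line carries a run of 600 spaces so the code
# after it sits far to the right of what an editor shows without line wrapping.
# The "hidden" statement here is a harmless print.
SAMPLE_SOURCE = (
    "import sys" + " " * 600 + ";print('hidden code would run here')\n"
    "def check(login):\n"
    "    return login.startswith('steam:')\n"
    "print(check('steam:user'))\n"
)


def _pad_pattern(min_pad: int) -> re.Pattern:
    # At least `min_pad` spaces/tabs that are followed by a non-space character,
    # i.e. padding that has something after it (not plain trailing whitespace).
    return re.compile(r"[ \t]{%d,}(?=\S)" % min_pad)


def find_padded_lines(source: str, min_pad: int = 100) -> List[Tuple[int, int, int, str]]:
    """Return (line_no, pad_start_col, pad_len, hidden_preview) for each line
    where a run of >= min_pad spaces/tabs is followed by more code."""
    pattern = _pad_pattern(min_pad)
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hidden = line[m.end():]
            hits.append((line_no, m.start(), m.end() - m.start(), hidden[:60]))
    return hits


def collapse_padding(source: str, min_pad: int = 100) -> str:
    """Replace every qualifying padding run with a single space so the hidden
    code is visible at the left of the screen; other lines are unchanged."""
    pattern = _pad_pattern(min_pad)
    return "\n".join(pattern.sub(" ", line) for line in source.splitlines()) + "\n"


if __name__ == "__main__":
    for line_no, col, length, preview in find_padded_lines(SAMPLE_SOURCE):
        print(f"line {line_no}: {length} padding chars from column {col}, hides: {preview!r}")
    print(collapse_padding(SAMPLE_SOURCE))
```

Run it against a downloaded script before executing anything; a legitimate source file practically never contains hundreds of consecutive spaces followed by code on the same line.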
Microsoft November 2024 Patch Tuesday
Published: 2024-11-12.
Last Updated: 2024-11-12 18:26:59 UTC
by Renato Marinho (Version: 1)
This month, Microsoft is addressing a total of 83 vulnerabilities. Among these, 3 are classified as critical, 2 have been exploited in the wild, and another 2 have been disclosed prior to Patch Tuesday. Organizations are encouraged to prioritize these updates to mitigate potential risks and enhance their security posture.
Notable Vulnerabilities:
NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)
This vulnerability, identified as CVE-2024-43451, has been exploited and disclosed, carrying an Important severity rating with a CVSS score of 6.5. It allows an attacker to disclose a user's NTLMv2 hash, enabling them to authenticate as that user, which could lead to a total loss of confidentiality. Exploitation requires minimal user interaction, such as selecting or inspecting a malicious file. The vulnerability affects all supported versions of Microsoft Windows, and while Internet Explorer has been retired on certain platforms, updates addressing this vulnerability are included in the IE Cumulative Updates to ensure continued protection.
Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)
This vulnerability, identified as CVE-2024-49039, has a severity rating of Important with a CVSS score of 8.8 and is currently being exploited in the wild, although it has not been disclosed publicly. An authenticated attacker can exploit this vulnerability by running a specially crafted application on the target system, allowing them to elevate their privileges to a Medium Integrity Level. Successful exploitation could enable the attacker to execute RPC functions that are typically restricted to privileged accounts, thereby compromising the security of the system. Remediation efforts should focus on monitoring for unauthorized applications and ensuring that only trusted software is executed on systems to mitigate the risk of exploitation.
Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)
This vulnerability, identified as CVE-2024-49019, has been disclosed but is not currently exploited in the wild. It carries a severity rating of Important with a CVSS score of 7.8, allowing an attacker to potentially gain domain administrator privileges. The vulnerability affects certificates created using a version 1 certificate template with the Source of subject name set to "Supplied in the request," particularly if the template is not secured according to best practices. To mitigate this risk, organizations are advised to remove overly broad enrollment permissions, eliminate unused templates from certification authorities, and secure templates that allow specification of the subject in requests through additional signatures, certificate manager approval, and monitoring of issued certificates.
Windows Kerberos Remote Code Execution Vulnerability (CVE-2024-43639)
This critical vulnerability, with a CVSS score of 9.8, has not been exploited in the wild nor disclosed publicly. It allows an unauthenticated attacker to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target using a specially crafted application. The potential impact of this vulnerability underscores the importance of monitoring and securing systems against unauthorized access and exploitation.
Microsoft Windows VMSwitch Elevation of Privilege Vulnerability (CVE-2024-43625)
This critical vulnerability, identified as CVE-2024-43625, has a CVSS score of 8.1 and is currently not exploited or disclosed publicly. It allows an attacker with low privileges on a Hyper-V guest to traverse the security boundary and execute code on the Hyper-V host, potentially gaining SYSTEM privileges. The exploitation requires a high level of complexity, as the attacker must gather specific environmental information and perform additional preparatory actions before sending a specific series of networking requests to the VMswitch driver, triggering a use-after-free vulnerability. Notably, this vulnerability is confined to the VmSwitch component within Hyper-V and does not affect the System Center Virtual Machine Manager (SCVMM).
This summary highlights key vulnerabilities for this Patch Tuesday. Notably, CVE-2024-43451, a NTLM hash disclosure vulnerability, poses a significant risk due to its exploitation potential with minimal user interaction. CVE-2024-49039, an elevation of privilege vulnerability, is actively exploited and requires immediate attention. Additionally, CVE-2024-49019 allows potential domain admin access, necessitating strict certificate management. Critical vulnerabilities like CVE-2024-43639 (CVSS 9.8) and CVE-2024-43625, while not currently exploited, demand proactive monitoring and security measures. Prioritize patching and monitoring to mitigate these risks effectively.
November 2024 Security Updates ...
Read the full entry:
https://isc.sans.edu/diary/Microsoft+November+2024+Patch+Tuesday/31438/
Join the global cybersecurity community in the most festive and challenging event of the year! The SANS Holiday Hack Challenge offers FREE, high-quality, and super fun hands-on cybersecurity challenges designed for all skill levels. Play to learn or practice your skills and stand a chance to win exciting prizes for the top entries. https://www.sans.org/mlp/holiday-hack-challenge-2024/
2024 Challenge Topics:
Ransomware Reverse Engineering
Hardware Hacking
Web App Hacking with MQTT and Video Feed Manipulation
Video Game Hacking
Threat Hunting with KQL
SIM/SEM Analysis
Mobile App Penetration Testing
OSINT via Drone Path Analysis
Web Exploration with cURL
PowerShell for Cyber Defense
PDF Object Streams (2024.11.11)
https://isc.sans.edu/diary/PDF+Object+Streams/31430/
zipdump & PKZIP Records (2024.11.10)
https://isc.sans.edu/diary/zipdump+PKZIP+Records/31428/
zipdump & Evasive ZIP Concatenation (2024.11.09)
https://isc.sans.edu/diary/zipdump+Evasive+ZIP+Concatenation/31426/
SANS Holiday Hack Challenge 2024 (2024.11.09)
https://isc.sans.edu/diary/SANS+Holiday+Hack+Challenge+2024/31424/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability
Product: Microsoft Windows Task Scheduler
CVSS Score: 8.8
** KEV since 2024-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49039
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49039

CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability
Product: Microsoft Windows Operating System
CVSS Score: 6.5
** KEV since 2024-11-12 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43451
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451

CVE-2024-43639 - Windows Kerberos Remote Code Execution Vulnerability
Product: Microsoft Windows Kerberos
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43639
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43639

CVE-2024-43625 - Microsoft Windows VMSwitch Elevation of Privilege Vulnerability
Product: Microsoft Windows VMSwitch
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43625
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43625

CVE-2024-49019 - Active Directory Certificate Services Elevation of Privilege Vulnerability
Product: Microsoft Active Directory Certificate Services
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49019
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49019

CVE-2024-43498 - .NET and Visual Studio Remote Code Execution Vulnerability
Product: Microsoft .NET and Visual Studio
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43498
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43498

CVE-2024-43602 - Azure CycleCloud Remote Code Execution Vulnerability
Product: Microsoft Azure CycleCloud
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43602
ISC Diary: https://isc.sans.edu/diary/31438
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43602

CVE-2024-45409 - Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 allows an unauthenticated attacker to forge a SAML Response and log in as an arbitrary user.
Product: Ruby-SAML
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45409
ISC Podcast: https://isc.sans.edu/podcastdetail/9218

CVE-2024-44258 - iOS, iPadOS, visionOS, and tvOS are vulnerable to modification of protected system files when restoring a maliciously crafted backup file.
Product: Apple iOS
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44258
ISC Podcast: https://isc.sans.edu/podcastdetail/9212

CVE-2024-10687 - The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery plugin for WordPress is vulnerable to time-based SQL Injection allowing unauthenticated attackers to extract sensitive information from the database.
Product: Contest-Gallery Contest Gallery
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10687
NVD References:
- https://plugins.trac.wordpress.org/browser/contest-gallery/tags/24.0.1/v10/v10-frontend/ecommerce/ecommerce-get-raw-data-from-galleries.php#L61
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3175299%40contest-gallery%2Ftags%2F24.0.3&new=3180268%40contest-gallery%2Ftags%2F24.0.4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fd3b4c44-d47a-45de-bcb2-0820e475b331?source=cve

CVE-2024-10844 & CVE-2024-10845 - 1000 Projects Bookstore Management System 1.0 remote SQL injection vulnerabilities
Product: Bookstore Management System Project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10844
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10845
NVD References:
- https://github.com/sbm-98/CVE/issues/1
- https://github.com/hbuzs/CVE/issues/3

CVE-2024-51132 - HAPI FHIR v6.4.0 and earlier versions are vulnerable to XXE attacks allowing hackers to access sensitive data or execute unauthorized code via malicious XML entities in crafted requests.
Product: HAPI FHIR
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51132
NVD References:
- https://github.com/JAckLosingHeart/CVE-2024-51132-POC
- https://github.com/hapifhir/org.hl7.fhir.core

CVE-2024-42509 & CVE-2024-47460 - Aruba's CLI service is vulnerable to unauthorized remote code execution via specially crafted packets sent to the PAPI UDP port.
Product: Aruba PAPI (Aruba's Access Point management protocol)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-…
Learn about the latest in GenAI for vulnerability management and cyber-asset security when you attend the ninth, semi-annual CyberRisk Summit. This free, virtual event on Nov. 20 includes expert speakers from Yahoo, Wells Fargo, IBM, Vulcan Cyber and more. Attendees can request CPE credits, and all registrants get access to on-demand session recordings.
Virtual Event: SANS 2024 Detection & Response Survey: Transforming Cybersecurity Operations: AI, Automation, and Integration in Detection and Response | November 20, 10:30 AM ET | Join SANS Certified Instructor Josh Lemon and guest speakers as they provide insights into the prevalence of organizations maintaining separate detection and response teams, shedding light on the reasons behind such decisions and their implications for overall security posture.