SANS NewsBites

Prioritize Microsoft, MOVEit, VMware, Adobe Patches; US Government Agencies Directed to Secure Web Management Interfaces or Disconnect Them From Internet Exposure

June 16, 2023  |  Volume XXV - Issue #48

Top of the News


2023-06-14

Microsoft June 2023 Patch Tuesday

On Tuesday, June 13, Microsoft released updates to address nearly 80 security issues in various products. Six of the flaws are rated critical: three in Windows Pragmatic General Multicast (PGM) service; and one each in .NET/Visual Studio, SharePoint Server, and Hyper-V. None of the vulnerabilities appear to be actively exploited.

Editor's Note

This Patch Tuesday turned out to be "average" in that it provided no patches for already disclosed or exploited vulnerabilities. Among the critical vulnerabilities, the SharePoint server issue deserves some attention. There is also yet another Exchange vulnerability which, while only rated important, should not be overlooked.

Johannes Ullrich

As often happens, vulnerability hunters seem to have focused on PGM recently - this is the 3rd month in a row that critical PGM vulnerabilities need to be patched in Microsoft software. PGM is not a default-on service, but it is commonly used - patching needs to be prioritized.

John Pescatore

Of the nearly 80 vulnerabilities patched by Microsoft, four have a CVSS score of 9.8 [critical] and can allow for remote code execution. Organizations should place those four at the top of their prioritized patch list.

Curtis Dukes

By now one hopes you're merely pushing these updates to commodity systems (desktops, low-impact servers). This bundle includes three RCE fixes for flaws in the Windows Pragmatic General Multicast (PGM) service (CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015), each with a CVSS score of 9.8; for good measure there are also critical fixes for Hyper-V and .NET. If you're still running SharePoint on-prem, you want to apply the fix for the privilege escalation flaw (CVE-2023-29357), then review why you're still running this locally.

Lee Neely

2023-06-16

Progress Software Discloses Another MOVEit Vulnerability

Progress Software has disclosed a new SQL injection vulnerability in MOVEit Transfer that could be exploited to gain elevated privileges. According to Progress, “MOVEit Cloud has been patched and fully restored across all cloud clusters,” and they are in the process of rolling out patches for MOVEit Transfer.


2023-06-13

CISA Binding Operational Directive Aims to Secure Federal Networked Management Interfaces

The US Cybersecurity and Infrastructure Security Agency (CISA) has released Binding Operational Directive 23-02, Mitigating the Risk From Internet-Exposed Management Interfaces. The directive “requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.”

The Rest of the Week's News


2023-06-15

CISA: Government Agencies’ Systems Suffered Cyberattack

The MOVEit vulnerability was exploited against systems at some US federal agencies, according to Cybersecurity and Infrastructure Security Agency (CISA) executive assistant director for cybersecurity Eric Goldstein. CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.” A Department of Energy spokesperson confirmed that they are among the affected agencies.

Editor's Note

While you're checking to see if you have vulnerable MOVEit services, check for other software from Progress, formerly Ipswitch (remember the WS_FTP server?). There are a number of unsupported products, which were cool in their day, that may still be lurking on your network.

Lee Neely

As we are seeing more and more supply chain attacks, we need to move beyond the traditional use of a spreadsheet containing a checklist of security questions. You need to reassess how you manage the risks associated with your supply chain and adapt your incident response plans to take into account a compromise in your supply chain. Think about the impact a breach in your supplier (or the tools and services and third parties they use) could have on your organization and adapt accordingly.

Brian Honan

The announcement shouldn’t come as a surprise as different US Federal Agencies are often users of major software applications. What is left to be determined is whether the evil-doer had exploited the vulnerable federal agencies prior to the patch release or during the weeks following announcement. One demonstrates a lack of duty of care; the other the reality of dealing with zero-days.

Curtis Dukes

2023-06-14

Ransomware Attack Contributed to Hospital’s Decision to Shut Down Permanently

St. Margaret’s Health (SMH) will shut down multiple facilities in Spring Valley and Peru, Illinois, on Friday, June 16 due to several factors, including a ransomware attack that began in February 2021. SMH has been serving the community since 1903. The ransomware attack impacted SMH systems for four months, impeding their ability to collect payments from insurers. Other factors cited in the decision to close the facilities were COVID-19 expenses and staff shortages.


2023-06-14

FCC Will Establish Privacy and Data Protection Task Force

The US Federal Communications Commission (FCC) has announced that it will establish a Privacy and Data Protection task force. Among the task force’s responsibilities are updating the agency’s data breach rules, overseeing investigations and enforcement actions, and helping to create rules to protect consumers from SIM-swapping.


2023-06-15

Hardening Baseboard Management Controllers

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published guidance for hardening baseboard management controllers (BMCs). The security information sheet notes that “BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides.” The document includes potential threats to BMCs and suggested actions for making them more secure.


2023-06-15

Azure Vulnerabilities Could be Exploited with iframe-postMessages

Researchers at Orca Security discovered vulnerabilities in Azure Bastion and Azure Container Registry that could be exploited to achieve cross-site scripting. Orca notified Microsoft; the issues were resolved in April and May of this year.
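The item above names the mechanism (iframe-to-parent postMessage) but not the defensive pattern. The following is an added example, not code from Orca Security, Microsoft or the affected Azure services, showing the two checks a reviewer looks for in any page that listens for cross-frame messages: the listener must validate event.origin against an allowlist (the browser sets that field, so the sender cannot forge it), and the payload must be treated as data rather than rendered as HTML. The origins, message shape and element id are constructed for the example; the decision logic is written as a plain function so it runs under Node as well as in a browser.

```javascript
// Added example (not code from Orca Security or Microsoft): a defensive
// window.postMessage handler. Cross-frame messaging goes wrong in two ways:
// the listener accepts messages from any origin, and it renders the payload
// as HTML. Both checks below are what a reviewer looks for in an embedding
// page or an iframe that talks to its parent.

// Origins this page is willing to accept messages from. Constructed for the
// example; a real page lists only the frames it deliberately embeds.
const TRUSTED_ORIGINS = new Set([
  "https://portal.example.com",
  "https://widgets.example.com",
]);

// Escape the five characters that matter when text lands in HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Inspect a MessageEvent-like object ({ origin, data }) and decide whether
// to act on it. Returns { accepted, reason, render } so the decision is
// testable without a DOM.
function handleMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  // 1. Origin check: event.origin is filled in by the browser and cannot be
  //    chosen by the sender, so it is the only reliable authenticity signal.
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: `untrusted origin ${event.origin}`, render: null };
  }
  // 2. Schema check: accept only the message shape this page expects
  //    (hypothetical { type: "status", text: "..." } contract).
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "status" || typeof data.text !== "string") {
    return { accepted: false, reason: "unexpected message shape", render: null };
  }
  // 3. Treat the payload as text. Writing it via textContent (or escaping it
  //    before any innerHTML use) keeps a hostile string from becoming markup.
  return { accepted: true, reason: "ok", render: escapeHtml(data.text) };
}

// The weak pattern this replaces, kept only for comparison: no origin check,
// and the payload is dropped straight into innerHTML, so any frame that can
// obtain a reference to this window controls what gets rendered.
function weakHandler(event, element) {
  element.innerHTML = event.data;
}

// Wiring for a real page; guarded so the file also loads under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = handleMessage(event);
    if (result.accepted) {
      // "status" is a hypothetical element id for the example.
      document.getElementById("status").textContent = result.render;
    }
  });
}
```

On the sending side the same discipline applies: call `targetWindow.postMessage(payload, "https://portal.example.com")` with an explicit target origin rather than `"*"`, so a message never reaches a frame that was swapped for one under someone else's control.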


2023-06-14

WooCommerce Stripe Gateway WordPress Plugin Vulnerability

An unauthenticated insecure direct object reference vulnerability in the WooCommerce Stripe Gateway WordPress plugin could be exploited to bypass authentication and access sensitive information. The vulnerability affects versions 7.4.0 and older of the plugin; version 7.4.1 was released at the end of May.


2023-06-15

SEC Pushes Back Breach Notification Rule Enforcement Date

The US Securities and Exchange Commission’s (SEC’s) proposed four-day deadline for reporting data breaches will not take effect until at least October of this year. The rule was expected to go into effect last month, but the SEC announced the delay after feedback from industry trade groups concerned that the rule’s short reporting window may not allow for incident containment and remediation.

Internet Storm Center Tech Corner

Deobfuscating a VBS Script With Custom Encoding

https://isc.sans.edu/diary/Deobfuscating+a+VBS+Script+With+Custom+Encoding/29940

Supervision and Verification in Vulnerability Management

https://isc.sans.edu/diary/Supervision+and+Verification+in+Vulnerability+Management/29952

Microsoft Patch Tuesday

https://isc.sans.edu/diary/June+2023+Microsoft+Patch+Tuesday/29942

How to Manage the Vulnerability Associated with CVE-2023-32019

https://support.microsoft.com/en-gb/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080

More MOVEit issues

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

Critical Citrix Sharefile Storagezones Controller

https://support.citrix.com/article/CTX559517/sharefile-storagezones-controller-security-update-for-cve202324489

Chromeloader Malware Update

https://threatresearch.ext.hp.com/shampoo-a-new-chromeloader-campaign/

Bignum NPM Package Compromise

https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers

Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures

https://www.usenix.org/conference/usenixsecurity23/presentation/rohlmann

Fake Security Research GitHub Repos

https://vulncheck.com/blog/fake-repos-deliver-malicious-implant

Fortigate Vuln Details

https://blog.lexfo.fr/xortigate-cve-2023-27997.html

Zoom Updates

https://explore.zoom.us/en/trust/security/security-bulletin/

VMWare 0-Day

https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass

https://www.vmware.com/security/advisories/VMSA-2023-0013.html

SAP Patches

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html