Internet Storm Center Spotlight




ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html



Apple Updates Everything (again)

Published: 2023-07-24

Last Updated: 2023-07-24 18:18:56 UTC

by Johannes Ullrich (Version: 1)


Apple released one of its usual "step" upgrades for its operating systems. This covers iOS, iPadOS, macOS, tvOS and watchOS. The update also includes the vulnerability patched in the last rapid security response update.


Our "ChatGPT CVSS calculator" didn't work well this time. I still left the scores in, but if you see "0", "?" or "unknown": this means ChatGPT didn't respond with a CVSS score.


Read the complete entry:

https://isc.sans.edu/diary/Apple+Updates+Everything+again/30062/




Deobfuscation of Malware Delivered Through a .bat File

Published: 2023-07-20

Last Updated: 2023-07-20 06:57:58 UTC

by Xavier Mertens (Version: 1)


I found a phishing email that delivered a RAR archive (password protected). Inside the archive, there was a simple .bat file (SHA256: 57ebd5a707eb69dd719d461e1fbd14f98a42c6c3dcb8505e4669c55762810e70) with the following name: SRI DISTRITAL - DPTO DE COBRO -SRI Informa-Deuda pendiente.bat. Its current VT score is only 1/59!


Let’s have a look at this file! After the classic “@echo off”, there is a very long line that looks like a payload, it starts with “::”, a comment in .bat files (a common alternative to the REM command)...


Read the complete entry:

https://isc.sans.edu/diary/Deobfuscation+of+Malware+Delivered+Through+a+bat+File/30048/




Suspicious IP Addresses Avoided by Malware Samples

Published: 2023-07-26

Last Updated: 2023-07-26 05:49:03 UTC

by Xavier Mertens (Version: 1)


Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst's job or, more simply, to bypass security solutions like sandboxes. These days, I see more and more malware samples written in Python that have these built-in capabilities. One of them is the detection of “suspicious” IP addresses.


The last one I found has the SHA256 9d4d651095f9e03a0321def2dc47252ed22334664218f3df9e2f3dbbf99cdc1b with a VT score of 8/57.


Read the complete entry:

https://isc.sans.edu/diary/Suspicious+IP+Addresses+Avoided+by+Malware+Samples/30068/

Internet Storm Center Entries


JQ: Another Tool We Thought We Knew (2023.07.24)

https://isc.sans.edu/diary/JQ+Another+Tool+We+Thought+We+Knew/30060/

Install & Configure Filebeat on Raspberry Pi ARM64 to Parse DShield Sensor Logs (2023.07.23)

https://isc.sans.edu/diary/Install+Configure+Filebeat+on+Raspberry+Pi+ARM64+to+Parse+DShield+Sensor+Logs/30056/

YARA Error Codes (2023.07.22)

https://isc.sans.edu/diary/YARA+Error+Codes/30054/

Shodan's API For The (Recon) Win! (2023.07.21)

https://isc.sans.edu/diary/Shodans+API+For+The+Recon+Win/30050/

Recent CVEs




The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2023-3519 - Unauthenticated remote code execution

Product: Citrix Netscaler Application Delivery Controller

CVSS Score: 9.8

** KEV since 2023-07-19 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3519

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8580

NVD References: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467




CVE-2023-35078 - Ivanti Endpoint Manager Mobile (EPMM) allows remote attackers to bypass authentication and perform unauthorized actions, including accessing personal identifiable information (PII), adding an administrative account, and modifying the configuration.

Product: Ivanti Endpoint Manager Mobile (EPMM) MobileIron

CVSS Score: 10.0

** KEV since 2023-07-25 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35078

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8588

NVD References: 

- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability

- https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078

- https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078

- https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability




CVE-2023-34034 - Spring Security's use of "**" as a pattern in configuration for WebFlux leads to pattern matching mismatch with Spring WebFlux, allowing a security bypass.

Product: Spring Security Spring WebFlux

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34034

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8582

NVD References: https://spring.io/security/cve-2023-34034




CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability

Product: Microsoft Outlook

CVSS Score: 8.8

** KEV since 2023-07-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35311

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311




CVE-2023-35189 - Iagona ScrutisWeb versions 2.1.37 and prior allow unauthenticated users to upload malicious payloads and execute remote code.

Product: Iagona ScrutisWeb

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35189

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03




CVE-2023-30153 - Payplug module for PrestaShop versions 3.6.0 to 3.7.1 allows remote attackers to execute arbitrary SQL commands via ajax.php front controller.

Product: Payplug PrestaShop

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30153

NVD References: 

- https://addons.prestashop.com/en/payment-card-wallet/8795--payplug-accept-customer-payments-wherever-they-are.html

- https://security.friendsofpresta.org/module/2023/07/18/payplug.html




CVE-2023-21974 - A vulnerability in Oracle Application Express (component: User Account) allows a low-privileged attacker with HTTP network access to compromise the Application Express Team Calendar Plugin, potentially resulting in a takeover.

Product: Oracle Application Express Team Calendar Plugin

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21974

NVD References: https://www.oracle.com/security-alerts/cpujul2023.html




CVE-2023-21975 - The Application Express Customers Plugin product of Oracle Application Express has a vulnerability that allows a low-privileged attacker to compromise the plugin and potentially impact additional products, resulting in a takeover of the Application Express Customers Plugin.

Product: Oracle Application Express Customers Plugin

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21975

NVD References: https://www.oracle.com/security-alerts/cpujul2023.html




CVE-2023-30799 - MikroTik RouterOS versions 6.49.7 and below have a privilege escalation vulnerability allowing remote attackers to execute arbitrary code by escalating privileges from admin to super-admin on the Winbox or HTTP interface.

Product: MikroTik RouterOS

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30799

NVD References: 

- https://github.com/MarginResearch/FOISted

- https://vulncheck.com/advisories/mikrotik-foisted




CVE-2023-3638 - In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application.

Product: GeoVision GV-ADR2701 cameras

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3638

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05




CVE-2023-3466 - Reflected Cross-Site Scripting (XSS)

Product: Citrix ADC and Citrix Gateway

CVSS Score: 8.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3466

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8580

NVD References: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467




CVE-2023-3467 - Privilege Escalation to root administrator (nsroot)

Product: Citrix ADC and Citrix Gateway

CVSS Score: 8.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3467

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8580

NVD References: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467




CVE-2023-37289 - InfoDoc Document On-line Submission and Approval System has an unrestricted file upload vulnerability, allowing unauthenticated attackers to upload and execute arbitrary files and thereby execute arbitrary commands or disrupt services.

Product: InfoDoc Document On-line Submission and Approval System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37289

NVD References: https://www.twcert.org.tw/tw/cp-132-7225-cef32-1.html




CVE-2023-38203 - Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier) can be exploited by an Untrusted Data Deserialization vulnerability, allowing for arbitrary code execution without user interaction.

Product: Adobe ColdFusion 2023

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38203

NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html




CVE-2023-37471 - OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses, allowing attackers to impersonate any OpenAM user, including the administrator.

Product: Open Identity Platform OpenAM

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37471

NVD References: 

- https://github.com/OpenIdentityPlatform/OpenAM/commit/7c18543d126e8a567b83bb4535631825aaa9d742

- https://github.com/OpenIdentityPlatform/OpenAM/pull/624

- https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg




CVE-2023-37292 - HGiga iSherlock 4.5 and HGiga iSherlock 5.5 are vulnerable to OS Command Injection prior to specific versions.

Product: HGiga iSherlock

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37292

NVD References: https://www.twcert.org.tw/tw/cp-132-7239-8fc29-1.html




CVE-2023-32478 - Dell PowerStore versions prior to 3.5.0.1 allow high privileged malicious users to disclose sensitive information via insertion into log files.

Product: Dell PowerStore

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32478

NVD References: https://www.dell.com/support/kbdoc/en-us/000215171/dsa-2023-173-dell-powerstore-family-security-update-for-multiple-vulnerabilities




CVE-2023-35086 - ASUS RT-AX56U V2 & RT-AC86U routers are vulnerable to remote arbitrary code execution and system disruption due to a format string vulnerability in the logmessage_normal function of the do_detwan_cgi module in httpd, caused by directly using input as a format string when calling syslog.

Product: ASUS RT-AX56U V2 & RT-AC86U

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35086

NVD References: https://www.twcert.org.tw/tw/cp-132-7240-a5f96-1.html




CVE-2023-35087 - ASUS RT-AX56U V2 & RT-AC86U are vulnerable to a format string vulnerability that enables unauthenticated remote attackers to execute arbitrary code or disrupt services.

Product: ASUS RT-AX56U V2 & RT-AC86U

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35087

NVD References: https://www.twcert.org.tw/tw/cp-132-7249-ab2d1-1.html




CVE-2023-37903 - vm2 versions up to and including 3.9.19 are vulnerable to remote code execution via the Node.js custom inspect function; no patches or workarounds are available, so alternative software must be used.

Product: Nodejs vm2

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37903

NVD References: https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4




CVE-2022-41793 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution via a specially crafted CSR format title file.

Product: Open Babel

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41793

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1667




CVE-2022-42885 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution via a specially crafted malformed file due to an uninitialized pointer vulnerability in the GRO format res functionality.

Product: Open Babel GRO format res

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42885

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668




CVE-2022-43467 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution via a specially crafted PQS format coord_file.

Product: Open Babel 3.1.1

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43467

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1671




CVE-2022-44451 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to an uninitialized pointer issue in the MSI format atom functionality, allowing arbitrary code execution via a specially crafted file.

Product: Open Babel MSI format atom functionality

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-44451

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669




CVE-2022-46280 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to an uninitialized pointer vulnerability in the PQS format pFormat, allowing arbitrary code execution via a specially crafted file.

Product: Open Babel PQS format

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46280

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670




CVE-2022-46289 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution through the ORCA format nAtoms functionality when a specially-crafted malformed file is provided, due to multiple out-of-bounds write vulnerabilities, including a wrap-around calculation leading to a small buffer allocation.

Product: Open Babel ORCA format

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46289

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665




CVE-2022-46290 - Open Babel 3.1.1 and master commit 530dbfa3 contain multiple out-of-bounds write vulnerabilities in the ORCA format nAtoms functionality, which allows arbitrary code execution via a specially-crafted malformed file provided by an attacker.

Product: Open Babel ORCA format

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46290

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1665




CVE-2022-46291 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to multiple out-of-bounds write vulnerabilities when parsing translationVectors in supported formats, allowing arbitrary code execution via a malicious file, particularly affecting the MSI format.

Product: Open Babel MSI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46291

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666




CVE-2022-46292 - Open Babel 3.1.1 and master commit 530dbfa3 have multiple out-of-bounds write vulnerabilities in their translationVectors parsing functionality, which can allow arbitrary code execution by providing a specially-crafted malformed file, specifically affecting the MOPAC file format in the Unit Cell Translation section.

Product: Open Babel MOPAC file format

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46292

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666




CVE-2022-46293 - Open Babel 3.1.1 and master commit 530dbfa3 allow arbitrary code execution via specially-crafted malformed MOPAC files.

Product: Open Babel MOPAC

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46293

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666




CVE-2022-46294 - Open Babel 3.1.1 and master commit 530dbfa3 are vulnerable to multiple out-of-bounds write vulnerabilities in translationVectors parsing, allowing arbitrary code execution by exploiting a specially-crafted malformed file, specifically impacting the MOPAC Cartesian file format.

Product: Open Babel MOPAC

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46294

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666




CVE-2022-46295 - Open Babel 3.1.1 and master commit 530dbfa3 contain multiple out-of-bounds write vulnerabilities in the translationVectors parsing functionality, allowing arbitrary code execution via a specially-crafted Gaussian file.

Product: Open Babel Gaussian

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46295

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1666




CVE-2023-37917 - KubePi allows any user to become an admin by editing the `isadmin` value in the request, leading to unauthorized administrative control.

Product: KubePi Kubernetes Management Panel

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37917

NVD References: https://github.com/1Panel-dev/KubePi/security/advisories/GHSA-757p-vx43-fp9r




CVE-2023-26045 - NodeBB forum software versions 2.5.0 to 2.8.6 allow arbitrary execution of local JavaScript files on the disk, due to a path traversal vulnerability combined with a specially crafted payload.

Product: NodeBB forum software

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26045

NVD References: 

- https://github.com/NodeBB/NodeBB/commit/ec58700f6dff8e5b4af1544f6205ec362b593092

- https://github.com/NodeBB/NodeBB/security/advisories/GHSA-vh2g-6c4x-5hmp




CVE-2023-3046 - Biltay Technology Scienta before 20230630.1953 is vulnerable to SQL Injection.

Product: Biltay Technology Scienta

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3046

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0418




CVE-2023-35066 - Infodrom Software E-Invoice Approval System before v.20230701 allows SQL Injection.

Product: Infodrom Software E-Invoice Approval System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35066

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0419




CVE-2023-35067 - Infodrom Software E-Invoice Approval System before v.20230701 allows reading sensitive strings within an executable due to plaintext storage of a password.

Product: Infodrom Software E-Invoice Approval System

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35067

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0419




CVE-2023-35980 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.

Product: Aruba PAPI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35980

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt




CVE-2023-35981 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.

Product: Aruba PAPI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35981

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt




CVE-2023-35982 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.

Product: Aruba PAPI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35982

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt




The following vulnerabilities need a manual review:


CVE-2023-38606 - Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify sensitive kernel state.

Product: Multiple Apple Products

** KEV since 2023-07-26 **


CVE-2023-37450 - Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that can allow an attacker to execute code when processing web content.

Product: Multiple Apple Products

** KEV since 2023-07-13 **



CVE-2023-32409 - Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out of the Web Content sandbox.

Product: Multiple Apple Products