Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

USPS Phishing Scam Targeting iOS Users

Published: 2023-07-30

Last Updated: 2023-07-30 15:33:55 UTC

by Johannes Ullrich (Version: 1)

Phishing scams have frequently arrived as an SMS message (sometimes called "Smishing"). SMS messages are easy and cheap to send, and we have documented how attackers like to scan for exposed credentials for services like Twilio to make it even cheaper.

But today, I received a message on my Apple devices that didn't arrive as a green SMS, but instead as a blue iMessage.

As I always do, I clicked on the link on my Mac. But I was immediately redirected to the legitimate USPS page (usps.com). It didn't matter if I used Safari or Chrome on macOS. So I tried Safari on my iPhone and was directed to the phishing page.

Read the full entry:

https://isc.sans.edu/diary/USPS+Phishing+Scam+Targeting+iOS+Users/30078/

Summary of DNS over HTTPS requests against our honeypots

Published: 2023-08-01

Last Updated: 2023-08-01 14:04:17 UTC

by Johannes Ullrich (Version: 1)

Our honeypots see a lot of DNS over HTTPS requests against the "/dns-query" endpoint, the path a DNS over HTTPS server uses to receive queries. Queries can use different encodings. You may either see the more readable URL encoding, like "?name=google.com&type=A", or the raw DNS data encoding, like "?dns=mNwBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ".

Decoding the raw queries isn't hard, but note that the padding "=" characters are cut off at the end. Some base64 implementations will refuse to decode data with missing padding.

Our database lists a total of 5,727 different URLs starting with "dns-query". Only 12 of them use the "URL encoded" format...

A few used queries to echodns.xyz to find open resolvers. For DNS over HTTP(s), an attacker would not use an open resolver for denial of service attacks (at least there is no amplification). But they may use it to obtain an anonymous DNS relay. Shadowserver uses these queries to populate their open resolver feed.

The remaining 5,714 queries use DNS encoding. DNS encoding does include a random query ID (not required for DNS over HTTP(s), but still often set). We need to decode the names to find out which unique names are being resolved.
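As an added example (not code from the diary), the following Python decoder handles both encodings described above: it restores the stripped base64url padding that trips up strict decoders, parses the DNS header and question section, and returns the queried name and type so that unique names can be counted regardless of the random query ID. The only sample input is the wire-format query quoted above; the type-name table is a subset of the standard RR type codes.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# RR type mnemonics accepted by the URL-encoded form (a subset of the standard codes).
TYPE_NAMES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
              "TXT": 16, "AAAA": 28, "SRV": 33, "ANY": 255}

def decode_dns_param(value: str) -> bytes:
    """Decode the 'dns' parameter: base64url with the trailing '=' padding stripped."""
    value += "=" * (-len(value) % 4)  # restore padding so strict decoders accept it
    return base64.urlsafe_b64decode(value)

def parse_question(msg: bytes) -> dict:
    """Parse the DNS header and the first question of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length, pos = msg[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("unexpected label compression")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if len(msg) < pos + 4:
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": qid, "flags": flags, "name": ".".join(labels).lower(),
            "qtype": qtype, "qclass": qclass}

def normalize_doh_url(url: str) -> dict:
    """Return the queried name and type for a /dns-query URL in either encoding."""
    params = parse_qs(urlsplit(url).query)
    if "dns" in params:
        q = parse_question(decode_dns_param(params["dns"][0]))
        return {"name": q["name"], "qtype": q["qtype"], "encoding": "wire", "id": q["id"]}
    if "name" in params:
        t = params.get("type", ["A"])[0].upper()
        qtype = int(t) if t.isdigit() else TYPE_NAMES.get(t)
        return {"name": params["name"][0].rstrip(".").lower(), "qtype": qtype,
                "encoding": "url", "id": None}
    raise ValueError("not a DoH query URL")
```

Feeding the collected "/dns-query" URLs through normalize_doh_url lets you dedupe on the name and type rather than on the raw parameter, which differs per request because of the random query ID.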

Read the full entry:

https://isc.sans.edu/diary/Summary+of+DNS+over+HTTPS+requests+against+our+honeypots/30084/

ShellCode Hidden with Steganography

Published: 2023-07-28

Last Updated: 2023-07-28 07:13:40 UTC

by Xavier Mertens (Version: 1)

When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find some cool stuff.

Yesterday, I found a small Python script that injects a shellcode into memory but, this time, the payload is hidden in a PNG picture using a well-known technique: steganography. The technique used in the sample is to replace the LSB (least significant bit) of each pixel with a bit of the payload. On the Internet, you can find a lot of free services to hide a text message into a picture (and vice-versa), but you can absolutely store any type of data, like in this case, executable code (the shellcode).

The script (SHA256:465b63b8661f2175d1063bfefdde2f949d366448e34d6e1a4f9853709352d02e) has a VT score of 16/60.

Read the full entry:

https://isc.sans.edu/diary/ShellCode+Hidden+with+Steganography/30074/

Internet Storm Center Entries


Zeek and Defender Endpoint (2023.08.02)

https://isc.sans.edu/diary/Zeek+and+Defender+Endpoint/30088/

Do Attackers Pay More Attention to IPv6? (2023.07.29)

https://isc.sans.edu/diary/Do+Attackers+Pay+More+Attention+to+IPv6/30076/

Recent CVEs
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.


CVE-2023-35078 - Ivanti Endpoint Manager Mobile (EPMM) allows remote attackers to bypass authentication and perform unauthorized actions, including accessing personally identifiable information (PII), adding an administrative account, and modifying the configuration. [Note: A second vulnerability affecting Ivanti's mobile device management platform was added to the "Manual Review" section at the end of the list. This vulnerability by itself is not serious enough to make our list. It was discovered when investigating compromised Ivanti devices. If you are responding to a compromised device, take into account that an attacker could have used this new vulnerability to obtain persistence.]

Product: Ivanti Endpoint Manager Mobile (EPMM) MobileIron

CVSS Score: 10.0

** KEV since 2023-07-25 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35078

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8588

NVD References: 

- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability

- https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078

- https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078

- https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability




CVE-2023-20891 - VMware Tanzu Application Service for VMs and Isolation Segment log credentials in hex encoding, enabling unauthorized access to admin credentials and potential application tampering.

Product: VMware Tanzu Application Service for VMs and Isolation Segment

CVSS Score: 6.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-20891

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8588

NVD References: https://www.vmware.com/security/advisories/VMSA-2023-0016.html




CVE-2023-37450 - iOS, iPadOS, Safari, tvOS, macOS Ventura, and watchOS versions 16.6, 16.5.2, 16.6, 13.5, and 9.6 respectively have fixed a vulnerability that allowed arbitrary code execution when processing web content, which Apple is aware of being actively exploited.

Product: Apple Safari

CVSS Score: 8.8

** KEV since 2023-07-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37450

NVD References: 

- https://support.apple.com/en-us/HT213826

- https://support.apple.com/en-us/HT213841

- https://support.apple.com/en-us/HT213843

- https://support.apple.com/en-us/HT213846

- https://support.apple.com/en-us/HT213848




CVE-2023-38606 - macOS, iOS, iPadOS, tvOS, macOS Big Sur, macOS Ventura, watchOS: An app may be able to modify sensitive kernel state, potentially leading to exploitation on older versions of iOS.

Product: Apple iPadOS

CVSS Score: 5.5

** KEV since 2023-07-26 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38606

NVD References: 

- https://support.apple.com/en-us/HT213841

- https://support.apple.com/en-us/HT213842

- https://support.apple.com/en-us/HT213843

- https://support.apple.com/en-us/HT213844

- https://support.apple.com/en-us/HT213845

- https://support.apple.com/en-us/HT213846

- https://support.apple.com/en-us/HT213848




CVE-2023-3046 - Biltay Technology Scienta before 20230630.1953 is vulnerable to SQL Injection.

Product: Biltay Scienta

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3046

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0418




CVE-2023-35066 - Infodrom Software E-Invoice Approval System before v.20230701 allows SQL Injection.

Product: Infodrom E-Invoice Approval System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35066

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0419




CVE-2023-35088 - Apache InLong versions 1.4.0 through 1.7.0 are vulnerable to SQL injection attacks due to improper neutralization of special elements in the toAuditCkSql method.

Product: Apache InLong

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35088

NVD References: 

- http://seclists.org/fulldisclosure/2023/Jul/43

- http://www.openwall.com/lists/oss-security/2023/07/25/4

- https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk




CVE-2023-35980 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.

Product: Aruba PAPI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35980

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt




CVE-2023-35981, CVE-2023-35982 - Aruba's access point management protocol (PAPI) is vulnerable to buffer overflow flaws, enabling unauthenticated remote code execution with arbitrary privileges.

Product: Aruba PAPI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35981

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35982

NVD References: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt




CVE-2022-46898 - Vocera Report Server and Voice Server 5.x through 5.8 are vulnerable to a path traversal attack via the "restore SQL data" filename, allowing an attacker to execute SQL commands against the database.

Product: Vocera Report Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46898

NVD References: 

- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/

- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html




CVE-2023-34798 - An arbitrary file upload vulnerability in eOffice before v9.5 allows attackers to execute arbitrary code via uploading a crafted file.

Product: Weaver E-Office

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-34798

NVD References: https://gist.github.com/Zhu013/e5e6e03613704a2a4107cc6456f1e8e2




CVE-2023-37258 - DataEase prior to version 1.18.9 allows SQL injection bypassing blacklists, but this vulnerability has been addressed in v1.18.9 with no known workarounds.

Product: DataEase 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37258

NVD References: 

- https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/controller/panel/AppLogController.java#L41

- https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/ExtDataSourceMapper.java

- https://github.com/dataease/dataease/security/advisories/GHSA-r39x-fcc6-47g4




CVE-2023-38669 - Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.

Product: PaddlePaddle 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38669

NVD References: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-001.md




CVE-2023-38671 - PaddlePaddle before 2.5.0 allows a heap buffer overflow in paddle.trace, leading to a range of potential damages, including denial of service and information disclosure.

Product: PaddlePaddle 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38671

NVD References: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-003.md




CVE-2023-38673 - PaddlePaddle before 2.5.0 allows arbitrary command execution due to command injection in fs.py.

Product: PaddlePaddle 

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38673

NVD References: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-005.md




CVE-2023-33308 - Fortinet FortiOS versions 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy versions 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 are vulnerable to a stack-based overflow (CWE-124) that enables remote unauthenticated attackers to execute arbitrary code or command through specially crafted packets reaching proxy or firewall policies with proxy mode alongside deep or full packet inspection.

Product: Fortinet FortiProxy

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33308

NVD References: https://fortiguard.com/psirt/FG-IR-23-183




CVE-2023-3956 - The InstaWP Connect plugin for WordPress allows unauthenticated attackers to unauthorizedly access, modify, and delete data, including posts, taxonomy, users (including administrators), as well as manipulate plugin activation, customizer settings, due to a missing capability check in versions up to, and including, 0.0.9.18.

Product: InstaWP Connect plugin for WordPress

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-3956

NVD References: 

- https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includes/class-instawp-rest-apis.php#L103

- https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5

- https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b?source=cve




CVE-2023-32225 - Sysaid allows a user with administrative privileges to upload a dangerous filetype using an unspecified method.

Product: Sysaid Unrestricted Upload of File

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32225

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories




CVE-2023-32227 - Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials

Product: Synel SYnergy Fingerprint Terminals

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32227

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories




CVE-2023-37214 - Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025.

Product: Heights Telecom ERO1xS-Pro Dual-Band

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37214

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories




CVE-2023-37580 - Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

Product: Zimbra Collaboration

CVSS Score: 0

** KEV since 2023-07-27 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37580

NVD References: 

- https://wiki.zimbra.com/wiki/Security_Center

- https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy




CVE-2023-33493 - PrestaShop through 2.3.0 allows remote attackers to upload dangerous files without restrictions.

Product: PrestaShop Ajaxmanager File and Database explorer

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33493

NVD References: https://security.friendsofpresta.org/module/2023/07/28/ajaxmanager.html




Manual Review Needed:


CVE-2023-35081 - Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass authentication and ACLs restrictions (if applicable).

Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability

Product: Ivanti Endpoint Manager Mobile (EPMM)

** KEV since 2023-07-31 **

Ivanti Reference: https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability