Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

No-Defender, Yes-Defender

Published: 2024-06-04

Last Updated: 2024-06-04 19:17:41 UTC

by John Moutos (Version: 1)

Recently I was made aware of a neat utility (https://github.com/es3n1n/no-defender/) which provides the capability to disable Windows Defender by abusing the WSC (Windows Security Center) registration that other AV and EDR providers utilize to become the main provider on systems, mostly to avoid conflict with Windows Defender.

It does this by abusing the middle-man WSC proxy app Avast bundles with their software, which provides access to the necessary WSC APIs for registration, and registers itself as a fraudulent AV provider, forcing Defender to step down (periodic scanning will still function if enabled manually).

As with all utilities that have the potential to aid in defense evasion, this will eventually make the rounds with active threat groups, until it is deemed obsolete or no longer viable.

To detect usage of this or similar tools, monitoring the “SecurityCenter” Windows event log for event ID 15 is ideal. This can help identify if an unwanted application registered and enabled itself as a security provider in place of Defender.
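An added example (not from the diary or the no-defender project) of turning that advice into a routine check: it pulls recent SecurityCenter event ID 15 entries and flags any provider state change that is not expected on the host. It assumes the events are written to the System log by the SecurityCenter provider with a message of the form "Updated <product> status successfully to SECURITY_PRODUCT_STATE_<state>"; adjust the filter if your build stores them elsewhere.

```powershell
# Added example (not from the ISC diary): review SecurityCenter event ID 15 for
# provider state changes that indicate a product other than Defender has taken
# the AV slot. Assumes (see lead-in) the events land in the System log with
# ProviderName 'SecurityCenter' and a message of the form
# "Updated <product> status successfully to SECURITY_PRODUCT_STATE_<ON|OFF|...>".

param(
    [int]$Days = 7,
    # Products legitimately expected to hold the AV slot on this host; anything else is flagged.
    [string[]]$ExpectedProviders = @('Windows Defender')
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'SecurityCenter'
    Id           = 15
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No SecurityCenter event ID 15 entries since $since."
    return
}

$findings = foreach ($e in $events) {
    if ($e.Message -match 'Updated (.+?) status successfully to (SECURITY_PRODUCT_STATE_\w+)') {
        $product = $Matches[1]
        $state   = $Matches[2]
        # Suspicious: an unexpected product switched ON, or an expected one left the ON state.
        $suspicious =
            ($state -eq 'SECURITY_PRODUCT_STATE_ON' -and $ExpectedProviders -notcontains $product) -or
            ($state -ne 'SECURITY_PRODUCT_STATE_ON' -and $ExpectedProviders -contains $product)
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Product    = $product
            State      = $state
            Suspicious = $suspicious
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize

$flagged = @($findings | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} SecurityCenter state change(s) need review:" -f $flagged.Count)
    $flagged | ForEach-Object { Write-Warning ("  {0}  {1} -> {2}" -f $_.Time, $_.Product, $_.State) }
}
```

On hosts where a third-party AV is legitimately installed, pass that product name in -ExpectedProviders so that Defender stepping down for it is not reported.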

Read the full entry:

https://isc.sans.edu/diary/NoDefender+YesDefender/30980/

"K1w1" InfoStealer Uses gofile.io for Exfiltration

Published: 2024-05-31

Last Updated: 2024-05-31 10:40:46 UTC

by Xavier Mertens (Version: 1)

Python remains a nice language for attackers and I keep finding interesting scripts that are usually not very well detected by antivirus solutions. The one I found has a VT score of 7/65! I decided to call it "k1w1" infostealer because this string is referenced in many variable and function names. The script has classic infostealer capabilities to find interesting pieces of data on the victim's computer but has some interesting techniques.

First, it uses gofile.io to exfiltrate data...

Read the full entry:

https://isc.sans.edu/diary/K1w1+InfoStealer+Uses+gofileio+for+Exfiltration/30972/

Internet Storm Center Entries


A Wireshark Lua Dissector for Fixed Field Length Protocols (2024.06.03)

https://isc.sans.edu/diary/A+Wireshark+Lua+Dissector+for+Fixed+Field+Length+Protocols/30976/

Feeding MISP with OSSEC (2024.05.30)

https://isc.sans.edu/diary/Feeding+MISP+with+OSSEC/30968/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-24919 - Check Point Security Gateways are vulnerable to information exposure when connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades; a security fix is available.

Product: Checkpoint Quantum Security Gateway

CVSS Score: 8.6

** KEV since 2024-05-30 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24919

ISC Podcast: https://isc.sans.edu/podcastdetail/9004

NVD References: https://support.checkpoint.com/results/sk/sk182336

CVE-2024-5274 - Google Chrome prior to version 125.0.6422.112 is vulnerable to type confusion in V8, allowing remote attackers to execute arbitrary code via a specially crafted HTML page.

Product: Google Chrome

CVSS Score: 8.8

** KEV since 2024-05-28 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5274

NVD References:

- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html

- https://issues.chromium.org/issues/341663589

CVE-2024-23108 - Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 are vulnerable to an OS command injection allowing unauthorized code execution via crafted API requests.

Product: Fortinet FortiSIEM 7.1.1

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23108

ISC Podcast: https://isc.sans.edu/podcastdetail/9000

CVE-2024-21785 - AutomationDirect P3-550E 1.2.10.9 is vulnerable to unauthorized access via a leftover debug code in its Telnet Diagnostic Interface functionality.

Product: AutomationDirect P3-550E

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21785

NVD References:

- https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003yaj2AA/sa00038

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1942

CVE-2024-22187 - AutomationDirect P3-550E 1.2.10.9 is vulnerable to a write-what-where vulnerability in the Programming Software Connection Remote Memory Diagnostics functionality, allowing an attacker to send a specially crafted network packet for an arbitrary write without authentication.

Product: AutomationDirect P3-550E

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-22187

NVD References:

- https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003yXV2AY/sa00036

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1940

CVE-2024-23601 - AutomationDirect P3-550E 1.2.10.9 is vulnerable to code injection in scan_lib.bin, allowing for arbitrary code execution via a specially crafted file.

Product: AutomationDirect P3-550E

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23601

NVD References:

- https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003ycL2AQ/sa00039

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1943

CVE-2024-24962 & CVE-2024-24963 - AutomationDirect P3-550E 1.2.10.9 stack-based buffer overflow vulnerabilities

Product: AutomationDirect P3-550E

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24962

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24963

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1939

CVE-2024-5150 - The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26, allowing unauthenticated attackers to log in as any existing user on the site. The patch in version 1.7.26 causes the function to stop working; this issue is fixed in version 1.7.27.

Product: WordPress Login with phone number plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5150

NVD References:

- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183

- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220

- https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241

- https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number

- https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5

- https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve

CVE-2024-3412 - The WP STAGING WordPress Backup Plugin is vulnerable to arbitrary file uploads, allowing authenticated attackers to potentially execute remote code.

Product: WP STAGING WordPress Backup Plugin – Migration Backup Restore

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3412

NVD References:

- https://plugins.trac.wordpress.org/changeset/3076275/wp-staging/trunk/Framework/Network/AjaxBackupDownloader.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/8ebb1072-ea05-4914-961d-0d8f20248078?source=cve

CVE-2024-4358 - In Progress Telerik Report Server, version 2024 Q1 or earlier, on IIS, is vulnerable to an authentication bypass issue allowing unauthenticated attackers to access restricted functionality.

Product: Progress Telerik Report Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4358

NVD References: https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358

CVE-2024-5514 - MinMax CMS contains a hidden admin account with a fixed password that allows remote attackers to bypass IP access controls without detection.

Product: MinMax Digital Technology MinMax CMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5514

NVD References: https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html

CVE-2024-3300 - DELMIA Apriso is vulnerable to an unsafe .NET object deserialization flaw that allows for pre-authentication remote code execution.

Product: DELMIA Apriso

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3300

NVD References: https://www.3ds.com/vulnerability/advisories

CVE-2024-23692 - Rejetto HTTP File Server up to and including version 2.3m is vulnerable to template injection, allowing remote attackers to execute commands via crafted HTTP requests.

Product: Rejetto HTTP File Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23692

NVD References:

- https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/

- https://vulncheck.com/advisories/rejetto-unauth-rce

CVE-2024-36108 - Casgate allows remote unauthenticated attackers to obtain sensitive information via GET request to an API endpoint, potentially leading to account takeover or privilege escalation, with no known workarounds available and users advised to upgrade.

Product: Casgate Open Source Identity and Access Management system

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36108

NVD References:

- https://github.com/casgate/casgate/pull/201

- https://github.com/casgate/casgate/security/advisories/GHSA-mj5q-rc67-h56c

CVE-2024-3200 - The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3, allowing authenticated attackers to extract sensitive information from the database.

Product: wpForo Forum plugin

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3200

NVD References:

- https://plugins.trac.wordpress.org/changeset?old_path=/wpforo/tags/2.3.3&new_path=/wpforo/tags/2.3.4&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/f54cdad2-88db-4604-8064-fa6175176760?source=cve

CVE-2024-3820 - The wpDataTables plugin for WordPress is vulnerable to SQL Injection in all versions up to 6.3.1, allowing unauthenticated attackers to extract sensitive information from the database via the 'id_key' parameter of the wdt_delete_table_row AJAX action in the premium version of the plugin.

Product: wpDataTables WordPress Data Table Plugin

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3820

NVD References:

- https://wpdatatables.com/help/whats-new-changelog/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve

CVE-2024-27776 - MileSight DeviceHub - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') may allow Unauthenticated RCE

Product: MileSight DeviceHub

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27776

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2024-36388 - MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function

Product: MileSight DeviceHub

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36388

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2024-36389 - MileSight DeviceHub - CWE-330 Use of Insufficiently Random Values may allow Authentication Bypass

Product: MileSight DeviceHub

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36389

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2024-36391 - MileSight DeviceHub - CWE-320: Key Management Errors may allow Authentication Bypass and Man-In-The-Middle Traffic

Product: MileSight DeviceHub

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36391

NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2024-5311 - DigiWin EasyFlow .NET is vulnerable to SQL injection due to lack of input parameter validation, allowing unauthenticated attackers to access and manipulate database records.

Product: DigiWin EasyFlow

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5311

NVD References: https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html

CVE-2024-5404 - An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism.

Product: moneo appliance

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5404

NVD References: https://cert.vde.com/en/advisories/VDE-2024-028

CVE-2023-43538 - Memory corruption in TZ Secure OS during Tunnel Invoke Manager initialization.

Product: TZ Secure OS Tunnel Invoke Manager

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43538

NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html

CVE-2023-43551 - LTE networks may be vulnerable to cryptographic issues, allowing rogue base stations to bypass authentication and send Security Mode Commands.

Product: Samsung Galaxy S6

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43551

NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html

CVE-2023-43556 - Memory corruption in Hypervisor when the platform information provided is not aligned.

Product: Hypervisor Memory corruption

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43556

NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html

CVE-2024-29972 through CVE-2024-29974 - Multiple vulnerabilities (command injection, remote code execution) in Zyxel NAS326 and NAS542 firmware

Product: Zyxel NAS326

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29972

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29973

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29974

NVD References:

- https://outpost24.com/blog/zyxel-nas-critical-vulnerabilities/

- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

CVE-2024-4552 - The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass through social login, allowing unauthenticated attackers to log in as any existing user on the site, up to version 1.6.0.

Product: WordPress Social Login Lite For WooCommerce plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4552

NVD References:

- https://plugins.trac.wordpress.org/browser/social-login-lite-for-woocommerce/tags/1.6.0/woocommerce_social_login.php#L499

- https://www.wordfence.com/threat-intel/vulnerabilities/id/f91d6ad6-82fc-4507-90e2-aedfff26bac5?source=cve

CVE-2023-33930 - Unlimited Elements For Elementor (Free Widgets, Addons, Templates) before version 1.5.66 allows Code Injection through unrestricted upload of dangerous file types.

Product: Unlimited Elements For Elementor

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-33930

NVD References: https://patchstack.com/database/vulnerability/unlimited-elements-for-elementor/wordpress-unlimited-elements-for-elementor-plugin-1-5-66-unrestricted-zip-extraction-vulnerability?_s_id=cve

CVE-2024-25600 - Bricks Builder by Codeer Limited is vulnerable to Code Injection from versions n/a through 1.9.6.

Product: Codeer Limited Bricks Builder

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-25600

NVD References:

- https://github.com/Chocapikk/CVE-2024-25600

- https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT

- https://patchstack.com/articles/critical-rce-patched-in-bricks-builder-theme?_s_id=cve

- https://patchstack.com/database/vulnerability/bricks/wordpress-bricks-theme-1-9-6-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve

- https://snicco.io/vulnerability-disclosure/bricks/unauthenticated-rce-in-bricks-1-9-6

CVE-2024-33560 - XStore is vulnerable to improper limitation of a pathname, allowing PHP local file inclusion from n/a through 9.3.8.

Product: 8theme XStore

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33560

NVD References: https://patchstack.com/database/vulnerability/xstore/wordpress-xstore-theme-9-3-5-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve

CVE-2024-34551 - Stockholm: from n/a through 9.6 is vulnerable to a Path Traversal issue allowing PHP Local File Inclusion.

Product: Select-Themes Stockholm

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34551

NVD References: https://patchstack.com/database/vulnerability/stockholm/wordpress-stockholm-theme-9-6-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve

CVE-2024-34792 - Dextaz Ping from n/a through 0.65 allows Command Injection due to improper neutralization of special elements in a command.

Product: Dexta Dextaz Ping

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34792

NVD References: https://patchstack.com/database/vulnerability/dextaz-ping/wordpress-dextaz-ping-plugin-0-65-remote-code-execution-rce-vulnerability?_s_id=cve

CVE-2024-35629 - Wow-Company Easy Digital Downloads – Recent Purchases is vulnerable to PHP Remote File Inclusion due to improper control of filename for include/require statement.

Product: Wow-Company Easy Digital Downloads – Recent Purchases

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35629

NVD References: https://patchstack.com/database/vulnerability/edd-recent-purchases/wordpress-easy-digital-downloads-recent-purchases-plugin-1-0-2-remote-file-inclusion-vulnerability?_s_id=cve

CVE-2024-35700 - Improper Privilege Management vulnerability in DeluxeThemes Userpro allows Privilege Escalation. This issue affects Userpro: from n/a through 5.1.8.

Product: DeluxeThemes Userpro

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35700

NVD References: https://patchstack.com/database/vulnerability/userpro/wordpress-userpro-plugin-5-1-8-unauthenticated-account-takeover-vulnerability?_s_id=cve

CVE-2024-36400 - Nano-id is a unique string ID generator for Rust that incorrectly generated IDs with a reduced character set, leading to predictability and vulnerability in security-sensitive contexts.

Product: Nano-id

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36400

NVD References:

- https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23

- https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94

CVE-2024-21683 - Confluence Data Center and Server version 5.2 is vulnerable to a high severity RCE (Remote Code Execution) issue with a CVSS Score of 8.3.

Product: Atlassian Confluence Data Center and Server

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21683

ISC Podcast: https://isc.sans.edu/podcastdetail/9008

CVE-2024-27842 - The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.

Product: macOS Sonoma

CVSS Score: N/A

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27842

ISC Diary: https://isc.sans.edu/diary/Apple+Patches+Everything+macOS+iOS+iPadOS+watchOS+tvOS+updated/30916/

ISC Podcast: https://isc.sans.edu/podcastdetail/8980

NVD References: https://support.apple.com/en-us/HT214106