@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 07

@RISK: The Consensus Security Vulnerability Alert
February 16, 2023 – Vol. 23, Num. 07

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Microsoft February 2023 Patch Tuesday
Published: 2023-02-14
Last Updated: 2023-02-15 01:19:13 UTC
by Johannes Ullrich (Version: 1)

Microsoft today patched 80 different vulnerabilities. This includes the Chromium vulnerabilities affecting Microsoft Edge. Nine vulnerabilities are rated as “Critical” by Microsoft.

Three of the vulnerabilities, all rated “important”, are already being exploited:

CVE-2023-21715: Microsoft Publisher Security Feature Bypass. This vulnerability will allow the execution of macros bypassing policies blocking them.

CVE-2023-23376: Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-21823: Windows Graphics Component Remote Code Execution Vulnerability. Patches for this vulnerability may only be available via the Microsoft Store. Make sure you have these updates enabled.

Some additional vulnerabilities of interest:

CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability. Likely not the most common issue to be patched this month, but something that may easily be missed. This vulnerability, if exploited, could be used for lateral movement.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

CVE-2023-21803 – Windows iSCSI Discovery Service Remote Code Execution Vulnerability
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21803
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21803

CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerabilities
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21689
https://nvd.nist.gov/vuln/detail/CVE-2023-21690
https://nvd.nist.gov/vuln/detail/CVE-2023-21692
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21690
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21692

CVE-2022-31249 – An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-31249
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1200299

CVE-2022-43757 – A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43757
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1205295

CVE-2022-24990 – TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending “User-Agent: TNAS” to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
** KEV since 2023-02-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24990
NVD References:
https://forum.terra-master.com/en/viewforum.php?f=28
https://github.com/0xf4n9x/CVE-2022-24990
https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732

CVE-2023-24813 – Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it’s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24813
NVD References:
https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75

CVE-2022-43761 – Missing authentication when creating and managing the B&R APROL database in versions < R 4.2-07 allows reading and changing the system configuration.
CVE-2022-43764 – Insufficient validation of input parameters when changing configuration on Tbase server in B&R APROL versions < R 4.2-07 could result in buffer overflow. This may lead to Denial-of-Service conditions or execution of arbitrary code.
CVSS Score: 9.4 – 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L and 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-43761
https://nvd.nist.gov/vuln/detail/CVE-2022-43764
NVD References: https://www.br-automation.com/downloads_br_productcatalogue/assets/1674823095245-en-original-1.0.pdf

CVE-2023-25168 – Wings is Pterodactyl’s server control plane. This vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with `GHSA-p8r3-83r8-jwj5` to overwrite files on the host system. In order to use this exploit, an attacker must have an existing “server” allocated and controlled by Wings. This vulnerability has been resolved in version `v1.11.4` of Wings, and has been back-ported to the 1.7 release series in `v1.7.4`. Anyone running `v1.11.x` should upgrade to `v1.11.4` and anyone running `v1.7.x` should upgrade to `v1.7.4`. There are no known workarounds for this issue.
CVSS Score: 9.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25168
NVD References:
https://github.com/pterodactyl/wings/commit/429ac62dba22997a278bc709df5ac00a5a25d83d
https://github.com/pterodactyl/wings/security/advisories/GHSA-66p8-j459-rq63
https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5

CVE-2023-0776 – Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods have been tested and validated by a 3rd party analyst and have been confirmed exploitable; special thanks to Rustam Amin for providing the steps to reproduce.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0776
NVD References: https://baicells.com/Service/Firmware

CVE-2022-25729 – Memory corruption in modem due to improper length check while copying into memory
CVE-2022-33232 – Memory corruption due to buffer copy without checking size of input while running memory sharing tests with large scattered memory.
CVE-2022-33279 – Memory corruption due to stack based buffer overflow in WLAN having invalid WNM frame length.
CVE-2022-40514 – Memory corruption due to buffer copy without checking the size of input in WLAN Firmware while processing CCKM IE in reassoc response frame.
CVSS Score: 9.3 – 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2022-25729
https://nvd.nist.gov/vuln/detail/CVE-2022-33232
https://nvd.nist.gov/vuln/detail/CVE-2022-33279
https://nvd.nist.gov/vuln/detail/CVE-2022-40514
NVD References: https://www.qualcomm.com/company/product-security/bulletins/february-2023-bulletin

CVE-2023-23551 – Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23551
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-01

CVE-2023-24482 – A vulnerability has been identified in COMOS V10.2 (All versions), COMOS V10.3.3.1 (All versions < V10.3.3.1.45), COMOS V10.3.3.2 (All versions < V10.3.3.2.33), COMOS V10.3.3.3 (All versions < V10.3.3.3.9), COMOS V10.3.3.4 (All versions < V10.3.3.4.6), COMOS V10.4.0.0 (All versions < V10.4.0.0.31), COMOS V10.4.1.0 (All versions < V10.4.1.0.32), COMOS V10.4.2.0 (All versions < V10.4.2.0.25). Cache validation service in COMOS is vulnerable to Structured Exception Handler (SEH) based buffer overflow. This could allow an attacker to execute arbitrary code on the target system or cause denial of service condition.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24482
NVD References: https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf

CVE-2023-21528 – Microsoft SQL Server Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21528
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21528

CVE-2023-21529 – Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21529
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529

CVE-2023-21564 – Azure DevOps Server Cross-Site Scripting Vulnerability
CVSS Score: 7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21564
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21564

CVE-2023-21568 – Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability
CVSS Score: 7.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21568
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21568

CVE-2023-21684 – Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21684
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21684

CVE-2023-21685 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21685
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21685

CVE-2023-21686 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21686
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21686

CVE-2023-21688 – NT OS Kernel Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21688
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21688

CVE-2023-21691 – Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21691
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21691

CVE-2023-21695 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21695
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21695

CVE-2023-21701 – Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21701
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21701

CVE-2023-21700 – Windows iSCSI Discovery Service Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21700
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21700

CVE-2023-21702 – Windows iSCSI Service Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21702
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21702

CVE-2023-21704 – Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21704
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21704

CVE-2023-21705 and CVE-2023-21713 – Microsoft SQL Server Remote Code Execution Vulnerabilities
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21705
https://nvd.nist.gov/vuln/detail/CVE-2023-21713
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21705
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21713

CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 – Microsoft Exchange Server Remote Code Execution Vulnerabilities
CVSS Scores: 7.2 – 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21706
https://nvd.nist.gov/vuln/detail/CVE-2023-21707
https://nvd.nist.gov/vuln/detail/CVE-2023-21710
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21706
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21707
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21710

CVE-2023-21717 – Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21717
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21717

CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21718
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21718

CVE-2023-21777 – Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
CVSS Score: 8.7
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21777
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21777

CVE-2023-21797 and CVE-2023-21798 – Microsoft ODBC Driver Remote Code Execution Vulnerabilities
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21797
https://nvd.nist.gov/vuln/detail/CVE-2023-21798
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21797
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21798

CVE-2023-21799 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21799
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21799

CVE-2023-21800 – Windows Installer Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21800
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21800

CVE-2023-21801 – Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21801
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21801

CVE-2023-21802 – Windows Media Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21802
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21802

CVE-2023-21804 – Windows Graphics Component Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21804
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21804

CVE-2023-21805 – Windows MSHTML Platform Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21805
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21805

CVE-2023-21806 – Power BI Report Server Spoofing Vulnerability
CVSS Score: 8.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21806
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21806

CVE-2023-21809 – Microsoft Defender for Endpoint Security Feature Bypass Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21809
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21809

CVE-2023-21811 – Windows iSCSI Service Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21811
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21811

CVE-2023-21812 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21812
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21812

CVE-2023-21813 – Windows Secure Channel Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21813
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21813

CVE-2023-21816 – Windows Active Directory Domain Services API Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21816
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21816

CVE-2023-21817 – Windows Kerberos Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21817
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21817

CVE-2023-21818 and CVE-2023-21819 – Windows Secure Channel Denial of Service Vulnerabilities
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21818
https://nvd.nist.gov/vuln/detail/CVE-2023-21819
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21818
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21819

CVE-2023-21820 – Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVSS Score: 7.4
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21820
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21820

CVE-2023-21822 – Windows Graphics Component Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21822
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21822

CVE-2023-23374 – Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVSS Score: 8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23374
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23374

CVE-2023-23377 – 3D Builder Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23377
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23377

CVE-2023-23378 – Print 3D Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23378
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23378

CVE-2023-23390 – 3D Builder Remote Code Execution Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23390
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23390

CVE-2023-21553 – Azure DevOps Server Remote Code Execution Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21553
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21553

CVE-2023-21566 – Visual Studio Elevation of Privilege Vulnerability
CVSS Score: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21566
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21566

CVE-2023-21778 – Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability
CVSS Score: 8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21778
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21778

CVE-2023-21808 – .NET and Visual Studio Remote Code Execution Vulnerability
CVSS Score: 8.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21808
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21808

CVE-2023-21815 and CVE-2023-23381 – Visual Studio Remote Code Execution Vulnerabilities
CVSS Score: 8.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD:
https://nvd.nist.gov/vuln/detail/CVE-2023-21815
https://nvd.nist.gov/vuln/detail/CVE-2023-23381
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21815
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23381

CVE-2019-15126 – Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-15126
ISC Diary: https://isc.sans.edu/diary/29548
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-15126

@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 06

@RISK: The Consensus Security Vulnerability Alert
February 9, 2023 – Vol. 23, Num. 06

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT

Simple HTML Phishing via Telegram Bot
Published: 2023-02-08
Last Updated: 2023-02-08 13:56:11 UTC
by Johannes Ullrich (Version: 1)

Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them.

The phish itself is not particularly remarkable. It is arriving as an email claiming to include a payment confirmation. The email includes a small thread of messages likely to make it more plausible. The best I can guess, the email is supposed to make the recipient curious to open the attachment. The attachment itself is a simple HTML file simulating an Office 365 page.

Read the full entry:
https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528/

Earthquake in Turkey and Syria: Be Aware of Possible Donation Scams
Published: 2023-02-06
Last Updated: 2023-02-06 18:40:43 UTC
by Johannes Ullrich (Version: 1)

Last night, Turkey and Syria were affected by a significant earthquake. Sadly, experience teaches us that disasters like this will often be abused. The most common scam involves fake donation websites. But you may also see malware disguised as a video or images from the affected region.

Here are some tips to share:

Do not donate to organizations you have not heard of before the event. Only donate to organizations that have an established track record.
If you have contacts in the affected area: Try to reach out to them to find out how to help them.
Scams may target people with links to the affected region. Be careful with phone calls or emails claiming to ask for money on behalf of a relative or friend. Scammers may use social media data and may contact you via social media.
Do not blindly believe requests for help on social media.
Do not just Google for ways to donate money.

Read the full entry: https://isc.sans.edu/diary/Earthquake+in+Turkey+and+Syria+Be+Aware+of+Possible+Donation+Scams/29518/

Assemblyline as a Malware Analysis Sandbox
Published: 2023-02-04
Last Updated: 2023-02-04 23:53:30 UTC
by Guy Bruneau (Version: 1)

If you are looking for a malware sandbox that is easy to install and maintain, Assemblyline (AL) [1] is likely the system you want to be part of your toolbox. “Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline’s most powerful functionalities is its recursive analysis model.”[2]

First step, install the server. My server configuration is as follows:

Ubuntu 22.04
Ubuntu Server (minimized)
8+ Cores
16+ GB RAM
100 GB
100+ GB /var/lib/docker
Static IP

Read the full entry:
https://isc.sans.edu/diary/Assemblyline+as+a+Malware+Analysis+Sandbox/29510/

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

A Survey of Bluetooth Vulnerabilities Trends (2023 Edition) (2023.02.07)
https://isc.sans.edu/diary/A+Survey+of+Bluetooth+Vulnerabilities+Trends+2023+Edition/29522

APIs Used by Bots to Detect Public IP address (2023.02.06)
https://isc.sans.edu/diary/APIs+Used+by+Bots+to+Detect+Public+IP+address/29516/

Video: Analyzing Malicious OneNote Documents (2023.02.05)
https://isc.sans.edu/diary/Video+Analyzing+Malicious+OneNote+Documents/29512/

Check out a couple of my older posts (2023.02.02)
https://isc.sans.edu/diary/Check+out+a+couple+of+my+older+posts/29504/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-22501 – An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:
– If the attacker is included on Jira issues or requests with these users, or
– If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22501
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8356
NVD References: https://jira.atlassian.com/browse/JSDSERVER-12312

CVE-2022-21129 – Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the ‘module.exports.setup’ function. Note: In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-21129
NVD References:
https://github.com/paypal/nemo-appium/commit/aa271d36dd5c81baae3c43aa2616c84f0ee4195f
https://security.snyk.io/vuln/SNYK-JS-NEMOAPPIUM-3183747

CVE-2022-45789 – A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure™ Control Expert (All Versions), EcoStruxure™ Process Expert (Version V2020 & prior), Modicon M340 CPU (part numbers BMXP34*) (All Versions), Modicon M580 CPU (part numbers BMEP* and BMEH*) (All Versions), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45789
NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-010-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-010-06_Modicon_Controllers_Security_Notification.pdf

CVE-2022-24324 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVE-2022-2329 – A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24324
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-2329
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf

CVE-2022-42970 – A CWE-306: Missing Authentication for Critical Function vulnerability exists: the software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVE-2022-42971 – A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42970
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42971
NVD References: https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVE-2022-39060 – ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system or to terminate the service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39060
NVD References: https://www.twcert.org.tw/tw/cp-132-6887-6ed4f-1.html

CVE-2023-22900 – Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete the database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22900
NVD References: https://www.twcert.org.tw/tw/cp-132-6885-d679e-1.html

CVE-2022-24963 – Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.
CVE-2022-25147 – Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24963
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25147
NVD References: https://lists.apache.org/thread/np5gjqlohc4f62lr09vrn61vl44cylh8

CVE-2022-47035 – Buffer Overflow Vulnerability in D-Link DIR-825 v1.33.0.44ebdd4-embedded and below allows attacker to execute arbitrary code via the GetConfig method to the /CPE endpoint.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47035
NVD References:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10314
https://www.dlink.com/en/security-bulletin/

CVE-2022-47780 – SQL Injection vulnerability in Bangresto 1.0 via the itemID parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47780
NVD References: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto

CVE-2023-24162 – Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
CVE-2023-24163 – SQL Injection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24162
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24163
NVD References:
https://gitee.com/dromara/hutool/issues/I6AEX2
https://github.com/dromara/hutool/issues/2855
https://gitee.com/dromara/hutool/issues/I6AJWJ#note_15801868

CVE-2022-47697 – COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.
CVE-2022-47699 – COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47697
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47699

CVE-2022-45297 – EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45297
NVD References: https://github.com/tlfyyds/EQ

CVE-2022-47873 – Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47873

CVE-2023-23924 – Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `image` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to an arbitrary file deletion and even remote code execution, depending on classes that are available.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23924
NVD References:
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
https://github.com/dompdf/dompdf/releases/tag/v2.0.2
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

CVE-2023-24813 – Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it’s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24813
NVD References:
https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75

CVE-2023-24241 – Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/loginpost.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24241
NVD References: https://github.com/Mortalwangxin/lives/issues/1

CVE-2023-23928 – reason-jose is a JOSE implementation in ReasonML and OCaml. `Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23928
NVD References:
https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5
https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2
https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

CVE-2022-47769 – An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.
CVE-2022-47770 – Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47769
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47770
NVD References:
https://www.swascan.com/it/security-advisory-serenissima-informatica-fastcheckin/
https://fast.com

CVE-2023-0587 – A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0587
NVD References: https://www.tenable.com/security/research/tra-2023-5

CVE-2023-22374 – In BIG-IP starting in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 on their respective branches, a format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22374
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8356
NVD References: https://my.f5.com/manage/s/article/K000130415

CVE-2022-22486 – IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-22486
NVD References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/226328
https://www.ibm.com/support/pages/node/6890697

CVE-2022-43757 – A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43757
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1205295

@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 05

@RISK: The Consensus Security Vulnerability Alert
February 2, 2023 – Vol. 23, Num. 05

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Detecting (Malicious) OneNote Files
Published: 2023-02-01
Last Updated: 2023-02-01 08:57:26 UTC
by Didier Stevens (Version: 1)

We are starting to see malicious OneNote documents (cfr. Xavier’s diary entry “A First Malicious OneNote Document”).

OneNote files have their own binary file format: [MS-ONESTORE].

A OneNote file starts with GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.

Files contained in a OneNote file start with a header (FileDataStoreObject) followed by the embedded file itself. This header also starts with a GUID: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.

Hence, to detect OneNote files with embedded files, look for files that start with byte sequence E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 (that’s GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}) and contain one or more instances of byte sequence E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC (that’s GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}).

This allows you to detect OneNote files with embedded files, which are not necessarily malicious, because an embedded file can just be a picture, for example.

Read the full entry:
https://isc.sans.edu/diary/Detecting+Malicious+OneNote+Files/29494/
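The two byte-sequence rules from the diary, turned into a small triage script. This is an added example, not code from the diary or from ISC; it assumes the FileDataStoreObject header layout from [MS-ONESTORE] (guidHeader, 8-byte cbLength, 4 unused, 8 reserved, then the file data), which the diary itself does not spell out, and the sample input is constructed, not a real OneNote file.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import List

# The two GUIDs named in the diary. uuid.bytes_le yields the on-disk mixed-endian order,
# i.e. E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 for the file header and
# E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC for FileDataStoreObject.
ONESTORE_HEADER_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FILE_DATA_STORE_OBJECT_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le

# FileDataStoreObject header as I read [MS-ONESTORE] (my assumption; the diary only names the GUID):
#   guidHeader (16) | cbLength uint64 LE (8) | unused (4) | reserved (8) | FileData (cbLength bytes)
FDSO_HEADER_LEN = 36

# Magic prefixes for a first look at the embedded payload (deliberately short list).
MAGICS = [
    (b"MZ", "PE executable"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP/OOXML"),
    (b"\xd0\xcf\x11\xe0", "OLE2 (legacy Office)"),
    (b"\x89PNG", "PNG"),
    (b"\xff\xd8\xff", "JPEG"),
]


@dataclass
class EmbeddedFile:
    offset: int       # offset of the FileDataStoreObject header inside the OneNote file
    length: int       # cbLength as declared in that header (0 if the header itself is cut off)
    kind: str         # best-effort type from the payload's magic bytes
    truncated: bool   # True when the declared length runs past the end of the data


def is_onenote(data: bytes) -> bool:
    """First rule from the diary: the file starts with the OneNote header GUID."""
    return data.startswith(ONESTORE_HEADER_GUID)


def guess_kind(payload: bytes) -> str:
    for magic, name in MAGICS:
        if payload.startswith(magic):
            return name
    return "unknown"


def find_embedded_files(data: bytes) -> List[EmbeddedFile]:
    """Second rule: every occurrence of the FileDataStoreObject GUID marks an embedded file."""
    found = []
    pos = data.find(FILE_DATA_STORE_OBJECT_GUID)
    while pos != -1:
        payload_start = pos + FDSO_HEADER_LEN
        if payload_start > len(data):
            # Header cut off: record the hit, but there is no length or payload to inspect.
            found.append(EmbeddedFile(pos, 0, "unknown", True))
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        head = data[payload_start:payload_start + 8]
        truncated = payload_start + length > len(data)
        found.append(EmbeddedFile(pos, length, guess_kind(head), truncated))
        pos = data.find(FILE_DATA_STORE_OBJECT_GUID, pos + len(FILE_DATA_STORE_OBJECT_GUID))
    return found


def build_sample() -> bytes:
    """Constructed test input (not a real OneNote file): header GUID, filler, two embedded objects."""
    def fdso(payload: bytes) -> bytes:
        return FILE_DATA_STORE_OBJECT_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload

    png_like = b"\x89PNG\r\n\x1a\n" + b"\0" * 20   # a harmless picture, as the diary notes
    pe_like = b"MZ\x90\x00" + b"\0" * 60            # the kind of payload worth a closer look
    return ONESTORE_HEADER_GUID + b"\0" * 48 + fdso(png_like) + b"\0" * 8 + fdso(pe_like)


if __name__ == "__main__":
    sample = build_sample()
    print("OneNote header:", is_onenote(sample))
    for f in find_embedded_files(sample):
        print(f"  embedded file at 0x{f.offset:x}: {f.length} bytes, looks like {f.kind}")
```

As the diary says, a hit only tells you the file carries embedded content; the magic-byte guess is there so the analyst can see at once whether that content is a picture or something that deserves a closer look.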

Decoding DNS over HTTP(s) Requests
Published: 2023-01-30
Last Updated: 2023-01-30 16:51:54 UTC
by Johannes Ullrich (Version: 1)

I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the “Big Chinese Firewall”. Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.

Read the full entry:
https://isc.sans.edu/diary/Decoding+DNS+over+HTTPs+Requests/29488/

Live Linux IR with UAC
Published: 2023-01-26
Last Updated: 2023-01-26 23:07:32 UTC
by Tom Webb (Version: 1)

The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects VirtualBox and Docker info and other data on the system. It can dump results files to SFTP, Azure, S3, and IBM storage natively.

With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made.

Read the full entry: https://isc.sans.edu/diary/Live+Linux+IR+with+UAC/29480/

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

Rotating Packet Captures with pfSense (2023.02.01)
https://isc.sans.edu/diary/Rotating+Packet+Captures+with+pfSense/29500/

DShield Honeypot Setup with pfSense (2023.01.31)
https://isc.sans.edu/diary/DShield+Honeypot+Setup+with+pfSense/29490/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2022-47966 – Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
** KEV since 2023-01-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47966
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8340

CVE-2022-42475 – A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
** KEV since 2022-12-23 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42475

CVE-2022-45639 – OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45639
NVD References:
https://www.binaryworld.it/
https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639

CVE-2022-25894 – All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25894
NVD References:
https://fmyyy1.github.io/2022/10/23/uflo2rce/
https://security.snyk.io/vuln/SNYK-JAVA-COMBSTEKUFLO-3091112

CVE-2022-3094 – Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don’t intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3094
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8344
NVD References: https://kb.isc.org/docs/cve-2022-3094

CVE-2022-3572 – A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.
CVSS Score: 9.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3572
NVD References:
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3572.json
https://gitlab.com/gitlab-org/gitlab/-/issues/378214
https://hackerone.com/reports/1727985

CVE-2022-45808 – SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVE-2022-45820 – SQL Injection (SQLi) vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVE-2022-47615 – Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
CVSS Scores: 9.1 – 9.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45808
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45820
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47615
NVD References:
https://patchstack.com/articles/multiple-critical-vulnerabilities-fixed-in-learnpress-plugin-version/
https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-wordpress-lms-plugin-plugin-4-1-7-3-2-sql-injection?_s_id=cve
https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-auth-sql-injection-sqli-vulnerability?_s_id=cve
https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-1-7-3-2-local-file-inclusion?_s_id=cve

CVE-2023-0321 – Campbell Scientific dataloggers CR6, CR300, CR800, CR1000 and CR3000 may allow an attacker to download configuration files, which may contain sensitive information about the internal network. From factory defaults, the mentioned dataloggers have HTTP and PakBus enabled. The devices, with the default configuration, allow this situation via the PakBus port. The exploitation of this vulnerability may allow an attacker to download, modify, and upload new configuration files.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0321
NVD References:
https://www.hackplayers.com/2023/01/cve-2023-0321-info-sensible-campbell.html
https://www.incibe-cert.es/en/early-warning/ics-advisories/disclosure-sensitive-information-campbell-scientific-products

CVE-2023-0452 – All versions of Econolite EOS traffic control software are vulnerable to CWE-328: Use of Weak Hash, and use a weak hash algorithm for encrypting privileged user credentials. A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0452
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02

CVE-2023-22482 – Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD’s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD’s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token’s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.
CVSS Score: 9.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22482
NVD References: https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc
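Two entries in this list, CVE-2023-23928 (reason-jose, HS256 signature not checked) and CVE-2023-22482 (Argo CD, `aud` claim not checked), are the same lesson from opposite ends of token validation. The following is an added example (mine, not code from either project): a stdlib-only HS256 JWS verifier that pins the algorithm, verifies the signature, and then enforces the audience, exercised over constructed tokens with a constructed key and made-up audience names.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, expected_aud: str) -> Dict[str, Any]:
    """Return the claims only if alg is HS256, the signature verifies and aud matches."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; the token's header must never choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # The check reason-jose < 0.8.2 skipped. compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(body_b64))
    # The check Argo CD skipped. aud may be a string or a list of strings (RFC 7519 section 4.1.3);
    # a missing or foreign audience means the token was not issued for this service.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in audiences:
        raise ValueError(f"token not intended for {expected_aud!r}")
    return claims


def demo() -> Dict[str, str]:
    """Run the verifier over constructed tokens; returns 'accepted' or the rejection reason."""
    key = b"constructed-shared-secret"  # constructed for the demo; real keys come from the IdP config
    claims = {"sub": "alice", "aud": "argocd", "groups": ["admins"]}
    good = sign_hs256(claims, key)
    # Same issuer and key, but minted for another audience (the Argo CD scenario).
    other_aud = sign_hs256({**claims, "aud": "file-storage"}, key)
    # Payload swapped after signing (what an unchecked signature would let through).
    header_b64, _, sig_b64 = good.split(".")
    tampered = f"{header_b64}.{_b64url_encode(json.dumps({**claims, 'sub': 'mallory'}).encode())}.{sig_b64}"
    # Header rewritten to alg=none with the signature dropped.
    none_header = _b64url_encode(b'{"alg":"none"}')
    alg_none = f"{none_header}.{good.split('.')[1]}."
    results = {}
    for name, tok in [("good", good), ("other_aud", other_aud), ("tampered", tampered), ("alg_none", alg_none)]:
        try:
            verify_hs256(tok, key, "argocd")
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```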

CVE-2023-23619 – Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer’s GitHub Security Advisory (GHSA) noting “It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior.” The suggested workaround from the maintainers is “Fully custom presets that change the entire rendering process which can then escape the user input.”
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23619
NVD References: https://github.com/asyncapi/modelina/security/advisories/GHSA-4jg2-84c2-pj95

CVE-2023-24022 – Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24022
NVD References:
https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf

CVE-2023-0556 – The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin’s contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0556
NVD References:
https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.2.1/contentstudio-plugin.php#L517
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2851006%40contentstudio%2Ftrunk&old=2844028%40contentstudio%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/52db8d41-859a-4d68-8b83-3d3af8f1bf64

CVE-2022-27596 – A vulnerability has been reported to affect QNAP devices running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS:
QuTS hero h5.0.1.2248 build 20221215 and later
QTS 5.0.1.2234 build 20221201 and later
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-27596
NVD References: https://www.qnap.com/en/security-advisory/qsa-23-01

CVE-2022-32513 – A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller – LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller – LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller – 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller – 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller – 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller – 5500AC2 (Versions prior to V1.10.0)
CVE-2022-32514 – A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to gain control of the device when logging into a web page. Affected Products: C-Bus Network Automation Controller – LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller – LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller – 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller – 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller – 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller – 5500AC2 (Versions prior to V1.10.0)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32513
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32514
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-06_C-Bus_Home_Automation_Products_Security_Notification.pdf

CVE-2022-32522 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted mathematically reduced data request messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32523 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted online data request messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32524 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted time reduced data messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32525 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm data messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32526 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted setting value messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32527 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm cache data messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVE-2022-32529 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22170)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32522
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32523
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32524
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32525
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32526
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32527
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32529
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-165-01_IGSS_Security_Notification_V2.pdf

CVE-2022-24324 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVE-2022-2329 – A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause a heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24324
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-2329
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf

CVE-2022-42970 – A CWE-306: Missing Authentication for Critical Function vulnerability exists: the software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVE-2022-42971 – A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42970
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42971
NVD References: https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVE-2022-39060 – The ChangingTech MegaServiSignAdapter component has an improper input validation vulnerability. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkeys (e.g. AutoRUN) in the Registry, where malicious scripts can be executed to take control of the system or to terminate the service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39060
NVD References: https://www.twcert.org.tw/tw/cp-132-6887-6ed4f-1.html

CVE-2023-22900 – The Efence login function has insufficient validation of user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete the database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22900
NVD References: https://www.twcert.org.tw/tw/cp-132-6885-d679e-1.html

CVE-2023-22610 – A CWE-285: Improper Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxure™ Geo SCADA Expert 2019, EcoStruxure™ Geo SCADA Expert 2020, EcoStruxure™ Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22610
NVD References: https://www.se.com/ww/en/download/document/SEVD-2023-010-02/

CVE-2023-23924 – Dompdf is an HTML to PDF converter. The URI validation in dompdf 2.0.1 can be bypassed during SVG parsing by passing tags with uppercase letters. This may lead to arbitrary object unserialization on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call an arbitrary URL with arbitrary protocols, if they can provide an SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialization, which will lead at the very least to arbitrary file deletion and even remote code execution, depending on the classes that are available.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23924
NVD References:
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
https://github.com/dompdf/dompdf/releases/tag/v2.0.2
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

CVE-2023-21538 – .NET Denial of Service Vulnerability
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21538
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21538

CVE-2023-21712 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
CVSS Score: 8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21712
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21712

CVE-2022-34689 – Windows CryptoAPI Spoofing Vulnerability
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-34689
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8344

CVE-2023-23560 – In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation.
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23560
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8342

Wildcard SSL