@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 06

February 9, 2023 – Vol. 23, Num. 06

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Simple HTML Phishing via Telegram Bot
Published: 2023-02-08
Last Updated: 2023-02-08 13:56:11 UTC
by Johannes Ullrich (Version: 1)

Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them.

The phish itself is not particularly remarkable. It is arriving as an email claiming to include a payment confirmation. The email includes a small thread of messages likely to make it more plausible. The best I can guess, the email is supposed to make the recipient curious to open the attachment. The attachment itself is a simple HTML file simulating an Office 365 page.

Read the full entry:
https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528/

Earthquake in Turkey and Syria: Be Aware of Possible Donation Scams
Published: 2023-02-06
Last Updated: 2023-02-06 18:40:43 UTC
by Johannes Ullrich (Version: 1)

Last night, Turkey and Syria were affected by a significant earthquake. Sadly, experience teaches us that disasters like this will often be abused. The most common scam involves fake donation websites. But you may also see malware disguised as a video or images from the affected region.

Here are some tips to share:

* Do not donate to organizations you have not heard of before the event. Only donate to organizations that have an established track record.
* If you have contacts in the affected area: Try to reach out to them to find out how to help them.
* Scams may target people with links to the affected region. Be careful with phone calls or emails claiming to ask for money on behalf of a relative or friend. Scammers may use social media data and may contact you via social media.
* Do not blindly believe requests for help on social media.
* Do not just Google for ways to donate money.

Read the full entry: https://isc.sans.edu/diary/Earthquake+in+Turkey+and+Syria+Be+Aware+of+Possible+Donation+Scams/29518/

Assemblyline as a Malware Analysis Sandbox
Published: 2023-02-04
Last Updated: 2023-02-04 23:53:30 UTC
by Guy Bruneau (Version: 1)

If you are looking for a malware sandbox that is easy to install and maintain, Assemblyline (AL) [1] is likely the system you want to be part of your toolbox. “Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline’s most powerful functionalities is its recursive analysis model.” [2]

First step, install the server. My server configuration is as follows:

Ubuntu 22.04
Ubuntu Server (minimized)
8+ Cores
16+ GB RAM
100 GB
100+ GB /var/lib/docker
Static IP

Read the full entry:
https://isc.sans.edu/diary/Assemblyline+as+a+Malware+Analysis+Sandbox/29510/

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

A Survey of Bluetooth Vulnerabilities Trends (2023 Edition) (2023.02.07)
https://isc.sans.edu/diary/A+Survey+of+Bluetooth+Vulnerabilities+Trends+2023+Edition/29522

APIs Used by Bots to Detect Public IP address (2023.02.06)
https://isc.sans.edu/diary/APIs+Used+by+Bots+to+Detect+Public+IP+address/29516/

Video: Analyzing Malicious OneNote Documents (2023.02.05)
https://isc.sans.edu/diary/Video+Analyzing+Malicious+OneNote+Documents/29512/

Check out a couple of my older posts (2023.02.02)
https://isc.sans.edu/diary/Check+out+a+couple+of+my+older+posts/29504/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-22501 – An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:
* If the attacker is included on Jira issues or requests with these users, or
* If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
CVSS Score: 0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22501
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8356
NVD References: https://jira.atlassian.com/browse/JSDSERVER-12312

CVE-2022-21129 – Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the ‘module.exports.setup’ function. Note: In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-21129
NVD References:
https://github.com/paypal/nemo-appium/commit/aa271d36dd5c81baae3c43aa2616c84f0ee4195f
https://security.snyk.io/vuln/SNYK-JS-NEMOAPPIUM-3183747

CVE-2022-45789 – A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure™ Control Expert (All Versions), EcoStruxure™ Process Expert (Version V2020 & prior), Modicon M340 CPU (part numbers BMXP34*) (All Versions), Modicon M580 CPU (part numbers BMEP* and BMEH*) (All Versions), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45789
NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-010-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-010-06_Modicon_Controllers_Security_Notification.pdf

CVE-2022-24324 – A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVE-2022-2329 – A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server – IGSSdataServer.exe (Versions prior to V15.0.0.22073)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24324
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-2329
NVD References: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf

CVE-2022-42970 – A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVE-2022-42971 – A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 – Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 – Versions prior to V2.5-GS-01-22261)
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42970
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-42971
NVD References: https://download.schneider-electric.com/files?p_Doc_SEVD-2022-347-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-347-01_Easy_UPS_Online_Monitoring_Software_Security_Notification.pdf

CVE-2022-39060 – ChangingTech MegaServiSignAdapter component has a vulnerability of improper input validation. An unauthenticated remote attacker can exploit this vulnerability to access and modify HKEY_CURRENT_USER subkey (ex: AutoRUN) in Registry where malicious scripts can be executed to take control of the system or to terminate the service.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39060
NVD References: https://www.twcert.org.tw/tw/cp-132-6887-6ed4f-1.html

CVE-2023-22900 – Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22900
NVD References: https://www.twcert.org.tw/tw/cp-132-6885-d679e-1.html

CVE-2022-24963 – Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.
CVE-2022-25147 – Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24963
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-25147
NVD References: https://lists.apache.org/thread/np5gjqlohc4f62lr09vrn61vl44cylh8

CVE-2022-47035 – Buffer Overflow Vulnerability in D-Link DIR-825 v1.33.0.44ebdd4-embedded and below allows attacker to execute arbitrary code via the GetConfig method to the /CPE endpoint.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47035
NVD References:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10314
https://www.dlink.com/en/security-bulletin/

CVE-2022-47780 – SQL Injection vulnerability in Bangresto 1.0 via the itemID parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47780
NVD References: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto

CVE-2023-24162 – Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
CVE-2023-24163 – SQL Injection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24162
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24163
NVD References:
https://gitee.com/dromara/hutool/issues/I6AEX2
https://github.com/dromara/hutool/issues/2855
https://gitee.com/dromara/hutool/issues/I6AJWJ#note_15801868

CVE-2022-47697 – COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.
CVE-2022-47699 – COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47697
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47699

CVE-2022-45297 – EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45297
NVD References: https://github.com/tlfyyds/EQ

CVE-2022-47873 – Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47873

CVE-2023-23924 – Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols, if they can provide an SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead at the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23924
NVD References:
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85
https://github.com/dompdf/dompdf/releases/tag/v2.0.2
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

CVE-2023-24813 – Dompdf is an HTML to PDF converter written in PHP. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` are specified, it’s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24813
NVD References:
https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75

CVE-2023-24241 – Forget Heart Message Box v1.1 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/loginpost.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24241
NVD References: https://github.com/Mortalwangxin/lives/issues/1

CVE-2023-23928 – reason-jose is a JOSE implementation in ReasonML and OCaml. `Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23928
NVD References:
https://github.com/ulrikstrid/reason-jose/commit/36cd724db3cbec121757624da49072386bd869e5
https://github.com/ulrikstrid/reason-jose/releases/tag/v0.8.2
https://github.com/ulrikstrid/reason-jose/security/advisories/GHSA-7jj9-6qwv-wpm7

CVE-2022-47769 – An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.
CVE-2022-47770 – Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47769
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47770
NVD References:
https://www.swascan.com/it/security-advisory-serenissima-informatica-fastcheckin/
https://fast.com

CVE-2023-0587 – A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0587
NVD References: https://www.tenable.com/security/research/tra-2023-5

CVE-2023-22374 – In BIG-IP starting in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 on their respective branches, a format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score: 7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22374
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8356
NVD References: https://my.f5.com/manage/s/article/K000130415

CVE-2022-22486 – IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-22486
NVD References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/226328
https://www.ibm.com/support/pages/node/6890697

CVE-2022-43757 – A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions prior to 2.7.1.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43757
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=1205295
