@RISK: The Consensus Security Vulnerability Alert: Vol. 23, Num. 03

@RISK: The Consensus Security Vulnerability Alert
January 19, 2023 – Vol. 23, Num. 03

CONTENTS:
=========================================================
INTERNET STORM CENTER SPOTLIGHT
OTHER INTERNET STORM CENTER ENTRIES
RECENT CVEs
=========================================================

INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Malicious Google Ad -> Fake Notepad++ Page -> Aurora Stealer malware
Published: 2023-01-18
Last Updated: 2023-01-18 07:31:54 UTC
by Brad Duncan (Version: 1)

Introduction

Google ads are a common vector for malware distribution. Do a Google search for any popular free software download. Review any search results marked “Ad” or “Sponsored,” then check the link to see if anything is unusual.

I’ve already written two diaries and authored various tweets about this type of activity:

https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
https://twitter.com/Unit42_Intel/status/1615470858067222568
https://twitter.com/Unit42_Intel/status/1608567622856998912

Others have also reported this activity. Recent posts include:

https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
https://heimdalsecurity.com/blog/google-ads-exploited-to-spread-malware/
https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
https://www.hackread.com/google-ads-malware-nft-crypto-wallet/

One example of free software routinely spoofed for Google ads is Notepad++. Almost without fail, I can find a fake webpage for Notepad++ every day through Google ads. For today’s diary, I found a Google ad for a malicious site at notopod-plos-plus[.]com.

Read the complete entry:
https://isc.sans.edu/diary/Malicious+Google+Ad+Fake+Notepad+Page+Aurora+Stealer+malware/29448/

PSA: Why you must run an ad blocker when using Google
Published: 2023-01-16
Last Updated: 2023-01-16 13:50:18 UTC
by Johannes Ullrich (Version: 1)

Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time.

Ads have been important in supporting a great deal of good (and, of course, bad) content on the web. It has been a long-standing “social contract” to allow ads in order to support creators of valuable content. But sadly, ad networks have not performed any due-diligence verification of the ad buys they accept. As a result, ads displayed as part of Google search results in particular are often used to distribute malicious software impersonating popular products. Open-source and free products are particularly vulnerable: they usually cannot pay for competing ads to reduce the effectiveness of malicious advertisements.

Read the complete entry:
https://isc.sans.edu/diary/PSA+Why+you+must+run+an+ad+blocker+when+using+Google/29438/

Elon Musk Themed Crypto Scams Flooding YouTube Today
Published: 2023-01-15
Last Updated: 2023-01-15 17:09:34 UTC
by Johannes Ullrich (Version: 1)

I noticed several videos posted to YouTube today attempting to direct users to crypto coin scam websites. The overall ruse is quite old: The scam promises that Elon Musk, or an organization associated with him, is giving away crypto coins. The catch: You first have to send crypto coins to the address to receive a multiple of them back.

It all starts with a video promising a live stream of Elon Musk covering current developments around SpaceX. The channel being used for these videos, SpaceXMission, has over 2 million subscribers right now and around 430 million views. Interestingly, this is not a new channel; it was started on August 25th, 2008. Currently, around 4 thousand users are watching the “live streams”.

During the video, a QR code is displayed alongside an image that claims to show a tweet by Elon Musk promising crypto coins.

Read the complete entry:
https://isc.sans.edu/diary/Elon+Musk+Themed+Crypto+Scams+Flooding+YouTube+Today/29434/

=========================================================
OTHER INTERNET STORM CENTER ENTRIES
=========================================================

Finding that one GPO Setting in a Pool of Hundreds of GPOs (2023.01.17)
https://isc.sans.edu/diary/Finding+that+one+GPO+Setting+in+a+Pool+of+Hundreds+of+GPOs/29442/

Prowler v3: AWS & Azure security assessments (2023.01.12)
https://isc.sans.edu/diary/Prowler+v3+AWS+Azure+security+assessments/29430/

=========================================================
RECENT CVEs
=========================================================

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
CVSS Score: 8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
** KEV since 2023-01-10 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21674
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674

CVE-2023-0014 – SAP NetWeaver ABAP Server and ABAP Platform – versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, KERNEL 7.22, 7.53, 7.77, 7.81, 7.85, 7.89, KRNL64UC 7.22, 7.22EXT, 7.53, KRNL64NUC 7.22, 7.22EXT, creates information about system identity in an ambiguous format. This could lead to a capture-replay vulnerability and may be exploited by malicious users to obtain illegitimate access to the system.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0014
NVD References:
https://launchpad.support.sap.com/#/notes/3089413
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2023-0017 – An unauthenticated attacker in SAP NetWeaver AS for Java – version 7.50, due to improper access control, can attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access to user data, make modifications to user data, and make services within the system unavailable.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0017
NVD References:
https://launchpad.support.sap.com/#/notes/3268093
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2017-20166 – Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between is_nil and raise.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20166
NVD References:
https://github.com/advisories/GHSA-2xxx-fhc8-9qvq
https://github.com/elixir-ecto/ecto/commit/db55b0cba6525c24ebddc88ef9ae0c1c00620250
https://github.com/elixir-ecto/ecto/pull/2125
https://groups.google.com/forum/#!topic/elixir-ecto/0m4NPfg_MMU

CVE-2023-22903 – api/views/user.py in LibrePhotos before e19e539 has incorrect access control.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22903
NVD References: https://github.com/LibrePhotos/librephotos/commit/e19e539356df77f6f59e7d1eea22d452b268e120

CVE-2022-43514 – A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected component does not correctly validate the root path on folder related operations, allowing to modify files and folders outside the intended root directory. This could allow an unauthenticated remote attacker to execute file operations of files outside of the specified root folder. Chained with CVE-2022-43513 this could allow Remote Code Execution.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43514
NVD References: https://cert-portal.siemens.com/productcert/pdf/ssa-476715.pdf

CVE-2022-3792 – This issue affects: Terminal Operating System versions before 5.0.13
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3792
NVD References:
https://fordefence.com/cve-2022-3792-gullseye-terminal-operation-system/
https://omrylmz.com/cve-2022-3792-terminal-operation-system/
https://www.usom.gov.tr/bildirim/tr-22-0747-2

CVE-2022-4422 – This issue affects: Bulutses Bilgi Teknolojileri LTD. ŞTİ. BULUTDESK CALLCENTER versions prior to 3.0.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4422
NVD References: https://www.usom.gov.tr/bildirim/tr-22-0747

CVE-2016-15017 – A vulnerability has been found in fabarea media_upload and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.php. The manipulation leads to pathname traversal. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is b25d42a4981072321c1a363311d8ea2a4ac8763a. It is recommended to upgrade the affected component. VDB-217786 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15017
NVD References:
https://github.com/fabarea/media_upload/commit/b25d42a4981072321c1a363311d8ea2a4ac8763a
https://github.com/fabarea/media_upload/issues/6
https://github.com/fabarea/media_upload/releases/tag/0.9.0
https://vuldb.com/?ctiid.217786
https://vuldb.com/?id.217786

CVE-2014-125073 – A vulnerability was found in mapoor voteapp. It has been rated as critical. Affected by this issue is the function create_poll/do_poll/show_poll/show_refresh of the file app.py. The manipulation leads to sql injection. The name of the patch is b290c21a0d8bcdbd55db860afd3cadec97388e72. It is recommended to apply a patch to fix this issue. VDB-217790 is the identifier assigned to this vulnerability.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2014-125073
NVD References:
https://github.com/mapoor/voteapp/commit/b290c21a0d8bcdbd55db860afd3cadec97388e72
https://vuldb.com/?ctiid.217790
https://vuldb.com/?id.217790

CVE-2022-4337 – An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4337
NVD References:
https://github.com/openvswitch/ovs/pull/405
https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
https://www.debian.org/security/2023/dsa-5319
https://www.openwall.com/lists/oss-security/2022/12/21/4

CVE-2022-4338 – An integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-4338
NVD References:
https://github.com/openvswitch/ovs/pull/405
https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
https://www.debian.org/security/2023/dsa-5319
https://www.openwall.com/lists/oss-security/2022/12/21/4

CVE-2021-3966 – usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.
CVSS Score: 9.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-3966
NVD References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfxq-3w6x-fv2m

CVE-2022-47865 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeOrder.php.
CVE-2022-47866 – Lead management system v1.0 is vulnerable to SQL Injection via the id parameter in removeBrand.php.
CVE-2022-47859 – Lead Management System v1.0 is vulnerable to SQL Injection via the user_id parameter in changePassword.php.
CVE-2022-47860 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeProduct.php.
CVE-2022-47861 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeLead.php.
CVE-2022-47862 – Lead Management System v1.0 is vulnerable to SQL Injection via the customer_id parameter in ajax_represent.php.
CVE-2022-47864 – Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeCategories.php.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47865
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47866
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47859
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47860
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47861
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47862
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47864
NVD References:
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeOrder.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeBrand.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20changePassword.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeProduct.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeLead.php.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20ajax_represent.php%20.md
https://github.com/xiumulty/CVE/blob/main/Lead%20management%20system%20v1.0/sql%20in%20removeCategories.php.md
https://www.sourcecodester.com/php/15933/lead-management-system-php-open-source-free-download.html

CVE-2022-39184 – EXFO – BV-10 Performance Endpoint Unit authentication bypass. User can manually manipulate access enabling authentication bypass.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39184
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2022-39185 – EXFO – BV-10 Performance Endpoint Unit undocumented privileged user. Unit has an undocumented hard-coded privileged user.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39185
NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2023-22600 – InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.
CVE-2023-22601 – InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.
CVSS Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22600
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22601
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

CVE-2022-41778 – Delta Electronics InfraSuite Device Master versions 00.00.01a and prior deserialize user-supplied data provided through the Device-DataCollect service port without proper verification. An attacker could provide malicious serialized objects to execute arbitrary code upon deserialization.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41778
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07

CVE-2023-22495 – Izanami is a shared configuration service well-suited for micro-service architecture implementation. Attackers can bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami. This issue has been patched in version 1.11.0.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22495
NVD References:
https://github.com/MAIF/izanami/releases/tag/v1.11.0
https://github.com/MAIF/izanami/security/advisories/GHSA-9r7j-m337-792c

CVE-2022-43462 – Auth. SQL Injection (SQLi) vulnerability in Adeel Ahmed’s IP Blacklist Cloud plugin <= 5.00 versions.
CVSS Score: 9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43462
NVD References: https://patchstack.com/database/vulnerability/ip-blacklist-cloud/wordpress-ip-blacklist-cloud-plugin-5-00-auth-sql-injection-sqli-vulnerability?_s_id=cve

CVE-2023-22727 – CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by using CakePHP’s Pagination library. Manually validating or casting parameters to these methods will also mitigate the issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22727
NVD References:
https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html
https://github.com/cakephp/cakephp/commit/3f463e7084b5a15e67205ced3a622577cca7a239
https://github.com/cakephp/cakephp/security/advisories/GHSA-6g8q-qfpv-57wp

CVE-2023-22731 – Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.
CVSS Score: 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-22731
NVD References:
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates
https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1
https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w

CVE-2022-23521 – Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-23521
NVD References:
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89

CVE-2022-41903 – Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=…`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41903
NVD References:
https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem
https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76
https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq

CVE-2022-46732 – Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-46732
NVD References:
https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01
https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01

CVE-2023-21890 – Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS Score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21890
NVD References: https://www.oracle.com/security-alerts/cpujan2023.html

CVE-2022-41989 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not validate the length of RTLS report payloads during communication. This allows an attacker to send an exceedingly long payload, resulting in an out-of-bounds write to cause a denial-of-service condition or code execution.
CVE-2022-43483 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the monitor services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVE-2022-47911 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands.
CVE-2022-45444 – Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 contains hard-coded passwords for select users in the application’s database. This could allow a remote attacker to login to the database with unrestricted access.
CVSS Scores: 9.0 – 10.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41989
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43483
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-47911
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45444
NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-01

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 16

@RISK: The Consensus Security Vulnerability Alert
April 16, 2020 – Vol. 20, Num. 16

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 9 – 16, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: 18 critical vulnerabilities disclosed as part of Microsoft Patch Tuesday
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Microsoft releases monthly security update
Description: Microsoft released its monthly security update this week, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month’s Patch Tuesday covers 113 vulnerabilities. Eighteen of the flaws Microsoft disclosed are considered critical, while one is considered “moderate.” The remainder are scored as “important” updates. This month’s security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel.
Reference: https://blog.talosintelligence.com/2020/04/microsoft-patch-tuesday-april-2020.html
Snort SIDs: 53489 – 53492, 53619 – 53630, 53652 – 53655

Title: DrayTek routers, switches open to attack
Description: Tech company DrayTek recently patched two zero-day vulnerabilities in some of its routers and switches that could allow malicious actors to monitor traffic and install backdoors on affected networks. DrayTek worked with security researchers to discover the vulnerabilities and active exploitations in December, and patches were made available in late March. Users are encouraged to patch their devices as soon as possible or disable remote admin access.
Reference: https://www.scmagazine.com/home/security-news/vulnerabilities/zero-day-vulnerabilities-used-against-draytek-routers-and-switches/
Snort SIDs: 53591, 53592

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Apple and Google announced plans to jointly develop a service that will alert users if they’ve been near someone who’s been diagnosed with COVID-19.
https://techcrunch.com/2020/04/10/apple-and-google-are-launching-a-joint-covid-19-tracing-tool/

This “contact tracing” service has raised some concerns over privacy, however, and potential inequalities over individuals’ access to wireless networks.
https://www.cnet.com/news/how-youll-get-apple-and-googles-contact-tracing-update-for-your-phone/

Cisco Talos researchers discovered many devices’ fingerprint scanners can be tricked using 3-D printed models and resin copies of users’ fingerprints.
https://blog.talosintelligence.com/2020/04/fingerprint-research.html

Foreign currency exchange company Travelex paid a $2.3 million ransomware demand in January. (Please note that this story is behind a paywall.)
https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800

Teleconferencing platform Zoom has taken steps to address some of the privacy and security concerns raised by experts.
https://www.fastcompany.com/90488717/can-you-trust-zoom

Microsoft says every country in the world has now seen at least one COVID-19-themed cyber attack, many of them utilizing the Emotet and Trickbot families.
https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/

Individuals working from home during the pandemic are looking to upgrade to mesh Wi-Fi networks to improve their wireless internet speed.
https://arstechnica.com/gadgets/2020/04/remote-work-lagging-if-you-cant-plug-it-in-upgrade-to-mesh/

Scammers are attempting to capitalize on the COVID-19 pandemic by offering phony services and health products through “gig economy” apps like Fiverr.
https://www.vice.com/en_us/article/v74ay9/fiverr-coronavirus-healers-mask-sellers

Online casino magnate SBTech is setting aside $30 million to respond to a cyber attack from last month as part of an acquisition agreement.
https://zdnet.com/article/gambling-company-to-set-aside-30-million-to-deal-with-cyber-attack-fallout/

MOST PREVALENT MALWARE FILES April 9 – 16, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: 589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82
MD5: bf1d79fad6471fcf50e38a9ea1f646a5
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:589d99.in03.Talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472
MD5: 9b47b9f19455bf56138ddb81c93b6c0c
Typical Filename: updateprofile.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::tpd

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Segurazo IC
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

@RISK: The Consensus Security Vulnerability Alert: Vol. 20, Num. 15

@RISK: The Consensus Security Vulnerability Alert
April 09, 2020 – Vol. 20, Num. 15

CONTENTS:
=========================================================
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 2 – 9, 2020
=========================================================
TOP VULNERABILITY THIS WEEK: Mozilla Firefox patches two use-after-free vulnerabilities exploited in the wild
=========================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: Mozilla releases fixes for two use-after-free vulnerabilities in Firefox
Description: Mozilla released patches for two use-after-free vulnerabilities in its Firefox web browser. Mozilla said both bugs were being actively exploited in the wild, which is why the fixes shipped as out-of-band updates. In both cases a race condition in the browser can leave a freed object still in use; Mozilla has not said how, exactly, the vulnerabilities were used in attacks.
Reference: https://duo.com/decipher/mozilla-fixes-two-firefox-flaws-under-active-attack
Snort SIDs: 53580, 53581

Title: Critical CODESYS vulnerability could allow attacker to crash server, execute remote code
Description: A critical bug in 3S' CODESYS automation software could allow an attacker to crash an affected server or execute code on it. 3S released a patch for the vulnerability, identified as CVE-2020-10245, which received a CVSS severity score of 10 out of 10. The bug is a heap-based buffer overflow in the CODESYS web server component: at minimum it causes a denial of service, and a crafted request may achieve remote code execution.
Reference: https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/
Snort SIDs: 53557, 53558
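Both entries above close with Snort SIDs. The useful follow-up is to confirm that the rules file actually loaded on your sensors contains those SIDs and that none of them is commented out. The script below is an added example, not part of the newsletter or of Talos tooling; its rule lines are constructed placeholders that reuse only the SID numbers printed above and say nothing about what the real Talos rules match.

```python
"""Check that the SIDs an advisory cites are present and enabled in a Snort
rules file.

Added example, not part of the @RISK newsletter or of Talos tooling. The
rule lines in SAMPLE_RULES are constructed placeholders that reuse only the
SID numbers printed in the newsletter; they are not the real Talos signatures.
"""
import re

# Constructed excerpt in the newsletter's layout (the two "Snort SIDs:" lines above).
SAMPLE_NEWSLETTER = """\
Snort SIDs: 53580, 53581

Snort SIDs: 53557, 53558
"""

# Constructed rules file: one active, one commented out, one present twice at different revs.
SAMPLE_RULES = """\
# constructed placeholder rules, not the real Talos content
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER 53580"; flow:to_client,established; sid:53580; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER 53581"; flow:to_client,established; sid:53581; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"PLACEHOLDER 53557"; flow:to_server,established; sid:53557; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"PLACEHOLDER 53557 newer rev"; flow:to_server,established; sid:53557; rev:3;)
"""

_SIDS_LINE = re.compile(r"Snort SIDs?:\s*([0-9,\s]+)")
_SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_REV_OPT = re.compile(r"\brev\s*:\s*(\d+)\s*;")
_ACTIONS = ("alert", "drop", "reject", "pass", "log", "sdrop")


def cited_sids(text):
    """Every SID number found on the advisory's 'Snort SIDs:' lines."""
    sids = set()
    for group in _SIDS_LINE.findall(text):
        sids.update(int(n) for n in re.findall(r"\d+", group))
    return sids


def parse_rules(text):
    """Map sid -> (enabled, highest rev seen). A rule line that starts with
    '#' is parsed but marked disabled: the SID is in the file, yet the sensor
    never evaluates it, which is the classic false sense of coverage."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        tokens = body.split(None, 1)
        if not tokens or tokens[0] not in _ACTIONS:
            continue  # blank line, plain comment, or non-rule text
        m = _SID_OPT.search(body)
        if not m:
            continue
        sid = int(m.group(1))
        rev_m = _REV_OPT.search(body)
        rev = int(rev_m.group(1)) if rev_m else 0
        was_enabled, best_rev = rules.get(sid, (False, 0))
        rules[sid] = (was_enabled or enabled, max(best_rev, rev))
    return rules


def coverage(wanted, rules):
    """Split the wanted SIDs into active, disabled and missing."""
    return {
        "active": sorted(s for s in wanted if s in rules and rules[s][0]),
        "disabled": sorted(s for s in wanted if s in rules and not rules[s][0]),
        "missing": sorted(s for s in wanted if s not in rules),
    }


if __name__ == "__main__":
    report = coverage(cited_sids(SAMPLE_NEWSLETTER), parse_rules(SAMPLE_RULES))
    for state, sids in report.items():
        print(f"{state:8}: {sids}")
```

Run as a script it prints the three buckets; point `parse_rules` at the text of your own rules file to check real coverage. The script only keys on `sid:` and `rev:`, so it ignores `gid` (which defaults to 1 for these rules) and treats the same SID at several revisions as one rule at its highest rev. The same `sid`/`rev` options apply to Suricata rules files.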

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Marriott disclosed that attackers used login credentials belonging to two employees of a franchise company to access customer data, compromising the information of more than 5 million guests.
https://www.cnet.com/news/marriott-discloses-new-data-breach-impacting-5-point-2-million-guests/

Researchers at Citizen Lab found weaknesses in the encryption used by the video conferencing platform Zoom: meetings were protected with AES-128 in ECB mode rather than the advertised AES-256, and meeting keys were in some cases distributed through servers in China.
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

After a wave of negative headlines about Zoom's security, the Taiwanese government told employees not to use the conferencing app while working from home during the COVID-19 crisis.
https://www.bloomberg.com/news/articles/2020-04-07/taiwan-bans-government-use-of-zoom-over-cybersecurity-concerns

A critical vulnerability in a popular WordPress plugin could allow attackers to completely lock admins out of their sites, the latest in a string of bugs for plugins for the popular content management system.
https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/

A new COVID-19-themed malware family can completely wipe victims' computers and, in some cases, overwrite the master boot record (MBR).
https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/

Microsoft purchased the controversial domain corp[.]com to keep it out of bad actors' hands: many Windows networks use "corp" as their Active Directory domain name, so misconfigured machines used outside the corporate network can leak credentials and traffic to whoever controls corp[.]com.
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/

While the vast majority of individuals across the globe are staying home during the COVID-19 crisis, their internet usage has changed, including spending an increasing amount of time on streaming sites while seeing a reduction in mobile device usage.
https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html

With more college classes moving completely online for the remainder of the semester, some schools have started using online proctor services, which students and professors say is an invasion of privacy.
https://www.washingtonpost.com/technology/2020/04/01/online-proctoring-college-exams-coronavirus/

NASA says it has seen an "exponential" increase in attempted cyber attacks as more of its employees began working remotely due to the COVID-19 pandemic.
https://arstechnica.com/information-technology/2020/04/nasa-sees-an-exponential-jump-in-malware-attacks-as-personnel-work-from-home/

A cyber attack on Italy’s Social Security website took down its services, temporarily preventing individuals from receiving government stimulus checks connected to a COVID-19 relief package.
https://www.forbes.com/sites/daveywinder/2020/04/02/covid-19-payouts-disrupted-as-heartless-hackers-attack-italian-crisis-benefits-site/

MOST PREVALENT MALWARE FILES April 2 – 9, 2020
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: scan analysis
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: scan analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: scan analysis
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: scan analysis
Typical Filename: f2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: scan analysis
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
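The hash lists in this issue and in the April 9 – 16 list above are only useful once they are machine-readable. The script below is an added example, not part of the newsletter or of Talos tooling: it parses blocks in the newsletter's own layout into records, rejects malformed hashes, deduplicates entries that recur week to week (two of the files above appear in both lists), and hashes a directory of files against the result. The first two blocks in SAMPLE reuse hashes printed above; the third block, with a truncated SHA-256, is constructed to show the validation path.

```python
"""Turn the Talos "MOST PREVALENT MALWARE FILES" blocks into IOC records
and match file hashes against them. Added example, not part of the @RISK
newsletter or of Talos tooling. SAMPLE is a constructed excerpt in the
newsletter's own layout: the first two blocks reuse hashes printed in the
issue, the third is deliberately malformed.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path

SAMPLE = """\
SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: scan analysis
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: deadbeef (constructed: truncated hash, must be rejected)
MD5: 0123
Typical Filename: bogus.exe
Detection Name: constructed.placeholder
"""

_FIELD = re.compile(r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*)$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class Ioc:
    sha256: str
    md5: str
    filename: str
    detection: str


def parse_iocs(text):
    """One record per blank-line separated block. Blocks whose hashes are not
    well-formed hex of the right length are dropped rather than trusted."""
    iocs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = _FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        sha, md5 = fields.get("SHA 256", "").lower(), fields.get("MD5", "").lower()
        if _SHA256.match(sha) and _MD5.match(md5):
            iocs.append(Ioc(sha, md5, fields.get("Typical Filename", ""),
                            fields.get("Detection Name", "")))
    return iocs

def dedupe(iocs):
    """Drop repeats; the same file often tops the list several weeks running."""
    seen, out = set(), []
    for ioc in iocs:
        if ioc.sha256 not in seen:
            seen.add(ioc.sha256)
            out.append(ioc)
    return out

def hash_file(path):
    """SHA-256 and MD5 of a file, streamed so large binaries stay out of memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()

def match_hashes(sha256, md5, iocs):
    """A SHA-256 match is a verdict. An MD5-only match is reported separately
    as a lead: MD5 collisions are practical, so it must not stand alone."""
    by_sha = {i.sha256: i for i in iocs}
    if sha256.lower() in by_sha:
        return by_sha[sha256.lower()], "sha256"
    by_md5 = {i.md5: i for i in iocs}
    if md5.lower() in by_md5:
        return by_md5[md5.lower()], "md5-only"
    return None, ""

def scan_directory(root, iocs):
    """Hash every regular file under root and return (path, ioc, how) hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            ioc, how = match_hashes(*hash_file(path), iocs)
            if ioc:
                hits.append((path, ioc, how))
    return hits
```

Feed `parse_iocs` the text of several issues, `dedupe` the result, and call `scan_directory` on a quarantine or download folder; a `"sha256"` hit is a confirmed match, while `"md5-only"` only tells you to go and look. The hash validation matters because these lists travel by e-mail and get re-pasted: a hash that lost a character in transit will never match anything, but one that gained a character from a neighbouring field could quietly match the wrong thing if you compare loosely.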
