Merge branch 'wagov:main' into main
LSerki authored Mar 8, 2024
2 parents 3a8ebc5 + de71f58 commit 32a6776
Showing 15 changed files with 303 additions and 64 deletions.
23 changes: 10 additions & 13 deletions docs/advisories/20240111001-Ivanti-Critical-Security-Advisory.md
@@ -1,19 +1,20 @@
# Ivanti Connect Secure and Ivanti Policy Secure Gateways - 20240111001
# Ivanti Multiple Vulnerabilities Added in CISA Known Exploits List - 20240111001

## Overview

Ivanti has released a security advisory relating to critical vulnerabilities in their products Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Ivanti Policy Secure Gateways.
CISA and their partners released joint Cybersecurity Advisory [Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b)

If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.
Threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.

## What is vulnerable?

The following vulnerabilities impact **all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways**.

| CVE | Severity | CVSS | Summary |
| ----------------------------------------------------------------- | ------------ | ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [CVE-2023-46805](https://www.cve.org/CVERecord?id=CVE-2023-46805) | **High** | 8.2 | An authentication bypass vulnerability in the web component allows a remote attacker to access restricted resources by bypassing control checks. |
| [CVE-2024-21887](https://www.cve.org/CVERecord?id=CVE-2024-21887) | **Critical** | 9.1 | A command injection vulnerability in web components allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. |
| CVE | Severity | CVSS | Summary | Exploitation | Dated |
| ----------------------------------------------------------------- | ------------ | ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ----------- |
| [CVE-2023-46805](https://www.cve.org/CVERecord?id=CVE-2023-46805) | **High** | 8.2 | An authentication bypass vulnerability in the web component allows a remote attacker to access restricted resources by bypassing control checks. | Yes | 1 Feb, 2024 |
| [CVE-2024-21887](https://www.cve.org/CVERecord?id=CVE-2024-21887) | **Critical** | 9.1 | A command injection vulnerability in web components allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. | Yes | 1 Feb, 2024 |
| [CVE-2024-21893](https://www.cve.org/CVERecord?id=CVE-2024-21893) | **High** | 8.2 | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | Yes | 1 Feb, 2024 |

## What has been observed?

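Review bot: the new Overview sentence that ends in the CISA advisory link has no terminating period, and the line "Threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges." does not name which CVEs are chained, unlike the sentence above it; suggest `...Policy Secure Gateways](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b).` and "Threat actors chain CVE-2023-46805 with CVE-2024-21887 to bypass authentication, ...". The "What is vulnerable?" intro still scopes the table to "all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways", while the added CVE-2024-21893 row also lists Ivanti Neurons for ZTA; either add that product to the intro or note the different scope in the row.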
Expand All @@ -23,9 +24,5 @@ Ivanti have seen evidence of threat actors attempting to manipulate Ivanti’s i

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours...* (refer [Patch Management](../guidelines/patch-management.md)):

- <https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US>

### Additional References

- Ivanti original security advisory "C*VE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways*": <https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US>
- CISA Known Exploited Vulnerabilities Catalog: <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
- [Ivanti original security advisory](https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US)
- [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure)
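Review bot: the link text "[CISA Known Exploited Vulnerabilities Catalog](...)" now points at the CISA alert page for the Ivanti advisory (`news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-...`) rather than at the catalog; either keep `https://www.cisa.gov/known-exploited-vulnerabilities-catalog` as the target or relabel the item as the CISA alert so the text matches the destination. With the reference titles shortened, the `### Additional References` sub-heading now sits between the Ivanti KB link in the Recommendation list and the two reference links; consider whether a single list under Recommendation reads more clearly.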
38 changes: 19 additions & 19 deletions docs/advisories/20240123002-Apple-Curl-Overflow.md
Expand Up @@ -6,25 +6,25 @@ Apple have released security advisories relating to several vulnerabilities impa

## What is the vulnerability?

| CVE | Severity | CVSS |
| ------------------------------------------------------------------------------- | ------------ | ---- |
| [CVE-2023-38039](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38039) | **High** | 7.5 |
| [CVE-2023-38545](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545) | **Critical** | 9.8 |
| [CVE-2023-38546](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546) | Low | 3.7 |
| [CVE-2023-40528](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40528) | TBA | TBA |
| [CVE-2023-42887](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42887) | TBA | TBA |
| [CVE-2023-42888](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42888) | TBA | TBA |
| [CVE-2023-42915](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42915) | TBA | TBA |
| [CVE-2023-42935](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42935) | TBA | TBA |
| [CVE-2023-42937](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42937) | TBA | TBA |
| [CVE-2024-23206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23206) | TBA | TBA |
| [CVE-2024-23207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23207) | TBA | TBA |
| [CVE-2024-23211](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23211) | TBA | TBA |
| [CVE-2024-23212](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23212) | TBA | TBA |
| [CVE-2024-23213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23213) | TBA | TBA |
| [CVE-2024-23214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23214) | TBA | TBA |
| [CVE-2024-23222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23222) | TBA | TBA |
| [CVE-2024-23224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23224) | TBA | TBA |
| CVE | Severity | CVSS | Exploited |
| ------------------------------------------------------------------------------- | ------------ | ---- | --------- |
| [CVE-2023-38039](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38039) | **High** | 7.5 | No |
| [CVE-2023-38545](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545) | **Critical** | 9.8 | No |
| [CVE-2023-38546](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546) | Low | 3.7 | No |
| [CVE-2023-40528](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40528) | TBA | TBA | No |
| [CVE-2023-42887](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42887) | TBA | TBA | No |
| [CVE-2023-42888](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42888) | TBA | TBA | No |
| [CVE-2023-42915](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42915) | TBA | TBA | No |
| [CVE-2023-42935](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42935) | TBA | TBA | No |
| [CVE-2023-42937](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42937) | TBA | TBA | No |
| [CVE-2024-23206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23206) | TBA | TBA | No |
| [CVE-2024-23207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23207) | TBA | TBA | No |
| [CVE-2024-23211](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23211) | TBA | TBA | No |
| [CVE-2024-23212](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23212) | TBA | TBA | No |
| [CVE-2024-23213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23213) | TBA | TBA | No |
| [CVE-2024-23214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23214) | TBA | TBA | No |
| [CVE-2024-23222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23222) | High | 8.8 | Yes |
| [CVE-2024-23224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23224) | TBA | TBA | No |

## What is vulnerable?

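Review bot: in the CVE-2024-23222 row the severity is written as plain `High`, while every other High/Critical cell in this table uses `**High**` / `**Critical**`; change it to `**High**` for consistency. The new column is named "Exploited" with a bare Yes/No, whereas the other advisory tables in this commit use an "Exploitation" column paired with a "Dated" column; aligning the column name and adding the date for the CVE-2024-23222 entry would keep the advisories uniform.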
12 changes: 6 additions & 6 deletions docs/advisories/20240202002-Docker-Container-Vulnerabilities.md
Expand Up @@ -6,12 +6,12 @@ An attacker could use the core container infrastructure components of docker con

## What is vulnerable?

| Component(s) Affected | CVE | Severity | CVSS |
| -------------------------- | ----------------------------------------------------------------- | ------------ | ---- |
| OCI runc | [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | **High** | 8.6 |
| Buildkit Mount | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23651) | **High** | 8.7 |
| Buildkit GRPC SecurityMode | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653) | **Critical** | 10.0 |
| BuildKit Buildtime | [CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652) | **Critical** | 9.8 |
| Component(s) Affected | CVE | Severity | CVSS | Exploitation | Dated |
| -------------------------- | ----------------------------------------------------------------- | ------------ | ---- | ------------ | ---------- |
| OCI runc | [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | **High** | 8.6 | Yes | 18.02.2024 |
| Buildkit Mount | [CVE-2024-23651](https://nvd.nist.gov/vuln/detail/CVE-2024-23651) | **High** | 7.4 | No | 08.02.2024 |
| Buildkit GRPC SecurityMode | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653) | **Critical** | 9.8 | No | 08.02.2024 |
| BuildKit Buildtime | [CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652) | **Critical** | 9.1 | No | 08.02.2024 |

## What has been observed?

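Review bot: the "Dated" column uses dotted day-first dates (`18.02.2024`, `08.02.2024`) while the other advisory tables in this commit use the `1 Feb, 2024` style; pick one format across the advisories. Three CVSS values change in this hunk (8.7 to 7.4, 10.0 to 9.8, 9.8 to 9.1) with nothing in the file stating which scoring source is used; a short note on whether these are NVD or vendor base scores would let readers reconcile them with the linked NVD pages. The corrected Buildkit Mount link (CVE-2024-23651, previously pointing at the 23653 record) is right.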
Expand Up @@ -6,9 +6,9 @@ Microsoft Streaming Service Proxy with high local privilege escalation vulnerabi

## What is the vulnerability?

| CVE ID | Severity | CVSS |
| ----------------------------------------------------------------- | -------- | ---- |
| [CVE-2023-29360](https://nvd.nist.gov/vuln/detail/CVE-2023-29360) | **High** | 8.4 |
| CVE ID | Severity | CVSS | Exploitation | Dated |
| ----------------------------------------------------------------- | -------- | ---- | ------------ | ----------- |
| [CVE-2023-29360](https://nvd.nist.gov/vuln/detail/CVE-2023-29360) | **High** | 8.4 | Yes | 29 Feb,2024 |

## What is vulnerable?

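Review bot: `29 Feb,2024` is missing the space after the comma; change it to `29 Feb, 2024` to match the date format used in the other tables.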
Expand Up @@ -6,13 +6,13 @@ Microsoft has released security updates to address vulnerabilities in multiple p

## What is vulnerable?

| Product(s) Affected | Summary | Severity | CVSS | Active Exploitation | Dated |
| -------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | ------------ | ---- | ------------------- | ------------ |
| [**February 2024 Security Updates**](https://msrc.microsoft.com/update-guide/releaseNote/2024-Feb) | | | | | 13 Feb, 2024 |
| **Internet Shortcut Files Security Feature Bypass Vulnerability** | [CVE-2024-21412](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412) | **High** | 8.1 | **Yes** | 13 Feb, 2024 |
| **Windows SmartScreen Security Feature Bypass Vulnerability** | [CVE-2024-21351](https://nvd.nist.gov/vuln/detail/CVE-2024-21351) | **High** | 7.6 | **Yes** | 13 Feb, 2024 |
| **Microsoft Exchange Server Elevation of Privilege Vulnerability** | [CVE-2024-21410](https://nvd.nist.gov/vuln/detail/CVE-2024-21410) | **Critical** | 9.8 | **Yes** | 15 Feb, 2024 |
| **Microsoft Outlook Remote Code Execution Vulnerability** | [CVE-2024-21413](https://nvd.nist.gov/vuln/detail/CVE-2024-21413) | **Critical** | 9.8 | **No** | 19 Feb, 2024 |
| Product(s) Affected | Summary | Severity | CVSS | Active Exploitation | Dated |
| -------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | ------------ | ---- | ------------------- | ------------- |
| [**February 2024 Security Updates**](https://msrc.microsoft.com/update-guide/releaseNote/2024-Feb) | | | | | 13 Feb, 2024 |
| **Internet Shortcut Files Security Feature Bypass Vulnerability** | [CVE-2024-21412](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412) | **High** | 8.1 | **Yes** | 13 Feb, 2024 |
| **Windows SmartScreen Security Feature Bypass Vulnerability** | [CVE-2024-21351](https://nvd.nist.gov/vuln/detail/CVE-2024-21351) | **High** | 7.6 | **Yes** | 13 Feb, 2024 |
| **Microsoft Exchange Server Elevation of Privilege Vulnerability** | [CVE-2024-21410](https://nvd.nist.gov/vuln/detail/CVE-2024-21410) | **Critical** | 9.8 | **Yes** | 15 Feb, 2024 |
| **Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerabilityy** | [CVE-2024-21338](https://nvd.nist.gov/vuln/detail/CVE-2024-21338) | **High** | 7.8 | **Yes** | 04, Mar, 2024 |

## What has been observed?

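Review bot: the added row has a typo, `Vulnerabilityy`, and its date `04, Mar, 2024` has a stray comma after the day; it should read `4 Mar, 2024` in line with the other rows. The Microsoft Outlook row (CVE-2024-21413, **Critical** 9.8, Active Exploitation **No**) has been removed from the table rather than kept alongside the new kernel entry; if dropping it was intended, say so in the commit, otherwise restore the row.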
@@ -0,0 +1,24 @@
# Microsoft Edge Spoofing and Information Disclosure Vulnerabilities - 20240226001

## Overview

Microsoft has released security advisories relating to multiple vulnerabilities present in select Microsoft Edge versions.
An attacker who has successfully exploited these vulnerabilities could obfuscate and spoof of elements in the UI and lead to escape of the browser sandbox environment.

## What is vulnerable?

| Product(s) Affected | Summary | Severity | CVSS |
| -------------------------------------- | ----------------------------------------------------------------- | -------- | ---- |
| **versions before** <br> 122.0.2365.52 | [CVE-2024-26188](https://nvd.nist.gov/vuln/detail/CVE-2024-26188) | **Low** | 4.3 |
| **versions before** <br> 122.0.2365.52 | [CVE-2024-26192](https://nvd.nist.gov/vuln/detail/CVE-2024-26192) | **High** | 8.2 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26188
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26192
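Review bot: the Overview sentence reads awkwardly, "could obfuscate and spoof of elements in the UI and lead to escape of the browser sandbox environment"; suggest "could spoof or obscure elements of the browser UI and escape the browser sandbox". The two MSRC URLs in the Recommendation list are bare, while the other advisories wrap URLs in angle brackets (`<https://...>`) so they render as links; wrap them the same way.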
30 changes: 30 additions & 0 deletions docs/advisories/20240305001-Cisco-NX-OS-DOS.md
@@ -0,0 +1,30 @@
# Cisco Patches NX-OS DoS Vulnerabilities - 20240305001

## Overview

Cisco have released updates for their NX-OS products that address high severity Denial of Service (DoS) vulnerabilities which could cause a vulnerable device to stop processing network traffic or restart. There are no workarounds.

## What is vulnerable?

Affected Cisco products:

- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
- Cisco Nexus 9500 R-Series Line Cards

For more details about the vulnerable products, please refer to the *Recommendation* section below.

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* if the products are internet facing (refer [Patch Management](../guidelines/patch-management.md)):

- [Cisco NX-OS Software MPLS Encapsulated IPv6 Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-mpls-dos-R9ycXkwM)
- [Cisco NX-OS Software External Border Gateway Protocol Denial of Service Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ebgp-dos-L3QCwVJ)
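Review bot: the Recommendation gives a timeframe only "if the products are internet facing" and leaves non-internet-facing devices without one; state the fallback timeframe from the Patch Management guideline (the Edge advisory in this commit uses *one month...*) so the expected window is unambiguous. Minor: the product list mixes "Cisco Nexus 9500 R-Series Line Cards" with entries that omit the "Cisco" prefix; drop the prefix for consistency with the rest of the list.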