Merge branch 'wagov:main' into main

docs/advisories/20230317001-Honeywell-OneWireless-Device-Manage-Vulnerability.md

@@ -26,8 +26,8 @@ CWEs:
 
 - CWW-77:Command Injection <https://cwe.mitre.org/data/definitions/77.html>
     <https://cwe.mitre.org/data/definitions/306.html>
-- CWE-330: Use of Insufficiently Random Values <https://cwe.mitre.org/data/definitions/330.html>
-- CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>
+    - CWE-330: Use of Insufficiently Random Values <https://cwe.mitre.org/data/definitions/330.html>
+    - CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>
 
 ## Recommendation
 

docs/advisories/20240123001-VMWare-added-to-CISA-Known-Exploited-Catalog.md

@@ -2,14 +2,14 @@
 
 ## Overview
 
-The vCenter Server contains a known exploited an out-of-bounds write vulnerability in the implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Calls) protocol and a partical information disclosure vulnerabilities. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.
+VMWare have released a critical advisory relating to vulnerabilities affecting their vCenter Server and VMware Cloud Foundation products. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write, potentially leading to remote code execution.
 
 ## What is vulnerable?
 
-| CVE ID                                                            | Product(s) Affected                                                                                 | Summary                                        | Severity     | CVSS |
-| ----------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ------------ | ---- |
-| [CVE-2023-34048](https://nvd.nist.gov/vuln/detail/CVE-2023-34048) | VMware vCenter Server **versions before** 8.0, VMware Cloud Foundation **versions before** 5.x, 4.x | An out-of-bounds write vulnerability           | **Critical** | 9.8  |
-| [CVE-2023-34056](https://nvd.nist.gov/vuln/detail/CVE-2023-34056) | VMware vCenter Server **versions before** 8.0, VMware Cloud Foundation **versions before** 5.x, 4.x | A partial information disclosure vulnerability | **Moderate** | 4.3  |
+| CVE ID                                                            | Product(s) Affected                                                                                                                                                          | Summary                              | Severity     | CVSS |
+| ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | ------------ | ---- |
+| [CVE-2023-34048](https://nvd.nist.gov/vuln/detail/CVE-2023-34048) | VMware vCenter Server 8.x versions **before 8.0U1d**, VMware vCenter Server 7.x versions **before 7.0U30**, VMware Cloud Foundation versions 5.x and 4.x **without KB88287** | An out-of-bounds write vulnerability | **Critical** | 9.8  |
+| [CVE-2023-34056](https://nvd.nist.gov/vuln/detail/CVE-2023-34056) | VMware vCenter Server 8.x versions **before 8.0U1d**, VMware vCenter Server 7.x versions **before 7.0U30**, VMware Cloud Foundation versions 5.x and 4.x **without KB88287** | An out-of-bounds write vulnerability | **Moderate** | 4.3  |
 
 ## What has been observed?
 

docs/advisories/20240125001-thunderbird-firefox-updates.md

@@ -0,0 +1,23 @@
+# Mozilla Releases Security Updates for Thunderbird and Firefox - 20240125001
+
+## Overview
+
+Mozilla has released security updates to address vulnerabilities in Thunderbird and Firefox. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
+
+## What is vulnerable?
+
+The vulnerabilities affect products prior to the following versions:
+
+- [Thunderbird 115.7](https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/)
+- [Firefox ESR 115.7](https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/)
+- [Firefox 122](https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/)
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md))
+
+- https://www.cisa.gov/news-events/alerts/2024/01/24/mozilla-releases-security-updates-thunderbird-and-firefox

docs/advisories/20240125002-Cisco-Critical-Advisory.md

@@ -0,0 +1,38 @@
+# Cisco Critical Advisory - 20240125002
+
+## Overview
+
+Cisco has released software updates that addresses a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+## What is the vulnerability?
+
+| CVE                                                               | Severity     | CVSS |
+| ----------------------------------------------------------------- | ------------ | ---- |
+| [CVE-2024-20253](https://nvd.nist.gov/vuln/detail/CVE-2024-20253) | **Critical** | 9.9  |
+
+## What is vulnerable?
+
+| Product(s) Affected                                                        |                          |
+| -------------------------------------------------------------------------- | ------------------------ |
+| Packaged Contact Center Enterprise (PCCE)                                  | **versions before** 12.0 |
+| Unified Communications Manager (Unified CM)                                | **versions before** 11.5 |
+| Unified Communications Manager IM & Presence Service (Unified CM IM&P)     | **versions before** 11.5 |
+| Unified Communications Manager Session Management Edition (Unified CM SME) | **versions before** 11.5 |
+| Unified Contact Center Enterprise (UCCE)                                   | **versions before** 12.0 |
+| Unified Contact Center Express (UCCX)                                      | **versions before** 12.0 |
+| Unity Connection                                                           | **versions before** 11.5 |
+| Virtualized Voice Browser(VVB)                                             | **versions before** 12.0 |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [Cisco Security](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm#fs)
+
+## Additional References
+
+- [IT News](https://www.itnews.com.au/news/cisco-unified-comms-systems-patched-against-rce-604400)

docs/advisories/20240129001-Microsoft-Edge-Elevation-of-Privilege-Vulnerability.md

@@ -0,0 +1,29 @@
+# Microsoft Edge Elevation of Privilege Vulnerability - 20240129001
+
+## Overview
+
+Microsoft has released the latest Microsoft Edge-specific Security Updates of the Chromium project.
+
+## What is the vulnerability?
+
+| CVE                                                               | Severity     | CVSS |
+| ----------------------------------------------------------------- | ------------ | ---- |
+| [CVE-2024-21326](https://nvd.nist.gov/vuln/detail/CVE-2024-21326) | **Critical** | 9.6  |
+| [CVE-2024-21385](https://nvd.nist.gov/vuln/detail/CVE-2024-21385) | **High**     | 8.3  |
+
+## What is vulnerable?
+
+| Product(s) Affected                    |                            |
+| -------------------------------------- | -------------------------- |
+| Microsoft Edge Stable Channel          | **version** 12.0           |
+| Microsoft Edge Extended Stable Channel | **version** 120.0.2210.160 |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [Microsoft Edge Security](https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security)

docs/advisories/20240129002-GitLab-Arbitrary-File-Write-Vulnerability.md

@@ -0,0 +1,29 @@
+# GitLab Arbitrary File Write Vulnerability - 20240129002
+
+## Overview
+
+A critical severity vulnerability has been discovered in GitLab CE/EE, which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
+
+## What is the vulnerability?
+
+| CVE                                                             | Severity     | CVSS |
+| --------------------------------------------------------------- | ------------ | ---- |
+| [CVE-2024-0402](https://nvd.nist.gov/vuln/detail/CVE-2024-0402) | **Critical** | 9.9  |
+
+## What is vulnerable?
+
+| Product(s) Affected |                                    |
+| ------------------- | ---------------------------------- |
+| GitLab CE/EE        | **versions before** 16.0 to 16.6.6 |
+|                     | **versions before** 16.7 to 16.7.4 |
+|                     | **versions before** 16.8 to 16.8.1 |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *two weeks* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [Gitlab security release](https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/#arbitrary-file-write-while-creating-workspace)

docs/advisories/20240129002-GitLab-Critical-Security-Advisory.md

@@ -0,0 +1,29 @@
+# GitLab Critical Security Advisory - 20240129002
+
+## Overview
+
+GitLab has released patches for crtical vulnerability discovered in GitLab CE/EE, which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
+
+## What is the vulnerability?
+
+| CVE                                                             | Severity     | CVSS |
+| --------------------------------------------------------------- | ------------ | ---- |
+| [CVE-2024-0402](https://nvd.nist.gov/vuln/detail/CVE-2024-0402) | **Critical** | 9.9  |
+
+## What is vulnerable?
+
+| Product(s) Affected |                                    |
+| ------------------- | ---------------------------------- |
+| GitLab CE/EE        | **versions before** 16.0 to 16.6.6 |
+| GitLab CE/EE        | **versions before** 16.7 to 16.7.4 |
+| GitLab CE/EE        | **versions before** 16.8 to 16.8.1 |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *two weeks* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [Gotlab security release](https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/#arbitrary-file-write-while-creating-workspace)

docs/advisories/20240130001-Juniper-Networks-Security-Advisory.md

@@ -0,0 +1,31 @@
+# Juniper Networks Security Advisory - 20240130001
+
+## Overview
+
+Juniper has released a security advisories relating to Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information.
+
+## What is vulnerable?
+
+| Product(s) Affected   | Severity | CVSS |
+| --------------------- | -------- | ---- |
+| **20.4R3-S9**         | **High** | 8.8  |
+| **21.2R3-S7**         | **High** | 8.8  |
+| **21.3R3-S5**         | **High** | 8.8  |
+| **21.4R3-S6**         | **High** | 8.8  |
+| **22.1R3-S5**         | **High** | 8.8  |
+| **22.2R3-S3**         | **High** | 8.8  |
+| **22.3R3-S2**         | **High** | 8.8  |
+| **22.4R3**            | **High** | 8.8  |
+| **23.2R1-S2, 23.2R2** | **High** | 8.8  |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+## Additional References
+
+[Juniper Networks Security Release](https://supportportal.juniper.net/JSA76390)

docs/advisories/20240130002-Atlassian-Confluence-Data-Center-Known-Exploited-Vulnerabilities.md

@@ -0,0 +1,39 @@
+# Atlassian Confluence Data Center Known Exploited Vulnerabilities - 20240130002
+
+## Overview
+
+The WA SOC has been made aware of a Proof of Concept (PoC) exploit code available for Confluence Data Center and Server
+SSTI (Server Side Template Injection) vulnerability.
+
+## What is vulnerable?
+
+| Product(s) Affected                   | Affected Version(s)                                                                       | Summary                                                                                                                                                                                                                                   | Severity     | CVSS |
+| ------------------------------------- | ----------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---- |
+| **Confluence Data Center and Server** | <br /> ***8.0.x,<br /> 8.1.x,<br /> 8.2.x,<br /> 8.3.x,<br /> 8.4.x,<br /> 8.5.0-8.5.3*** | A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action. | **Critical** | 9.8  |
+
+***Note: 7.19.x LTS versions are not affected by this vulnerability***
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server | Atlassian Support | Atlassian Documentation](https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html)
+
+### Immediately patch to the latest version
+
+If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available. The listed Fixed Versions are no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.
+
+| **Product**                       | **Fixed Versions**                                   | **Latest Versions**            |
+| --------------------------------- | ---------------------------------------------------- | ------------------------------ |
+| Confluence Data Center and Server | 8.5.4 (LTS)                                          | **_8.5.5 (LTS)_**              |
+| Confluence Data Center            | 8.6.0 (Data Center Only)<br>8.7.1 (Data Center Only) | **_8.7.2 (Data Center Only)_** |
+
+### Mitigations
+
+There are no known workarounds. To remediate this vulnerability, update each affected product installation to the latest version.
+
+## Additional References
+
+- [💀 Atlassian Confluence SSTI Injection Exploit CVE-2023-22527 (sploitus.com)](https://sploitus.com/exploit?id=1337DAY-ID-39278)
+
+- [NVD - CVE-2023-22527 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2023-22527#range-10266658)

docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md

@@ -16,8 +16,8 @@ The query tries to detect suspicious DNS queries known from Cobalt Strike beacon
 CobaltStrike
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4\
-https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/\
+https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4%5C
+https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/%5C
 https://blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-1/
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md

@@ -13,12 +13,12 @@ CobaltStrike uses named pipes for communication between processes. Default beaco
 CobaltStrike
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4\
-https://twitter.com/d4rksystem/status/1357010969264873472\
-https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/\
-https://github.com/SigmaHQ/sigma/issues/253\
-https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\
-https://redcanary.com/threat-detection-report/threats/cobalt-strike/\
+https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4%5C
+https://twitter.com/d4rksystem/status/1357010969264873472%5C
+https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/%5C
+https://github.com/SigmaHQ/sigma/issues/253%5C
+https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/%5C
+https://redcanary.com/threat-detection-report/threats/cobalt-strike/%5C
 https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md

@@ -12,9 +12,9 @@ Actor may use Impacket’s wmiexec, which redirects output to a file within the
 Volt Typhoon activity
 
 **Reference:**\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\
-https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/%5C
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a%5C
 https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md

@@ -12,9 +12,9 @@ Actor may use Impacket’s wmiexec, which redirects output to a file within the
 Volt Typhoon activity
 
 **Reference:**\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\
-https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/%5C
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a%5C
 https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml
 
 #### ATT&CK TACTICS<br>