Commit

Merge branch 'wagov:main' into main
LSerki authored Sep 26, 2024
2 parents facbbf9 + ae8af15 commit 83dce58
Showing 11 changed files with 236 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ The Progress WhatsUp Gold team has recently disclosed multiple critical vulnerab

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Since publication, there has been evidence of exploitation in the wild.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours...* (refer [Patch Management](../guidelines/patch-management.md)):
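
Review bot: the added sentence "Since publication, there has been evidence of exploitation in the wild." sits directly under the unchanged "There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.", and the two read as a contradiction without a date. Date the update to match the change log entry (for example "Update 2024-09-13: there is now evidence of exploitation in the wild; see the Trend Micro reference below") and state whether the WA Government finding above still holds. The unchanged context line also uses "*48 Hours...*" where the other advisories in this commit use "*48 hours*".
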
Expand All @@ -23,3 +25,9 @@ The WA SOC recommends administrators apply the solutions as per vendor instructi
## Additional References

- Cybersecurity News article: <https://securityonline.info/critical-vulnerabilities-uncovered-in-progress-whatsup-gold-cve-2024-6670-cve-2024-6671/>
- Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html

### Change log

- 2024-08-26: Advisory created.
- 2024-09-13: Update of “What has been observed” with evidence of exploitation and secondary additional reference link.
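
Review bot: the new Trend Micro reference is a bare URL while the entry above wraps its URL in angle brackets; write it as `<https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html>` so both render as links consistently. In the change log entry, "secondary additional reference link" is redundant; "added Trend Micro reference" says the same thing.
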
29 changes: 29 additions & 0 deletions docs/advisories/20240913002-WordPress-LMS-Crit-vulns.md
@@ -0,0 +1,29 @@
# WordPress Plugin Critical Update - 20240913002

## Overview

The WA SOC has been made aware of 2 CVSS 10 critical vulnerablities in the "LearnPress – WordPress LMS Plugin".

The vulnerabilities allow an unauthenticated attacker to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The plugin author has released an update that patches the vulnerabilties.

## What is vulnerable?

| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
| --------------------------------- | ---------- | --------------------------------------------------------------- | ---- | ------------ |
| LearnPress – WordPress LMS Plugin | \<= 4.2.7 | [CVE-2024-8529](https://nvd.nist.gov/vuln/detail/CVE-2024-8529) | 10.0 | **Critical** |
| LearnPress – WordPress LMS Plugin | \<= 4.2.7 | [CVE-2024-8522](https://nvd.nist.gov/vuln/detail/CVE-2024-8522) | 10.0 | **Critical** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):

- https://wordpress.org/plugins/learnpress/

## Additional References

- Wordfence: [LearnPress – WordPress LMS Plugin \<= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-427-unauthenticated-sql-injection-via-c-only-fields)
- Wordfence: [LearnPress – WordPress LMS Plugin \<= 4.2.7 - Unauthenticated SQL Injection via 'c_fields'](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-427-unauthenticated-sql-injection-via-c-fields)
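
Review bot: the Recommendation bullet is a bare, unlabelled link to the plugin listing rather than an instruction; the affected range "\<= 4.2.7" implies the fix is the next release, so name the fixed version explicitly, tell administrators to confirm the installed plugin version is above 4.2.7 after updating, and wrap the URL in angle brackets as the other advisories do. Typos in the Overview: "vulnerablities" and "vulnerabilties" should both be "vulnerabilities". The two Wordfence titles already identify the injected parameters ('c_only_fields' and 'c_fields'); a short note mapping each CVE to its parameter would help teams reviewing web server logs for attempted exploitation.
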
25 changes: 25 additions & 0 deletions docs/advisories/20240913003-GitLab-Critical-Update.md
@@ -0,0 +1,25 @@
# GitLab Publishes Critical Update - 20240913003

## Overview

GitLab has released critical updates to address multiple vulnerabilities, the most severe of them allowing an attacker to trigger pipelines as arbitrary users under certain conditions.

## What is vulnerable?

| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
| ------------------- | ------------------------------------------------------------------------ | --------------------------------------------------------------- | ------- | ------------ |
| GitLab CE/EE | 8.14 prior to 17.1.7 <br> 17.2 prior to 17.2.5 <br> 17.3 prior to 17.3.2 | [CVE-2024-6678](https://nvd.nist.gov/vuln/detail/CVE-2024-6678) | **9.9** | **Critical** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):

- GitLab Critical Patch Release Notes: <https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/>

## Additional References

- BleepingComputer article: <https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pipeline-execution-vulnerability/>
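
Review bot: the Overview says "multiple vulnerabilities" but the table lists only CVE-2024-6678; either add the remaining CVEs from the linked 17.3.2 patch release notes or say in the Overview that only the most severe is tabulated. The CVSS value is bolded ("**9.9**") whereas the other advisories in this commit leave scores unbolded, and "*48 hours...*" carries a trailing ellipsis that the LearnPress and Grafana advisories do not.
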
28 changes: 28 additions & 0 deletions docs/advisories/20240913004-CISA-Siemens-New-ICS-Advisories.md
@@ -0,0 +1,28 @@
# CISA and Siemens Release New ICS Advisories - 20240913004

## Overview

CISA and Siemens has released advisories for Industrial Control Systems (ICS) related products and vendors.

## What is vulnerable?

### Siemens Advisory

| Vendor | Advisory Link(s) | CVE # | CVSS | Severity |
| ------- | ------------------------------------------------------------------------------ | ----------------------------------------------------------------- | ---- | -------- |
| Siemens | [SSA-629254](https://cert-portal.siemens.com/productcert/html/ssa-629254.html) | [CVE-2024-35783](https://nvd.nist.gov/vuln/detail/CVE-2024-35783) | 9.4 | Critical |

### CISA Advisories

| Vendor | Advisory Link(s) |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Siemens | [ICSA-24-256-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-01) <br> [ICSA-24-256-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-02) <br>[ICSA-24-256-03](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-03) <br> [ICSA-24-256-04](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-04) <br> [ICSA-24-256-05](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-05) <br> [ICSA-24-256-06](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-06) <br> [ICSA-24-256-07](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-07) <br> [ICSA-24-256-08](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-08) <br> [ICSA-24-256-09](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-09) <br> [ICSA-24-256-10](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-10) <br> [ICSA-24-256-11](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-11) <br> [ICSA-24-256-12](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-12) <br> [ICSA-24-256-13](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-13) <br> [ICSA-24-256-14](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-14) <br> [ICSA-24-256-15](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-15) <br> [ICSA-24-256-16](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-16) |
| AutomationDirect | [ICSA-24-256-17](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-17) |
| Rockewell Automation | [ICSA-24-256-18](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-18) <br> [ICSA-24-256-19](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-19) <br>[ICSA-24-256-20](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-20) <br> [ICSA-24-256-21](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-21) <br> [ICSA-24-256-22](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-22) <br> [ICSA-24-256-23](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-23) <br> [ICSA-24-256-24](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-24) <br> [ICSA-24-256-25](https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-25) |

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)):

- Siemens Advisory: <https://cert-portal.siemens.com/productcert/html/ssa-629254.html>
- CISA Advisory: <https://www.cisa.gov/news-events/alerts/2024/09/12/cisa-releases-twenty-five-industrial-control-systems-advisories>
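
Review bot: "CISA and Siemens has released" should be "have released", and "Rockewell Automation" should be "Rockwell Automation". The Recommendation omits the expected timeframe ("within expected timeframe (refer ..." has no value), yet the Siemens entry is rated 9.4 Critical; the other critical advisories in this commit state 48 hours, so give a value here. The separator row of the CISA Advisories table is several hundred dashes wide; three dashes per column is all markdown needs.
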
19 changes: 19 additions & 0 deletions docs/advisories/20240918001-CISA-New-ICS-Advisories.md
@@ -0,0 +1,19 @@
# CISA Releases New ICS Advisories - 20240918001

## Overview

CISA has released multiple advisories for Industrial Control Systems (ICS) related vendors.

## What is vulnerable?

| Vendor | Advisory Link(s) |
| ----------------------- | -------------------------------------------------------------------------------- |
| Siemens | [ICSA-24-261-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-01) |
| Millbeck Communications | [ICSA-24-261-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-02) |
| Yokogawa | [ICSA-24-261-03](https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03) |

## Recommendation

The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices.

- CISA Advisory: <https://www.cisa.gov/news-events/alerts/2024/09/17/cisa-releases-three-industrial-control-systems-advisories>
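
Review bot: the table gives no CVE or CVSS for the three advisories, so readers cannot triage them against the 48-hour expectation used elsewhere in this commit; add the CVE # / CVSS / Severity columns used in the Siemens table of 20240913004, or say in the Recommendation that severity must be taken from each ICSA page. The Recommendation sentence ends with a full stop but introduces a bullet list, so end it with a colon as the other advisories do.
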
20 changes: 20 additions & 0 deletions docs/advisories/20240919001-ASD-Joint-Advisory-Botnet-Discovery.md
@@ -0,0 +1,20 @@
# ASD Publishes Joint Advisory on China Linked Botnet Operations - 20240919001

## Overview

The Australian Signals Directorate (ASD) have published a joint advisory reporting People's Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a "botnet") positioned for malicious activity.

## What has been observed?

Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-2021. The botnet has regularly maintained between tens to hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices, of which there is an estimated 2,400 nodes discovered within Australia.

While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech controlled botnet are likely still supported by their respective vendors.

## Recommendation

The WA SOC recommends administrators perform the following:

- ASD Advisory: <https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/peoples-republic-china-linked-actors-compromise-routers-and-iot-devices-botnet-operations>
- Review '**Appendix A: Indicators of Compromise**' section to perform scoping of any potentially related activity,
- Review '**Appendix B: Observed CVEs**' section to perform discovery of potentially vulnerable devices,
- Review the '**Recommended Mitigations**' section for relevant information.
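
Review bot: the Recommendation says "perform the following:" but the first bullet is a link rather than an action, and the three action bullets end in commas; introduce the link first ("Review the ASD advisory: <url>, in particular:") and list the three review actions under it with full stops. Grammar in the Overview: "The Australian Signals Directorate (ASD) have published" should be "has published", and "between tens to hundreds of thousands ... of which there is an estimated 2,400 nodes" reads better as "between tens and hundreds of thousands ... an estimated 2,400 of which are within Australia". A "What is vulnerable?" section naming the device classes already listed in the Overview (SOHO routers, firewalls, NAS, IoT) would bring the advisory in line with the template used by the others in this commit.
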
26 changes: 26 additions & 0 deletions docs/advisories/20240919002-Broadcom-VMware-Critical-Update.md
@@ -0,0 +1,26 @@
# Broadcom VMware Critical Update - 20240919002

## Overview

Broadcom released security updates to address a critical vulnerability in VMware vCenter Server that could lead to remote code execution.

## What is vulnerable?

| Product(s) Affected | Version(s) | CVE # | CVSS v4/v3 | Severity |
| ----------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------- |
| vCenter Server | 8.0 \< U3b <br> 7.0 \< U3s | [CVE-2024-38812](https://nvd.nist.gov/vuln/detail/CVE-2024-38812) <br> [CVE-2024-38813](https://nvd.nist.gov/vuln/detail/CVE-2024-38813) | 9.8 <br> 7.5 | **Critical** <br> **High** |
| VMware Cloud Foundation | 5.x \< 8.0 U3b <br> 4.x \< 7.0 U3s | [CVE-2024-38812](https://nvd.nist.gov/vuln/detail/CVE-2024-38812) <br> [CVE-2024-38813](https://nvd.nist.gov/vuln/detail/CVE-2024-38813) | 9.8 <br> 7.5 | **Critical** <br> **High** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hrs...* (refer [Patch Management](../guidelines/patch-management.md)):

- Broadcom Advisory: <https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968>

## Additional References

- SecurityAffairs article: <https://securityaffairs.com/168536/security/vmware-vcenter-server-cve-2024-38812.html>
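
Review bot: the Overview says "a critical vulnerability" but the table lists two CVEs with different severities (CVE-2024-38812 Critical, CVE-2024-38813 High); say "two vulnerabilities, the more severe of which could lead to remote code execution". The column header "CVSS v4/v3" suggests two scores per CVE, but each CVE has a single value (9.8 and 7.5), so state which scoring version those are. "*48 hrs...*" should match the "*48 hours*" wording used elsewhere.
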
27 changes: 27 additions & 0 deletions docs/advisories/20240924001-Grafana-Plugin-Critical-Vuln.md
@@ -0,0 +1,27 @@
# Grafana Plugin SDK Information Leakage Vulnerabilty - 20240924001

## Overview

The WA SOC has been made aware of a vulnerability affecting Grafana.

The Grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

## What is vulnerable?

| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
| ------------------- | ------------------------ | --------------------------------------------------------------- | ---- | ------------ |
| Grafana Plugin SDK | all versions \<= 0.249.0 | [CVE-2024-8986](https://nvd.nist.gov/vuln/detail/CVE-2024-8986) | 9.1 | **Critical** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):

- <https://grafana.com/security/security-advisories/cve-2024-8986/>

## Additional References

- Security Online: <https://securityonline.info/cve-2024-8986-cvss-9-1-critical-grafana-plugin-sdk-flaw-exposes-sensitive-information/>
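
Review bot: the Recommendation tells administrators to "apply the solutions ... to all affected devices", but the Overview describes a build-time leak: any plugin already compiled with an SDK at or below 0.249.0 from a repository whose remote URL carried credentials still contains those credentials, and upgrading the SDK does not remove them from shipped binaries. Add to the Recommendation that plugin authors should rebuild with a fixed SDK and rotate any credential that ever appeared in the `git remote get-url origin` output, and that operators should check the build metadata of plugins they deploy. "Vulnerabilty" in the title should be "Vulnerability".
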