Skip to content

Commit

Permalink
Merge branch 'main' into main
Browse files Browse the repository at this point in the history
  • Loading branch information
@DGovEnterprise
DGovEnterprise authored Jul 4, 2024
2 parents 02e2ee9 + 5bafcfd commit 8c81113
Show file tree
Hide file tree
Showing 22 changed files with 6,899 additions and 27 deletions.
25 changes: 25 additions & 0 deletions ...visories/20240626001-VMware-ESXi-and-vCenter-Server-multiple-vulnerabilities.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# VMware ESXi and vCenter Server multiple vulnerabilities - 20240626001

## Overview

The WA SOC has been made aware of multiple vulnerabilities affecting VMware ESXi and vCenter Server.

## What is vulnerable?

| Products Affected | CVE | CVSSv3 | Severity |
| ------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ---------- |
| **versions before** <br> vCenter Server 7.0 <br> vCenter Server 8.0 <br> VMware Cloud Foundation 5.x <br> VMware Cloud Foundation 4.x | [CVE-2024-37085](https://nvd.nist.gov/vuln/detail/CVE-2024-37085)<br>[CVE-2024-37086](https://nvd.nist.gov/vuln/detail/CVE-2024-37086)<br>[CVE-2024-37087](https://nvd.nist.gov/vuln/detail/CVE-2024-37087) | 5.3 - 6.8 | **Medium** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- <https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505>

## Additional References

- <https://www.zerodayinitiative.com/advisories/ZDI-24-882/>
28 changes: 28 additions & 0 deletions docs/advisories/20240626002-Windows-Bluetooth-Service-Exploit-PoC-Published.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
# Windows Bluetooth Service Exploit PoC Published - 20240626002

## Overview

A Proof-of-Concept (PoC) exploit code for vulnerability in the Bluetooth Low Energy library in Windows has been published. This integer overflow vulnerability allows attackers to execute arbitrary code without requiring authentication.

## What is vulnerable?

| Product(s) Affected | CVE | Severity | CVSS |
| ------------------------------------------------------------------------ | ----------------------------------------------------------------- | -------- | ---- |
| Windows 10 20H2 to 22H2, Windows 11 21H2 to 22H2 and Windows Server 2022 | [CVE-2023-24871](https://nvd.nist.gov/vuln/detail/CVE-2023-24871) | **High** | 8.8 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours (refer [Patch Management](../guidelines/patch-management.md)):

- <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24871>

At the time of publishing, Microsoft only addresses the Remote Code Execution aspect but not the Local Privilege Escalation aspect. Therefore, it is recommended that administrators also take necessary actions to prevent Local Privilege Escalation

## Additional References

- Cybersecurity News: <https://securityonline.info/researcher-unveils-poc-for-windows-bluetooth-service-rce-vulnerability/>
- CrowdStrike: <https://www.crowdstrike.com/cybersecurity-101/privilege-escalation>
2 changes: 1 addition & 1 deletion docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Several plugins for WordPress hosted on WordPress.org have been compromised and

## What is vulnerable?

| Products Affected. | CVE | CVSS | Severity |
| Products Affected | CVE | CVSS | Severity |
| ------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---- | ------------ |
| **[List of Affected Products](https://www.cve.org/CVERecord?id=CVE-2024-6297)** | [CVE-2024-6297](https://www.cve.org/CVERecord?id=CVE-2024-6297) | 10 | **Critical** |

Expand Down
53 changes: 50 additions & 3 deletions docs/advisories/20240626004-JavaScript-Polyfill-Supply-Chain-Attack.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,57 @@ Currently, the cdn.polyfill.io domain is inexplicably diverted to Cloudflare's m

Google has also started blocking Google Ads for websites using the affected code to reduce the number of potential targets.

## Recommended Mitigations
## The Threat?

The WA SOC recommends that any website currently using Polyfill.io to immediately remove its code to avoid potential security breaches. The web administrator are encouraged to support secure and sustainable alternatives to ensure the integrity of their projects.
**End-User**:

- MITRE Technique:

- **Drive-by Compromise** - <https://attack.mitre.org/techniques/T1189/>

- **Command and Scripting Interpreter: JavaScript** - <https://attack.mitre.org/techniques/T1059/007/>

- When a user accessed a website that uses polyfill library, the Polyfill library will perform a request to hxxps://cdn.polyfill.io/v2/polyfill.min.js OR hxxps://cdn.polyfill.io/v3/polyfill.min.js

- If the user matches certain criterion (i.e. mobile devices, specific mobile OS platform, specific hours, specific user-agent), it will return an original polyfill code injected with malicious code, which will run a malicious javascript. (See <https://github.com/polyfillpolyfill/polyfill-service/issues/2873#issuecomment-2182491302> for details)

- See below IOCs for identified domain-name used to deliver payload.

**Website Provider (Agencies):**

- MITRE Techniques: **Supply Chain Compromise** - <https://attack.mitre.org/techniques/T1195/>

- Agencies that uses the old polyfill library on their websites may cause user's visiting their website vulnerable to the drive-by compromise attack.

- As of 25 June 2024, Google have started blocking Google Ads for eCommerce sites that uses polyfill\[.\]io

## What has been observed?

WA SOC has not observed any signs of outbound activities to malicious payload within SOC connected entities. (subject to data connector's availability). (Note: Based on current write-ups, the threat actor seemed to be targeting mobile devices)

## Recommended Actions:

WA SOC recommends entities to perform the following actions:

- Agency to search for instance of cdn\[.\]polyfill\[.\]io in source code across the projects within the organisation

- Agency may have 2 options in regards to the use of Polyfill:

- **Option-1**: Deprecate the usage of polyfill. Reference: <https://x.com/triblondon/status/1761852117579427975>

- **Option-2**: If polyfill still needed, use alternatives polyfill library from Fastly and Cloudflare (Reference: <https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk>, <https://community.fastly.com/t/new-options-for-polyfill-io-users/2540>

## IOC:

| Indicator | Type | Description |
| ------------------------------------------------------------- | ---------- | ----------- |
| hxxps://kuurza\[.\]com/redirect?from=bitget | domainName | Payload C&C |
| hxxps://www\[.\]googie-anaiytics\[.\]com/html/checkcachehw.js | domainName | Payload C&C |
| hxxps://www\[.\]googie-anaiytics\[.\]com/ga.js | domainName | Payload C&C |

## Reference

- Bleeping Computer: <https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/>
- <https://remysharp.com/2010/10/08/what-is-a-polyfill/>
- <https://polykill.io/>
- <https://sansec.io/research/polyfill-supply-chain-attack>
- <https://web.archive.org/web/20240624110153/https://github.com/polyfillpolyfill/polyfill-service/issues/2873>
27 changes: 27 additions & 0 deletions docs/advisories/20240627001-Win-Kernel-Priv-Esc-POC.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Windows Kernel Elevation of Privilege PoC Released - 20240627001

## Overview

The WA SOC has been made aware of the release of proof-of-concept (PoC) code targeting a recent high-severity vulnerability (CVE-2024-30088) in Microsoft Windows. By using a relatively simple race condition vulnerability, an attacker can gain SYSTEM privileges.

Organisations are encouraged to review the information regarding the vulnerability and apply the relevant security fixes as soon as possible.

## What is vulnerable?

| Products Affected. | CVE | CVSS | Severity |
| ------------------------------------------ | ----------------------------------------------------------------- | ---- | -------- |
| Windows 10, 11 and Server 2016, 2019, 2022 | [CVE-2024-30088](https://nvd.nist.gov/vuln/detail/CVE-2024-30088) | 7.0 | **High** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month (refer [Patch Management](../guidelines/patch-management.md)):

- [Microsoft - Windows Kernel Elevation of Privilege Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088)

## Additional References

- [GitHub - CVE-2024-30088 PoC](https://github.com/tykawaii98/CVE-2024-30088)
42 changes: 42 additions & 0 deletions docs/advisories/20240628001-GitLab-Vulnerabilities-June-2024r.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# GitLab Vulnerabilities June 2024 - 20240628001

## Overview

GitLab, the web-based DevOps platform has released security patches to address several a vulnerabilities including a critical 9.6 CVSS that allows an attacker to run pipelines as any user.

## What is the Vulnerability?

| CVE | Severity | CVSS Score | Summary | Dated |
| ----------------------------------------------------------------------------- | ------------ | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| [CVE-2024-5655](https://nvd.nist.gov/vuln/detail/CVE-2024-5655) | **Critical** | 9.6 | An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to trigger a pipeline as another user under certain circumstances. | 26 June, 2024 |
| [CVE-2024-4901](https://nvd.nist.gov/vuln/detail/CVE-2024-4901) | **High** | 8.7 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. | 26 June, 2024 |
| [CVE-2024-4994](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4994) | **High** | 8.1 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations. | 26 June, 2024 |
| [CVE-2024-6323](https://nvd.nist.gov/vuln/detail/CVE-2024-6323) | **High** | 7.7 | Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. | 26 June, 2024 |

## What is vulnerable?

The most severe vulnerability, CVE-2024-5655 (CVSS 9.6), involves use of the GitLab piplines which are a feature of the CI/CD system that enables users to autmatically run processes and tasks. The vulnerability gives an attacker the opportunity to run these pipelines as any user.

For this most critical vulnerability, it affects the following products:

GitLab - All deployment types:

- 15.8 before 16.11.5
- 17.0 before 17.03
- 17.1 before 17.1.1

Each vulnerability affects different versions listed in above table.

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer [Patch Management](../guidelines/patch-management.md)):

- <https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/>

## Additional References

- [Critical GitLab bug lets attackers run pipelines as any user](https://www.bleepingcomputer.com/news/security/critical-gitlab-bug-lets-attackers-run-pipelines-as-any-user/)
18 changes: 18 additions & 0 deletions docs/advisories/20240628002-CISA-New-ICS-Advisories.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# CISA Releases Multiple Critical Infrastructure Related Advisories - 20240628002

## Overview

CISA has released multiple advisories for Critical Infrastructure related products.

## What is vulnerable?

| Industry | Vendor | Advisory |
| ---------------------------------------------------------------------------------------------------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Communications | TELSAT | [ICSA-24-179-01 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01) |
| Energy, Water and Wastewater Systems, Critical Manufacturing | SDG Technologies | [ICSA-24-179-02 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02) |
| Energy, Food and Agriculture, Critical Manufacturing | Yokogawa | [ICSA-24-179-03 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-03) |
| Transportation Systems, Energy, Critical Manufacturing, Commercial Facilities, Government Facilities | Johnson Controls | [ICSA-24-179-04 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04) </br> [ICSA-24-179-05 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-05) </br> [ICSA-24-179-06 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06) </br> [ICSA-24-179-07 ](https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-07) |

## Recommendation

The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices.
32 changes: 32 additions & 0 deletions docs/advisories/20240701001-Juniper-Releases-Urgent-Advisory.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Juniper Releases Urgent Advisory - 20240701001

## Overview

Juniper Networks has released an emergency update to address a maximum severity vulnerability that leads to authentication bypass in Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. Exploitation of this vulnerability could allow an attacker to take full control of the device.

## What is vulnerable?

| Products Affected | Versions | CVE | CVSS | Severity |
| --------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---- | ------------ |
| **Session Smart Router** | - ***All versions before*** 5.6.15<br/>- from 6.0 before 6.1.9-lts<br>- from 6.2 before 6.2.5-sts | [CVE-2024-2973](https://nvd.nist.gov/vuln/detail/CVE-2024-2973) | 10.0 | **Critical** |
| **Session Smart Conductor** | - ***All versions before*** 5.6.15<br/>- from 6.0 before 6.1.9-lts<br>- from 6.2 before 6.2.5-sts | [CVE-2024-2973](https://nvd.nist.gov/vuln/detail/CVE-2024-2973) | 10.0 | **Critical** |
| **WAN Assurance Router** | - ***6.0 versions before*** 6.1.9-lts<br/>- 6.2 versions before 6.2.5-sts | [CVE-2024-2973](https://nvd.nist.gov/vuln/detail/CVE-2024-2973) | 10.0 | **Critical** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- Session Smart Router: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases.

- WAN Assurance Routers are patched automatically when connected to the Mist Cloud, but administrators of High-Availability clusters need to upgrade to SSR-6.1.9 or SSR-6.2.5.

- Juniper also notes that upgrading Conductor nodes is enough to apply the fix automatically to connected routers, but routers should still be upgraded to the latest available version.

## Additional References

- [Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973) (juniper.net)](https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US)
- [Juniper releases out-of-cycle fix for max severity auth bypass flaw (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/security/juniper-releases-out-of-cycle-fix-for-max-severity-auth-bypass-flaw/)
Loading

0 comments on commit 8c81113

Please sign in to comment.