forked from wagov/wasocshared
Showing 21 changed files with 678 additions and 6 deletions.
docs/advisories/20231023002-BIG-IP-Configuration-utility-vulnerability.md (2 changes: 1 addition & 1 deletion)
docs/advisories/20231023003-Juniper-Junos-OS-authentication-backdoor.md (29 changes: 29 additions & 0 deletions)
@@ -0,0 +1,29 @@ | ||
# Juniper Junos OS authentication backdoor - 20231023003 | ||
|
||
## Overview | ||
|
||
An Incorrect Default Permissions vulnerability in Juniper Networks Junos OS allows an unauthenticated attacker with local access to the device to create a backdoor with root privileges. The issue is caused by improper directory permissions on a certain system directory, allowing an attacker with access to this directory to create a backdoor with root privileges. | ||
|
||
## What is the vulnerability? | ||
|
||
[**CVE-2023-44194**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44194) - CVSS v3 Base Score: ***8.4*** | ||
|
||
## What is vulnerable? | ||
|
||
This issue affects Juniper Networks Junos OS: | ||
|
||
- All versions prior to 20.4R3-S5; | ||
- 21.1 versions prior to 21.1R3-S4; | ||
- 21.2 versions prior to 21.2R3-S4; | ||
- 21.3 versions prior to 21.3R3-S3; | ||
- 21.4 versions prior to 21.4R3-S1. | ||
|
||
## What has been observed? | ||
|
||
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. | ||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month* (refer [Patch Management](../guidelines/patch-management.md)): | ||
|
||
Review the following bulletin for further information: [Juniper Junos OS 2023-10 Security bulletin](https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-An-unauthenticated-attacker-with-local-access-to-the-device-can-create-a-backdoor-with-root-privileges-CVE-2023-44194?language=en_US) |
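Review bot: the Recommendation sentence ends with a colon but no list follows it, and the bulletin link in the last line is left as a bare paragraph; the other advisories in this commit put the vendor link in a bulleted list under the Recommendation, so `- [Juniper Junos OS 2023-10 Security bulletin](...)` would keep the structure consistent. This file is also the only one in the set without an `## Additional References` section; if the NVD entry for CVE-2023-44194 is the intended second source, add it there.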
docs/advisories/20231023005-SolarWinds-ARM-ThreeCriticalRCEVulnerabilities.md (66 changes: 66 additions & 0 deletions)
@@ -0,0 +1,66 @@ | ||
# Three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product - 20231023005 | ||
|
||
## Overview | ||
|
||
SolarWinds has released an advisory for eight vulnerabilities, including three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges. | ||
|
||
## What is the vulnerability? | ||
|
||
**Three Critical Vulnerabilities:** | ||
|
||
[**CVE-2023-35182**](https://nvd.nist.gov/vuln/detail/CVE-2023-35182) - CVSS v3 Base Score: ***8.8*** | ||
- Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to the deserialization of untrusted data in the ‘createGlobalServerChannelInternal’ method | ||
|
||
|
||
[**CVE-2023-35185**](https://nvd.nist.gov/vuln/detail/CVE-2023-35185) - CVSS v3 Base Score: ***8.8*** | ||
- Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to a lack of validation of user-supplied paths in the ‘OpenFile’ method | ||
|
||
|
||
[**CVE-2023-35187**](https://nvd.nist.gov/vuln/detail/CVE-2023-35187) - CVSS v3 Base Score: ***8.8*** | ||
- Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM without authentication due to lack of validation of user-supplied paths in the ‘OpenClientUpdateFile’ method | ||
|
||
|
||
**Other Vulnerabilities:** | ||
|
||
[**CVE-2023-35180**](https://nvd.nist.gov/vuln/detail/CVE-2023-35180) - CVSS v3 Base Score: ***8.0*** | ||
|
||
- The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API. | ||
|
||
[**CVE-2023-35181**](https://nvd.nist.gov/vuln/detail/CVE-2023-35181) - CVSS v3 Base Score: ***7.8*** | ||
|
||
- The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation. | ||
|
||
[**CVE-2023-35183**](https://nvd.nist.gov/vuln/detail/CVE-2023-35183) - CVSS v3 Base Score: ***7.8*** | ||
|
||
- The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation. | ||
|
||
|
||
[**CVE-2023-35184**](https://nvd.nist.gov/vuln/detail/CVE-2023-35184) - CVSS v3 Base Score: ***8.8*** | ||
|
||
- The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution. | ||
|
||
[**CVE-2023-35186**](https://nvd.nist.gov/vuln/detail/CVE-2023-35186) - CVSS v3 Base Score: ***8.0*** | ||
|
||
- The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. | ||
|
||
|
||
## What is vulnerable? | ||
|
||
The vulnerability affects the following products: | ||
|
||
- Access Rights Manager 2023.2 | ||
|
||
## What has been observed? | ||
|
||
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. | ||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): | ||
|
||
- [ARM 2023.2.1 Release Notes (solarwinds.com)](https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm) | ||
|
||
## Additional References | ||
|
||
- [Critical RCE flaws found in SolarWinds access audit solution (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/security/critical-rce-flaws-found-in-solarwinds-access-audit-solution/) | ||
- [ARM 2023.2.1 Release Notes (solarwinds.com)](https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm) |
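Review bot: CVE-2023-35184 is described as unauthenticated remote code execution with the same 8.8 base score as the three CVEs grouped under "Three Critical Vulnerabilities", yet it sits under "Other Vulnerabilities"; confirm the grouping against the vendor advisory or state the criterion used. Smaller points: the trailing `...` inside `*one month...*` renders as part of the italic text and should be dropped; the ARM 2023.2.1 release-notes link is listed twice (Recommendation and Additional References); the affected-product entry "Access Rights Manager 2023.2" should say whether earlier releases are also affected, given that the fixed release is 2023.2.1; and the bullet under each CVE is separated from its heading by a blank line for some entries and not for others.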
docs/advisories/20231025001-Guidance-for-Cisco-IOS-XE-Web-UI-Vulnerabilities.md (47 changes: 47 additions & 0 deletions)
@@ -0,0 +1,47 @@ | ||
# Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities - 20231025001 | ||
|
||
## Overview | ||
|
||
Cisco has released guidance for addressing Cisco IOS XE Web UI Vulnerabilities, where an unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system. Exploiting these vulnerabilities allow actors to create privileged accounts that provides complete control over a device. | ||
|
||
## What is the vulnerability? | ||
|
||
[**CVE-2023-20198**](https://nvd.nist.gov/vuln/detail/CVE-2023-20198) - CVSS v3 Base Score: ***10.0*** | ||
- Successfully exploiting this vulnerability allows a threat actor to gain initial access and execute privilege commands to create local user accounts and passwords. | ||
|
||
[**CVE-2023-20273**](https://nvd.nist.gov/vuln/detail/CVE-2023-20273) - CVSS v3 Base Score: ***7.2*** | ||
- Allows an actor to leverage newly created local user account (from previous exploit) to elevate privilege to root and write implants to the file system. | ||
|
||
## What is vulnerable? | ||
|
||
The vulnerability affects the following products: | ||
|
||
- Cisco IOS XE Software if the web UI feature is enabled | ||
|
||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): | ||
|
||
|
||
| **Cisco IOS XE Software Release Train** | **First Fixed Release** | **Available** | | ||
|-----------------------------------------|-------------------------|---------------| | ||
| 17.9 | 17.9.4a | Yes | | ||
| 17.6 | 17.6.6a | TBD | | ||
| 17.3 | 17.3.8a | TBD | | ||
| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD | | ||
|
||
- [Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) | ||
|
||
Additional steps for mitigation or for determining if Cisco systems are vulnerable are listed in the [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z). | ||
|
||
## Additional References | ||
|
||
- [CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities | CISA](https://www.cisa.gov/news-events/alerts/2023/10/23/cisa-updates-guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities) | ||
- [Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities | CISA](https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities) | ||
- [Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities (talosintelligence.com)](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/) | ||
- [Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) | ||
|
||
#### Previous WASOC advisories related to Cisco IOS XE Vulnerabilities: | ||
- [Cisco IOS and IOS XE HTTP WebUI](./20231018001-Cisco-IOS-XE-HTTP-WebUI.md) | ||
- [Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability](./20231011004-Cisco-IOS-Software-Out-of-Bounds-Write-Vulnerability.md) |
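Review bot: this advisory drops the `## What has been observed?` section that the other advisories in the commit carry, which matters here because the Talos reference under Additional References reports active exploitation; add the section and state the WA Government observation status explicitly. Grammar in the Overview: "Exploiting these vulnerabilities allow actors to create privileged accounts that provides" should read "allows ... that provide", and "execute privilege commands" under CVE-2023-20198 should be "privileged commands". The Cisco advisory link is repeated under both Recommendation and Additional References, and the "Previous WASOC advisories" heading jumps from `##` to `####`.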
...dates-address-out-of-bounds-write-and-information-disclosure-vulnerabilities.md (37 changes: 37 additions & 0 deletions)
@@ -0,0 +1,37 @@ | ||
# VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities - 20231026001 | ||
|
||
## Overview | ||
|
||
VMware has released updates to address the VMware vCenter Server Out-of-Bounds Write and information disclosure vulnerabilities which would allow threat actors to perform remote code execution and access unauthorised data respectively. | ||
|
||
## What is the vulnerability? | ||
|
||
[**CVE-2023-34048**](https://nvd.nist.gov/vuln/detail/CVE-2023-34048) - CVSS v3 Base Score: ***9.8*** | ||
- This vulnerability allows malicious actor(s) with network access to vCenter Server to perform remote code execution. | ||
|
||
[**CVE-2023-34056**](https://nvd.nist.gov/vuln/detail/CVE-2023-34056) - CVSS v3 Base Score: ***4.3*** | ||
- A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data. | ||
|
||
## What is vulnerable? | ||
|
||
The vulnerability affects the following products: | ||
|
||
- VMware vCenter Server 8.0 | ||
- VMware vCenter Server 7.0 | ||
- VMware Cloud Foundation (VMware vCenter Server) 5.x, 4.x | ||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): | ||
|
||
| Product | Version | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | | ||
|-------------------------------------------------|----------|--------------------------------|----------|-----------|---------------|-------------|--------------------------| | ||
| VMware vCenter Server | 8.0 | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | [8.0U2](https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | | ||
| VMware vCenter Server | 8.0 | CVE-2023-34048 | 9.8 | Critical | [8.0U1d](https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | | ||
| VMware vCenter Server | 7.0 | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | [7.0U3o](https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | | ||
| VMware Cloud Foundation (VMware vCenter Server) | 5.x, 4.x | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | [KB88287](https://kb.vmware.com/s/article/88287) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | | ||
|
||
## Additional References | ||
|
||
- [VMSA-2023-0023 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2023-0023.html) | ||
- [VMware Addresses Multiple Vulnerabilities in vCenter Server (CVE-2023-34048 & CVE-2023-34056) -- Qualys ThreatPROTECT](https://threatprotect.qualys.com/2023/10/25/vmware-addresses-multiple-vulnerabilities-in-vcenter-server-cve-2023-34048-cve-2023-34056/) |
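Review bot: a CVSS 9.8 unauthenticated remote code execution is given the *one month* remediation window while the Roundcube XSS (5.4) in the same commit gets *two weeks*; check this against the patch-management guideline's severity tiers so the timeframe matches the score. Also: `*one month...*` carries a stray ellipsis inside the italics; the Overview uses "unauthorised" while the CVE-2023-34056 bullet uses "unauthorized"; and the `## What has been observed?` section present in the other advisories is missing.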
docs/advisories/20231026002-Mozilla-Releases-Updates-Multiple-Products.md (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
# Mozilla Releases Security Advisories for Multiple Products - 20231026002 | ||
|
||
## Overview | ||
|
||
Mozilla has released security updates to address vulnerabilities in Firefox and Thunderbird. | ||
|
||
## What is vulnerable? | ||
|
||
The vulnerability affects the following products: | ||
|
||
- [Firefox for iOS 119](https://www.mozilla.org/en-US/security/advisories/mfsa2023-48/) | ||
- [Thunderbird 115.4.1](https://www.mozilla.org/en-US/security/advisories/mfsa2023-47/) | ||
- [Firefox ESR 115.4](https://www.mozilla.org/en-US/security/advisories/mfsa2023-46/) | ||
- [Firefox 119](https://www.mozilla.org/en-US/security/advisories/mfsa2023-45/) | ||
|
||
|
||
## What has been observed? | ||
|
||
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. | ||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)) | ||
|
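Review bot: the advisory has no `## What is the vulnerability?` section, so it names no CVE identifiers or severity ratings, and the vendor advisory links are carried only as the product list under "What is vulnerable?"; add the section with the MFSA identifiers (mfsa2023-45 to mfsa2023-48 are already linked) and the highest impact rating Mozilla assigned, since the *one month* window cannot be justified without a severity. The Recommendation sentence ends at the closing parenthesis with no terminating punctuation and, unlike the other advisories, no list of links follows it; the two blank lines before "What has been observed?" should be one.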
...1027001-Roundcube-Webmail-Persistent-Cross-Site-Scripting(XSS)-Vulnerability.md (30 changes: 30 additions & 0 deletions)
@@ -0,0 +1,30 @@ | ||
# Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability - 20231027001 | ||
|
||
## Overview | ||
|
||
The WA SOC has observed vulnerability in Roundcube (a web-based IMAP email client) allowing stored Cross Site Scripting (XSS) via an HTML e-mail message with a crafted Scalable Vector Graphics (SVG) document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. | ||
|
||
## What is the vulnerability? | ||
|
||
[**CVE-2023-5631**](https://nvd.nist.gov/vuln/detail/CVE-2023-5631) - CVSS v3 Base Score: ***5.4*** | ||
|
||
## What is vulnerable? | ||
|
||
The vulnerability affects the following Roundcube products: | ||
|
||
- Webmail versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 | ||
|
||
## What has been observed? | ||
|
||
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. | ||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *two weeks* (refer [Patch Management](../guidelines/patch-management.md)): | ||
|
||
- [Roundcube Security Update 1.6.4](https://roundcube.net/news/2023/10/16/security-update-1.6.4-released) | ||
- [Roundcuber Security Update 1.5.5 and 1.4.15](https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15) | ||
|
||
## Additional References | ||
|
||
- [CISA known Expoited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) |
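Review bot: typos in the links: "Roundcuber Security Update 1.5.5 and 1.4.15" should read "Roundcube", and "CISA known Expoited Vulnerabilities" should read "CISA Known Exploited Vulnerabilities". The KEV reference points at the whole catalog rather than the CVE-2023-5631 entry; link the entry or state in the text that the CVE has been added to KEV, and if that is why a 5.4-scored XSS gets the *two weeks* window, say so under "What has been observed?" rather than leaving the reader to infer it. Overview grammar: "has observed vulnerability" should be "has observed a vulnerability", and "Cross Site Scripting" should be hyphenated to match the title.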
@@ -0,0 +1,40 @@ | ||
# BIG-IP Configuration utility unauthenticated RCE - 20231027003 | ||
|
||
## Overview | ||
|
||
An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses may be able to execute arbitrary system commands due to an authentication bypass vulnerability. | ||
|
||
**F5 have updated their advisory to include indicators of compromise - Please see the Recommendation section for details.** | ||
|
||
## What is the vulnerability? | ||
|
||
[**CVE-2023-46747**](https://nvd.nist.gov/vuln/detail/CVE-2023-46747) - CVSS v3 Base Score: ***9.8*** | ||
|
||
## What is vulnerable? | ||
|
||
The vulnerability affects the following product from F5: | ||
|
||
- BIG-IP | ||
- affected from 17.1.0 | ||
- unaffected from Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso | ||
- affected from 16.1.0 | ||
- unaffected from Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.iso | ||
- affected from 15.1.0 | ||
- unaffected from Hotfix-BIGIP-15.1.10.2.0.44.2-ENG.iso | ||
- affected from 14.1.0 | ||
-unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso | ||
- affected from 13.1.0 | ||
|
||
## What has been observed? | ||
|
||
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. | ||
|
||
## Recommendation | ||
|
||
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 2 weeks (refer [Patch Management](../guidelines/patch-management.md)): | ||
|
||
- [BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747](https://my.f5.com/manage/s/article/K000137353) | ||
|
||
Review your environment for **indicators of compromise**: | ||
|
||
- F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748. For indicators of compromise for CVE-2023-46748, please refer to [K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748](https://my.f5.com/manage/s/article/K000137365). |
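Review bot: the nested bullet `-unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso` is missing the space after the hyphen, so it will not render as a list item; the `13.1.0` branch has no "unaffected from" line, so either add the 13.1 hotfix from the F5 article or state that no fix is yet available for that branch. The bold note in the Overview says the advisory now includes indicators of compromise, but the Recommendation only points to IoCs for CVE-2023-46748, a different CVE; reword to say that F5 has observed CVE-2023-46747 being chained with CVE-2023-46748 and that the published IoCs are for the latter. Minor: "2 weeks" is unformatted where the other advisories use *two weeks*.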