From 278edaebc81a93726b170b31f1eab97c9d81a49b Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 19 Feb 2024 14:25:34 +0800 Subject: [PATCH 01/82] =?UTF-8?q?SolarWinds=20Releases=20Patches=20for=20A?= =?UTF-8?q?ccess=20Rights=C2=A0Manager=20vulnerabilities=20-=2020240219001?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...-Access-Rights-Manager-vulnerabilities .md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md diff --git a/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md b/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md new file mode 100644 index 00000000..cf35ee42 --- /dev/null +++ b/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md 
@@ -0,0 +1,24 @@ +# SolarWinds Releases Patches for Access Rights Manager vulnerabilities - 20240219001 + +## Overview + +SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ------------------- | ------- | ------------ | ---- | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23476](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23476) | **Critical** | 9.6 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23479](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23479) | **Critical** | 9.6 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2023-40057](https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40057) | **Critical** | 9.0 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23478](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23478) | **High** | 8.0 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2**| [CVE-2024-23477](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23477) | **High** | 7.9 | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): +- [SolarWinds Security Vulnerablities](https://www.solarwinds.com/trust-center/security-advisories) +- [ARM 2023.2.3 Release Notes](https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-3_release_notes.htm) +## Additional References + +- [SolarWinds fixes critical RCE bugs in access rights audit solution](https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/) 
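Review bot: the new file's path carries a space before the extension (`...-Access-Rights-Manager-vulnerabilities .md`), which yields an odd URL slug in the rendered docs and will break any relative link that targets this advisory; rename it to `20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities.md` before merging. In the Recommendation paragraph, "within expected timeframe" names no timeframe, while the other advisory in this series (Junos OS, 20240226002) states one; with three Critical, unauthenticated RCE CVEs in the table the expected window should be spelled out here as well. Smaller fixes in the same hunk: the link text `[SolarWinds Security Vulnerablities]` should read `Vulnerabilities`, a blank line is needed before `## Additional References` so the bullet list is closed before the heading, and the CVE-2024-23477 row is missing the space before its pipe (`**2023.2.2**|`).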
From c3843ff9695664484f97a40ef29fac988e9324db Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 19 Feb 2024 06:26:34 +0000 Subject: [PATCH 02/82] Format markdown files --- ...for-Access-Rights-Manager-vulnerabilities .md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md b/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md index cf35ee42..3109f019 100644 --- a/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md +++ b/docs/advisories/20240219001-SolarWinds-Releases-Patches-for-Access-Rights-Manager-vulnerabilities .md 
@@ -6,19 +6,21 @@ SolarWinds has patched five remote code execution (RCE) flaws in its Access Righ ## What is vulnerable? -| Product(s) Affected | Summary | Severity | CVSS | -| ------------------- | ------- | ------------ | ---- | -| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23476](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23476) | **Critical** | 9.6 | -| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23479](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23479) | **Critical** | 9.6 | -| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2023-40057](https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40057) | **Critical** | 9.0 | -| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23478](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23478) | **High** | 8.0 | -| SolarWinds Access Rights Manager (ARM) **2023.2.2**| [CVE-2024-23477](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23477) | **High** | 7.9 | +| Product(s) Affected | Summary | Severity | CVSS | +| --------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------ | ---- | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23476](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23476) | **Critical** | 9.6 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23479](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23479) | **Critical** | 9.6 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2023-40057](https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40057) | **Critical** | 9.0 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23478](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23478) | **High** | 
8.0 | +| SolarWinds Access Rights Manager (ARM) **2023.2.2** | [CVE-2024-23477](https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23477) | **High** | 7.9 | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + - [SolarWinds Security Vulnerablities](https://www.solarwinds.com/trust-center/security-advisories) - [ARM 2023.2.3 Release Notes](https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-3_release_notes.htm) + ## Additional References - [SolarWinds fixes critical RCE bugs in access rights audit solution](https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/) From 8f618ef17c62287cef7ad7c5c3a39dcf532dbc84 Mon Sep 17 00:00:00 2001 
From: GitHub Actions Date: Mon, 19 Feb 2024 08:05:28 +0000 Subject: [PATCH 03/82] Format markdown files --- .../TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md | 4 ++-- .../ADS_forms/S0154-CobaltStrike-NamedPipe.md | 12 ++++++------ .../TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md | 6 +++--- .../ADS_forms/S0357-Impacket-SecretdumpSMB2.md | 6 +++--- .../TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md | 4 ++-- .../ADS_forms/S0650-Qakbot-DefenderExclusions.md | 2 +- .../S0650-Qakbot-Post-compromise-commands.md | 4 ++-- .../ADS_forms/S0650-Qakbot-ProcessExecution.md | 2 +- .../T1003.001-OSCredentialDumping-LSASSMemory.md | 6 +++--- ...003.003-OSCredentialDumping-Exfiltratentds.dit.md | 6 +++--- .../T1003.003-OSCredentialDumping-NTDSusingTools.md | 6 +++--- .../ADS_forms/T1016-Info-stealer-tool-Grixba.md | 4 ++-- ...Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md | 2 +- ...ble-Defender-Functionalities-Via-Registry-Keys.md | 2 +- ...fy-Tools-Potential-PowerShell-Downgrade-Attack.md | 2 +- ...efenses-Removal-Of-AMSI-Provider-Registry-Keys.md | 4 ++-- ...efenses-Disable-Windows-Logging-using-wevtutil.md | 2 +- ...2-Impair-Defenses-Disable-WindowsLoggingMiniNT.md | 2 +- ...Impair-Defenses-DisableWindowsLoggingonEventID.md | 4 ++-- ...-Diamond-Sleet-APT-Process-Activity-Indicators.md | 2 +- 20 files changed, 41 insertions(+), 41 deletions(-) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md index 5e248328..be896b04 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md 
@@ -16,8 +16,8 @@ The query tries to detect suspicious DNS queries known from Cobalt Strike beacon CobaltStrike **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4\ -https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/\ +https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4%5C +https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/%5C https://blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-1/ #### ATT&CK TACTICS
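Review bot: the "Format markdown files" run has rewritten each trailing hard-break backslash into a `%5C` suffix on the URL itself (`...net_dns_mal_cobaltstrike.yml#L4%5C`, `...hunting-and-detecting-cobalt-strike/%5C`); `%5C` is the percent-encoding of `\`, so the formatter parsed the backslash as the last character of the bare URL and encoded it. That both breaks the link (the path or fragment now ends in a literal backslash) and removes the line break the backslash was providing, so the references render run together in one paragraph. The same rewrite is applied in every file touched by this commit, so it should not land as is; instead change the source so the formatter cannot mis-parse the break: wrap each bare URL in angle brackets (`<https://...>\`), turn it into a Markdown link with the break outside the URL, or make the Reference block a bulleted list and drop the trailing backslashes altogether, then re-run the formatter.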
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md index eadd49af..3c102890 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md @@ -13,12 +13,12 @@ CobaltStrike uses named pipes for communication between processes. Default beaco CobaltStrike **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4\ -https://twitter.com/d4rksystem/status/1357010969264873472\ -https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/\ -https://github.com/SigmaHQ/sigma/issues/253\ -https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\ -https://redcanary.com/threat-detection-report/threats/cobalt-strike/\ +https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4%5C +https://twitter.com/d4rksystem/status/1357010969264873472%5C +https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/%5C +https://github.com/SigmaHQ/sigma/issues/253%5C +https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/%5C +https://redcanary.com/threat-detection-report/threats/cobalt-strike/%5C https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md index 9e1040bb..0a9db308 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md @@ -12,9 +12,9 @@ Actor may use Impacket’s wmiexec, which redirects output to a file within the Volt Typhoon activity **Reference:**\ -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ -https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\ -https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C +https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/%5C +https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a%5C https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21 #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md index 70f4dbe3..6808e263 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md @@ -12,9 +12,9 @@ Actor may use Impacket’s wmiexec, which redirects output to a file within the Volt Typhoon activity **Reference:**\ -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ -https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\ -https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C +https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/%5C +https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a%5C https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md index 30efb0ca..e3346cf9 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md @@ -22,9 +22,9 @@ Detects the use of Adfind. AdFind continues to be seen across majority of breach Common tool **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\ +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml%5C https://github.com/SigmaHQ/sigma/blob/b9c0dd661eac6b6efdb47f7cfcbb20b5a5c169da/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml -https://thedfirreport.com/2020/05/08/adfind-recon/\ +https://thedfirreport.com/2020/05/08/adfind-recon/%5C https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ #### ATT&CK TACTICS
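Review bot: in this hunk the second URL (`...proc_creation_win_renamed_adfind.yml`) had no trailing `\` either before or after the change, so even once the `%5C` suffixes on the other two lines are reverted the `renamed_adfind` Sigma link and the `thedfirreport.com/2020/05/08/adfind-recon/` link will still render as a single line; add the break there (or convert the four references to bullets) when fixing the encoding problem.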
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md index 086d53e4..b53c4238 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md @@ -13,7 +13,7 @@ Qbot used reg.exe to add Defender folder exceptions for folders within AppData a Malware **Reference**\ -https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4\ +https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4%5C https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md index a12c1575..f79275d4 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md 
@@ -12,8 +12,8 @@ nslookup -querytype=ALL -timeout=12 \_ldap.\_tcp.dc.\_msdcs.\ Malware **Reference**\ -https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/22cf7b2e0ef909e3f8ba1b39e2a8e897b6f49fb5/Defender%20For%20Endpoint/QakbotPostCompromiseCommandsExecuted.md?plain=1\ -https://github.com/Azure/Azure-Sentinel/blob/2030f55a46b18e9d9723b06557d0653f38e21724/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot/Qakbot%20reconnaissance%20activities.yaml#L2\ +https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/22cf7b2e0ef909e3f8ba1b39e2a8e897b6f49fb5/Defender%20For%20Endpoint/QakbotPostCompromiseCommandsExecuted.md?plain=1%5C +https://github.com/Azure/Azure-Sentinel/blob/2030f55a46b18e9d9723b06557d0653f38e21724/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot/Qakbot%20reconnaissance%20activities.yaml#L2%5C https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md index b1853cad..6e70d466 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md @@ -12,7 +12,7 @@ Detects potential QBot activity by looking for process executions used previousl Malware **Reference**\ -https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4\ +https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4%5C https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md index fb01ec12..d54238ce 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md 
@@ -14,9 +14,9 @@ Volt Typhoon activity ### Reference: -https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\ -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ -https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml\ +https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C +https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml%5C https://docs.microsoft.com/sysinternals/downloads/procdump #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md index d429c74e..52553d75 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md 
@@ -13,9 +13,9 @@ Volt Typhoon activity ### Reference: -https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\ -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ -https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on\ +https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C +https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C https://docs.microsoft.com/sysinternals/downloads/procdump #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md index d8432352..3090170a 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md @@ -13,9 +13,9 @@ Volt Typhoon activity ### Reference: -https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\ -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ -https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on\ +https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C +https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C https://docs.microsoft.com/sysinternals/downloads/procdump #### ATT&CK TACTICS 
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md index 9a43e039..7c5a2546 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md @@ -12,8 +12,8 @@ Imageload log containing file name costura.commandline.dll which is used by Grix Play ransomware **Reference:**\ -https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\ -https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy\ +https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a%5C +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy%5C https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/ #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md index 85f9958a..19977e07 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md @@ -11,7 +11,7 @@ REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "softoz" / common persistance **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22\ +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22%5C https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md index dbc8fad9..1f193af9 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md @@ -13,7 +13,7 @@ Detects when attackers or tools disable Windows Defender functionalities via the Ransomware **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42\ +https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42%5C https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpyware #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md index 9391bfa0..5270a13e 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md @@ -12,7 +12,7 @@ Detects command execution and arguments associated with disabling or modificatio N/A **Reference:** -https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml\ +https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml%5C https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/ #### ATT&CK TACTICS
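Review bot: here `**Reference:**` is followed by a plain newline with no `\`, unlike the other ADS forms in this commit which use `**Reference:**\`; combined with the first URL's hard break now being encoded as `%5C`, the label and both URLs collapse into one rendered paragraph. Restore the break after `**Reference:**` and after the first URL (outside the URL text) so this file matches the others.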
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md index 7680d068..c450a155 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md @@ -14,8 +14,8 @@ Ransomware\ Persistence **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml\ -https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\ +https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml%5C +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md%5C https://seclists.org/fulldisclosure/2020/Mar/45 #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md index 877603b7..bd9a21db 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md 
@@ -12,7 +12,7 @@ wevtutil /e:false // Disables a log Ransomware **Reference:**\ -https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\ +https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/%5C https://github.com/Azure/Azure-Sentinel/blob/c6dce9c3aa4d4b4d02423ac4eb5a6b677a39e432/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md index 7ad48bbb..dd28a074 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md @@ -12,7 +12,7 @@ Detects the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\\SYSTEM\\C N/A **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml\ +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml%5C https://twitter.com/0gtweet/status/1182516740955226112 #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md index 8765d963..d167a49f 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md 
@@ -11,8 +11,8 @@ N/A Log clearing **Reference:**\ -https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4\ +https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/%5C +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4%5C https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Detecting_a_ransomware_attack/Windows_event_log_cleared #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md index d8c8e860..0e027f06 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md @@ -12,7 +12,7 @@ Detects process creation activity indicators related to Diamond Sleet APT Diamond Sleet **Reference:** -https://github.com/SigmaHQ/sigma/blob/7509f6ab6bc32e7bca66fc638363a92dfbf0449d/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml\ +https://github.com/SigmaHQ/sigma/blob/7509f6ab6bc32e7bca66fc638363a92dfbf0449d/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml%5C https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ #### ATT&CK TACTICS
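Review bot: the Diamond Sleet hunk has the same missing break after `**Reference:**` (no trailing `\`) as the PowerShell-downgrade form, and the Sigma URL now carries the `%5C` suffix, so the label and both URLs end up on one line with the first link pointing at a path that ends in a backslash. Fix both here; more generally, every hunk in this commit is the formatter corrupting the same construct, so the commit should be reverted or regenerated after the reference blocks are rewritten, not merged in this form.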
From 1085825db28f4369b086f895481d802aa18ccd3d Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 26 Feb 2024 12:39:48 +0800 Subject: [PATCH 04/82] Junos OS RCE Vulnerability - 20240226002 --- .../20240226002-Junos-OS-RCE-Vulnerability.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md diff --git a/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md b/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md new file mode 100644 index 00000000..e85b1882 --- /dev/null +++ b/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md @@ -0,0 +1,17 @@ +# Junos OS RCE Vulnerability - 20240226002 + +## Overview + +A vulnerability has been discovered in the Junos OS, successful exploitation could allow for remote code execution. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ------------------- | ------- | ------------ | ---- | +| **All versions of Junos OS on SRX Series and EX Series** | [CVE-2024-21591](https://nvd.nist.gov/vuln/detail/CVE-2024-21591) | **Critical** | 9.8 | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Junos OS: SRX Series and EX Series: Security Vulnerability in J-web allows a preAuth Remote Code Execution (CVE-2024-21591)](https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US) \ No newline at end of file From 3a8ebc5c577743626835277f1724e28f966a9730 Mon Sep 17 00:00:00 2001 
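Review bot: the "Product(s) Affected" cell states **All versions of Junos OS on SRX Series and EX Series**, which is inconsistent with the Recommendation to apply the vendor solution: if fixed releases exist, not every version is vulnerable, and readers cannot tell from this table whether their build is affected. Replace the cell with the affected and fixed release ranges from the linked Juniper security bulletin for CVE-2024-21591. Also in this hunk: the Overview is a comma splice ("...discovered in the Junos OS, successful exploitation could allow..."), so split it into two sentences or join with "and"; the timeframe `*one month...*` carries a stray ellipsis; and the file is committed without a trailing newline (`\ No newline at end of file`).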
From: GitHub Actions Date: Mon, 26 Feb 2024 04:40:58 +0000 Subject: [PATCH 05/82] Format markdown files --- docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md b/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md index e85b1882..f03d8730 100644 --- a/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md +++ b/docs/advisories/20240226002-Junos-OS-RCE-Vulnerability.md 
@@ -6,12 +6,12 @@ A vulnerability has been discovered in the Junos OS, successful exploitation cou ## What is vulnerable? -| Product(s) Affected | Summary | Severity | CVSS | -| ------------------- | ------- | ------------ | ---- | -| **All versions of Junos OS on SRX Series and EX Series** | [CVE-2024-21591](https://nvd.nist.gov/vuln/detail/CVE-2024-21591) | **Critical** | 9.8 | +| Product(s) Affected | Summary | Severity | CVSS | +| -------------------------------------------------------- | ----------------------------------------------------------------- | ------------ | ---- | +| **All versions of Junos OS on SRX Series and EX Series** | [CVE-2024-21591](https://nvd.nist.gov/vuln/detail/CVE-2024-21591) | **Critical** | 9.8 | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): -- [Junos OS: SRX Series and EX Series: Security Vulnerability in J-web allows a preAuth Remote Code Execution (CVE-2024-21591)](https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US) \ No newline at end of file +- [Junos OS: SRX Series and EX Series: Security Vulnerability in J-web allows a preAuth Remote Code Execution (CVE-2024-21591)](https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US) From d4b486a57f4f7166e41837d7013eeaea97168f33 Mon Sep 17 00:00:00 2001 
From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 8 Mar 2024 14:05:51 +0800 Subject: [PATCH 06/82] Windows Themes Spoofing Vulnerability - 20240308003 --- ...3-Windows-Themes-Spoofing-Vulnerability.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md diff --git a/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md b/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md new file mode 100644 index 00000000..62091f58 --- /dev/null +++ b/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md @@ -0,0 +1,22 @@ +# Windows Themes Spoofing Vulnerability - 20240308003 + +## Overview + +A spoofing vulnerability has been discoverd in Microsoft Themes. The vulnerability allows a remote attacker to perform spoofing attack. + + + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ------------------- | ------- | ------------ | ---- | +| All Windows versions | [CVE-2024-21320](https://nvd.nist.gov/vuln/detail/CVE-2024-21320) | **Medium** | 6.5 | + + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Windows Themes Spoofing Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21320) + + From 6b07eddc421b3bcac11e239f4abf8e48557cb0a8 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 8 Mar 2024 06:06:50 +0000 Subject: [PATCH 07/82] Format markdown files --- ...240308003-Windows-Themes-Spoofing-Vulnerability.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md b/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md index 62091f58..a1349d20 100644 
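Review bot: `discoverd` in the Overview should be `discovered`, and `perform spoofing attack` needs an article (`perform a spoofing attack`). The Overview also says nothing about what is spoofed or what a user has to do for the attack to succeed; one sentence on the attack vector and impact, taken from the linked MSRC entry, would let readers judge urgency, since a Medium 6.5 rating alone does not. `All Windows versions` in the table should be narrowed to the releases the MSRC page lists as affected, and the runs of blank lines before `## What is vulnerable?` and after the reference list can go.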
--- a/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md +++ b/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md @@ -4,19 +4,14 @@ A spoofing vulnerability has been discoverd in Microsoft Themes. The vulnerability allows a remote attacker to perform spoofing attack. - - ## What is vulnerable? -| Product(s) Affected | Summary | Severity | CVSS | -| ------------------- | ------- | ------------ | ---- | -| All Windows versions | [CVE-2024-21320](https://nvd.nist.gov/vuln/detail/CVE-2024-21320) | **Medium** | 6.5 | - +| Product(s) Affected | Summary | Severity | CVSS | +| -------------------- | ----------------------------------------------------------------- | ---------- | ---- | +| All Windows versions | [CVE-2024-21320](https://nvd.nist.gov/vuln/detail/CVE-2024-21320) | **Medium** | 6.5 | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): - [Windows Themes Spoofing Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21320) - - From a69b437aa7eb8889cf5269e2ae60d587a19bdaa6 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 8 Mar 2024 14:26:46 +0800 Subject: [PATCH 08/82] Windows Themes Spoofing Vulnerability - 20240308003 - edited --- .../20240308003-Windows-Themes-Spoofing-Vulnerability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md b/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md index a1349d20..8946ce80 100644 --- a/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md +++ b/docs/advisories/20240308003-Windows-Themes-Spoofing-Vulnerability.md 
@@ -12,6 +12,6 @@ A spoofing vulnerability has been discoverd in Microsoft Themes. The vulnerabili ## Recommendation -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - [Windows Themes Spoofing Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21320) From ad72a953797ac382e720c8838c1cbca5f3511b08 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 18 Mar 2024 10:54:07 +0800 Subject: [PATCH 09/82] Akamai Kubernetes Vulnerability - 20240318002 --- ...0318002-Akamai-Kubernetes-Vulnerability.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md diff --git a/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md b/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md new file mode 100644 index 00000000..c77b1f47 --- /dev/null +++ b/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md 
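Review bot: dropping `of *one month...*` leaves a clean Recommendation sentence, but the same wording is still present in `20240226002-Junos-OS-RCE-Vulnerability.md` added earlier in this series; apply the same change there so the advisories read consistently.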
@@ -0,0 +1,19 @@ +# Akamai Kubernetes Vulnerability - 20240318002 + +## Overview + +A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | +| --- | -------- | ---- | ------------------- | +| [CVE-2023-5528](https://github.com/kubernetes/kubernetes/issues/121879) | **High** | 8.8 | **kubelet >= v1.8.0 (including all later minor versions)** | + + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [kubernetes](https://github.com/kubernetes/kubernetes/issues/121879) + From 60190b7c9ed511440896803a2b3aa5c8618fe9b3 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 18 Mar 2024 02:55:21 +0000 Subject: [PATCH 10/82] Format markdown files --- .../20240318002-Akamai-Kubernetes-Vulnerability.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md b/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md index c77b1f47..204d3da1 100644 --- a/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md +++ b/docs/advisories/20240318002-Akamai-Kubernetes-Vulnerability.md 
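Review bot: the title `Akamai Kubernetes Vulnerability` is misleading because nothing in the body refers to Akamai; the flaw is in the Kubernetes kubelet on Windows nodes, so the title should name the product (for example `Kubernetes kubelet Privilege Escalation on Windows Nodes`). In the table, `kubelet >= v1.8.0 (including all later minor versions)` names no fixed release, so a reader cannot tell which upgrade closes the issue; add the patched versions from the linked kubernetes issue. The CVE column links to the GitHub issue rather than NVD, unlike the other advisories in this series, and the reference `[kubernetes](...)` should carry the issue title rather than a bare project name.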
@@ -6,14 +6,12 @@ A security issue was discovered in Kubernetes where a user that can create pods ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | -| --- | -------- | ---- | ------------------- | -| [CVE-2023-5528](https://github.com/kubernetes/kubernetes/issues/121879) | **High** | 8.8 | **kubelet >= v1.8.0 (including all later minor versions)** | - +| CVE | Severity | CVSS | Product(s) Affected | +| ----------------------------------------------------------------------- | -------- | ---- | ---------------------------------------------------------- | +| [CVE-2023-5528](https://github.com/kubernetes/kubernetes/issues/121879) | **High** | 8.8 | **kubelet >= v1.8.0 (including all later minor versions)** | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - [kubernetes](https://github.com/kubernetes/kubernetes/issues/121879) - From 0fa90ae45f5170fb7c6c47212fcd868f281d5005 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Wed, 27 Mar 2024 14:46:17 +0800 Subject: [PATCH 11/82] CISA Releases Multiple Critical Infrastructure Related Advisories - 20240327001 --- ...itical-Infrastructure-Related-Advisories.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md diff --git a/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md b/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md new file mode 100644 index 00000000..1a5cbd80 --- /dev/null +++ b/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md 
@@ -0,0 +1,18 @@ +# CISA Releases Multiple Critical Infrastructure Related Advisories - 20240327001 + +## Overview + +CISA has released multiple advisories for Critical Infrastructure related products. + +## What is vulnerable? + +| Industry | Product | Advisory | +| ---------------------------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater | Multiple versions of C-MORE EA9 HMI | [ICSA-24-086-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01) | +| Critical Manufacturing | PowerFlex 527: Versions v2.001.x and later | [ICSA-24-086-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02) | +| Food and Agriculture, Healthcare and Public Health, Critical Manufacturing, Transportation Systems | Arena Simulation Software: version 16.00 | [ICSA-24-086-03](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03) | +| Critical Manufacturing | FactoryTalk View ME: prior to v14 | [ICSA-24-086-04](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04) | + +## Recommendation + +The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices. From 0b4714395d3144962622bda47217a07fb242b43f Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 27 Mar 2024 06:47:28 +0000 Subject: [PATCH 12/82] Format markdown files --- ...ple-Critical-Infrastructure-Related-Advisories.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md b/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md index 1a5cbd80..d8734288 100644 
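Review bot: unlike the other advisories in this series, the table has no Severity or CVSS column and the Recommendation does not link the patch-management guideline; adding both (the linked ICSA entries state CVSS scores) would let readers prioritise the four ICS advisories the same way as the rest. Also `Critical Infrastructure related` should be hyphenated (`Critical Infrastructure-related`) in the title and Overview.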
--- a/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md +++ b/docs/advisories/20240327001-CISA-Releases-Multiple-Critical-Infrastructure-Related-Advisories.md 
@@ -6,12 +6,12 @@ CISA has released multiple advisories for Critical Infrastructure related produc ## What is vulnerable? -| Industry | Product | Advisory | -| ---------------------------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater | Multiple versions of C-MORE EA9 HMI | [ICSA-24-086-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01) | -| Critical Manufacturing | PowerFlex 527: Versions v2.001.x and later | [ICSA-24-086-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02) | -| Food and Agriculture, Healthcare and Public Health, Critical Manufacturing, Transportation Systems | Arena Simulation Software: version 16.00 | [ICSA-24-086-03](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03) | -| Critical Manufacturing | FactoryTalk View ME: prior to v14 | [ICSA-24-086-04](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04) | +| Industry | Product | Advisory | +| -------------------------------------------------------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------------------------------- | +| Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater | Multiple versions of C-MORE EA9 HMI | [ICSA-24-086-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01) | +| Critical Manufacturing | PowerFlex 527: Versions v2.001.x and later | [ICSA-24-086-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02) | +| Food and Agriculture, Healthcare and Public Health, Critical Manufacturing, Transportation Systems | Arena Simulation Software: version 16.00 | [ICSA-24-086-03](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03) | +| 
Critical Manufacturing | FactoryTalk View ME: prior to v14 | [ICSA-24-086-04](https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04) | ## Recommendation From e61faa25e4c35a37b507066fdf1ecd10a76475f3 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 8 Apr 2024 13:59:55 +0800 Subject: [PATCH 13/82] PGAdmin Remote Code Execution Vulnerability - 20240408001 --- ...min-Remote-Code-Execution-Vulnerability.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md diff --git a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md new file mode 100644 index 00000000..c9654a00 --- /dev/null +++ b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md @@ -0,0 +1,22 @@ +# PGAdmin Remote Code Execution Vulnerability - 20240408001 + +## Overview + +The vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to both the database management system's integrity and the security of the underlying data. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-3116]() | **High** | 7.4 | **pgAdmin <= 8.4** | | | + + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe.* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Remote Code Execution Vulnerability in PGAdmin](https://github.com/pgadmin-org/pgadmin4/issues/7326) + +## Additional References + +- [CVE-2024-3116 – Remote Code Execution Vulnerability in pgAdmin]() From b26ffaa2c045f062ca0b3c41f7feebdfb3c6597b Mon Sep 17 00:00:00 2001 
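Review bot: `[CVE-2024-3116]()` in the table and `[CVE-2024-3116 – Remote Code Execution Vulnerability in pgAdmin]()` under Additional References have empty link targets and will render as dead links; supply the URLs or drop the link syntax. The table also declares `Summary` and `Dated` columns that are left empty, and the Recommendation has a stray asterisk in `within expected timeframe.*`. The Overview opens with `The vulnerability allows attackers...` before any vulnerability has been introduced; name the affected component and whether an attacker needs an account, information a reader otherwise has to pull from the linked pgadmin4 issue. `PGAdmin` should be `pgAdmin`, as the table cell already has it.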
From: GitHub Actions Date: Mon, 8 Apr 2024 06:01:17 +0000 Subject: [PATCH 14/82] Format markdown files --- ...001-PGAdmin-Remote-Code-Execution-Vulnerability.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md index c9654a00..38db6a7d 100644 --- a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md +++ b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md @@ -6,17 +6,16 @@ The vulnerability allows attackers to execute arbitrary code on the server hosti ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ------ | ------------ | ---- | ------------------- | ------- | ----- | -| [CVE-2024-3116]() | **High** | 7.4 | **pgAdmin <= 8.4** | | | - +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| --------------------------------------------------------------- | -------- | ---- | ------------------- | ------- | ----- | +| [CVE-2024-3116](https://nvd.nist.gov/vuln/detail/CVE-2024-3116) | **High** | 7.4 | **pgAdmin \<= 8.4** | | | ## Recommendation -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe.* (refer [Patch Management](../guidelines/patch-management.md)): +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe.\* (refer [Patch Management](../guidelines/patch-management.md)): - [Remote Code Execution Vulnerability in PGAdmin](https://github.com/pgadmin-org/pgadmin4/issues/7326) ## Additional References -- [CVE-2024-3116 – Remote Code Execution Vulnerability in pgAdmin]() +- [CVE-2024-3116 – Remote Code Execution Vulnerability in pgAdmin](https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/) 
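Review bot: the two link targets added here (`https://nvd.nist.gov/vuln/detail/CVE-2024-3116` and the `ayoubmokhtar.com` write-up) are content changes that should come from the advisory author in their own commit, not under an automated `Format markdown files` commit where a reviewer does not expect to vet third-party references. The escaped `\<=` in `pgAdmin \<= 8.4` and `.\*` in the Recommendation show the formatter escaping characters that were accidental in the first place; remove the stray asterisk rather than escaping it.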
From d01dc78662ef0056515a374a9316fc75f13bdb90 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 8 Apr 2024 17:02:46 +0800 Subject: [PATCH 15/82] Update 20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md FIxing tables --- ...240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md index 38db6a7d..df012668 100644 --- a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md +++ b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md @@ -6,9 +6,9 @@ The vulnerability allows attackers to execute arbitrary code on the server hosti ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| --------------------------------------------------------------- | -------- | ---- | ------------------- | ------- | ----- | -| [CVE-2024-3116](https://nvd.nist.gov/vuln/detail/CVE-2024-3116) | **High** | 7.4 | **pgAdmin \<= 8.4** | | | +| CVE | Severity | CVSS | Product(s) Affected | +| --------------------------------------------------------------- | -------- | ---- | ------------------- | +| [CVE-2024-3116](https://nvd.nist.gov/vuln/detail/CVE-2024-3116) | **High** | 7.4 | **pgAdmin \<= 8.4** | ## Recommendation From d4849d93e59211aa809fd7d74d2ce271795d91c7 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 8 Apr 2024 09:04:20 +0000 Subject: [PATCH 16/82] Format markdown files --- .../20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md index df012668..808cb36b 100644 
--- a/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md +++ b/docs/advisories/20240408001-PGAdmin-Remote-Code-Execution-Vulnerability.md @@ -6,7 +6,7 @@ The vulnerability allows attackers to execute arbitrary code on the server hosti ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | +| CVE | Severity | CVSS | Product(s) Affected | | --------------------------------------------------------------- | -------- | ---- | ------------------- | | [CVE-2024-3116](https://nvd.nist.gov/vuln/detail/CVE-2024-3116) | **High** | 7.4 | **pgAdmin \<= 8.4** | From 1d093d3e3a45fdc338f71cd1ad0c5e2d3f2e63b3 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 15 Apr 2024 14:09:58 +0800 Subject: [PATCH 17/82] Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 --- ...y-added-to-CISA-Known-Exploited-Catalog.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md new file mode 100644 index 00000000..21633b3f --- /dev/null +++ b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md 
@@ -0,0 +1,33 @@ +# Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 + +## Overview + +Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| ---------------------- | ------------------------------------------------------------------------------- | -------------------------------- | ---- | +| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | + +## What has been observed? + +CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) +- [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") + +- [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") + +- [PAN-OS 10.2.9-h1 Addressed Issues 
(paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") + +### Additional Resources + +- [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) +- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") + +- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") From fe1b80e7814b7912c1cc9ee17a4315250aa2998c Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 15 Apr 2024 06:11:23 +0000 Subject: [PATCH 18/82] Format markdown files --- ...bility-added-to-CISA-Known-Exploited-Catalog.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md index 21633b3f..174320db 100644 --- a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md +++ b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md 
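Review bot: `### Additional Resources` uses a third-level heading and a different title from the `## Additional References` section the other advisories in this series use; keep the level and name consistent. Each reference link repeats its URL as a markdown title attribute (`"https://docs.paloaltonetworks.com/..."`), which adds nothing but a duplicate tooltip; drop the title text. The blank lines between some list items and not others will render as a mixed loose/tight list. On content, the Recommendation links three hotfix release-note pages but the table never states the fixed versions; adding `10.2.9-h1`, `11.0.4-h1` and `11.1.2-h3` beside the affected versions lets a reader check a device without following three links.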
@@ -6,19 +6,20 @@ Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vul ## What is vulnerable? -| Product(s) Affected | CVE | Severity | CVSS | -| ---------------------- | ------------------------------------------------------------------------------- | -------------------------------- | ---- | -| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | +| Product(s) Affected | CVE | Severity | CVSS | +| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | +| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | ## What has been observed? -CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. +CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. 
## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) + - [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") - [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") 
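Review bot: the blank line inserted after the first Recommendation item makes the list uniformly loose, but the cleaner fix is to remove the blank lines the author placed between the remaining items so the whole list renders tight, as the reference lists in the other advisories do; the same applies to the Additional Resources list in the following hunk.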
@@ -28,6 +29,7 @@ The WA SOC recommends administrators apply the solutions as per vendor instructi ### Additional Resources - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) -- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") -- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") +- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") + +- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") From 7baaae69747f843e6e97080022ab645196bf3c10 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 15 Apr 2024 14:32:18 +0800 Subject: [PATCH 19/82] Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 --- ...y-added-to-CISA-Known-Exploited-Catalog.md | 68 +++++++++---------- 1 file changed, 33 insertions(+), 35 deletions(-) 
diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md index 174320db..980cb3cf 100644 --- a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md +++ b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md 
@@ -1,35 +1,33 @@ -# Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 - -## Overview - -Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. - -## What is vulnerable? - -| Product(s) Affected | CVE | Severity | CVSS | -| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | -| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | - -## What has been observed? - -CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. - -## Recommendation - -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - -- [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) - -- [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") - -- [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") - -- [PAN-OS 10.2.9-h1 Addressed Issues 
(paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") - -### Additional Resources - -- [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) - -- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") - -- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") +# Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 + +## Overview + +Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| ---------------------- | ------------------------------------------------------------------------------- | -------------------------------- | ---- | +| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | + +## What has been observed? + +CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. 
+ +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) +- [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") + +- [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") + +- [PAN-OS 10.2.9-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") + +### Additional Resources + +- [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) +- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") + +- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ 
"https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") From c00daeff8f44df60337acc1ef99696a126b8532e Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 15 Apr 2024 06:33:46 +0000 Subject: [PATCH 20/82] Format markdown files --- ...y-added-to-CISA-Known-Exploited-Catalog.md | 68 ++++++++++--------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md index 980cb3cf..174320db 100644 --- a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md +++ b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md 
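Review bot: In the @@ -1,35 +1,33 @@ hunk above, the rewritten separator row (`| ---------------------- | ------...`) no longer matches the header widths, and the recommendation list now mixes items with and without a blank line between them (the first two bullets are adjacent, the rest are separated); both are exactly what the repository's markdown formatter normalises, so run it locally before committing hand edits or the next automated commit will rewrite this file again. The title attribute on every link simply repeats its own URL in quotes and adds nothing; drop it from the three release-note links and the Unit42 and Volexity references. "CISA added this vulnerability in their ... catalog" should read "added this vulnerability to their ... catalog".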
@@ -1,33 +1,35 @@ -# Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 - -## Overview - -Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. - -## What is vulnerable? - -| Product(s) Affected | CVE | Severity | CVSS | -| ---------------------- | ------------------------------------------------------------------------------- | -------------------------------- | ---- | -| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | - -## What has been observed? - -CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. - -## Recommendation - -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - -- [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) -- [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") - -- [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") - -- [PAN-OS 10.2.9-h1 Addressed Issues 
(paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") - -### Additional Resources - -- [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) -- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") - -- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") +# Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 + +## Overview + +Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | +| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | + +## What has been observed? + +CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. 
+ +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) + +- [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") + +- [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") + +- [PAN-OS 10.2.9-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") + +### Additional Resources + +- [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) + +- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") + +- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ 
"https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") From 5a1258f4beff1c278a8775803aff54cfeee54668 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 15 Apr 2024 14:51:06 +0800 Subject: [PATCH 21/82] Update 20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md Added older versions updates and Zero day notes --- ...y-added-to-CISA-Known-Exploited-Catalog.md | 37 ++++++++++++++++--- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md index 174320db..b1faead0 100644 --- a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md +++ b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md 
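Review bot: The index line 980cb3cf..174320db in the `diff --git` header above is the exact inverse of the previous commit's 174320db..980cb3cf, so the @@ -1,33 +1,35 @@ hunk only restores the blob the prior hand edit had replaced; the two commits cancel out and should be squashed, and the formatter should run as a pre-commit step so the pair does not recur on every advisory.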
@@ -2,22 +2,23 @@ ## Overview -Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. +Palo Alto Networks PAN-OS GlobalProtect contains a **Zero-day** command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. ## What is vulnerable? -| Product(s) Affected | CVE | Severity | CVSS | -| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | -| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | +| Product(s) Affected | CVE | Severity | CVSS | Exploitable | +| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | -----| +| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | Yes ## What has been observed? -CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. +This **Zero-day** has been added to the CISA [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. 
## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + - [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) - [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") @@ -26,6 +27,32 @@ The WA SOC recommends administrators apply the solutions as per vendor instructi - [PAN-OS 10.2.9-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") +Hot Fixes for older versions of affetced PAN-OS services will be released with the following Timeline: + +PAN-OS 10.2: +- 10.2.9-h1 (Released 4/14/24) +- 10.2.8-h3 (ETA: 4/15/24) +- 10.2.7-h8 (ETA: 4/15/24) +- 10.2.6-h3 (ETA: 4/15/24) +- 10.2.5-h6 (ETA: 4/16/24) +- 10.2.3-h13 (ETA: 4/17/24) +- 10.2.1-h2 (ETA: 4/17/24) +- 10.2.2-h5 (ETA: 4/18/24) +- 10.2.0-h3 (ETA: 4/18/24) +- 10.2.4-h16 (ETA: 4/19/24) + +PAN-OS 11.0: +- 11.0.4-h1 (Released 4/14/24) +- 11.0.3-h10 (ETA: 4/15/24) +- 11.0.2-h4 (ETA: 4/16/24) +- 11.0.1-h4 (ETA: 4/17/24) +- 11.0.0-h3 (ETA: 4/18/24) + +PAN-OS 11.1: +- 11.1.2-h3 (Released 4/14/24) +- 11.1.1-h1 (ETA: 4/16/24) +- 11.1.0-h3 (ETA: 4/17/24) + ### Additional Resources - [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) From 5f3fe635bcd4fe5491a0d46f8fadfaac3619be76 Mon Sep 17 00:00:00 2001 
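Review bot: In the @@ -2,22 +2,23 @@ hunk above, the new table row ending `| 10 | Yes` is missing its closing `|` and the new separator cell `-----|` is narrower than the `Exploitable` header, so the row may not render as part of the table; close the row with ` |` and pad the separator to match. The blank `+` line inserted between the recommendation sentence and the list is unnecessary and will be stripped by the formatter. Bolding "Zero-day" in both paragraphs is fine, but the observation paragraph is the place to say plainly that the flaw is being exploited in the wild, since that is what a KEV listing means and is the reason the Exploitable column reads Yes.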
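Review bot: In the @@ -26,6 +27,32 @@ hunk above, the hotfix timeline uses US-style dates (`Released 4/14/24`, `ETA: 4/15/24`) that readers of a Western Australian advisory will read as day/month; write them as ISO 8601 (2024-04-14) to match the date prefix already used in the advisory number 20240415001. "affetced" should be "affected", and "Hot Fixes ... Timeline" needs no capitals. Because the ETAs are vendor estimates that will go stale, cite the Palo Alto advisory as the source of this list and date the snapshot, so readers check the vendor page rather than trusting the list as published. The entries are ordered by ETA rather than by version (10.2.1-h2 precedes 10.2.2-h5, 10.2.4-h16 is last); either say so or sort by version so an administrator can find their release quickly.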
From: GitHub Actions Date: Mon, 15 Apr 2024 06:52:23 +0000 Subject: [PATCH 22/82] Format markdown files --- ...Vulnerability-added-to-CISA-Known-Exploited-Catalog.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md index b1faead0..ce5b6d0f 100644 --- a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md +++ b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md @@ -7,8 +7,8 @@ Palo Alto Networks PAN-OS GlobalProtect contains a **Zero-day** command injectio ## What is vulnerable? | Product(s) Affected | CVE | Severity | CVSS | Exploitable | -| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | -----| -| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | Yes +| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | ----------- | +| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | Yes | ## What has been observed? 
@@ -18,7 +18,6 @@ This **Zero-day** has been added to the CISA [Known Exploited Vulnerabilities](h The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - - [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) - [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") @@ -30,6 +29,7 @@ The WA SOC recommends administrators apply the solutions as per vendor instructi Hot Fixes for older versions of affetced PAN-OS services will be released with the following Timeline: PAN-OS 10.2: + - 10.2.9-h1 (Released 4/14/24) - 10.2.8-h3 (ETA: 4/15/24) - 10.2.7-h8 (ETA: 4/15/24) @@ -42,6 +42,7 @@ PAN-OS 10.2: - 10.2.4-h16 (ETA: 4/19/24) PAN-OS 11.0: + - 11.0.4-h1 (Released 4/14/24) - 11.0.3-h10 (ETA: 4/15/24) - 11.0.2-h4 (ETA: 4/16/24) @@ -49,6 +50,7 @@ PAN-OS 11.0: - 11.0.0-h3 (ETA: 4/18/24) PAN-OS 11.1: + - 11.1.2-h3 (Released 4/14/24) - 11.1.1-h1 (ETA: 4/16/24) - 11.1.0-h3 (ETA: 4/17/24) From 80309c73e9171037de7d08894c5a19dd24f68735 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 18 Apr 2024 13:04:17 +0800 Subject: [PATCH 23/82] Google Chrome Multiple RCE Vulnerabilities - 20240418002 --- ...gle-Chrome-Multiple-RCE-Vulnerabilities.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md 
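Review bot: In the @@ -30,6 +29,7 @@ hunk above, the context line "Hot Fixes for older versions of affetced PAN-OS services" still carries the "affetced" typo; the formatter only inserts the blank line before the list and cannot fix wording, so the typo needs a follow-up content commit. The remaining hunks in this commit (table separator widened and the row closed with `|`, blank `+` line removed, blank lines added before the three version lists) are the expected formatter output and need no change.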
diff --git a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md new file mode 100644 index 00000000..93b26ab3 --- /dev/null +++ b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md @@ -0,0 +1,21 @@ +# Google Chrome Multiple RCE Vulnerabilities - 20240418002 + +## Overview + +Multiple vulnerabilities have been discovered in Google Chrome, which could allow for remote code execution. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the logged on user. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-1673](https://nvd.nist.gov/vuln/detail/CVE-2024-1673) | **Critical** | 9.8 | **Chrome versions prior to 124.0.6367.60/.61 for Wins & Mac and 124.0.6367.60 for Linux** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [Chrome Releases](https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html) + +## Additional References + +- [Multiple Vulnerabilities in Google Chrome Could Allow for Remote Code Execution](https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-remote-code-execution_2024-040) From a3ee4fea653f102783c0404e50605353296cf62a Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 18 Apr 2024 05:04:57 +0000 Subject: [PATCH 24/82] Format markdown docs --- .../20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
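Review bot: In the @@ -0,0 +1,21 @@ hunk above, the title and Overview announce multiple RCE vulnerabilities but the table lists only CVE-2024-1673; either add the remaining CVEs from the linked Chrome release post or retitle the advisory to match its content. The two Overview sentences both say "could allow for remote code execution"; collapse them into one sentence that states the impact once (code execution in the context of the logged-on user). In the Product(s) Affected cell write "Windows and macOS" rather than "Wins & Mac", and drop the empty Summary and Dated columns instead of shipping blank cells; the separator row is also narrower than the header, so the formatter will rewrite it on the next run.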
diff --git a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md index 93b26ab3..94917945 100644 --- a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md +++ b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md @@ -6,8 +6,8 @@ Multiple vulnerabilities have been discovered in Google Chrome, which could allo ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| --------------------------------------------------------------- | ------------ | ---- | ----------------------------------------------------------------------------------------- | ------- | ----- | | [CVE-2024-1673](https://nvd.nist.gov/vuln/detail/CVE-2024-1673) | **Critical** | 9.8 | **Chrome versions prior to 124.0.6367.60/.61 for Wins & Mac and 124.0.6367.60 for Linux** | | | ## Recommendation From ee2dff09891f10a28ca78876ad86bc5cfdb6c705 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 18 Apr 2024 13:18:11 +0800 Subject: [PATCH 25/82] Remove duplicate 20240415001-PaloAlto --- ...y-added-to-CISA-Known-Exploited-Catalog.md | 64 ------------------- 1 file changed, 64 deletions(-) delete mode 100644 docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md diff --git a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md b/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md deleted file mode 100644 index ce5b6d0f..00000000 
--- a/docs/advisories/20240415001-PaloAlto-Networks-PAN-OS-Command-Injection-Vulnerability-added-to-CISA-Known-Exploited-Catalog.md +++ /dev/null 
@@ -1,64 +0,0 @@ -# Palo Alto Networks PAN-OS Command Injection Vulnerability added to CISA Known Exploited Catalog - 20240415001 - -## Overview - -Palo Alto Networks PAN-OS GlobalProtect contains a **Zero-day** command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. - -## What is vulnerable? - -| Product(s) Affected | CVE | Severity | CVSS | Exploitable | -| ----------------------------------------------------- | --------------------------------------------------------------- | ------------ | ---- | ----------- | -| **PAN-OS 10.2**, **PAN-OS 11.0**, and **PAN-OS 11.1** | [CVE-2024-3400](https://nvd.nist.gov/vuln/detail/CVE-2024-3400) | **Critical** | 10 | Yes | - -## What has been observed? - -This **Zero-day** has been added to the CISA [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. - -## Recommendation - -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - -- [Palo Alto Networks Security Advisories-CVE-2024-3400](https://security.paloaltonetworks.com/CVE-2024-3400) - -- [PAN-OS 11.0.4-h1 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-release-notes/pan-os-11-0-4-known-and-addressed-issues/pan-os-11-0-4-h1-addressed-issues") - -- [PAN-OS 11.1.2-h3 Addressed Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues "https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/pan-os-11-1-2-known-and-addressed-issues/pan-os-11-1-2-h3-addressed-issues") - -- [PAN-OS 10.2.9-h1 Addressed 
Issues (paloaltonetworks.com)](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues "https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-9-known-and-addressed-issues/pan-os-10-2-9-h1-addressed-issues") - -Hot Fixes for older versions of affetced PAN-OS services will be released with the following Timeline: - -PAN-OS 10.2: - -- 10.2.9-h1 (Released 4/14/24) -- 10.2.8-h3 (ETA: 4/15/24) -- 10.2.7-h8 (ETA: 4/15/24) -- 10.2.6-h3 (ETA: 4/15/24) -- 10.2.5-h6 (ETA: 4/16/24) -- 10.2.3-h13 (ETA: 4/17/24) -- 10.2.1-h2 (ETA: 4/17/24) -- 10.2.2-h5 (ETA: 4/18/24) -- 10.2.0-h3 (ETA: 4/18/24) -- 10.2.4-h16 (ETA: 4/19/24) - -PAN-OS 11.0: - -- 11.0.4-h1 (Released 4/14/24) -- 11.0.3-h10 (ETA: 4/15/24) -- 11.0.2-h4 (ETA: 4/16/24) -- 11.0.1-h4 (ETA: 4/17/24) -- 11.0.0-h3 (ETA: 4/18/24) - -PAN-OS 11.1: - -- 11.1.2-h3 (Released 4/14/24) -- 11.1.1-h1 (ETA: 4/16/24) -- 11.1.0-h3 (ETA: 4/17/24) - -### Additional Resources - -- [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) - -- [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400](https://unit42.paloaltonetworks.com/cve-2024-3400/ "https://unit42.paloaltonetworks.com/cve-2024-3400/") - -- [Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/") From 1b02629f02914a83931ba043a06ccf188209cdd4 Mon Sep 17 00:00:00 2001 
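Review bot: The @@ -1,64 +0,0 @@ hunk above removes the only copy of the CVE-2024-3400 advisory visible in this series, including the Exploitable column and the 10.2/11.0/11.1 hotfix timeline added in 5a1258f; the commit message calls it a duplicate, but nothing in the diff shows which file is retained. Before merging, confirm that the surviving 20240415001 file carries the same content (zero-day wording, Exploitable column, hotfix timeline), otherwise those additions are lost; a diff of the two files in the PR description, or a `git mv` instead of a delete, would make this verifiable.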
From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 19 Apr 2024 07:32:35 +0800 Subject: [PATCH 26/82] Update 20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md Reviewed and Approved --- ...0240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md index 94917945..95dfa50b 100644 --- a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md +++ b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md @@ -6,9 +6,9 @@ Multiple vulnerabilities have been discovered in Google Chrome, which could allo ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| --------------------------------------------------------------- | ------------ | ---- | ----------------------------------------------------------------------------------------- | ------- | ----- | -| [CVE-2024-1673](https://nvd.nist.gov/vuln/detail/CVE-2024-1673) | **Critical** | 9.8 | **Chrome versions prior to 124.0.6367.60/.61 for Wins & Mac and 124.0.6367.60 for Linux** | | | +| CVE | Severity | CVSS | Product(s) Affected | +| --------------------------------------------------------------- | ------------ | ---- | ----------------------------------------------------------------------------------------- | +| [CVE-2024-1673](https://nvd.nist.gov/vuln/detail/CVE-2024-1673) | **Critical** | 9.8 | **Chrome versions prior to 124.0.6367.60/.61 for Wins & Mac and 124.0.6367.60 for Linux** | ## Recommendation From dc6cd3da0ece892ea4859b3bbf3a17bed76f106d Mon Sep 17 00:00:00 2001 
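Review bot: In the @@ -6,9 +6,9 @@ hunk above, the new header row's cells are shorter than the separator row beneath it, so the automated formatter will rewrite this table again in the next commit; run it locally before pushing. Dropping the empty Summary and Dated columns is the right call; "Wins & Mac" in the retained row should still become "Windows and macOS", and the title's "Multiple" is still unsupported by a single-CVE table.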
From: DGovEnterprise Date: Thu, 18 Apr 2024 23:33:15 +0000 Subject: [PATCH 27/82] Format markdown docs --- .../20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md index 95dfa50b..60dd0d1b 100644 --- a/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md +++ b/docs/advisories/20240418002-Google-Chrome-Multiple-RCE-Vulnerabilities.md @@ -6,8 +6,8 @@ Multiple vulnerabilities have been discovered in Google Chrome, which could allo ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | -| --------------------------------------------------------------- | ------------ | ---- | ----------------------------------------------------------------------------------------- | +| CVE | Severity | CVSS | Product(s) Affected | +| --------------------------------------------------------------- | ------------ | ---- | ----------------------------------------------------------------------------------------- | | [CVE-2024-1673](https://nvd.nist.gov/vuln/detail/CVE-2024-1673) | **Critical** | 9.8 | **Chrome versions prior to 124.0.6367.60/.61 for Wins & Mac and 124.0.6367.60 for Linux** | ## Recommendation From c4c283c0e03cb7cf1de73f4c908cb3cffa6198bb Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 19 Apr 2024 14:43:52 +0800 Subject: [PATCH 28/82] Libreswan Popular VPN Software Vulnerability - 20240419004 --- ...reswan-Popular-VPN-Software-Vulnerability.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md 
diff --git a/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md new file mode 100644 index 00000000..e77b7ed3 --- /dev/null +++ b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md @@ -0,0 +1,17 @@ +# Libreswan Popular VPN Software Vulnerability - 20240419004 + +## Overview + +The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-3652](https://nvd.nist.gov/vuln/detail/CVE-2024-3652) | **High** | 7.5 | **Libreswan 3.22 - 4.14** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://libreswan.org/security/CVE-2024-3652/ \ No newline at end of file From 06cb0041a74616d05fe2902dd11376b418880191 Mon Sep 17 00:00:00 2001 From: LSerki Date: Fri, 19 Apr 2024 06:44:39 +0000 Subject: [PATCH 29/82] Format markdown docs --- ...40419004-Libreswan-Popular-VPN-Software-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md index e77b7ed3..7ef56323 100644 --- a/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md +++ b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md 
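Review bot: In the @@ -0,0 +1,17 @@ hunk above, the recommendation is a bare URL with no fixed version named, while every other advisory in this series uses a `[title](url)` link; take the fixed release from the linked libreswan.org page and format the link consistently. The Overview describes a crash-and-restart (denial of service) triggered when an IKEv1 peer requests AES-GMAC and no `esp=` line is configured, so the title "Popular VPN Software Vulnerability" should say "Denial of Service", and `esp=` belongs in code formatting. The Overview also implies a workaround worth stating explicitly once confirmed against the vendor page: configuring an explicit `esp=` proposal avoids the default proposal handler that asserts. The Summary and Dated columns are empty and the file lacks a trailing newline (`\ No newline at end of file`).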
@@ -6,12 +6,12 @@ The Libreswan Project was notified of an issue causing libreswan to restart when ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| --------------------------------------------------------------- | -------- | ---- | ------------------------- | ------- | ----- | | [CVE-2024-3652](https://nvd.nist.gov/vuln/detail/CVE-2024-3652) | **High** | 7.5 | **Libreswan 3.22 - 4.14** | | | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): -- https://libreswan.org/security/CVE-2024-3652/ \ No newline at end of file +- https://libreswan.org/security/CVE-2024-3652/ From b74d3dce420598945ef3582aa78848cfa278dced Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 19 Apr 2024 15:35:17 +0800 Subject: [PATCH 30/82] Update 20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md Fix table --- ...40419004-Libreswan-Popular-VPN-Software-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md index 7ef56323..370724b2 100644 --- a/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md +++ b/docs/advisories/20240419004-Libreswan-Popular-VPN-Software-Vulnerability.md 
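Review bot: this formatting pass only pads the header separators of the two empty "Summary" and "Dated" columns instead of dropping them, which is what the following manual "Fix table" commit has to do by hand. The same pattern repeats for every advisory in this series (the formatter widens the empty columns, then a second human commit removes them); remove the two columns from the advisory template so new files do not need the second commit.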
@@ -6,9 +6,9 @@ The Libreswan Project was notified of an issue causing libreswan to restart when ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| --------------------------------------------------------------- | -------- | ---- | ------------------------- | ------- | ----- | -| [CVE-2024-3652](https://nvd.nist.gov/vuln/detail/CVE-2024-3652) | **High** | 7.5 | **Libreswan 3.22 - 4.14** | | | +| CVE | Severity | CVSS | Product(s) Affected | +| --------------------------------------------------------------- | -------- | ---- | ------------------------- | +| [CVE-2024-3652](https://nvd.nist.gov/vuln/detail/CVE-2024-3652) | **High** | 7.5 | **Libreswan 3.22 - 4.14** | ## Recommendation From 91507bb84f0c1faad92d8a22d30e17c34a5b0406 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 22 Apr 2024 12:14:54 +0800 Subject: [PATCH 31/82] Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability - 20240422002 --- ...d-Security-Feature-Bypass-Vulnerability.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md diff --git a/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md b/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md new file mode 100644 index 00000000..a610af84 --- /dev/null +++ b/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md 
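Review bot: with the empty columns gone the table is clean, but the only version information left is the affected range "Libreswan 3.22 - 4.14"; add the fixed release (the linked libreswan advisory states it) either as a "Fixed in" column or in the Recommendation line, otherwise the reader still has to leave the page to learn what to upgrade to.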
@@ -0,0 +1,21 @@ +# Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability - 20240422002 + +## Overview + +Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-29991](https://nvd.nist.gov/vuln/detail/CVE-2024-29991) | **Medium** | 5.0 | **versions before 124.0.2478.51** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29991 + +## Additional References + +- reference and URL link From 05d1d36b839876a5051e8c8a07bb8d4eee367c7e Mon Sep 17 00:00:00 2001 From: LSerki Date: Mon, 22 Apr 2024 04:15:37 +0000 Subject: [PATCH 32/82] Format markdown docs --- ...ge-Chromium-based-Security-Feature-Bypass-Vulnerability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md b/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md index a610af84..66995c39 100644 --- a/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md +++ b/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md 
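Review bot: the Overview of this new file is just the title repeated ("Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.") and tells the reader nothing about what is bypassed or how it is triggered; summarise the MSRC description (at least the attack vector and whether user interaction is required) so the Medium/5.0 rating can be understood. The Product(s) Affected cell reads "versions before 124.0.2478.51" with no product named; make it "Microsoft Edge (Chromium-based) versions before 124.0.2478.51". The "Additional References" section still contains the template placeholder "- reference and URL link", which must be filled in or the section removed before this is published.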
@@ -6,8 +6,8 @@ Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ----------------------------------------------------------------- | ---------- | ---- | --------------------------------- | ------- | ----- | | [CVE-2024-29991](https://nvd.nist.gov/vuln/detail/CVE-2024-29991) | **Medium** | 5.0 | **versions before 124.0.2478.51** | | | ## Recommendation From 242230157649ebec71642d4400f3dd82705a44b4 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 22 Apr 2024 15:21:44 +0800 Subject: [PATCH 33/82] Update 20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md fix tables --- ...-Chromium-based-Security-Feature-Bypass-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md b/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md index 66995c39..534583cc 100644 --- a/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md +++ b/docs/advisories/20240422002-Microsoft-Edge-Chromium-based-Security-Feature-Bypass-Vulnerability.md 
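Review bot: this automated pass touches only the table and leaves the "- reference and URL link" placeholder under "Additional References" in the same file untouched; a formatting bot will never catch that, so the content check for placeholder text needs to happen before the file is committed.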
@@ -6,9 +6,9 @@ Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ----------------------------------------------------------------- | ---------- | ---- | --------------------------------- | ------- | ----- | -| [CVE-2024-29991](https://nvd.nist.gov/vuln/detail/CVE-2024-29991) | **Medium** | 5.0 | **versions before 124.0.2478.51** | | | +| CVE | Severity | CVSS | Product(s) Affected | +| ----------------------------------------------------------------- | ---------- | ---- | --------------------------------- | +| [CVE-2024-29991](https://nvd.nist.gov/vuln/detail/CVE-2024-29991) | **Medium** | 5.0 | **versions before 124.0.2478.51** | ## Recommendation From b9c34fdd73071f1a0f3f5074e24b649dff3fb1ed Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 29 Apr 2024 14:29:38 +0800 Subject: [PATCH 34/82] Windows Kernel Elevation of Privilege Vulnerability - 20240429001 --- ...rnel-Elevation-of-Privilege-Vulnerability.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md diff --git a/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md new file mode 100644 index 00000000..525084dd --- /dev/null +++ b/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md 
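Review bot: the "fix tables" hunk removes the empty columns but the Product(s) Affected cell still names no product ("versions before 124.0.2478.51"), and the "- reference and URL link" placeholder in the "Additional References" section of this file survives this commit as well; both should be fixed in the same change since it is already editing the file.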
@@ -0,0 +1,17 @@ +# Windows Kernel Elevation of Privilege Vulnerability - 20240429001 + +## Overview + +The Windows Kernel Elevation of Privilege vulnerability allows authenticated attackers to escalate privileges to the SYSTEM level, granting them full control over affected systems. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-21345](https://nvd.nist.gov/vuln/detail/CVE-2024-21345) | **High** | 8.8 | **Windows Server 2022, 23H2 Edition** (Server Core installation) | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21345 \ No newline at end of file From ba4f5086d8ef7b6ad8674426558f1b9404a9c721 Mon Sep 17 00:00:00 2001 From: LSerki Date: Mon, 29 Apr 2024 06:30:25 +0000 Subject: [PATCH 35/82] Format markdown docs --- ...1-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md index 525084dd..fdddc2a1 100644 --- a/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md +++ b/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md 
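Review bot: the Product(s) Affected cell lists a single SKU, "Windows Server 2022, 23H2 Edition (Server Core installation)", for a Windows kernel elevation of privilege; check the affected-software list on the linked MSRC page, which for a kernel CVE normally spans multiple Windows client and server releases, and either list them all or say "see MSRC for the full list" rather than implying only one SKU is affected. The Overview says "authenticated attackers"; an 8.8 local EoP is better described as a local, low-privileged attacker gaining SYSTEM, which also makes clear that no network exposure is needed. Same template leftovers as the other files: empty "Summary"/"Dated" columns and no trailing newline.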
@@ -6,12 +6,12 @@ The Windows Kernel Elevation of Privilege vulnerability allows authenticated at ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ----------------------------------------------------------------- | -------- | ---- | ---------------------------------------------------------------- | ------- | ----- | | [CVE-2024-21345](https://nvd.nist.gov/vuln/detail/CVE-2024-21345) | **High** | 8.8 | **Windows Server 2022, 23H2 Edition** (Server Core installation) | | | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21345 \ No newline at end of file +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21345 From 1a57d233609c0acd547abaadcd00924df59fad68 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 29 Apr 2024 15:41:37 +0800 Subject: [PATCH 36/82] Update 20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md fixing table --- ...1-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md index fdddc2a1..5d2b2fee 100644 --- a/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md +++ b/docs/advisories/20240429001-Windows-Kernel-Elevation-of-Privilege-Vulnerability.md 
@@ -6,9 +6,9 @@ The Windows Kernel Elevation of Privilege vulnerability allows authenticated at ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ----------------------------------------------------------------- | -------- | ---- | ---------------------------------------------------------------- | ------- | ----- | -| [CVE-2024-21345](https://nvd.nist.gov/vuln/detail/CVE-2024-21345) | **High** | 8.8 | **Windows Server 2022, 23H2 Edition** (Server Core installation) | | | +| CVE | Severity | CVSS | Product(s) Affected | +| ----------------------------------------------------------------- | -------- | ---- | ---------------------------------------------------------------- | +| [CVE-2024-21345](https://nvd.nist.gov/vuln/detail/CVE-2024-21345) | **High** | 8.8 | **Windows Server 2022, 23H2 Edition** (Server Core installation) | ## Recommendation From 5249611ffb85b0be14738efdc0429a4c0a729309 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 3 May 2024 14:17:35 +0800 Subject: [PATCH 37/82] Acrobat Reader Vulnerability - 20240503003 --- .../20240503003-Acrobat-Reader-Vulnerability.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md diff --git a/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md b/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md new file mode 100644 index 00000000..d61c2e84 --- /dev/null +++ b/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md 
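Review bot: after the table fix the affected-product cell is unchanged and still names only the Server 2022 23H2 Server Core SKU; the scope question raised on the file creation (confirm the full MSRC affected list) is still open and should be resolved before this advisory is relied on for patch prioritisation.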
@@ -0,0 +1,17 @@ +# Acrobat Reader Vulnerability - 20240503003 + +## Overview + +Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-30305](https://www.tenable.com/cve/CVE-2024-30305) | **High** | 7.8 | **versions 20.005.30539, 23.008.20470 and earlier** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://helpx.adobe.com/security/products/acrobat/apsb24-07.html \ No newline at end of file From 786af2ab401d0b9af03e98b8fcfd1bfd58f59100 Mon Sep 17 00:00:00 2001 From: LSerki Date: Fri, 3 May 2024 06:18:28 +0000 Subject: [PATCH 38/82] Format markdown docs --- docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md b/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md index d61c2e84..0f27dff5 100644 --- a/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md +++ b/docs/advisories/20240503003-Acrobat-Reader-Vulnerability.md 
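Review bot: the CVE link in this new file points at tenable.com while every other advisory in the series links NVD or cve.org; use the same primary source for consistency. The Product(s) Affected cell reads "versions 20.005.30539, 23.008.20470 and earlier" with no product named, and the two version numbers belong to different Acrobat release tracks; name the product and the track each number applies to, as the linked APSB24-07 bulletin does, so an administrator can match it to an installed build. The Overview is the verbatim NVD description; at minimum add that the fix is the update referenced in APSB24-07. Empty "Summary"/"Dated" columns and missing trailing newline again.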
@@ -6,12 +6,12 @@ Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ------ | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ------------------------------------------------------------ | -------- | ---- | --------------------------------------------------- | ------- | ----- | | [CVE-2024-30305](https://www.tenable.com/cve/CVE-2024-30305) | **High** | 7.8 | **versions 20.005.30539, 23.008.20470 and earlier** | | | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): -- https://helpx.adobe.com/security/products/acrobat/apsb24-07.html \ No newline at end of file +- https://helpx.adobe.com/security/products/acrobat/apsb24-07.html From 845995209069d169ca8597671b3763dbc67a9e49 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 9 May 2024 12:55:43 +0800 Subject: [PATCH 39/82] Google Chrome Arbitrary Code Execution Multiple Vulnerabilities - 20240509001 --- ...-Code-Execution-Multiple-Vulnerabilities.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md diff --git a/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md b/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md new file mode 100644 index 00000000..4cbcfec5 --- /dev/null +++ b/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md 
@@ -0,0 +1,18 @@ +# Google Chrome Arbitrary Code Execution Multiple Vulnerabilities - 20240509001 + +## Overview + +Use after free in ANGLE and Heap buffer overflow in WebAudio in Google Chrome prior to 124.0.6367.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-4558](https://nvd.nist.gov/vuln/detail/CVE-2024-4558) | **High** | 8.8 | **versions prior to 124.0.6367.155** | | | +| [CVE-2024-4559](https://nvd.nist.gov/vuln/detail/CVE-2024-4559) | **High** | 8.8 | **versions prior to 124.0.6367.155** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html \ No newline at end of file From 81958ce60417b1f6334cfbaa34e8b7aed8afce71 Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 9 May 2024 04:56:31 +0000 Subject: [PATCH 40/82] Format markdown docs --- ...ome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md b/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md index 4cbcfec5..b0556d18 100644 --- a/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md +++ b/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md 
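Review bot: the two table rows are identical apart from the CVE identifier, and the Overview folds both bugs into one sentence ("Use after free in ANGLE and Heap buffer overflow in WebAudio"), so the reader cannot tell which CVE is the ANGLE use-after-free and which is the WebAudio heap overflow; put the component in the row (the Chrome release post linked in the Recommendation maps each CVE to its component). The Product(s) Affected cell should also name the product: "Google Chrome versions prior to 124.0.6367.155". Missing trailing newline and empty template columns as in the other files.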
@@ -6,8 +6,8 @@ Use after free in ANGLE and Heap buffer overflow in WebAudio in Google Chrome pr ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| --------------------------------------------------------------- | -------- | ---- | ------------------------------------ | ------- | ----- | | [CVE-2024-4558](https://nvd.nist.gov/vuln/detail/CVE-2024-4558) | **High** | 8.8 | **versions prior to 124.0.6367.155** | | | | [CVE-2024-4559](https://nvd.nist.gov/vuln/detail/CVE-2024-4559) | **High** | 8.8 | **versions prior to 124.0.6367.155** | | | @@ -15,4 +15,4 @@ Use after free in ANGLE and Heap buffer overflow in WebAudio in Google Chrome pr The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): -- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html \ No newline at end of file +- https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html From 4d6816b11e095a99bbe704273d2d8580df485000 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 10 May 2024 14:48:06 +0800 Subject: [PATCH 41/82] Update 20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md Fix table --- ...e-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md b/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md index b0556d18..4cbe5cba 100644 --- a/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md 
+++ b/docs/advisories/20240509001-Google-Chrome-Arbitrary-Code-Execution-Multiple-Vulnerabilities.md @@ -6,10 +6,10 @@ Use after free in ANGLE and Heap buffer overflow in WebAudio in Google Chrome pr ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| --------------------------------------------------------------- | -------- | ---- | ------------------------------------ | ------- | ----- | -| [CVE-2024-4558](https://nvd.nist.gov/vuln/detail/CVE-2024-4558) | **High** | 8.8 | **versions prior to 124.0.6367.155** | | | -| [CVE-2024-4559](https://nvd.nist.gov/vuln/detail/CVE-2024-4559) | **High** | 8.8 | **versions prior to 124.0.6367.155** | | | +| CVE | Severity | CVSS | Product(s) Affected | +| --------------------------------------------------------------- | -------- | ---- | ------------------------------------ | +| [CVE-2024-4558](https://nvd.nist.gov/vuln/detail/CVE-2024-4558) | **High** | 8.8 | **versions prior to 124.0.6367.155** | +| [CVE-2024-4559](https://nvd.nist.gov/vuln/detail/CVE-2024-4559) | **High** | 8.8 | **versions prior to 124.0.6367.155** | ## Recommendation From e049466f5d50c595ba9e16bc4d2e142980a98560 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 13 May 2024 12:22:42 +0800 Subject: [PATCH 42/82] Microsoft Edge (Chromium-based) Spoofing Vulnerability - 20240513003 --- ...dge-Chromium-based-Spoofing-Vulnerability.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md diff --git a/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md b/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md new file mode 100644 index 00000000..1f9fc450 --- /dev/null +++ b/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md 
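Review bot: with the empty columns removed the two rows are now fully identical except for the CVE number, so the table carries less information than the Overview above it; use the freed space to add a "Summary" value per row (ANGLE use-after-free vs WebAudio heap buffer overflow) rather than dropping the column entirely.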
@@ -0,0 +1,17 @@ +# Microsoft Edge (Chromium-based) Spoofing Vulnerability - 20240513003 + +## Overview + +Microsoft Edge (Chromium-based) Spoofing Vulnerability. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-30055](https://www.cve.org/CVERecord?id=CVE-2024-30055) | **High** | 7.5 | **versions before 124.0.2478.97** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30055 From 38241bb01630a87c7b26ac0a67a85233db6b1284 Mon Sep 17 00:00:00 2001 From: LSerki Date: Mon, 13 May 2024 04:23:37 +0000 Subject: [PATCH 43/82] Format markdown docs --- ...03-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md b/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md index 1f9fc450..96cb67b6 100644 --- a/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md +++ b/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md 
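Review bot: as with the earlier Edge advisory, the Overview merely repeats the title ("Microsoft Edge (Chromium-based) Spoofing Vulnerability.") and gives no idea what is spoofed (UI, origin, URL bar) or what user interaction is needed for a 7.5 rating; summarise the MSRC description. The CVE link goes to cve.org while the other Edge advisory links NVD, and the MSRC URL uses the "/en-US/advisory/" path where the others use "/update-guide/vulnerability/"; pick one form of each. Product(s) Affected should read "Microsoft Edge (Chromium-based) versions before 124.0.2478.97".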
@@ -6,8 +6,8 @@ Microsoft Edge (Chromium-based) Spoofing Vulnerability. ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ----------------------------------------------------------------- | -------- | ---- | --------------------------------- | ------- | ----- | | [CVE-2024-30055](https://www.cve.org/CVERecord?id=CVE-2024-30055) | **High** | 7.5 | **versions before 124.0.2478.97** | | | ## Recommendation From 4c9da385b9ae790fdd6ebbb6fc642e43285de28f Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 13 May 2024 13:33:59 +0800 Subject: [PATCH 44/82] Update 20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md Fix table --- ...-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md b/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md index 96cb67b6..93663324 100644 --- a/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md +++ b/docs/advisories/20240513003-Microsoft-Edge-Chromium-based-Spoofing-Vulnerability.md 
@@ -6,9 +6,9 @@ Microsoft Edge (Chromium-based) Spoofing Vulnerability. ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ----------------------------------------------------------------- | -------- | ---- | --------------------------------- | ------- | ----- | -| [CVE-2024-30055](https://www.cve.org/CVERecord?id=CVE-2024-30055) | **High** | 7.5 | **versions before 124.0.2478.97** | | | +| CVE | Severity | CVSS | Product(s) Affected | +| ----------------------------------------------------------------- | -------- | ---- | --------------------------------- | +| [CVE-2024-30055](https://www.cve.org/CVERecord?id=CVE-2024-30055) | **High** | 7.5 | **versions before 124.0.2478.97** | ## Recommendation From 632727d165253ab1361a974736121dd60128622c Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 16 May 2024 13:54:16 +0800 Subject: [PATCH 45/82] Cacti Command Injection and XSS Vulnerabilities - 20240516004 --- ...mmand-Injection-and-XSS-Vulnerabilities.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md diff --git a/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md b/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md new file mode 100644 index 00000000..1b68837c --- /dev/null +++ b/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md 
@@ -0,0 +1,26 @@ +# Cacti Command Injection and XSS Vulnerabilities - 20240516004 + +## Overview + +Cacti, an operational monitoring and fault management framework, has recently released a crucial security update to address two significant vulnerabilities that could leave systems exposed to malicious attacks. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-29895](https://nvd.nist.gov/vuln/detail/CVE-2024-29895) | **Critical** | 10 | **versions before 1.3.x DEV** | | | +| [CVE-2024-30268](https://nvd.nist.gov/vuln/detail/CVE-2024-30268) | **Medium** | 6.1 | **versions before 1.3.x DEV** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m +- https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc +- https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d +- https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119 +- https://github.com/Cacti/cacti/security/advisories/GHSA-9m3v-whmr-pc2q +- https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e +- https://github.com/Cacti/cacti/blob/08497b8bcc6a6037f7b1aae303ad8f7dfaf7364e/settings.php#L66 + + From 60042ed7d6e707cae31e020fcf53275c6663b7db Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 16 May 2024 05:54:55 +0000 Subject: [PATCH 46/82] Format markdown docs --- ...-Cacti-Command-Injection-and-XSS-Vulnerabilities.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
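Review bot: "versions before 1.3.x DEV" is not a version range; a DEV branch is not a release that other versions come "before", and as written it could be read as "all 1.2.x releases are affected". The two GHSA advisories linked in the Recommendation state which branch is affected and what the fixed release is; quote that wording in the table and name the product ("Cacti ..."). The Overview reads like press copy ("crucial security update", "leave systems exposed to malicious attacks") and never says what the two issues are; replace it with one sentence each: CVE-2024-29895 is an unauthenticated command injection via `cmd_realtime.php` (Critical, 10.0) and CVE-2024-30268 is a cross-site scripting issue in `settings.php` (Medium, 6.1). Write the CVSS as "10.0" to match the one-decimal convention used elsewhere. The Recommendation list mixes remediation with code pointers: the three `github.com/.../blob/...#L119` and `#L66` links point at the vulnerable source lines and belong under "Additional References", and where two commits are listed for one CVE, say which one is the fix that shipped. Two trailing blank lines at the end of the file.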
diff --git a/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md b/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md index 1b68837c..84b33957 100644 --- a/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md +++ b/docs/advisories/20240516004-Cacti-Command-Injection-and-XSS-Vulnerabilities.md @@ -6,10 +6,10 @@ Cacti, an operational monitoring and fault management framework, has recently re ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ---- | ------------ | ---- | ------------------- | ------- | ----- | -| [CVE-2024-29895](https://nvd.nist.gov/vuln/detail/CVE-2024-29895) | **Critical** | 10 | **versions before 1.3.x DEV** | | | -| [CVE-2024-30268](https://nvd.nist.gov/vuln/detail/CVE-2024-30268) | **Medium** | 6.1 | **versions before 1.3.x DEV** | | | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ----------------------------------------------------------------- | ------------ | ---- | ----------------------------- | ------- | ----- | +| [CVE-2024-29895](https://nvd.nist.gov/vuln/detail/CVE-2024-29895) | **Critical** | 10 | **versions before 1.3.x DEV** | | | +| [CVE-2024-30268](https://nvd.nist.gov/vuln/detail/CVE-2024-30268) | **Medium** | 6.1 | **versions before 1.3.x DEV** | | | ## Recommendation @@ -22,5 +22,3 @@ The WA SOC recommends administrators apply the solutions as per vendor instructi - https://github.com/Cacti/cacti/security/advisories/GHSA-9m3v-whmr-pc2q - https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e - https://github.com/Cacti/cacti/blob/08497b8bcc6a6037f7b1aae303ad8f7dfaf7364e/settings.php#L66 - - From 25fa89240deb81e87a095724309fe5bc0187e524 Mon Sep 17 00:00:00 2001 
From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 23 May 2024 10:22:24 +0800 Subject: [PATCH 47/82] Ivanti EPMM Vulnerability - 20240523002 --- docs/advisories/Advisory-vulnerability.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/advisories/Advisory-vulnerability.md diff --git a/docs/advisories/Advisory-vulnerability.md b/docs/advisories/Advisory-vulnerability.md new file mode 100644 index 00000000..59d7390d --- /dev/null +++ b/docs/advisories/Advisory-vulnerability.md @@ -0,0 +1,18 @@ +# Ivanti EPMM Vulnerability - 20240523002 + +## Overview + +A local privilege escalation vulnerability in EPMM before 12.1.0.0 allows an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-22026](https://nvd.nist.gov/vuln/detail/CVE-2024-22026) | **Medium** | 6.7 | **EPMM before 12.1.0.0** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://forums.ivanti.com/s/article/Security-Advisory-EPMM-May-2024?language=en_US +- https://help.ivanti.com/mi/help/en_us/core/12.x/rn/CoreConnectorReleaseNotes/IvantiEPMM_rn_12.x.pdf \ No newline at end of file From 4af6c3edad254483518b93ea3bfb512d58ded225 Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 23 May 2024 02:23:08 +0000 Subject: [PATCH 48/82] Format markdown docs --- docs/advisories/Advisory-vulnerability.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/Advisory-vulnerability.md b/docs/advisories/Advisory-vulnerability.md index 59d7390d..1834e3cf 100644 --- a/docs/advisories/Advisory-vulnerability.md 
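Review bot: the new file is created as `docs/advisories/Advisory-vulnerability.md`, which is the template's own name, while the subject line and the H1 carry the advisory number 20240523002; every other advisory in this series uses the `YYYYMMDDNNN-Title.md` naming, so this file should be created as `20240523002-Ivanti-EPMM-Vulnerability.md` from the start rather than renamed in follow-up commits. The Overview also names the product only by its acronym; spell out "Ivanti Endpoint Manager Mobile (EPMM)" once. Empty "Summary"/"Dated" columns and a missing trailing newline as in the other new files.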
+++ b/docs/advisories/Advisory-vulnerability.md @@ -6,8 +6,8 @@ A local privilege escalation vulnerability in EPMM before 12.1.0.0 allows an aut ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ----------------------------------------------------------------- | ---------- | ---- | ------------------------ | ------- | ----- | | [CVE-2024-22026](https://nvd.nist.gov/vuln/detail/CVE-2024-22026) | **Medium** | 6.7 | **EPMM before 12.1.0.0** | | | ## Recommendation @@ -15,4 +15,4 @@ A local privilege escalation vulnerability in EPMM before 12.1.0.0 allows an aut The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - https://forums.ivanti.com/s/article/Security-Advisory-EPMM-May-2024?language=en_US -- https://help.ivanti.com/mi/help/en_us/core/12.x/rn/CoreConnectorReleaseNotes/IvantiEPMM_rn_12.x.pdf \ No newline at end of file +- https://help.ivanti.com/mi/help/en_us/core/12.x/rn/CoreConnectorReleaseNotes/IvantiEPMM_rn_12.x.pdf From f64eac7a6fd05381ad9b0ac5e6b63c5aaf8341e6 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 23 May 2024 12:13:35 +0800 Subject: [PATCH 49/82] Ivanti EPMM Vulnerability - 20240523002 --- ...-vulnerability.md => 20240523002-Ivanti EPMM Vulnerability.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/advisories/{Advisory-vulnerability.md => 20240523002-Ivanti EPMM Vulnerability.md} (100%) diff --git a/docs/advisories/Advisory-vulnerability.md b/docs/advisories/20240523002-Ivanti EPMM Vulnerability.md similarity index 100% rename from docs/advisories/Advisory-vulnerability.md rename to docs/advisories/20240523002-Ivanti EPMM Vulnerability.md 
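Review bot: the rename in `[PATCH 49/82]` lands on `docs/advisories/20240523002-Ivanti EPMM Vulnerability.md`, a filename with spaces that breaks the hyphenated convention and needs URL-encoding wherever it is linked; rename straight to the hyphenated form rather than in two steps. The `[PATCH 48/82]` hunk before it only widens the separator row and restores the missing final newline, which is fine as a formatter commit.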
From 4e97572c89bb8afad9f802793efd3834ce9ee908 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 23 May 2024 12:17:23 +0800 Subject: [PATCH 50/82] Ivanti EPMM Vulnerability - 20240523002 --- ... Vulnerability.md => 20240523002-Ivanti-EPMM-Vulnerability.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/advisories/{20240523002-Ivanti EPMM Vulnerability.md => 20240523002-Ivanti-EPMM-Vulnerability.md} (100%) diff --git a/docs/advisories/20240523002-Ivanti EPMM Vulnerability.md b/docs/advisories/20240523002-Ivanti-EPMM-Vulnerability.md similarity index 100% rename from docs/advisories/20240523002-Ivanti EPMM Vulnerability.md rename to docs/advisories/20240523002-Ivanti-EPMM-Vulnerability.md From d1cccd76a82eb368bdcfc002f2de1277e1052511 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Mon, 27 May 2024 14:32:50 +0800 Subject: [PATCH 51/82] Ivanti Endpoint Manager GetRulesetsSQL SQL Injection RCE Vulnerability - 20240527003 --- ...lesetsSQL-SQL-Injection-RCE-Vulnerability.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md diff --git a/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md b/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md new file mode 100644 index 00000000..1c201ce7 --- /dev/null +++ b/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md 
@@ -0,0 +1,17 @@ +# Ivanti Endpoint Manager GetRulesetsSQL SQL Injection RCE Vulnerability - 20240527003 + +## Overview + +An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. + +## What is vulnerable? + +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| [CVE-2024-29828](https://nvd.nist.gov/vuln/detail/CVE-2024-29828) | **High** | 8.4 | **Ivanti EPM 2022 SU5 and prior** | | | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [KB Security Advisory EPM May 2024](https://forums.ivanti.com/s/article/KB-Security-Advisory-EPM-May-2024?language=en_US) From 5c2db64f87f5602c3b20fd245b1f45ed3d98df1f Mon Sep 17 00:00:00 2001 From: LSerki Date: Mon, 27 May 2024 06:33:31 +0000 Subject: [PATCH 52/82] Format markdown docs --- ...-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md b/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md index 1c201ce7..bc594654 100644 --- a/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md +++ b/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md 
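Review bot: the Overview in the `@@ -0,0 +1,17 @@` hunk calls the flaw an 'unspecified SQL Injection vulnerability in Core server' while the H1 and filename attribute it to `GetRulesetsSQL`, so the two should be reconciled (if the component is known, the Overview should say so; if not, the title should not name it). The `Summary` and `Dated` columns are again left empty; the Overview's own qualifier, that exploitation needs an authenticated attacker on the same network, is exactly what belongs in Summary, since it is what administrators use to prioritise the 8.4 score against internet-facing issues.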
@@ -6,8 +6,8 @@ An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 ## What is vulnerable? -| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | -| ---- | ------------ | ---- | ------------------- | ------- | ----- | +| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated | +| ----------------------------------------------------------------- | -------- | ---- | --------------------------------- | ------- | ----- | | [CVE-2024-29828](https://nvd.nist.gov/vuln/detail/CVE-2024-29828) | **High** | 8.4 | **Ivanti EPM 2022 SU5 and prior** | | | ## Recommendation From 1569b9f8c4d63db7325b05306eb72edc8d53b0f9 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 27 May 2024 14:57:33 +0800 Subject: [PATCH 53/82] Update 20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md Reduce size of title --- ...nt-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md b/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md index bc594654..5bf461d4 100644 --- a/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md +++ b/docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md @@ -1,4 +1,4 @@ -# Ivanti Endpoint Manager GetRulesetsSQL SQL Injection RCE Vulnerability - 20240527003 +# Ivanti Endpoint Manager SQL Injection RCE Vulnerability - 20240527003 ## Overview From 0ee91368c5f33a1fc66c4ba3455acd7db23ddc53 Mon Sep 17 00:00:00 2001 
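Review bot: `[PATCH 53/82]` shortens the H1 to `# Ivanti Endpoint Manager SQL Injection RCE Vulnerability - 20240527003` but leaves the file at `docs/advisories/20240527003-Ivanti-Endpoint-Manager-GetRulesetsSQL-SQL-Injection-RCE-Vulnerability.md`, so title and filename now disagree and the advisory index will show one name while the page shows another; rename the file in the same commit or keep the original H1. The `[PATCH 52/82]` format hunk above it is separator-width only and needs no change.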
From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Wed, 26 Jun 2024 12:56:12 +0800 Subject: [PATCH 54/82] WordPress Plugin Vulnerabilities - 20240626003 --- ...40626003-WordPress-Plugin-Vulnerabilities.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md diff --git a/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md b/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md new file mode 100644 index 00000000..856cf5f2 --- /dev/null +++ b/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md @@ -0,0 +1,17 @@ +# WordPress Plugin Vulnerabilities - 20240626003 + +## Overview + +Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. + +## What is vulnerable? + +| Products Affected. | CVE | CVSS | Severity | +| ------------------- | ----------------------------------------------------------------- | ---- | ------------ | +| **[List of Affected Products](https://www.cve.org/CVERecord?id=CVE-2024-6297)** | [CVE-2024-6297](https://www.cve.org/CVERecord?id=CVE-2024-6297) | 10 | **Critical** | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://www.wordfence.com/threat-intel/vulnerabilities/detail/several-wordpressorg-plugins-various-versions-injected-backdoor \ No newline at end of file From 1348d134a2d70cf9c22353ab93d1662f71f6e7bb Mon Sep 17 00:00:00 2001 
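Review bot: the `What is vulnerable?` table in this hunk sends the `Products Affected.` cell to the CVE record instead of naming the compromised plugins and versions, so readers cannot match the advisory against their own installs without leaving the page; list the plugin names and affected versions (the linked Wordfence page carries them) and drop the stray period in the column header. Because the Overview states that the injected code creates new administrator users and exfiltrates database credentials, the Recommendation should go beyond 'apply the solutions': sites that ran a listed plugin version should be checked for unexpected administrator accounts and should rotate their database credentials. The file is also missing its final newline (`\ No newline at end of file`).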
From: LSerki Date: Wed, 26 Jun 2024 04:56:56 +0000 Subject: [PATCH 55/82] Format markdown docs --- .../20240626003-WordPress-Plugin-Vulnerabilities.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md b/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md index 856cf5f2..1d91b180 100644 --- a/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md +++ b/docs/advisories/20240626003-WordPress-Plugin-Vulnerabilities.md @@ -6,12 +6,12 @@ Several plugins for WordPress hosted on WordPress.org have been compromised and ## What is vulnerable? -| Products Affected. | CVE | CVSS | Severity | -| ------------------- | ----------------------------------------------------------------- | ---- | ------------ | -| **[List of Affected Products](https://www.cve.org/CVERecord?id=CVE-2024-6297)** | [CVE-2024-6297](https://www.cve.org/CVERecord?id=CVE-2024-6297) | 10 | **Critical** | +| Products Affected. | CVE | CVSS | Severity | +| ------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---- | ------------ | +| **[List of Affected Products](https://www.cve.org/CVERecord?id=CVE-2024-6297)** | [CVE-2024-6297](https://www.cve.org/CVERecord?id=CVE-2024-6297) | 10 | **Critical** | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): -- https://www.wordfence.com/threat-intel/vulnerabilities/detail/several-wordpressorg-plugins-various-versions-injected-backdoor \ No newline at end of file +- https://www.wordfence.com/threat-intel/vulnerabilities/detail/several-wordpressorg-plugins-various-versions-injected-backdoor From 21367029266621ae7ce07f7c40fc37e6ee1ba7ef Mon Sep 17 00:00:00 2001 
From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 4 Jul 2024 10:36:45 +0800 Subject: [PATCH 56/82] GeoServer Urgent Advisory - 20240704002 --- .../20240704002-GeoServer-Urgent-Advisory.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 docs/advisories/20240704002-GeoServer-Urgent-Advisory.md diff --git a/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md b/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md new file mode 100644 index 00000000..cf0a4468 --- /dev/null +++ b/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md @@ -0,0 +1,20 @@ +# GeoServer Urgent Advisory - 20240704002 + +## Overview + +A severe security flaw has been discovered in GeoServer. This vulnerability could potentially allow attackers to execute arbitrary code on affected servers, putting sensitive mapping and location data at risk. + +## What is vulnerable? + +| Products Affected. | CVE | CVSS | Severity | +| ------------------- | ----------------------------------------------------------------- | ---- | ------------ | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-36401](https://nvd.nist.gov/vuln/detail/CVE-2024-36401) |9.8 | **Critical** | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-24749](https://nvd.nist.gov/vuln/detail/CVE-2024-24749) | 7.5 | **High** | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-34696](https://nvd.nist.gov/vuln/detail/CVE-2024-34696) | 4.9 | **Medium** | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-35230](https://nvd.nist.gov/vuln/detail/CVE-2024-35230) | TBD | **TBD** | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- https://geoserver.org/announcements/vulnerability/2024/06/18/geoserver-2-25-2-released.html \ No newline at end of file 
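Review bot: the `CVE-2024-35230` row carries `TBD` for both CVSS and Severity, and the Overview describes a single arbitrary-code-execution flaw without saying which of the four CVEs it is (the 9.8 Critical CVE-2024-36401 is the obvious candidate, but the text should state it); resolve the placeholders before publishing and name the RCE CVE in the Overview. Also `|9.8 |` in the CVE-2024-36401 row is missing its leading space, and the file ends without a newline, both of which the formatter will flag.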
From 02e2ee903d129aa9c9c1dc7918ed47c1fc38676f Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 4 Jul 2024 02:37:39 +0000 Subject: [PATCH 57/82] Format markdown docs --- .../20240704002-GeoServer-Urgent-Advisory.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md b/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md index cf0a4468..b1900a83 100644 --- a/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md +++ b/docs/advisories/20240704002-GeoServer-Urgent-Advisory.md 
@@ -6,15 +6,15 @@ A severe security flaw has been discovered in GeoServer. This vulnerability coul ## What is vulnerable? -| Products Affected. | CVE | CVSS | Severity | -| ------------------- | ----------------------------------------------------------------- | ---- | ------------ | -| **GeoServer: All versions before 2.25.2** | [CVE-2024-36401](https://nvd.nist.gov/vuln/detail/CVE-2024-36401) |9.8 | **Critical** | -| **GeoServer: All versions before 2.25.2** | [CVE-2024-24749](https://nvd.nist.gov/vuln/detail/CVE-2024-24749) | 7.5 | **High** | -| **GeoServer: All versions before 2.25.2** | [CVE-2024-34696](https://nvd.nist.gov/vuln/detail/CVE-2024-34696) | 4.9 | **Medium** | -| **GeoServer: All versions before 2.25.2** | [CVE-2024-35230](https://nvd.nist.gov/vuln/detail/CVE-2024-35230) | TBD | **TBD** | +| Products Affected. | CVE | CVSS | Severity | +| ----------------------------------------- | ----------------------------------------------------------------- | ---- | ------------ | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-36401](https://nvd.nist.gov/vuln/detail/CVE-2024-36401) | 9.8 | **Critical** | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-24749](https://nvd.nist.gov/vuln/detail/CVE-2024-24749) | 7.5 | **High** | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-34696](https://nvd.nist.gov/vuln/detail/CVE-2024-34696) | 4.9 | **Medium** | +| **GeoServer: All versions before 2.25.2** | [CVE-2024-35230](https://nvd.nist.gov/vuln/detail/CVE-2024-35230) | TBD | **TBD** | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): -- https://geoserver.org/announcements/vulnerability/2024/06/18/geoserver-2-25-2-released.html \ No newline at end of file +- https://geoserver.org/announcements/vulnerability/2024/06/18/geoserver-2-25-2-released.html 
From 7740c9d3b35fa67289698246bfa53caa9509c48d Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 18 Jul 2024 10:28:27 +0800 Subject: [PATCH 58/82] Ivanti Releases New Security Advisories - 20240718004 --- ...Ivanti-Releases-New-Security-Advisories.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md diff --git a/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md b/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md new file mode 100644 index 00000000..74359985 --- /dev/null +++ b/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md @@ -0,0 +1,19 @@ +# Ivanti Releases New Security Advisories - 20240718004 + +## Overview + +Ivanti has issued its July Security Update, which includes fixes for the following solutions: Ivanti Endpoint Manager (EPM), Ivanti Endpoint Manager for Mobile (EPMM) and Ivanti Docs@Work for Android + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | +| Endpoint Manager (EPM) | all supported versions of EPM 2024 | [CVE-2024-37381](https://nvd.nist.gov/vuln/detail/CVE-2024-37381) | 8.4 | High | +| Endpoint Manager for Mobile (EPMM) | all supported versions of EPMM | [CVE-2024-36130](https://nvd.nist.gov/vuln/detail/CVE-2024-36130)
[CVE-2024-36131](https://nvd.nist.gov/vuln/detail/CVE-2024-36131)
[CVE-2024-36132](https://nvd.nist.gov/vuln/detail/CVE-2024-36132)
[CVE-2024-34788](https://nvd.nist.gov/vuln/detail/CVE-2024-34788)| 8.8
8.8
8.2
5.3 | High
High
High
Medium| +| Docs@Work for Android | all versions before 2.26.0 | [CVE-2024-37403](https://nvd.nist.gov/vuln/detail/CVE-2024-37403) | 5.0 | Medium | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [Ivanti July Security Update](https://www.ivanti.com/blog/july-security-update) From dfaf553d16009b599326f83add93783d1d65b260 Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 18 Jul 2024 02:29:12 +0000 Subject: [PATCH 59/82] Format markdown docs --- ...40718004-Ivanti-Releases-New-Security-Advisories.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md b/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md index 74359985..62449e79 100644 --- a/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md +++ b/docs/advisories/20240718004-Ivanti-Releases-New-Security-Advisories.md @@ -6,11 +6,11 @@ Ivanti has issued its July Security Update, which includes fixes for the followi ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | -| Endpoint Manager (EPM) | all supported versions of EPM 2024 | [CVE-2024-37381](https://nvd.nist.gov/vuln/detail/CVE-2024-37381) | 8.4 | High | -| Endpoint Manager for Mobile (EPMM) | all supported versions of EPMM | [CVE-2024-36130](https://nvd.nist.gov/vuln/detail/CVE-2024-36130)
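Review bot: the `Endpoint Manager for Mobile (EPMM)` row packs four CVEs, four CVSS scores and four severities into single cells joined with `
`, which is what forces the separator row to hundreds of dashes and leaves the score-to-CVE pairing positional only; split it into one row per CVE as the other advisories do (by position in the cells: CVE-2024-36130 8.8 High, CVE-2024-36131 8.8 High, CVE-2024-36132 8.2 High, CVE-2024-34788 5.3 Medium). The Overview sentence also lacks its terminating full stop.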
[CVE-2024-36131](https://nvd.nist.gov/vuln/detail/CVE-2024-36131)
[CVE-2024-36132](https://nvd.nist.gov/vuln/detail/CVE-2024-36132)
[CVE-2024-34788](https://nvd.nist.gov/vuln/detail/CVE-2024-34788)| 8.8
8.8
8.2
5.3 | High
High
High
Medium| -| Docs@Work for Android | all versions before 2.26.0 | [CVE-2024-37403](https://nvd.nist.gov/vuln/detail/CVE-2024-37403) | 5.0 | Medium | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ---------------------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ---------------------------------------- | +| Endpoint Manager (EPM) | all supported versions of EPM 2024 | [CVE-2024-37381](https://nvd.nist.gov/vuln/detail/CVE-2024-37381) | 8.4 | High | +| Endpoint Manager for Mobile (EPMM) | all supported versions of EPMM | [CVE-2024-36130](https://nvd.nist.gov/vuln/detail/CVE-2024-36130)
[CVE-2024-36131](https://nvd.nist.gov/vuln/detail/CVE-2024-36131)
[CVE-2024-36132](https://nvd.nist.gov/vuln/detail/CVE-2024-36132)
[CVE-2024-34788](https://nvd.nist.gov/vuln/detail/CVE-2024-34788) | 8.8
8.8
8.2
5.3 | High
High
High
Medium | +| Docs@Work for Android | all versions before 2.26.0 | [CVE-2024-37403](https://nvd.nist.gov/vuln/detail/CVE-2024-37403) | 5.0 | Medium | ## Recommendation From 5837f7c38b4f52d4ee43da5ad37236619933f304 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Wed, 31 Jul 2024 14:58:30 +0800 Subject: [PATCH 60/82] Apple Releases Multiple Product Updates - 20240731004 --- ...Apple-Releases-Multiple-Product-Updates.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md diff --git a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md new file mode 100644 index 00000000..4600a3b2 --- /dev/null +++ b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md 
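Review bot: widening the separators to fit the `
`-joined EPMM cell makes the header row extremely wide without addressing the cause; the row still needs splitting into one CVE per line before the formatter is run again, otherwise every future format pass will reproduce this diff.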
@@ -0,0 +1,29 @@ +# Apple Releases Multiple Product Updates - 20240731004 + +## Overview + +Apple released security updates to address vulnerabilities in Safari, iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. WA SOC encourages users and administrators to review the advisories and apply necessary updates. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | +| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Safari 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214121) | +| iOS 17.6 and iPadOS 17.6| all versions before 17.6| [List of CVEs](https://support.apple.com/en-us/HT214117)| +|iOS 16.7.9 and iPadOS 16.7.9|all versions before 16.7.9| [List of CVEs](https://support.apple.com/en-us/HT214116) +|macOS Sonoma 14.6|all versions before 14.6| [List of CVEs](https://support.apple.com/en-us/HT214119) +|macOS Ventura 13.6.8|all versions before 13.6.8| [List of CVEs](https://support.apple.com/en-us/HT214120) +|macOS Monterey 12.7.6|all versions before|[List of CVEs](https://support.apple.com/en-us/HT214118) +|watchOS 10.6 |all versions before 10.6|[List of CVEs](https://support.apple.com/en-us/HT214124) +|tvOS 17.6|all versions before 17.6|[List of CVEs](https://support.apple.com/en-us/HT214122) +|visionOS 1.3|all versions before 1.3|[List of CVEs](https://support.apple.com/en-us/HT214123) + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor 
instructions to all affected devices within expected timeframe of *1 month* (refer [Patch Management](../guidelines/patch-management.md)): + +- Apple: + +## Reference + +- CISA: From b2679513126f470fc5511ff77cc7fac11eee5050 Mon Sep 17 00:00:00 2001 From: LSerki Date: Wed, 31 Jul 2024 06:59:23 +0000 Subject: [PATCH 61/82] Format markdown docs --- ...Apple-Releases-Multiple-Product-Updates.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md index 4600a3b2..3119d5ba 100644 --- a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md +++ b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md 
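Review bot: the `macOS Monterey 12.7.6` row reads `all versions before` with the version missing (presumably 12.7.6, following the other rows), the rows from `iOS 16.7.9` down lack their trailing `|`, and both the Recommendation bullet `- Apple:` and the Reference bullet `- CISA:` are labels with no URL, so the advisory would publish without a single vendor or CISA link. The `Product(s) Affected` column also repeats the fixed version in the product name (`Safari 17.6` alongside `all versions before 17.6`); naming just the product keeps the two columns from contradicting each other.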
@@ -6,17 +6,17 @@ Apple released security updates to address vulnerabilities in Safari, iOS, iPadO ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | -| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Safari 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214121) | -| iOS 17.6 and iPadOS 17.6| all versions before 17.6| [List of CVEs](https://support.apple.com/en-us/HT214117)| -|iOS 16.7.9 and iPadOS 16.7.9|all versions before 16.7.9| [List of CVEs](https://support.apple.com/en-us/HT214116) -|macOS Sonoma 14.6|all versions before 14.6| [List of CVEs](https://support.apple.com/en-us/HT214119) -|macOS Ventura 13.6.8|all versions before 13.6.8| [List of CVEs](https://support.apple.com/en-us/HT214120) -|macOS Monterey 12.7.6|all versions before|[List of CVEs](https://support.apple.com/en-us/HT214118) -|watchOS 10.6 |all versions before 10.6|[List of CVEs](https://support.apple.com/en-us/HT214124) -|tvOS 17.6|all versions before 17.6|[List of CVEs](https://support.apple.com/en-us/HT214122) -|visionOS 1.3|all versions before 1.3|[List of CVEs](https://support.apple.com/en-us/HT214123) +| Product(s) Affected | Version(s) | CVE | +| ---------------------------- | -------------------------- | -------------------------------------------------------- | +| Safari 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214121) | +| iOS 17.6 and iPadOS 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214117) | +| iOS 16.7.9 and iPadOS 16.7.9 
| all versions before 16.7.9 | [List of CVEs](https://support.apple.com/en-us/HT214116) | +| macOS Sonoma 14.6 | all versions before 14.6 | [List of CVEs](https://support.apple.com/en-us/HT214119) | +| macOS Ventura 13.6.8 | all versions before 13.6.8 | [List of CVEs](https://support.apple.com/en-us/HT214120) | +| macOS Monterey 12.7.6 | all versions before | [List of CVEs](https://support.apple.com/en-us/HT214118) | +| watchOS 10.6 | all versions before 10.6 | [List of CVEs](https://support.apple.com/en-us/HT214124) | +| tvOS 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214122) | +| visionOS 1.3 | all versions before 1.3 | [List of CVEs](https://support.apple.com/en-us/HT214123) | ## Recommendation From 1d81bb82f4087eae616b80ef44a5d44c771094df Mon Sep 17 00:00:00 2001 From: JadonWill <117053393+JadonWill@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:09:57 +0800 Subject: [PATCH 62/82] Update 20240731004 --- ...Apple-Releases-Multiple-Product-Updates.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md index 3119d5ba..72dbd301 100644 --- a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md +++ b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md 
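Review bot: the format pass restores the trailing `|` on every row and aligns the columns, but `| macOS Monterey 12.7.6 | all versions before |` still lacks its version and the `- Apple:` / `- CISA:` bullets below the hunk are still empty; those are content fixes, not formatter output, and should not wait for the next pass.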
@@ -2,28 +2,28 @@ ## Overview -Apple released security updates to address vulnerabilities in Safari, iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. WA SOC encourages users and administrators to review the advisories and apply necessary updates. +Apple has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. WA SOC encourages users and administrators to review the advisories and apply necessary updates. ## What is vulnerable? | Product(s) Affected | Version(s) | CVE | | ---------------------------- | -------------------------- | -------------------------------------------------------- | -| Safari 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214121) | -| iOS 17.6 and iPadOS 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214117) | -| iOS 16.7.9 and iPadOS 16.7.9 | all versions before 16.7.9 | [List of CVEs](https://support.apple.com/en-us/HT214116) | -| macOS Sonoma 14.6 | all versions before 14.6 | [List of CVEs](https://support.apple.com/en-us/HT214119) | -| macOS Ventura 13.6.8 | all versions before 13.6.8 | [List of CVEs](https://support.apple.com/en-us/HT214120) | -| macOS Monterey 12.7.6 | all versions before | [List of CVEs](https://support.apple.com/en-us/HT214118) | -| watchOS 10.6 | all versions before 10.6 | [List of CVEs](https://support.apple.com/en-us/HT214124) | -| tvOS 17.6 | all versions before 17.6 | [List of CVEs](https://support.apple.com/en-us/HT214122) | -| visionOS 1.3 | all versions before 1.3 | [List of CVEs](https://support.apple.com/en-us/HT214123) | +| Safari 17.6 | all versions before 17.6 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214121) | +| iOS 17.6 and iPadOS 17.6 | all versions before 17.6 | [Vendor listed 
CVEs](https://support.apple.com/en-us/HT214117) | +| iOS 16.7.9 and iPadOS 16.7.9 | all versions before 16.7.9 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214116) | +| macOS Sonoma 14.6 | all versions before 14.6 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214119) | +| macOS Ventura 13.6.8 | all versions before 13.6.8 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214120) | +| macOS Monterey 12.7.6 | all versions before | [Vendor listed CVEs](https://support.apple.com/en-us/HT214118) | +| watchOS 10.6 | all versions before 10.6 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214124) | +| tvOS 17.6 | all versions before 17.6 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214122) | +| visionOS 1.3 | all versions before 1.3 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214123) | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *1 month* (refer [Patch Management](../guidelines/patch-management.md)): -- Apple: +- Apple security releases: ## Reference -- CISA: +- CISA article: From f543f34356b860fc7101e74c36d95d3bce051c3b Mon Sep 17 00:00:00 2001 From: JadonWill Date: Wed, 31 Jul 2024 08:10:39 +0000 Subject: [PATCH 63/82] Format markdown docs --- .../20240731004-Apple-Releases-Multiple-Product-Updates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md index 72dbd301..e72dcd52 100644 --- a/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md +++ b/docs/advisories/20240731004-Apple-Releases-Multiple-Product-Updates.md 
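Review bot: `- Apple security releases:` and `- CISA article:` still end in a colon with no link, so this update only relabels the empty bullets; add the URLs before merging. The `| macOS Monterey 12.7.6 | all versions before |` row is still missing its version, and the rewritten Overview drops the product list (Safari, iOS, iPadOS, macOS, watchOS, tvOS, visionOS) that made the advisory searchable by product name; keep the list in the Overview even if the table repeats it.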
@@ -6,8 +6,8 @@ Apple has released security updates to address vulnerabilities in multiple produ ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | -| ---------------------------- | -------------------------- | -------------------------------------------------------- | +| Product(s) Affected | Version(s) | CVE | +| ---------------------------- | -------------------------- | -------------------------------------------------------------- | | Safari 17.6 | all versions before 17.6 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214121) | | iOS 17.6 and iPadOS 17.6 | all versions before 17.6 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214117) | | iOS 16.7.9 and iPadOS 16.7.9 | all versions before 16.7.9 | [Vendor listed CVEs](https://support.apple.com/en-us/HT214116) | From ed6d7164d1ac1648641be6ac5d4c3e3c93638cf5 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 22 Aug 2024 10:48:13 +0800 Subject: [PATCH 64/82] Azure Managed Instance for Apache Cassandra Elevation of Privilege Vulnerability - 20240822002 --- ...dra-Elevation-of-Privilege-Vulnerability.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md diff --git a/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md new file mode 100644 index 00000000..b8e665d1 --- /dev/null +++ b/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md 
@@ -0,0 +1,18 @@ +# Azure Managed Instance for Apache Cassandra Elevation of Privilege Vulnerability - 20240822002 + +## Overview + +Microsoft publishes critical advisory for Azure Managed Instance for Apache Cassandra Elevation of Privilege Vulnerability. An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | +| Azure Managed Instance for Apache Cassandra | clusters updated before 20th August 2024 | [CVE-2024-38175](https://www.cve.org/CVERecord?id=CVE-2024-38175) | 9.6 | **Critical** | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38175 + From d7511a3d9c83fafbd3cff56bc5e3aa5b9bf4cc2a Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 22 Aug 2024 02:48:53 +0000 Subject: [PATCH 65/82] Format markdown docs --- ...pache-Cassandra-Elevation-of-Privilege-Vulnerability.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md index b8e665d1..aaa9eabd 100644 --- a/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md 
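Review bot: the Recommendation timeframe of `*one month...*` does not fit the table's own rating of CVE-2024-38175 as CVSS 9.6 **Critical**; check the window against the patch-management guideline the sentence links to before publishing (a later commit in this series shortens it to 48 hours, which suggests the initial value was not checked). Two smaller points in the same hunk: the Overview opens by restating the title (`Microsoft publishes critical advisory for Azure Managed Instance for Apache Cassandra Elevation of Privilege Vulnerability.`) before the one sentence that actually describes the flaw, and the recommendation bullet is a bare URL (`- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38175`) where the other advisories label their links.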
+++ b/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md @@ -6,13 +6,12 @@ Microsoft publishes critical advisory for Azure Managed Instance for Apache Cass ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | -| Azure Managed Instance for Apache Cassandra | clusters updated before 20th August 2024 | [CVE-2024-38175](https://www.cve.org/CVERecord?id=CVE-2024-38175) | 9.6 | **Critical** | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------------------------------- | ---------------------------------------- | ----------------------------------------------------------------- | ---- | ------------ | +| Azure Managed Instance for Apache Cassandra | clusters updated before 20th August 2024 | [CVE-2024-38175](https://www.cve.org/CVERecord?id=CVE-2024-38175) | 9.6 | **Critical** | ## Recommendation The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38175 - From 871ac3e2af5dae5ceec6b182d3f4fc44d6281ead Mon Sep 17 00:00:00 2001 
From: JadonWill <117053393+JadonWill@users.noreply.github.com> Date: Thu, 22 Aug 2024 11:37:41 +0800 Subject: [PATCH 66/82] Update 20240822002 Renamed page to reduce character count. Updated observations to include vendor knowledge of exploitation. Updated recommendation to "48 hours" in alignment with E8 ML1 Patch Management. --- ...240822002-Microsoft-Publishes-Critical-Advisory.md} | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) rename docs/advisories/{20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md => 20240822002-Microsoft-Publishes-Critical-Advisory.md} (69%) diff --git a/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240822002-Microsoft-Publishes-Critical-Advisory.md similarity index 69% rename from docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md rename to docs/advisories/20240822002-Microsoft-Publishes-Critical-Advisory.md index aaa9eabd..012088de 100644 --- a/docs/advisories/20240822002-Azure-Managed-Instance-for-Apache-Cassandra-Elevation-of-Privilege-Vulnerability.md +++ b/docs/advisories/20240822002-Microsoft-Publishes-Critical-Advisory.md @@ -1,4 +1,4 @@ -# Azure Managed Instance for Apache Cassandra Elevation of Privilege Vulnerability - 20240822002 +# Microsoft Publishes Critical CVE Advisory - 20240822002 ## Overview 
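Review bot: the new title `# Microsoft Publishes Critical CVE Advisory - 20240822002` drops the affected product entirely, so an index of advisories no longer tells a reader that Azure Managed Instance for Apache Cassandra is involved. If the rename is only to shorten the filename, keep at least the product name in the H1, for example `# Microsoft Critical Advisory: Azure Managed Instance for Apache Cassandra - 20240822002`.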
@@ -10,8 +10,12 @@ Microsoft publishes critical advisory for Azure Managed Instance for Apache Cass | ------------------------------------------- | ---------------------------------------- | ----------------------------------------------------------------- | ---- | ------------ | | Azure Managed Instance for Apache Cassandra | clusters updated before 20th August 2024 | [CVE-2024-38175](https://www.cve.org/CVERecord?id=CVE-2024-38175) | 9.6 | **Critical** | +## What has been observed? + +Microsoft is aware of functional exploitation in the wild. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + ## Recommendation -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): -- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38175 +- Microsoft CVE article: From 10375eff566e7f9210d6f28a80cf944f48d4ab54 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 6 Sep 2024 10:58:16 +0800 Subject: [PATCH 67/82] Cisco Publishes Critical Update - 20240906003 --- ...0906003-Cisco-Publishes-Critical-Update.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md diff --git a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md new file mode 100644 index 00000000..708f7fcc --- /dev/null +++ b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md 
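Review bot: the new section states `Microsoft is aware of functional exploitation in the wild` without saying where that assessment comes from; since this is the fact that justifies tightening the timeframe from one month to 48 hours, cite the source (the vendor's exploitability assessment or equivalent) next to the sentence so readers can verify it. Also, `+- Microsoft CVE article:` ends at the colon in this view while the line it replaces was the only pointer to the vendor advisory; confirm the URL survived the edit.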
@@ -0,0 +1,27 @@ +# Cisco Publishes Critical Update - 20240906003 + +## Overview + +The WA SOC has been made aware of multiple vulnerabilities in Cisco Smart Licensing Utility that could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | +| | | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | +| | | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Cisco Smart Licensing Utility Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw) + +## Additional References + +- [Tenable - CVE-2024-20439](https://www.tenable.com/cve/CVE-2024-20439) +- [Tenable - CVE-2024-20440](https://www.tenable.com/cve/CVE-2024-20440) \ No newline at end of file From 9dfdf1056507d5550e6d11983d90ccdffb1e2a8e Mon Sep 17 00:00:00 2001 From: LSerki Date: Fri, 6 Sep 2024 02:59:00 +0000 Subject: [PATCH 68/82] Format markdown docs --- .../20240906003-Cisco-Publishes-Critical-Update.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
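Review bot: both rows of the What is vulnerable table have empty Product(s) Affected and Version(s) cells (`| | | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** |`), so the advisory never states which product or versions are affected even though the Overview names Cisco Smart Licensing Utility; fill those cells before merging. In the same hunk, the `*one month...*` timeframe sits against a CVSS 9.8 **Critical** rating, and git flags a missing newline at end of file.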
diff --git a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md index 708f7fcc..fbf722b9 100644 --- a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md +++ b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md @@ -6,10 +6,10 @@ The WA SOC has been made aware of multiple vulnerabilities in Cisco Smart Licens ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | -| | | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | -| | | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------- | ---- | ------------ | +| | | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | +| | | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | ## What has been observed? @@ -23,5 +23,5 @@ The WA SOC recommends administrators apply the solutions as per vendor instructi ## Additional References -- [Tenable - CVE-2024-20439](https://www.tenable.com/cve/CVE-2024-20439) -- [Tenable - CVE-2024-20440](https://www.tenable.com/cve/CVE-2024-20440) \ No newline at end of file +- [Tenable - CVE-2024-20439](https://www.tenable.com/cve/CVE-2024-20439) +- [Tenable - CVE-2024-20440](https://www.tenable.com/cve/CVE-2024-20440) From ccd0fe4b73e7d7ae699b8a6250c5da1181667465 Mon Sep 17 00:00:00 2001 
From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 6 Sep 2024 11:22:21 +0800 Subject: [PATCH 69/82] Cisco Publishes Critical Update - 20240906003 --- .../20240906003-Cisco-Publishes-Critical-Update.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md index fbf722b9..097c6bca 100644 --- a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md +++ b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md @@ -6,10 +6,10 @@ The WA SOC has been made aware of multiple vulnerabilities in Cisco Smart Licens ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------- | ---- | ------------ | -| | | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | -| | | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | +| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | +| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | ## What has been observed? 
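Review bot: filling in `Cisco Smart Licensing Utility | versions before 2.3.0` fixes the empty cells, but the hunk also replaces the aligned separator row with the original over-wide one (`| ------------------- | ---------- | ------...`), undoing the previous format-only commit and guaranteeing another one afterwards; edit the cells inside the formatted table, or run the formatter before committing, so the history does not alternate between content and whitespace changes.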
@@ -17,7 +17,7 @@ There is no evidence of exploitation affecting Western Australian Government net ## Recommendation -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): - [Cisco Smart Licensing Utility Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw) From 21a2f894092e6d17b77ead49fb677e6bd77bc0c5 Mon Sep 17 00:00:00 2001 From: LSerki Date: Fri, 6 Sep 2024 03:23:04 +0000 Subject: [PATCH 70/82] Format markdown docs --- .../20240906003-Cisco-Publishes-Critical-Update.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md index 097c6bca..a03d73c1 100644 --- a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md +++ b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md 
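Review bot: the italic timeframe keeps a trailing ellipsis (`*48 hours...*`), which reads as if the sentence is unfinished; the Apple advisory earlier in this series writes `*1 month*` without one, and the shorter form is clearer for a deadline.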
@@ -6,10 +6,10 @@ The WA SOC has been made aware of multiple vulnerabilities in Cisco Smart Licens ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | -| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | -| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ----------------------------- | --------------------- | ----------------------------------------------------------------- | ---- | ------------ | +| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | +| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | ## What has been observed? From 0001152724fdf087ddfbc029af177f50a88cadcc Mon Sep 17 00:00:00 2001 From: JadonWill <117053393+JadonWill@users.noreply.github.com> Date: Fri, 6 Sep 2024 12:04:22 +0800 Subject: [PATCH 71/82] Update 20240906003 Reformatted table to condense same product and versions to a single line with CVEs line separated. --- .../20240906003-Cisco-Publishes-Critical-Update.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md index a03d73c1..436ba19b 100644 --- a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md +++ b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md 
@@ -8,8 +8,7 @@ The WA SOC has been made aware of multiple vulnerabilities in Cisco Smart Licens | Product(s) Affected | Version(s) | CVE | CVSS | Severity | | ----------------------------- | --------------------- | ----------------------------------------------------------------- | ---- | ------------ | -| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439) | 9.8 | **Critical** | -| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | 7.5 | High | +| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439)
[CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | **Critical**
High | 9.8
7.5 | **Critical**
High | ## What has been observed? @@ -19,9 +18,9 @@ There is no evidence of exploitation affecting Western Australian Government net The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): -- [Cisco Smart Licensing Utility Vulnerabilities](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw) +- Cisco article: ## Additional References -- [Tenable - CVE-2024-20439](https://www.tenable.com/cve/CVE-2024-20439) -- [Tenable - CVE-2024-20440](https://www.tenable.com/cve/CVE-2024-20440) +- Tenable - CVE-2024-20439: +- Tenable - CVE-2024-20440: From b37ba424a53c5909e0fffde73b81d16e7d16a8b0 Mon Sep 17 00:00:00 2001 From: JadonWill Date: Fri, 6 Sep 2024 04:05:07 +0000 Subject: [PATCH 72/82] Format markdown docs --- .../20240906003-Cisco-Publishes-Critical-Update.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md index 436ba19b..967c4fea 100644 --- a/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md +++ b/docs/advisories/20240906003-Cisco-Publishes-Critical-Update.md @@ -6,9 +6,9 @@ The WA SOC has been made aware of multiple vulnerabilities in Cisco Smart Licens ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ----------------------------- | --------------------- | ----------------------------------------------------------------- | ---- | ------------ | -| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439)
[CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | **Critical**
High | 9.8
7.5 | **Critical**
High | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ----------------------------- | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | ------------ | +| Cisco Smart Licensing Utility | versions before 2.3.0 | [CVE-2024-20439](https://nvd.nist.gov/vuln/detail/CVE-2024-20439)
[CVE-2024-20440](https://nvd.nist.gov/vuln/detail/CVE-2024-20440) | **Critical**
High | 9.8
7.5 | ## What has been observed? From 503aca108d11dfd917d1fd9c278b62fda594050d Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:38:43 +0800 Subject: [PATCH 73/82] SolarWinds Critical Update - 20240913001 --- .../20240913001-SolarWinds-Critical-Update.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/advisories/20240913001-SolarWinds-Critical-Update.md diff --git a/docs/advisories/20240913001-SolarWinds-Critical-Update.md b/docs/advisories/20240913001-SolarWinds-Critical-Update.md new file mode 100644 index 00000000..65b49a62 --- /dev/null +++ b/docs/advisories/20240913001-SolarWinds-Critical-Update.md @@ -0,0 +1,22 @@ +# SolarWinds Critical Update - 20240913001 + +## Overview + +SolarWinds has reported two vulnerabilities affecting their Access Rights Manager (ARM) software. The vulnerabilities have the potential to compromise the security of networks utilising ARM, with impacts ranging from unauthorized access to remote code execution. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | +| SolarWinds ARM | Version before 2024.3.1 | [CVE-2024-28991](https://nvd.nist.gov/vuln/detail/CVE-2024-28991)
[CVE-2024-28990](https://nvd.nist.gov/vuln/detail/CVE-2024-28990) | 9.0
6.5 | **Critical**
Medium | + + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48hrs* (refer [Patch Management](../guidelines/patch-management.md)): + +- Solarwinds ARM Release notes: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm From dfcdf4c7e80c95853a75763fc04b1d3e47421ac2 Mon Sep 17 00:00:00 2001 From: LSerki Date: Fri, 13 Sep 2024 04:39:34 +0000 Subject: [PATCH 74/82] Format markdown docs --- docs/advisories/20240913001-SolarWinds-Critical-Update.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20240913001-SolarWinds-Critical-Update.md b/docs/advisories/20240913001-SolarWinds-Critical-Update.md index 65b49a62..cd026706 100644 --- a/docs/advisories/20240913001-SolarWinds-Critical-Update.md +++ b/docs/advisories/20240913001-SolarWinds-Critical-Update.md @@ -6,10 +6,9 @@ SolarWinds has reported two vulnerabilities affecting their Access Rights Manage ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | -| SolarWinds ARM | Version before 2024.3.1 | [CVE-2024-28991](https://nvd.nist.gov/vuln/detail/CVE-2024-28991)
[CVE-2024-28990](https://nvd.nist.gov/vuln/detail/CVE-2024-28990) | 9.0
6.5 | **Critical**
Medium | - +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | -------------------------- | +| SolarWinds ARM | Version before 2024.3.1 | [CVE-2024-28991](https://nvd.nist.gov/vuln/detail/CVE-2024-28991)
[CVE-2024-28990](https://nvd.nist.gov/vuln/detail/CVE-2024-28990) | 9.0
6.5 | **Critical**
Medium | ## What has been observed? From facbbf90a482930a408b541ffc63ae94c56b2f8f Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:44:33 +0800 Subject: [PATCH 75/82] SolarWinds Critical Update - 20240913001 --- docs/advisories/20240913001-SolarWinds-Critical-Update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advisories/20240913001-SolarWinds-Critical-Update.md b/docs/advisories/20240913001-SolarWinds-Critical-Update.md index cd026706..1e670f0e 100644 --- a/docs/advisories/20240913001-SolarWinds-Critical-Update.md +++ b/docs/advisories/20240913001-SolarWinds-Critical-Update.md @@ -8,7 +8,7 @@ SolarWinds has reported two vulnerabilities affecting their Access Rights Manage | Product(s) Affected | Version(s) | CVE | CVSS | Severity | | ------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | -------------------------- | -| SolarWinds ARM | Version before 2024.3.1 | [CVE-2024-28991](https://nvd.nist.gov/vuln/detail/CVE-2024-28991)
[CVE-2024-28990](https://nvd.nist.gov/vuln/detail/CVE-2024-28990) | 9.0
6.5 | **Critical**
Medium | +| SolarWinds ARM | Version before 2024.3.1 | [CVE-2024-28991](https://nvd.nist.gov/vuln/detail/CVE-2024-28991)
[CVE-2024-28990](https://nvd.nist.gov/vuln/detail/CVE-2024-28990) | 9.0
6.3 | **Critical**
Medium | ## What has been observed? From 85d4b0a019562e163209a8baa957f9a8daaf7201 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 26 Sep 2024 12:56:00 +0800 Subject: [PATCH 76/82] CISA Releases OT and ICS Advisory - 20240926002 --- .../20240926002-CISA-OT-and-ICS-Advisory.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md diff --git a/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md b/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md new file mode 100644 index 00000000..63c57f15 --- /dev/null +++ b/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md @@ -0,0 +1,13 @@ +# CISA Releases OT and ICS Advisory - 20240926002 + +## Overview + +CISA has issued an advisory urging OT and ICS operators in critical infrastructure sectors to implement recommended measures in response to the ongoing exploitation of internet-accessible operational technology(OT) and industrial control systems(ICS) devices. + +## Recommendation + +The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices. + +Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity: + +- CISA : https://www.cisa.gov/news-events/alerts/2024/09/25/threat-actors-continue-exploit-otics-through-unsophisticated-means From ec85a29c759375cf9355d2f70e536b78316b8d76 Mon Sep 17 00:00:00 2001 From: LSerki Date: Thu, 26 Sep 2024 04:56:42 +0000 Subject: [PATCH 77/82] Format markdown docs --- docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md b/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md index 63c57f15..a739dfb3 100644 --- a/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md +++ b/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md 
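Review bot: in PATCH 71 the merged Cisco row puts the columns out of order and has one cell too many: against a header of `| CVE | CVSS | Severity |`, the cell holding the two severities (`**Critical**` and `High`) comes directly after the CVE cell, the cell holding the two scores (`9.8` and `7.5`) comes next, and a second copy of the severities cell follows it. As written the CVSS column renders severities, the Severity column renders scores, and the sixth cell overflows the table; the row should end `| 9.8 / 7.5 | **Critical** / High |` with the values line-separated inside each cell and nothing after.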
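Review bot: PATCH 72 removes the surplus sixth cell but leaves the CVSS and Severity columns swapped: the row still carries the severities (`**Critical**` and `High`) under the CVSS header and the scores (`9.8` and `7.5`) under Severity. Swap the two cells so that the numbers sit under CVSS, which is also why the formatter has widened the wrong column.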
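Review bot: PATCH 73 lists CVE-2024-28990 with CVSS `6.5`, a value PATCH 75 later changes to `6.3`; verify scores against the vendor advisory when first adding them rather than relying on a follow-up. Smaller points in the same hunk: `Version before 2024.3.1` is singular where the rest of the series writes `versions before ...`, the vendor name is spelled `Solarwinds` in the recommendation bullet but `SolarWinds` in the title, that bullet mixes a label with a bare URL instead of a markdown link, and the table is followed by a doubled blank line.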
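Review bot: the only change in PATCH 75 is CVSS `6.5` to `6.3` for CVE-2024-28990, yet its commit subject repeats the original advisory commit (`SolarWinds Critical Update - 20240913001`) and says nothing about a score correction; a one-line body naming the corrected value and its source would make the history auditable for anyone who already acted on the published number.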
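Review bot: in PATCH 76 the label above the link, `Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity:`, does not match the URL it introduces, whose slug is `threat-actors-continue-exploit-otics-through-unsophisticated-means`; either link the document the label names or relabel the bullet (PATCH 78 later resolves this by dropping the label). Also in the Overview, `operational technology(OT)` and `industrial control systems(ICS)` are missing the space before the parenthesis, and `- CISA : https://...` has a stray space before the colon.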
@@ -2,7 +2,7 @@ ## Overview -CISA has issued an advisory urging OT and ICS operators in critical infrastructure sectors to implement recommended measures in response to the ongoing exploitation of internet-accessible operational technology(OT) and industrial control systems(ICS) devices. +CISA has issued an advisory urging OT and ICS operators in critical infrastructure sectors to implement recommended measures in response to the ongoing exploitation of internet-accessible operational technology(OT) and industrial control systems(ICS) devices. ## Recommendation From d507c822c3880afd5526db28ac5f5341dbf9da99 Mon Sep 17 00:00:00 2001 From: JadonWill <117053393+JadonWill@users.noreply.github.com> Date: Thu, 26 Sep 2024 13:11:14 +0800 Subject: [PATCH 78/82] Update 20240926002 Removed hyperlinked secondary article as it is referenced in the CISA Advisory page. --- docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md b/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md index a739dfb3..6c63f1ed 100644 --- a/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md +++ b/docs/advisories/20240926002-CISA-OT-and-ICS-Advisory.md 
@@ -1,13 +1,11 @@ -# CISA Releases OT and ICS Advisory - 20240926002 +# CISA Releases OT and ICS Security Advisory - 20240926002 ## Overview -CISA has issued an advisory urging OT and ICS operators in critical infrastructure sectors to implement recommended measures in response to the ongoing exploitation of internet-accessible operational technology(OT) and industrial control systems(ICS) devices. +CISA has issued an advisory urging OT and ICS operators in critical infrastructure sectors to implement recommended measures in response to the ongoing exploitation of internet-accessible operational technology and industrial control systems devices. ## Recommendation The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices. -Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity: - -- CISA : https://www.cisa.gov/news-events/alerts/2024/09/25/threat-actors-continue-exploit-otics-through-unsophisticated-means +- CISA Advisory: From 3ed9dafdc265c6dcb613d24a98604efe41a3ec0a Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Wed, 9 Oct 2024 11:43:51 +0800 Subject: [PATCH 79/82] SAP Critical Vulnerability - 20241009003 --- .../20241009003-SAP-Critical-Vulnerability.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 docs/advisories/20241009003-SAP-Critical-Vulnerability.md diff --git a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md new file mode 100644 index 00000000..53e5c95a --- /dev/null +++ b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md 
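Review bot: rewriting the Overview sentence to `internet-accessible operational technology and industrial control systems devices` removes the acronym expansions, so `OT and ICS operators` earlier in the same sentence now appears before either term is defined; keep the expansions with the missing space added (`operational technology (OT)`, `industrial control systems (ICS)`) rather than deleting them. As with the other link edits in this series, `+- CISA Advisory:` ends at the colon here; confirm the URL is present in the file.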
@@ -0,0 +1,21 @@ +# SAP Critical Vulnerability - 20241009003 + +## Overview + +In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | +| SAP BusinessObjects Business Intelligence Platform | Version: ENTERPRISE 420, 430, 440 | [CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730) | 9.8 | **Critical** | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html \ No newline at end of file From d7b8a37deeb6b2ee8a7c513362d8aab466c398f3 Mon Sep 17 00:00:00 2001 From: LSerki Date: Wed, 9 Oct 2024 03:44:32 +0000 Subject: [PATCH 80/82] Format markdown docs --- docs/advisories/20241009003-SAP-Critical-Vulnerability.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md index 53e5c95a..e5c4fe5b 100644 --- a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md +++ b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md 
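Review bot: the Overview says `if Single Signed On is enabled on Enterprise authentication`; the feature is Single Sign-On (SSO), and the sentence should name it correctly since it is the precondition for the flaw. In the table, `[CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730)` has a trailing space inside the link text, which renders as a visible gap in the link; and the recommendation bullet is a bare URL with no label, plus git flags a missing newline at end of file.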
@@ -6,9 +6,9 @@ In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is en ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------- | -| SAP BusinessObjects Business Intelligence Platform | Version: ENTERPRISE 420, 430, 440 | [CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730) | 9.8 | **Critical** | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| -------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------ | ---- | ------------ | +| SAP BusinessObjects Business Intelligence Platform | Version: ENTERPRISE 420, 430, 440 | [CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730) | 9.8 | **Critical** | ## What has been observed? @@ -18,4 +18,4 @@ There is no evidence of exploitation affecting Western Australian Government net The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): -- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html \ No newline at end of file +- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html From 2626ec8cdeb1a86a0a60bb9924fb140f8f35ceb6 Mon Sep 17 00:00:00 2001 From: JadonWill <117053393+JadonWill@users.noreply.github.com> Date: Wed, 9 Oct 2024 15:49:18 +0800 Subject: [PATCH 81/82] Update 20241009003 Corrected hyperlink syntax --- docs/advisories/20241009003-SAP-Critical-Vulnerability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md index e5c4fe5b..f041a643 100644 --- a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md +++ b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md @@ -8,7 +8,7 @@ In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is en | Product(s) Affected | Version(s) | CVE | CVSS | Severity | | -------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------ | ---- | ------------ | -| SAP BusinessObjects Business Intelligence Platform | Version: ENTERPRISE 420, 430, 440 | [CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730) | 9.8 | **Critical** | +| SAP BusinessObjects Business Intelligence Platform | ENTERPRISE 430
ENTERPRISE 440 | [CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730) | 9.8 | **Critical** | ## What has been observed? @@ -18,4 +18,4 @@ There is no evidence of exploitation affecting Western Australian Government net The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): -- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html +- SAP advisory: From b634afc61b65e4067f7dd59af8cdb9f09b8ac055 Mon Sep 17 00:00:00 2001 From: JadonWill Date: Wed, 9 Oct 2024 07:50:04 +0000 Subject: [PATCH 82/82] Format markdown docs --- docs/advisories/20241009003-SAP-Critical-Vulnerability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md index f041a643..5e46d9c1 100644 --- a/docs/advisories/20241009003-SAP-Critical-Vulnerability.md +++ b/docs/advisories/20241009003-SAP-Critical-Vulnerability.md @@ -6,8 +6,8 @@ In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is en ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| -------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------ | ---- | ------------ | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| -------------------------------------------------- | ---------------------------------- | ------------------------------------------------------------------ | ---- | ------------ | | SAP BusinessObjects Business Intelligence Platform | ENTERPRISE 430
ENTERPRISE 440 | [CVE-2024-41730 ](https://nvd.nist.gov/vuln/detail/CVE-2024-41730) | 9.8 | **Critical** | ## What has been observed?
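Review bot: In the initial `@@ -0,0 +1,21 @@` hunk that creates 20241009003-SAP-Critical-Vulnerability.md, the Overview's "Single Signed On" should read "Single Sign-On" (the SAP feature name), the CVE link text `[CVE-2024-41730 ]` carries a trailing space inside the brackets that renders as part of the link, the Version(s) cell repeats "Version:" although the column header already says so, and "*48 hours...*" should not end in an ellipsis. The Recommendation bullet is a bare URL; write it as `- [SAP October 2024 Security Notes](https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html)` so it is a proper link, and add the trailing newline the "No newline at end of file" marker flags.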
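Review bot: In the `@@ -6,9 +6,9 @@` table hunk of PATCH 80/82 ("Format markdown docs"), the column widths are normalised but the link text `[CVE-2024-41730 ]` keeps its trailing space and the cell still reads `Version: ENTERPRISE 420, 430, 440`; since this commit only touches whitespace, either drop the space here as well (`[CVE-2024-41730](https://nvd.nist.gov/vuln/detail/CVE-2024-41730)`) or note that it is left for a content commit. The second hunk that adds the missing end-of-file newline is fine as is.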
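Review bot: The `@@ -8,7 +8,7 @@` table hunk of PATCH 81/82 silently removes ENTERPRISE 420 from the affected versions while the commit message only says "Corrected hyperlink syntax"; if 420 is no longer in scope, say so in the message, otherwise keep it. The replacement cell also shows `ENTERPRISE 430` and `ENTERPRISE 440` on separate lines, which a markdown table cell cannot hold as a literal line break (the row would split); use `ENTERPRISE 430, 440` or an explicit `<br>` between the two values.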
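Review bot: The `@@ -18,4 +18,4 @@` hunk of PATCH 81/82 replaces the only vendor reference with `- SAP advisory:` and no URL, so the Recommendation now points nowhere even though the commit claims to fix hyperlink syntax. Restore the address in the new form, e.g. `- SAP advisory: [October 2024 Security Notes](https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2024.html)`.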
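Review bot: In the `@@ -6,8 +6,8 @@` hunk of PATCH 82/82, the formatter only widens the Version(s) separator by one character to fit the new cell; the two-line `ENTERPRISE 430` / `ENTERPRISE 440` value from the previous commit and the trailing space in `[CVE-2024-41730 ]` both survive, so the table is still not guaranteed to render as one row. Fix the cell content in a content commit before re-running the formatter.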