Windows CryptoAPI  Denial of Service Vulnerability

CVE-2023-24938

Windows Group Policy Elevation of Privilege Vulnerability

CVE-2023-29351

Windows GDI Elevation of Privilege Vulnerability

CVE-2023-29358

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

CVE-2023-29361

Mandiant's ongoing investigation of UNC3886 has uncovered new details of threat actors' TTPs.

A Chinese cyber-espionage group that researchers previously have spotted targeting VMware ESXi hosts has quietly been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs).

Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been following for some time and whom they reported on last year. They disclosed the vulnerability to VMware, which released a patch addressing the flaw on Tuesday.

**Authentication Bypass Zero-Day**

The zero-day vulnerability (CVE-2023-208670) is present in VMware Tools, a set of services and modules for enhanced management of guest operating systems.

The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without the need for guest credentials — and without any default logging of the activity happening. VMware assessed the flaw as being of medium severity because to exploit it an attacker already needs to have root access over an ESXi host.

Mandiant found UNC3886 using CVE-2023-208670 as part of a larger and sophisticated attack chain that its researchers have been unraveling over the past several months.

In September 2022, Mandiant reported uncovering UNC3886 using poisoned vSphere Installation Bundles, or VIBs, to install multiple backdoors — collectively dubbed VirtualPITA and VirtualPIE — on ESXi hypervisors. The backdoors enabled the attackers to maintain persistent administrative access to the hypervisor, to route commands through the hypervisor for execution on guest VMs, and for transferring files between the hypervisor and guest machines. The malware bundle also allowed UNC3886 actor to tamper with the hypervisor's logging service and to execute arbitrary commend between guest VMs on the same hypervisor.

Mandiant's analysis at the time showed the threat actor required admin-level privileges on the ESXi hypervisor to deploy the backdoors. But it found no evidence of UNC3886 actors leveraging any zero-day vulnerability to break into the ESXi environment or to deploy the weaponized VIBs.

**New Details on Threat Actor's Tactics and Methods**

The security vendor's continuing investigation of UNC3886's campaign — summarized in a technical report this week — uncovered new details on the threat actor's tactics and methods. They found, for instance, the threat actor harvesting credentials for connected ESXi service accounts from vCenter Server appliance and exploiting CVE-2023-20867 to execute privileged commands across guest virtual machines. Mandiant's research also showed UNC3886 actors deploying backdoors — including VirtualPITA and another called VirtualGATE — using the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. "This … enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place," Mandiant said.

Mandiant's report this week goes into the technical details on the entire attack chain beginning with the threat actor gaining privileged access to an organization's vCenter server and retrieving service account credentials for all connected ESXi hosts. The report goes on to describe how UNC3886 actors used the credentials to connect to ESXi hosts, deploy VirtualPITA and VirtualPIE backdoors on them using VIBs and then exploiting CVE-2023-208670 to execute commands for transferring files to and from guess VMs.

The threat actor targeted ESXi hosts belonging to defense, technology and telecommunications companies, Mandiant said.

"To enable connections to many ESXi hosts at once, UNC3886 targeted vCenter servers, each \[of which\] administrate multiple ESXi hosts," says Alex Marvi, a consultant at Google Cloud's Mandiant. "Each ESXi host creates a service account called the 'vpxuser' when it is initially connected to a vCenter server. UNC3886 was seen harvesting this vpxuser account on vCenter servers so they could connect with administrative rights to all connected ESXi hosts." Once connected to the ESXi hosts, the threat actor leveraged CVE-2023-20867 to run commands and transfer files on running guest machines without the need for the guest’s credentials, he says.

**Previously Unseen Techniques**

The harvesting of connected ESXi service account credentials on vCenter servers and the capabilities of the VMCI socket backdoor are two new techniques that Mandiant has not seen utilized by other attackers in the past, Marvi says. "This should help organizations detect and respond to this attack path, regardless of the exact malware being deployed or commands being used."

Mandiant has assessed UNC3886 as a threat actor that is particularly adept at targeting and exploiting zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response technologies. Its primary targets have been in the US and on organizations in the Asia-Pacific region and Japan. According to Marvi, UNC3886 has demonstrated the ability to switch up attacker paths and tactics when needed. He points to a novel set of malware tools the threat actor deployed on Fortinet devices as evidence of its abilities and access to resources needed to carry out highly sophisticated attacks.

"UNC3886 has shown itself to be a flexible, yet highly capable threat actor, which will modify open source projects to complete their mission," he says. "I would argue that this group’s TTPs are more dynamic than unique, built around the exact needs to either regain access or persist in an environment with whatever they are given access to."

Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs

ProLogin version 1.9 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : ProLogin V1.9 Insecure Direct Object Reference Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               |  | # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /index.php/user_settings[-] When you add value (user_settings) after the index.php/,     an error page appears At the same time, it shows you the panel & limited control .[+] http://127.0.0.1/support.ihorizon.sa/index.php/user_settingsGreetings to :=============================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|===========================================================================================

ProLogin 1.9 Insecure Direct Object Reference

Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month's relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn't marred by the active exploitation of a zero-day vulnerability in Microsoft's products.

**Microsoft Corp.** today released software updates to fix dozens of security vulnerabilities in its **Windows** operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.

June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”

Top of the list on that front is CVE-2023-29357, which is a “critical” bug in **Microsoft SharePoint Server** that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).

“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”

There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the **Windows Pragmatic General Multicast** (PGM), which is used for delivering multicast data — such as video streaming or online gaming.

Security firm **Action1** says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.

It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using **Microsoft Exchange** for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.

Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.

“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, June 2023 Edition

Piyanas version 0.1 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Piyanas v0.1 User Login Page CSRF Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://www.piyanassystem.com/                                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : /add_user.php[+] Use Payload : /admin/add_user.php[+]  http://127.0.0.1/piyanassystemcom/piyanasmember/admin/add_user.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Piyanas 0.1 Cross Site Request Forgery

The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data.

BD communicates with our customers about cybersecurity vulnerabilities to enable healthcare providers to manage potential risks through awareness and guidance.  

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of Alaris™ Infusion Central, **which is not sold in the U.S.**

Alaris™ Infusion Central is a standalone software, separate from the pumps, that allows healthcare providers to monitor infusion data sent from BD Alaris™ Plus and BD Alaris™ neXus pumps on a computer.

As a routine practice, BD has voluntarily shared this vulnerability with the U.S. Food and Drug Administration (FDA), the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates. Read Coordinated Vulnerability Disclosure to learn more about our disclosure process.

This notification applies to the following Alaris™ Infusion Central products:

*   Alaris™ Infusion Central, versions 1.1 to 1.3.2

**Please note: The product listed above is not sold in the U.S. This vulnerability does not impact customers who use BD Alaris™ PCU 8015 or BD Alaris™ Systems Manager.**

*    **CVE-2022-47376** – The Alaris™ Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data. 

BD is authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) by the CVE® Program. As a CNA, BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products, which includes using the Common Weakness Enumeration (CWE™) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. BD assigned the following CVSS score to this vulnerability:

**CVSS: 7.3 (High)** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

**Rationale:** A threat actor requires local access to the Alaris™ Infusion Central server which limits the attack surface. A successful attack would require the threat actor to have access to the Windows operating system on the Alaris™ Infusion Central server where the password remains recoverable. Any such attack would have high impact to confidentiality and integrity; and partial impact to availability of data, as obtaining access to the password could result in disclosure and tampering of resident personal data. 

BD assessed this vulnerability for potential patient safety impact and determined that there is a low probability of harm occurring. Alaris™ Infusion Central collects and displays medical device data and has no access to control or configure either the BD Alaris™ Plus or the BD Alaris™ neXus pump configuration or operation. 

BD is directly reaching out to the small group of customers who may be impacted by this vulnerability to initiate remediation. BD is providing this information to increase awareness. Additionally, the installation procedure has been revised to prevent this vulnerability in future installations.

BD recommends the following mitigations and compensating controls to reduce risk associated with this vulnerability:

*   Change passwords periodically per best security practice.
*   Ensure physical access controls are in place and only authorized administrators have access to the Alaris™ Infusion Central server.

For product, or site-specific concerns, contact your BD service representative.

CVE-2022-47376: Alaris™ Infusion Central – Recoverable Password Vulnerability

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild.

Tuesday, June 13, 2023 14:06

Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity.

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild. June is also closer to an average month for Microsoft’s security update after only disclosing 40 vulnerabilities last month, which was nearly a three-year low.

Cisco Talos discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

Three critical vulnerabilities — CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 — in the Windows Pragmatic General Multicast (PGM) server environment with a severity score of 9.8 could lead to remote code execution. In a Windows Pragmatic General Multicast (PGM)  server environment where the Windows message queuing service is running, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft has advised users to refer to a setting, standard configuration, or general best practice existing in a default state that could reduce the severity of exploitation of this vulnerability.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server that also has a severity score of 9.8. An attacker who successfully exploits this vulnerability could gain administrator-level privileges. They could have access to spoof the JSON Web Token \[JWT\] authentication tokens and use them to execute a network attack that bypasses the authentication and allows them to gain access to the privileges of an authenticated user. The attacker requires no user interaction to exploit this vulnerability. Microsoft has advised that customers should apply all updates offered for the SharePoint Enterprise server. On-premises customers can enable the AMSI feature, which protects them from this vulnerability.

Talos would also like to highlight a few high-severity vulnerabilities that Microsoft considers “more likely” to be exploited.

A high-severity remote code execution vulnerability, CVE-2023-28310, exists in Microsoft Exchange Server. An authenticated attacker on the same intranet as the Exchange Server can achieve remote code execution via a PowerShell remote session.

CVE-2023-29358, an elevation of privilege vulnerability in the Windows graphics device interface (GDI), is a use-after-free vulnerability in the Win32k kernel driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-29361 could also allow an attacker to gain SYSTEM privileges if they exploit a use-after-free issue in the Windows Cloud Files Mini Filter Driver.

Microsoft Exchange server contains a high-severity remote code execution vulnerability, CVE-2023-32031, with a severity score of 8.8. An attacker successfully exploiting this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Another elevation of privilege vulnerability, though only considered "important," CVE-2023-29371, exists in the Windows Win32k kernel driver. An attacker could modify a curve without updating the cCurves values, which leads to an out-of-bounds write in win32kfull when the curves’ edges get processed, ultimately giving them system privileges.

One medium-severity worth noting is CVE-2023-29352, a security feature bypass vulnerability in Windows Remote Desktop. An attacker who successfully exploited this vulnerability could bypass certificate validation during a remote desktop connection by creating a validly signed “.RDP” file to bypass warning prompts when executed.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61907 - 61911, 61915, 61916, 61933  - 61935 and 61937 - 61939. The Snort 3 rules released for these vulnerabilities are 300592, 300593, 300595 and 300600.

Tag

#windows