Windows Kerberos Elevation of Privilege Vulnerability

CVE-2022-35756

IBM QRadar WinCollect Agent 10.0 though 10.1.3 could allow a local user to execute commands on the system due to execution with unnecessary privileges.  IBM X-Force ID:  248156.

  

**Summary**

IBM QRadar WinCollect Agent is vulnerable to execution with unnecessary privileges. IBM has addressed the relevant vulnerability

**Vulnerability Details**

**CVEID:**   CVE-2023-26277  
**DESCRIPTION:**   IBM QRadar WinCollect Agent could allow a local user to execute commands on the system due to execution with unnecessary privileges.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248156 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

QRadar WinCollect Agent

10.0 - 10.1.3

  

**Remediation/Fixes**

**IBM recommends customers upgrade their systems promptly.**

There is a new upgrade for the WinCollect standalone agent. The following WinCollect standalone agent versions can be used to upgrade the affected versions to resolve the vulnerability. For information on how to upgrade your WinCollect version, see the WinCollect 10.1.4 release notes: https://www.ibm.com/support/pages/node/6987783

Download and install the WinCollect standalone agent version 10.1.4 for your version of QRadar:

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, and Ben Goodspeed from the IBM Security Ethical Hacking Team.

**Change History**

08 May 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"10","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-26277: Security Bulletin: IBM QRadar WinCollect Agent is vulnerable to execution with unnecessary privileges (CVE-2023-26277)

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

CVE-2022-35757

Windows Local Security Authority (LSA) Denial of Service Vulnerability

CVE-2022-35759

Windows Kernel Memory Information Disclosure Vulnerability

CVE-2022-35758

Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.

Apple, Google, and Microsoft have released major patches this month to fix multiple security flaws already being used in attacks. May was also a critical month for enterprise software, with GitLab, SAP, and Cisco releasing fixes for multiple bugs in their products.

Here’s everything you need to know about the security updates released in May.

Apple iOS and iPadOS 16.5

Apple has released its long-awaited point update iOS 16.5, addressing 39 issues, three of which are already being exploited in real-life attacks. The iOS upgrade patches vulnerabilities in the Kernel at the heart of the operating system and in WebKit, the engine that powers the Safari browser. The three already exploited flaws are among five fixed in WebKit—tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.

CVE-2023-32409 is an issue that could allow an attacker to break out of the Web Content sandbox remotely, reported by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab. CVE-2023-28204 is a flaw that risks a user disclosing sensitive information. Finally, CVE-2023-32373 is a use-after-free bug that could enable arbitrary code execution.

Earlier in the month, Apple released iOS 16.4.1 (a) and iPadOS 16.4.1 (a)—the iPhone maker’s first-ever Rapid Security Response update—fixing the latter two exploited WebKit vulnerabilities also patched in iOS 16.5.

Apple iOS and iPadOS 16.5 were issued alongside iOS 15.7.6 and iPadOS 15.7.6 for older iPhones, as well as iTunes 12.12.9 for Windows, Safari 16.5, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6.

Apple also released its first security update for Beats and AirPods headphones.

Microsoft

Microsoft’s mid-month Patch Tuesday fixed 40 security issues, two of which were zero-day flaws already being used in attacks. The first zero-day vulnerability, CVE-2023-29336, is an elevation-of-privilege bug in the Win32k driver that could allow an attacker to gain System privileges.

The second serious flaw, CVE-2023-24932, is a Secure Boot security feature bypass issue that could allow a privileged attacker to execute code. “An attacker who successfully exploited this vulnerability could bypass Secure Boot,” Microsoft said, adding that the flaw is difficult to exploit: “Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.”

The security update is not a full fix: It addresses the vulnerability by updating the Windows Boot Manager, which could cause issues, the company warned. Additional steps are required at this time to mitigate the vulnerability, Microsoft said, pointing to steps affected users can take to mitigate the issue.

Google Android

Google has released its latest Android security patches, fixing 40 flaws, including an already exploited Kernel vulnerability. The updates also include fixes for issues in the Android Framework, System, Kernel, MediaTek, Unisoc, and Qualcomm components.

The most severe of these issues is a high-severity security vulnerability in the Framework component that could lead to local escalation of privilege, Google said, adding that user interaction is needed for exploitation.

Previously linked to commercial spyware vendors, CVE-2023-0266 is a Kernel issue that could lead to local escalation of privilege. User interaction is not needed for exploitation.

Apple's iOS 16.5 Fixes 3 Security Bugs Already Used in Attacks

Microsoft GamingServicesNet version 12.77.3001.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: Microsoft GamingServicesNet 12.77.3001.0 -'GamingServicesNet' Unquoted Service Path# Exploit Author: tmrswrr# Exploit Date: 2023-05.17# Vendor : https://www.microsoft.com/store/productId/9MWPM2CQNLHN# Version : 12.77.3001.0# Tested on OS: Windows 10 Enterprise# Step to discover Unquoted Service Path:==============>> wmic service get name,displayname,pathname,startmode |findstr /i "auto"|findstr /i /v "c:\windows\\" |findstr /i /v """Gaming Services GamingServicesNetC:\ProgramFiles\WindowsApps\Microsoft.GamingServices_12.77.3001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe                                                              AutoC:\>sc qc GamingServicesNet[SC] QueryServiceConfig SUCCESSSERVICE_NAME: GamingServicesNet        TYPE               : 210  WIN32_PACKAGED_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\ProgramFiles\WindowsApps\Microsoft.GamingServices_12.77.3001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Gaming Services        DEPENDENCIES       : staterepository        SERVICE_START_NAME : NT AUTHORITY\LocalServiceC:\>systeminfoHost Name:                 DESKTOP-JAN8AJHOS Name:                   Microsoft Windows 10 Enterprise EvaluationOS Version:                10.0.19045 N/A Build 19045

Microsoft GamingServicesNet 12.77.3001.0 Unquoted Service Path

Apple Zeed ALL YOUR STYLE CMS version 2.0 suffers from a remote SQL injection vulnerability.

    ========================================================================================| # Title     : Apple Zeed ALL YOUR STYLE CMS 2.0 SQL injection Vulnerability          || # Author    : indoushka                                                              || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit)  | | # Vendor    : https://www.applezeed.com/web-creative-package-all-your-style.php      |  | # Dork      : Power BY applezeed.com                                                 |    ========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : tour-detail.php?id=4435[+] https://127.0.0.1/https/biggestjoy.com/tour-detail.php?id=4435 <==== inject here Greetings to :=============================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*|        ===========================================================================================

Apple Zeed ALL YOUR STYLE CMS 2.0 SQL Injection

Vaskar Courier version 3.2.0 appears to leave default credentials installed after installation.

    ================================================================================| # Title     : Vaskar Courier Version 3.2.0 Insecure Settings Vulnerability   || # Author    : indoushka                                                      || # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits)        | | # Vendor    : https://www.vaskar.in/                                         |  | # Dork      : "Designed and Developed by Vaskar Web"                         |================================================================================poc :[+] The vulnerability is about leaves a default set of administrative credentials installed post installation.[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user = admin & pass= 123 [+] https://127.0.0.1/geetanjalicourier.com/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |===================================================================================================

Vaskar Courier 3.2.0 Insecure Settings

Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.
Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.
"Most Gigabyte firmware includes a Windows

Firmware Security / Vulnerability

Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format.

Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.

"Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News.

"The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods."

"Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added.

The executable, per Eclypsium, is embedded into UEFI firmware and written to disk by firmware as part of the system boot process and subsequently launched as an update service.

The .NET-based application, for its part, is configured to download and execute a payload from Gigabyte update servers over plain HTTP, thereby exposing the process to adversary-in-the-middle (AitM) attacks via a compromised router.

Loucaides said the software “seems to have been intended as a legitimate update application,” noting the issue potentially impacts “around 364 Gigabyte systems with a rough estimate of 7 million devices.”

With threat actors constantly on the lookout for ways to remain undetected and leave a minimal intrusion footprint, vulnerabilities in the privileged firmware update mechanism could pave the way for stealthy firmware implants that can subvert all security controls running in the operating system plane.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

To make matters worse, since the UEFI code resides on the motherboard, malware injected to the firmware can persist even if drives are wiped and the operating system is reinstalled.

Organizations are advised to apply the latest firmware updates to minimize potential risks. It's also advised to inspect and disable the "APP Center Download & Install" feature in UEFI/BIOS Setup and set a BIOS password to deter malicious changes.

"Firmware updates have notoriously low uptake with end users," Loucaides said. "Therefore, it is easy to understand thinking that an update application in firmware may help."

"However, the irony of a highly insecure update application, backed into firmware to automatically download and run a payload, is not lost."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows