13 Oct 2023

Week in review

Greetings,

This week was an eventful one for AUSCERT as part of our team journeyed to Melbourne to connect with our members and participate in the prestigious Women in Security Awards ceremony. The 2023 Australian Women in Security Awards was a night filled with grace and charm, as it embraced an enchanting masquerade theme this year. This event served as a wonderful occasion for members of the industry to come together and celebrate the achievements and contributions of both men and women who have played pivotal roles in this field.

AUSCERT is a proud sponsor of the Women in Security Awards, endorsing their initiatives to foster greater diversity and break down gender-related barriers. These awards honour champions who are committed to dismantling gender discrimination in their workplace while advocating for equality within the cyber security industry. Additionally, they acknowledge organisations that are dedicated to fostering a more inclusive and empowering workplace culture. The Women in Security Awards does a great job of shining a spotlight on those who go above and beyond to create an environment that genuinely celebrates all voices and contributes to shaping a brighter and more equitable future for all.

In recent developments, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a cyber security advisory (CSA) that highlights the most common misconfigurations found in large organisations, detailing the tactics, techniques, and procedures (TTPs) employed by malicious actors to exploit these misconfigurations. The CSA outlines the top 10 misconfigurations, which together reveal a prevailing trend of systemic weaknesses within many organisations, even those with well-established cyber security practices. The agencies also provide mitigation advice to reduce these weaknesses, including the importance of secure-by-design principles in the software supply chain. This proactive approach can alleviate the strain on defenders, making it essential in the ongoing effort to enhance cyber security resilience.

In conclusion, if you’re seeking something engaging to listen to during your commute, be sure to tune in to the newest episode of our Share Today, Save Tomorrow podcast – Episode 27, Celebrating Neurodiversity! Anthony sits down with Shelly and Trinity to discuss neurodiversity and share their advice and experience on creating the best work environment for people who might see and feel the world differently. In the second half of the episode, Bek and our Principal Analyst Mark Carey-Smith sit down to discuss our new Cyber Resilience for Executives course and preparations for AUSCERT2024.


HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks
Date: 2023-10-10
Author: The Hacker News

[Please see AUSCERT bulletin: ASB-2023.0189]
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset.
The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10.

New critical Citrix NetScaler flaw exposes 'sensitive' data
Date: 2023-10-10
Author: Bleeping Computer

[Please see AUSCERT bulletin: ESB-2023.5826]
[AUSCERT has also identified the impacted members (where possible) and contacted them via email]
Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances.
The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity.
However, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server for it to be vulnerable to attacks.

curl vulnerabilities ironed out with patches after week-long tease
Date: 2023-10-11
Author: The Register

[See AUSCERT bulletin: ASB-2023.0190]
After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today.
Described by curl project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546.
We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high."

Australia’s home affairs department hit by DDoS attack claimed by pro-Russia hackers
Date: 2023-10-06
Author: The Guardian

The department responsible for Australia’s cybersecurity, national security and immigration has confirmed it was hit with a distributed denial-of-service attack on Thursday night that took its website offline for five hours, after a pro-Russia hacker group said it would target the site over Australia’s support for Ukraine.
The group posted on Telegram on Thursday night that it was targeting the home affairs department with a distributed denial-of-service (DDoS) attack after Australia announced this week that Slinger technology aimed at combating drones would be sent to Ukraine in the push back against the Russian invasion.

GNOME Linux systems exposed to RCE attacks via file downloads
Date: 2023-10-09
Author: Bleeping Computer

A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment.
libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions.
Cue sheets (or CUE files) are plain text files containing the layout of audio tracks on a CD, such as length, name of song, and musician, and are also typically paired with the FLAC audio file format.

Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
Date: 2023-10-10
Author: Ars Technica

Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.
The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.


ASB-2023.0187 – ALERT Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.4

Microsoft's most recent security patch update resolves vulnerabilities across Microsoft Office, Office Services and Web Apps.

ASB-2023.0182 – ALERT Microsoft Windows: CVSS (Max): 9.8*

Microsoft patched 80 vulnerabilities in Windows and Windows Server in its October 2023 Patch Tuesday release.

ESB-2023.5866 – ALERT BIG-IP Configuration utility: CVSS (Max): 9.9

F5 Networks has introduced fixes to resolve a directory traversal vulnerability found in BIG-IP. These fixes are designed to address and mitigate the potential risks associated with this vulnerability.

ESB-2023.5861 – ALERT FortiWLM: CVSS (Max): 9.6

Fortinet has issued patches to address a critical vulnerability in FortiWLM, related to unauthenticated command injection.

ESB-2023.5878 – Adobe Photoshop: CVSS (Max): 7.8

Adobe has recently launched an update for Photoshop for both Windows and macOS operating systems. This update specifically addresses a critical vulnerability that, if exploited successfully, could potentially result in the execution of arbitrary code.

ESB-2023.5917 – IBM Security QRadar SIEM: CVSS (Max): 9.8

IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. However, IBM QRadar SIEM has taken the necessary steps to address the relevant CVEs.


Stay safe, stay patched and have a good weekend!

The AUSCERT team