Merge branch 'wagov:main' into main
CharlesRN authored Apr 22, 2024
2 parents 23bb21f + 2f3cbf0 commit 0402bbc
Showing 6 changed files with 148 additions and 3 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/tlpclear-githubpages.yml
Expand Up @@ -41,6 +41,7 @@ jobs:
commit_message: Format markdown docs
deploy:
permissions:
contents: read
pages: write
id-token: write
environment:
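Review bot: `contents: read` in the `deploy` job's `permissions` block is granted with no indication of which step needs it. If the deploy job never checks out the repository, drop the scope and keep the job at `pages: write` and `id-token: write` only; if it does, add a one-line comment naming the step that reads repository contents so the grant can be re-evaluated when the job changes.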
Expand Down Expand Up @@ -70,10 +71,10 @@ jobs:
- name: Setup Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
- name: Upload artifact
uses: actions/upload-pages-artifact@84bb4cd4b733d5c320c9c9cfbc354937524f4d64 # v1.0.10
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
# Upload main folder
path: "site"
# Upload built site
path: 'site'
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
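Review bot: the `actions/upload-pages-artifact` pin moves two major versions (v1.0.10 to v3.0.1) inside a merge commit, and the trailing `# v3.0.1` comment is the only thing tying the new SHA to a release. Confirm that 56afc609e74202658d3ffba0e8f6dda462b719fa is the commit the v3.0.1 tag points to, and note in the commit or PR description that v3 is the release meant to pair with deploy-pages v4, which the next step already pins at v4.0.5. The switch from "site" to 'site' on the `path` line is cosmetic churn; keep one quote style across the workflow.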
@@ -0,0 +1,54 @@
# Ivanti Avalanche Multiple RCE Vulnerabilities - 20240418004

## Overview

The WA SOC has been made aware of 27 fixes released by Ivanti for various reported vulnerabilities in its 2024 first-quarter release. Ivanti has expressed they are not aware of any exploitation of these vulnerabilities at the time of disclosure.

## What is vulnerable?

- Any version of Avalanche ***before version 6.4.3***.

| **CVE** | **Description** | **CVSS** | **Vector** | |
| ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ----------------------------------- | --- |
| [CVE-2024-22061](https://nvd.nist.gov/vuln/detail/CVE-2024-22061) | A Heap Overflow vulnerability in WLInfoRailService before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | ***8.1*** | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-23526](https://nvd.nist.gov/vuln/detail/CVE-2024-23526) | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | ***5.3*** | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | |
| [CVE-2024-23527](https://nvd.nist.gov/vuln/detail/CVE-2024-23527) | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | ***5.3*** | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | |
| [CVE-2024-23528](https://nvd.nist.gov/vuln/detail/CVE-2024-23528) | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | ***5.3*** | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | |
| [CVE-2024-23529](https://nvd.nist.gov/vuln/detail/CVE-2024-23529) | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | ***5.3*** | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | |
| [CVE-2024-23530](https://nvd.nist.gov/vuln/detail/CVE-2024-23530) | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | ***5.3*** | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | |
| [CVE-2024-23531](https://nvd.nist.gov/vuln/detail/CVE-2024-23531) | An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory. | ***7.5*** | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | |
| [CVE-2024-23533](https://nvd.nist.gov/vuln/detail/CVE-2024-23533) | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory. | ***4.3*** | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | |
| [CVE-2024-23532](https://nvd.nist.gov/vuln/detail/CVE-2024-23532) | An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution. | ***7.5*** | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-23534](https://nvd.nist.gov/vuln/detail/CVE-2024-23534) | An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-23535](https://nvd.nist.gov/vuln/detail/CVE-2024-23535) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24991](https://nvd.nist.gov/vuln/detail/CVE-2024-24991) | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | ***6.5*** | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | |
| [CVE-2024-24992](https://nvd.nist.gov/vuln/detail/CVE-2024-24992) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24993](https://nvd.nist.gov/vuln/detail/CVE-2024-24993) | A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24994](https://nvd.nist.gov/vuln/detail/CVE-2024-24994) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24995](https://nvd.nist.gov/vuln/detail/CVE-2024-24995) | A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24996](https://nvd.nist.gov/vuln/detail/CVE-2024-24996) | A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. | ***9.8*** | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24997](https://nvd.nist.gov/vuln/detail/CVE-2024-24997) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24998](https://nvd.nist.gov/vuln/detail/CVE-2024-24998) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-24999](https://nvd.nist.gov/vuln/detail/CVE-2024-24999) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-25000](https://nvd.nist.gov/vuln/detail/CVE-2024-25000) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-27975](https://nvd.nist.gov/vuln/detail/CVE-2024-27975) | An Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-27976](https://nvd.nist.gov/vuln/detail/CVE-2024-27976) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ***8.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | |
| [CVE-2024-27977](https://nvd.nist.gov/vuln/detail/CVE-2024-27977) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service. | ***7.1*** | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H | |
| [CVE-2024-27978](https://nvd.nist.gov/vuln/detail/CVE-2024-27978) | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | ***6.5*** | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | |
| [CVE-2024-27984](https://nvd.nist.gov/vuln/detail/CVE-2024-27984) | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service. | ***7.1*** | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H | |
| [CVE-2024-29204](https://nvd.nist.gov/vuln/detail/CVE-2024-29204) | A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | ***9.8*** | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- It is highly recommended to update to Avalanche version 6.4.3 or later: [Download](https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27687&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/)

## Additional References

- [Avalanche 6.4.3 Security Hardening and CVEs addressed (ivanti.com)](https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US)
- [Ivanti Releases Fixes for More Than 2 Dozen Vulnerabilities (darkreading.com)](https://www.darkreading.com/vulnerabilities-threats/ivanti-releases-fixes-for-more-than-2-dozen-vulnerabilities)
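Review bot: the CVE-2024-29204 row is internally inconsistent: the description says a remote unauthenticated attacker can execute arbitrary commands and the score is 9.8, but the vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, the same string the CVE-2024-24991 row carries with a score of 6.5 for an authenticated denial of service. Re-check the vector against the NVD entry linked in that row and correct whichever field is wrong. Every table row also ends in an empty fifth column (`| |`), which should be dropped from the header and rows, and the Recommendation still contains the trailing "..." after *one month*.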
@@ -0,0 +1,26 @@
# Cisco Patches Vulnerabilities in Integrated Management Controller - 20240419001

## Overview

A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.

## What is vulnerable?

| CVE | Severity | CVSS | Product(s) Affected |
| ----------------------------------------------------------------- | -------- | ---- | --------------------------------- |
| [CVE-2024-20295](https://nvd.nist.gov/vuln/detail/CVE-2024-20295) | **High** | 8.8 | See vendor link in Recommendation |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices (refer [Patch Management](../guidelines/patch-management.md)):

- [CISCO Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ)

## Additional References

- [Tenable-CVE-2024-20295](https://www.tenable.com/cve/CVE-2024-20295)
- [Bleeping Computer - Cisco discloses root escalation flaw with public exploit code](https://www.bleepingcomputer.com/news/security/cisco-discloses-root-escalation-flaw-with-public-exploit-code/)
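Review bot: the Overview and "What has been observed?" sections say nothing about exploit availability, yet the Bleeping Computer entry under Additional References is titled "Cisco discloses root escalation flaw with public exploit code". If that is accurate, state it in the Overview, since it affects how quickly readers should act. The Recommendation also gives no timeframe, unlike the Ivanti, Oracle and PuTTY advisories in this commit, which all say one month; add one or explain its absence. "CISCO Security Advisory" should read "Cisco".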
@@ -0,0 +1,22 @@
# Oracle Critical Patch Update for April 2024 - 20240419002

## Overview

Oracle released its quarterly Critical Patch Update Advisory for April 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

## What is vulnerable?

| Product(s) Affected | Summary | Dated |
| -------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------- |
| [List of Products](https://www.oracle.com/security-alerts/cpuapr2024.html) | These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. | 18 April, 2024 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month.* (refer [Patch Management](../guidelines/patch-management.md)):

- [Oracle Patch](https://www.oracle.com/security-alerts/cpuapr2024.html)
- [CISA](https://www.cisa.gov/news-events/alerts/2024/04/18/oracle-releases-critical-patch-update-advisory-april-2024)
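Review bot: the Recommendation list mixes the vendor patch link with the CISA alert, and the advisory has no "Additional References" section, which the other advisories in this commit use for third-party coverage. Move the CISA link under an "Additional References" heading so the Recommendation contains only the action to take. In the same sentence, "*one month.*" has a stray full stop inside the emphasis, directly before "(refer".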
25 changes: 25 additions & 0 deletions docs/advisories/20240419003-PuTTY-vulnerability.md
@@ -0,0 +1,25 @@
# Critical PuTTY Vulnerability Exposes Private Keys - 20240419003

## Overview

A severe security flaw has been discovered in the popular SSH client PuTTY (versions 0.68 to 0.80), impacting a wide range of software including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. This defect drastically weakens private keys used in the ECDSA algorithm with the NIST P-521 curve, leaving them easily recoverable by attackers.

## What is vulnerable?

| CVE | Severity | CVSS | Product(s) Affected | Summary | Dated |
| ----------------------------------------------------------------- | ---------- | ---- | ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| [CVE-2024-31497](https://nvd.nist.gov/vuln/detail/CVE-2024-31497) | **Medium** | 5.9 | **versions 0.68 through 0.80, before 0.81** | PuTTY generates random values (nonces) used within the ECDSA signature process. In the NIST P-251 configuration, the randomness is heavily biased. Attackers can exploit this bias to reconstruct the private key after collecting just 60 or so signatures created with the compromised key. | 15/04/2024 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- https://www.tenable.com/cve/CVE-2024-31497

## Additional References

- https://securityonline.info/cve-2024-31497-critical-putty-vulnerability-exposes-private-keys-immediate-action-required/
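Review bot: the Summary cell of the CVE-2024-31497 row says "NIST P-251", while the Overview names the curve as NIST P-521; correct the cell to P-521. The title calls the flaw "Critical" but the table rates it Medium with a CVSS of 5.9, so align one with the other. Because the Overview states that affected private keys are recoverable, upgrading alone does not protect a key that has already been used: the Recommendation should also tell administrators to replace P-521 keys used with versions 0.68 to 0.80, and should link the vendor fix (the table gives 0.81) rather than only a Tenable page. Remove the trailing "..." after *one month*.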
@@ -0,0 +1,17 @@
# Libreswan Popular VPN Software Vulnerability - 20240419004

## Overview

The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts.

## What is vulnerable?

| CVE | Severity | CVSS | Product(s) Affected |
| --------------------------------------------------------------- | -------- | ---- | ------------------------- |
| [CVE-2024-3652](https://nvd.nist.gov/vuln/detail/CVE-2024-3652) | **High** | 7.5 | **Libreswan 3.22 - 4.14** |

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)):

- https://libreswan.org/security/CVE-2024-3652/
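Review bot: this advisory has no "What has been observed?" section, which every other advisory added in this commit includes, and the Recommendation says "within expected timeframe" without stating what that timeframe is. Add the section and a concrete timeframe to match the others. The Overview already identifies the trigger condition (IKEv1 with no `esp=` line), so it is worth saying in the Recommendation that administrators should check their connection definitions for that condition while scheduling the upgrade, with the details taken from the linked vendor page.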
