
UserGate Intrusion Detection System (IDS)

Product
Developers: UserGate, Usergate (formerly Entensys)
Last Release Date: 2023/06/14
Technology: IS - Firewalls

Content

2023

Four signatures added to detect attempts to exploit dangerous vulnerabilities

UserGate on June 14, 2023 announced the update of the intrusion detection system with new signatures.


UserGate added four signatures to the intrusion detection system. They will effectively detect and prevent exploitation attempts, ensuring increased user safety.

One of the signatures is for CVE-2022-47939, a remote code execution vulnerability in the Linux kernel's SMB server (the ksmbd kernel module). The flaw allows an unauthorized user to execute arbitrary code on the system with root rights using specially crafted packets.

Another signature is for CVE-2023-27997. This is also an RCE vulnerability, but it affects Fortinet SSL VPN. The flaw allows an attacker to execute arbitrary code on the target system with root rights using a specially crafted POST request.

The third signature, for CVE-2023-20887, covers a command injection bug in VMware vRealize Network Insight. It also leads to RCE.

Finally, the fourth added signature (CVE-2023-34362) refers to an SQL injection in MOVEit Transfer. An attacker could exploit this vulnerability to read arbitrary files and upload a web shell to the server.

Adding a signature to detect an attempt to exploit the "QueueJumper" vulnerability in the Message Queuing service for Windows

The UserGate Monitoring and Response Center has added a signature to the UserGate Intrusion Detection and Prevention System (IDPS) to detect attempts to exploit the QueueJumper vulnerability (CVE-2023-21554) in the Windows Message Queuing service. The company announced this on April 17, 2023.

Microsoft Message Queuing (MSMQ) is a technology for asynchronous communication between applications. By default, the service is not installed. MSMQ is used in the development of applications that work in heterogeneous networks or offline. MSMQ serves as a middleware component in enterprise applications and is fully integrated into the Microsoft .NET Framework. The vulnerability can be exploited both for initial penetration into the network and for lateral movement.


CVSS v3.1 rating: 9.8. The vulnerability has been assigned the identifier CVE-2023-21554.

Affected versions:

  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 version 21H2 for ARM64-based Systems
  • Windows 11 version 21H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)

Protection Recommendations:

  • Install the latest updates from the OS manufacturer's website.
  • Audit information systems for software using this service (process name "mqsvc.exe"; "cmd.exe /c sc query mqsvc"). On servers on the internal network where the service is used, event monitoring should be strengthened until the patches are installed. Verify that TCP port 1801 is not accessible from an external network (for example, by scanning with "nmap -Pn -p 1801 --open -n -vvv 192.168.0.0/24").
  • Check whether your Security Updates subscription is up-to-date. When you use the UserGate signature profile, all signatures start working automatically.
  • Create an IDPS rule with the signature "Windows QueueJumper RCE" if you are using your own signature profile.
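The audit steps above produce raw tool output that still has to be turned into a patch list. The following Python script is an added example, not UserGate's code: it parses the output of the two checks the recommendations name, "sc query mqsvc" and an nmap sweep of TCP port 1801, and reports which hosts have Message Queuing installed or exposed. All sample outputs embedded in it are constructed, not captured from real systems.

```python
"""Added example (not UserGate's code): post-processing for the QueueJumper
audit steps above. It parses the output of the two checks the advisory names,
`cmd.exe /c sc query mqsvc` and an nmap sweep of TCP port 1801, and reports
which hosts have Message Queuing installed or exposed. All sample outputs
below are constructed, not captured from real systems."""
from __future__ import annotations

import re

MSMQ_PORT = 1801

# Constructed sample: `sc query mqsvc` on a host where MSMQ is installed and running.
SC_QUERY_RUNNING = """\
SERVICE_NAME: mqsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed sample: the same command on a host without MSMQ (the default state).
SC_QUERY_MISSING = """\
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

# Constructed sample of normal nmap output for
# `nmap -Pn -p 1801 --open -n -vvv 192.168.0.0/24` (trimmed). With --open nmap
# omits hosts whose port is not open; the parser tolerates such lines anyway.
NMAP_SAMPLE = """\
Nmap scan report for 192.168.0.15
Host is up, received arp-response (0.0010s latency).

PORT     STATE SERVICE REASON
1801/tcp open  msmq    syn-ack ttl 128

Nmap scan report for 192.168.0.22
Host is up, received arp-response (0.0012s latency).

PORT     STATE  SERVICE REASON
1801/tcp closed msmq    reset ttl 128

Nmap scan report for 192.168.0.40
Host is up, received arp-response (0.0009s latency).

PORT     STATE SERVICE REASON
1801/tcp open  msmq    syn-ack ttl 128
"""

STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_sc_query(output: str) -> dict:
    """Summarise `sc query mqsvc` output as {'installed': bool, 'state': str|None}.

    Error 1060 (ERROR_SERVICE_DOES_NOT_EXIST) means MSMQ is not installed.
    """
    if "FAILED 1060" in output:
        return {"installed": False, "state": None}
    m = STATE_RE.search(output)
    return {"installed": True, "state": m.group(1) if m else None}


def parse_nmap_open_hosts(output: str, port: int = MSMQ_PORT) -> list[str]:
    """Return the hosts whose TCP `port` nmap reported as open."""
    port_re = re.compile(rf"^{port}/tcp\s+open\b")
    hosts: list[str] = []
    current = None
    for line in output.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
        elif current and port_re.match(line):
            hosts.append(current)
    return hosts


def assess(sc_output: str, nmap_output: str, scanned_from_outside: bool) -> list[str]:
    """Turn both check results into prioritised findings for the patch list."""
    findings = []
    svc = parse_sc_query(sc_output)
    if svc["installed"]:
        findings.append(f"mqsvc installed (state {svc['state']}): patch first, "
                        f"tighten event monitoring until patched")
    for host in parse_nmap_open_hosts(nmap_output):
        reach = "reachable from OUTSIDE" if scanned_from_outside else "open on internal network"
        findings.append(f"{host}: TCP/{MSMQ_PORT} {reach}")
    return findings


if __name__ == "__main__":
    for line in assess(SC_QUERY_RUNNING, NMAP_SAMPLE, scanned_from_outside=False):
        print(line)
```

Run the sweep once from inside the network and once from an external vantage point and feed each result in with the matching scanned_from_outside flag: any host listed with "reachable from OUTSIDE" violates the recommendation that port 1801 not be reachable externally and should be firewalled before, not after, patching.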

2022: Signatures added to detect a buffer overflow vulnerability

The UserGate Monitoring and Response Center has added two signatures to the UserGate Intrusion Detection System (IDS) to detect attacks using CVE-2022-3602 and CVE-2022-3786 vulnerabilities.

The vulnerability is a buffer overflow in the X.509 certificate fields id-ce-subjectAltName and id-ce-nameConstraints when Punycode-encoded names are processed, which could potentially lead to remote code execution. An attacker can trigger the overflow by making a TLS connection that authenticates with a specially crafted certificate.

No CVSS v3.1 rating has been assigned to the vulnerability yet, but the OpenSSL Project Team initially rated it CRITICAL. A twin vulnerability (CVE-2022-3786) was subsequently found, and the rating of both was reduced to HIGH.

UserGate products are not affected by this vulnerability.

Affected versions of OpenSSL:

  • OpenSSL versions 3.0.0 through 3.0.6.

Affected products:

  • Ubuntu 22.04 "Kinetic Kudu" and "Jammy";
  • Debian 12 "Bookworm";
  • CentOS;
  • Fedora Linux 36/37;
  • Linux Mint 21 Vanessa;
  • Kali 2022.3;
  • OpenSUSE;
  • Oracle Linux;
  • Red Hat Universal Base Images;
  • SUSE Enterprise Linux Server.

The UserGate Cyber Threat Monitoring and Response Center recommends that users:

  • Make sure that your equipment does not use a vulnerable version of OpenSSL and, if one is found, update it;
  • Check the relevance of the subscription to the Security Updates module;
  • Add signatures "Possible OpenSSL X.509 Email Address 4-byte Buffer Overflow" and "Possible OpenSSL X.509 Email Address Variable Length Buffer Overflow" to the IDPS blocking rule.
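The first recommendation, checking that no equipment runs an affected OpenSSL build, is usually done across many hosts at once. The following Python script is an added example, not UserGate's or the OpenSSL project's code: it triages collected "openssl version" output against the affected range stated above (3.0.0 through 3.0.6, fixed in 3.0.7). The host names and command outputs in it are constructed samples; one of them shows the "(Library: ...)" suffix that some builds print, which the script prefers because running services link against the library, not the command-line binary.

```python
"""Added example (not UserGate's or the OpenSSL project's code): fleet triage
of `openssl version` output against the affected range given above,
3.0.0 through 3.0.6 (fixed in 3.0.7). All host names and outputs below are
constructed samples."""
from __future__ import annotations

import re

AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")
# Some builds (Debian/Ubuntu among them) append "(Library: OpenSSL x.y.z ...)";
# the library is what running services link against, so it takes precedence.
LIBRARY_RE = re.compile(r"Library:\s*" + VERSION_RE.pattern)

# Constructed samples of `openssl version` collected from several hosts.
FLEET = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "api-01": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "mixed-01": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "bastion-01": "bash: openssl: command not found",
}


def parse_openssl_version(output: str) -> tuple[int, int, int] | None:
    """Extract (major, minor, patch), preferring the linked library version."""
    m = LIBRARY_RE.search(output) or VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when the upstream version lies in the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(fleet: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts into affected / not_affected / unknown (no parsable version)."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, output in fleet.items():
        version = parse_openssl_version(output)
        if version is None:
            result["unknown"].append(host)
        elif is_affected(version):
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(FLEET).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Distribution packages often backport the fix without changing the upstream version string, so a host in the "affected" bucket means "verify against the distribution's advisory and package changelog", not "confirmed vulnerable"; hosts in "unknown" need a manual look, since a missing binary does not prove that no service links a vulnerable libssl.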