Glafkos Charalambous

**Name of the Vulnerable Software and Affected Versions** Intel Ethernet diagnostics driver versions prior to 1.3.1.0 **Description** The Intel Ethernet diagnostics driver contains a flaw due to insufficient input validation when processing IOCTL calls (0x80862013, 0x8086200B, 0x8086200F, 0x80862007). Successful exploitation of this issue could allow an attacker to cause a denial of service or potentially execute arbitrary code with kernel privileges. The Scattered Spider threat actor has been observed attempting to leverage this issue through a Bring Your Own Vulnerable Driver (BYOVD) technique to bypass endpoint security solutions like Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne. This technique involves deploying older, vulnerable versions of the Intel Ethernet driver to gain elevated privileges on compromised systems. The driver used by Scattered Spider is a 64-bit kernel driver with 35 functions, signed with stolen code signing certificates. It decrypts a hardcoded string of target security solutions and patches the target drivers with hardcoded offsets. The driver also repeats loaded kernel modules for the security software component and patches it in memory to avoid detection. **API Endpoints:** The vulnerability is triggered through IOCTL calls, specifically (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, and (d) 0x80862007. **Recommendations** Update IQVW32.sys to version 1.3.1.0 or later. Update IQVW64.sys to version 1.3.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** AlienVault Open Source Security Information Management (OSSIM) version 4.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved through various parameters in different PHP files, including the `sensor` parameter in a Query action to "forensics/base qry main.php", the `tcp flags[]` or `tcp port[0][4]` parameters to "forensics/base stat alerts.php", the `ip addr[1][8]` or `port type` parameters to "forensics/base stat ports.php", or the `sortby` or `rvalue` parameters in a search action to "vulnmeter/index.php". **Recommendations** For AlienVault Open Source Security Information Management (OSSIM) version 4.1, consider disabling the vulnerable parameters `sensor`, `tcp flags[]`, `tcp port[0][4]`, `ip addr[1][8]`, `port type`, `sortby`, and `rvalue` in their respective PHP files until a patch is available. Restrict access to the affected PHP files, such as "forensics/base qry main.php", "forensics/base stat alerts.php", "forensics/base stat ports.php", and "vulnmeter/index.php", to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Adobe On Location CS4 Build 315 **Description** The issue allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse `ibfs32.dll` that is located in the same folder as an OLPROJ file. **Recommendations** For Adobe On Location CS4 Build 315, consider removing or restricting access to the `ibfs32.dll` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Adobe Device Central CS5 version 3.0.0(376) Adobe Device Central CS5 version 3.0.1.0 (3027) Adobe Device Central CS5 (other versions possibly affected) **Description** The issue allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks. This is achieved via a Trojan horse `qtcf.dll` located in the same folder as an ADCP file. **Recommendations** For Adobe Device Central CS5 version 3.0.0(376), consider removing or restricting access to the `qtcf.dll` file until a patch is available. For Adobe Device Central CS5 version 3.0.1.0 (3027), avoid using the software with untrusted ADCP files until the issue is resolved. For other possibly affected versions of Adobe Device Central CS5, restrict access to the `qtcf.dll` file and avoid using the software with untrusted ADCP files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Adobe Illustrator versions 14.0.0 through 15.0.1 and earlier **Description** The issue allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks. This can be achieved via a Trojan horse `dwmapi.dll` or `aires.dll` that is located in the same folder as an .ait or .eps file. **Recommendations** For Adobe Illustrator versions 14.0.0 through 15.0.1 and earlier, update to a version later than 15.0.1 to resolve the issue. At the moment, there is no information about other versions that may be affected and how to fix them.

**Name of the Vulnerable Software and Affected Versions** Adobe InDesign CS4 version 6.0 Adobe InDesign CS5 versions 7.0.2 and earlier Adobe InDesign Server CS5 versions 7.0.2 and earlier Adobe InCopy CS5 versions 7.0.2 and earlier **Description** The issue allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks. This is achieved via a Trojan horse `ibfs32.dll` located in the same folder as certain file types, including `.indl`, `.indp`, `.indt`, or `.inx` files. **Recommendations** For Adobe InDesign CS4 version 6.0, update to a version later than 6.0. For Adobe InDesign CS5 versions 7.0.2 and earlier, update to a version later than 7.0.2. For Adobe InDesign Server CS5 versions 7.0.2 and earlier, update to a version later than 7.0.2. For Adobe InCopy CS5 versions 7.0.2 and earlier, update to a version later than 7.0.2.

**Name of the Vulnerable Software and Affected Versions** TeamViewer versions 5.0.8703 and earlier **Description** The issue allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks. This can be achieved via a Trojan horse dwmapi.dll located in the same folder as a .tvs or .tvc file. **Recommendations** For TeamViewer versions 5.0.8703 and earlier, consider updating to a newer version to mitigate the risk of exploitation. As a temporary workaround, restrict access to the dwmapi.dll file to minimize the risk of DLL hijacking attacks. Avoid executing .tvs or .tvc files from untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Skype versions 4.2.0.169 and earlier **Description** The issue allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse `wab32.dll` that is located in the same folder as a .skype file. **Recommendations** For Skype versions 4.2.0.169 and earlier, update to a version later than 4.2.0.169 to resolve the issue. As a temporary workaround, consider restricting access to the `wab32.dll` file to minimize the risk of exploitation. Avoid using .skype files from untrusted sources until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Evenzia CMS (affected versions not specified) Description: The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML. The vulnerability is located in the includes/send.inc.php file. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.