July 2023 - Daily

Tageszusammenfassung - 31.07.2023
by Daily end-of-shift report 31 Jul '23

31 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-07-2023 18:00 − Montag 31-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Linux version of Abyss Locker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The Abyss Locker operation is the latest to develop a Linux encryptor to target VMwares ESXi virtual machines platform in attacks on the enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locke… ∗∗∗ Hackers exploit BleedingPipe RCE to target Minecraft servers, players ∗∗∗ --------------------------------------------- Hackers are actively exploiting a BleedingPipe remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe… ∗∗∗ P2PInfect server botnet spreads using Redis replication feature ∗∗∗ --------------------------------------------- Threat actors are actively targeting exposed instances of the Redis open-source data store with a peer-to-peer self-replicating worm with versions for both Windows and Linux that the malware authors named P2Pinfect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spre… ∗∗∗ Automatically Finding Prompt Injection Attacks ∗∗∗ --------------------------------------------- Researchers have just published a paper showing how to automate the discovery of prompt injection attacks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/07/automatically-finding-prompt… ∗∗∗ WordPress Vulnerability & Patch Roundup July 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service ∗∗∗ --------------------------------------------- More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. --------------------------------------------- https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html ∗∗∗ Apple iOS, Google Android Patch Zero-Days in July Security Updates ∗∗∗ --------------------------------------------- Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities. --------------------------------------------- https://www.wired.com/story/apple-google-microsoft-zero-day-fix-july-2023/ ∗∗∗ Exploiting the StackRot vulnerability ∗∗∗ --------------------------------------------- For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li hasposted a detailedwriteup of the bug and how it can be exploited. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. --------------------------------------------- https://lwn.net/Articles/939542/ ∗∗∗ Sie verkaufen Ihr Auto? Vorsicht bei Abwicklung über Kurierdiensten oder Speditionen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen gibt es sie: betrügerische Anfragen. Die Person will Ihr Auto ohne Besichtigung und Preisverhandlung kaufen, schickt ungefragt eine Ausweiskopie und wirkt unkompliziert. Da die Person aber im Ausland ist und das Auto nicht abholen kann, beauftragt sie einen Kurierdienst. Spätestens jetzt sollten die Alarmglocken schrillen, denn es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-ihr-auto-vorsicht-bei-… ∗∗∗ Windows UAC aushebeln ∗∗∗ --------------------------------------------- Gerade auf Twitter auf ein Projekt mit dem Namen Defeating Windows User Account Control gestoßen, wo jemand über Wege nachdenkt, die Benutzerkontensteuerung von Windows auszuhebeln. Er hat ein kleines Tool entwickelt, mit dem sich die Windows-Benutzerkontensteuerung durch Missbrauch der integrierten [...] --------------------------------------------- https://www.borncity.com/blog/2023/07/29/windows-uac-aushebeln/ ∗∗∗ CISA Releases Malware Analysis Reports on Barracuda Backdoors ∗∗∗ --------------------------------------------- CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-an… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-35081 - New Ivanti EPMM Vulnerability ∗∗∗ --------------------------------------------- During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability ∗∗∗ WAGO: Bluetooth LE vulnerability in WLAN-ETHERNET-Gateway ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-014/ ∗∗∗ WAGO: Multiple products prone to multiple vulnerabilities in e!Runtime / CODESYS V3 Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-026/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2023
by Daily end-of-shift report 28 Jul '23

28 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-07-2023 18:00 − Freitag 28-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Android malware uses OCR to steal credentials from images ∗∗∗ --------------------------------------------- Two new Android malware families named CherryBlos and FakeTrade were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr… ∗∗∗ Nutzerdaten in Gefahr: Hunderttausende von Wordpress-Seiten anfällig für Datenklau ∗∗∗ --------------------------------------------- Drei Schwachstellen im Wordpress-Plugin Ninja Forms können mitunter massive Datenlecks zur Folge haben. Admins sollten zeitnah updaten. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-hunderttausende-von-wordpre… ∗∗∗ ShellCode Hidden with Steganography, (Fri, Jul 28th) ∗∗∗ --------------------------------------------- When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs. --------------------------------------------- https://isc.sans.edu/diary/rss/30074 ∗∗∗ Hackers Abusing Windows Search Feature to Install Remote Access Trojans ∗∗∗ --------------------------------------------- A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows. --------------------------------------------- https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.ht… ∗∗∗ IcedID Malware Adapts and Expands Threat with Updated BackConnect Module ∗∗∗ --------------------------------------------- The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module thats used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. --------------------------------------------- https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html ∗∗∗ Hackers are infecting Call of Duty (Modern Warfare 2 (2009)) players with a self-spreading malware ∗∗∗ --------------------------------------------- Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. [..] Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware. “Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue,” the tweet read. --------------------------------------------- https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-player… ∗∗∗ Angreifer können NAS- und IP-Videoüberwachungssysteme von Qnap lahmlegen ∗∗∗ --------------------------------------------- Mehrere Netzwerkprodukte von Qnap sind für eine DoS-Attacken anfällig. Dagegen abgesicherte Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9229575 ∗∗∗ The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 ∗∗∗ --------------------------------------------- This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes. --------------------------------------------- https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in… ∗∗∗ Zimbra Patches Exploited Zero-Day Vulnerability ∗∗∗ --------------------------------------------- Zimbra has released patches for a cross-site scripting (XSS) vulnerability that has been exploited in malicious attacks. --------------------------------------------- https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerabilit… ∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse ∗∗∗ --------------------------------------------- The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required ∗∗∗ --------------------------------------------- Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html ∗∗∗ ZDI-23-1010: Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1010/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ACLs Not Installed upon Reload ∗∗∗ --------------------------------------------- An issue with the boot-time programming of access control lists (ACLs) for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow a device to boot without all of its ACLs being correctly installed. This issue is due to a logic error that occurs when ACLs are programmed at boot time. If object groups are not in sequential order in the startup configuration, some access control entries (ACEs) may not be installed. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/939445/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and libmail-dkim-perl), Fedora (openssh), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/939519/ ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-04 ∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) ∗∗∗ --------------------------------------------- An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-09 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2023
by Daily end-of-shift report 27 Jul '23

27 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-07-2023 18:00 − Donnerstag 27-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 KB5028244 update released with 19 fixes, improved security ∗∗∗ --------------------------------------------- Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5028244-update… ∗∗∗ APT trends report Q2 2023 ∗∗∗ --------------------------------------------- This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2023/110231/ ∗∗∗ Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining ∗∗∗ --------------------------------------------- Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners.The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. --------------------------------------------- https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html ∗∗∗ Android Güncelleme – dissecting a malicious update installer ∗∗∗ --------------------------------------------- Recently, during one of F-Secure Android’s routine tests, we came across one such fake Android update sample – Android Güncelleme, that proved to be evasive and exhibited interesting exfiltration characteristics. Although the sample is not novel (some features have already been covered in other articles on the Internet), it nevertheless combines several malicious actions together, such as anti-analysis and anti-uninstallation, making it a more potent threat. --------------------------------------------- https://blog.f-secure.com/android-guncelleme-dissecting-a-malicious-update-… ∗∗∗ Fruity trojan downloader performs multi-stage infection of Windows computers ∗∗∗ --------------------------------------------- For about a year, Doctor Web has been registering support requests from users complaining about Windows-based computers getting infected with the Remcos RAT (Trojan.Inject4.57973) spyware trojan. While investigating these incidents, our specialists uncovered an attack in which Trojan.Fruity.1, a multi-component trojan downloader, played a major role. To distribute it, threat actors create malicious websites and specifically crafted software installers. --------------------------------------------- https://news.drweb.com/show/?i=14728&lng=en&c=9 ∗∗∗ SySS Proof of Concept-Video: "Reversing the Irreversible, again: Unlocking locked Omnis Studio classes" (CVE-2023-38334) ∗∗∗ --------------------------------------------- Das Softwareentwicklungstool unterstützt eine nach eigenen Angaben irreversible Funktion, mit der sich Programmklassen in Omnis-Bibliotheken sperren lassen (locked classes).[..] Aufgrund von Implementierungsfehlern, die während eines Sicherheitstests entdeckt wurden, ist es jedoch möglich, gesperrte Omnis-Klassen zu entsperren, um diese im Omnis Studio-Browser weiter analysieren oder auch modifizieren zu können. Dieser Sachverhalt erfüllt nicht die Erwartungen an eine irreversible Funktion. --------------------------------------------- https://www.syss.de/pentest-blog/syss-proof-of-concept-video-reversing-the-… ∗∗∗ Vorsicht bei "fehlgeschlagenen Zahlungen" auf Booking ∗∗∗ --------------------------------------------- Sie haben eine Nachricht des Hotels bekommen, das Sie über Booking.com gebucht haben und werden zur Bestätigung Ihrer Kreditkarte aufgefordert? Achtung – hierbei handelt es sich um eine ausgeklügelte Phishing-Masche! Die Kriminellen stehlen Ihre Daten und Sie bezahlen Ihr Hotel doppelt! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-fehlgeschlagenen-zahlun… ∗∗∗ Online-Banking: Vorsicht vor Suchmaschinen-Phishing ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben ihre betrügerischen Bank-Webseiten auch bei populären Suchmaschinen wie Google, Yahoo oder Bing. --------------------------------------------- https://www.zdnet.de/88410826/online-banking-vorsicht-vor-suchmaschinen-phi… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation ∗∗∗ --------------------------------------------- The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains a unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation. --------------------------------------------- https://kb.cert.org/vuls/id/813349 ∗∗∗ Schwachstellen entdeckt: 40 Prozent aller Ubuntu-Systeme erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Zwei Schwachstellen im OverlayFS-Modul von Ubuntu gefährden zahllose Server-Systeme. Admins sollten die Kernel-Module zeitnah aktualisieren. (Sicherheitslücke, Ubuntu) --------------------------------------------- https://www.golem.de/news/schwachstellen-entdeckt-40-prozent-aller-ubuntu-s… ∗∗∗ ZDI-23-1002: SolarWinds Network Configuration Manager VulnDownloader Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Configuration Manager. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1002/ ∗∗∗ Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032 ∗∗∗ --------------------------------------------- Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-032 ∗∗∗ Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031 ∗∗∗ --------------------------------------------- The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: Originally the solution was listed as just updating the module, however, a cache rebuild will be necessary for the solution to take effect. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-031 ∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability, July 2023 ∗∗∗ --------------------------------------------- The Progress Sitefinity team recently discovered a potential security vulnerability in the Progress Sitefinity .NET Core Renderer Application. It has since been addressed. [..] For optimal security, we recommend an upgrade to the latest Sitefinity .NET Core Renderer version, which currently is 14.4.8127. A product update is also available for older supported Sitefinity versions --------------------------------------------- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A… ∗∗∗ SolarWinds Platform Security Advisories ∗∗∗ --------------------------------------------- - Access Control Bypass Vulnerability CVE-2023-3622 - Incorrect Behavior Order Vulnerability CVE-2023-33224 - Incorrect Input Neutralization Vulnerability CVE-2023-33229 - Deserialization of Untrusted Data Vulnerability CVE-2023-33225 - Incomplete List of Disallowed Inputs Vulnerability CVE-2023-23844 - Incorrect Comparison Vulnerability CVE-2023-23843 --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ SECURITY BULLETIN: July 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗ --------------------------------------------- CVE Identifier(s): CVE-2023-38624, CVE-2023-38625, CVE-2023-38626, CVE-2023-38627 CVSS 3.0 Score(s): 4.2 Post-authenticated server-side request forgery (SSRF) vulnerabilities in Trend Micro Apex Central 2019 could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000294176?language=en_US ∗∗∗ Security updates available in Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1 ∗∗∗ --------------------------------------------- Platform: macOS Summary: Foxit has released Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1, which address potential security and stability issues. CVE-2023-28744, CVE-2023-38111, CVE-2023-38107, CVE-2023-38109, CVE-2023-38113, CVE-2023-38112, CVE-2023-38110, CVE-2023-38117 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ Sicherheitsupdates: Angreifer können Access Points von Aruba übernehmen ∗∗∗ --------------------------------------------- Wenn die Netzwerkbetriebssysteme ArubaOS 10 oder InstantOS zum Einsatz kommen, sind Access Points von Aruba verwundbar. --------------------------------------------- https://heise.de/-9227914 ∗∗∗ Jetzt patchen! Root-Sicherheitslücke gefährdet Mikrotik-Router ∗∗∗ --------------------------------------------- Stimmten die Voraussetzungen, können sich Angreifer in Routern von Mikrotik zum Super-Admin hochstufen. --------------------------------------------- https://heise.de/-9226696 ∗∗∗ Sicherheitsupdate: Angreifer können Sicherheitslösung Sophos UTM attackieren ∗∗∗ --------------------------------------------- Sophos Unified Threat Management ist verwundbar. Aktuelle Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9228570 ∗∗∗ Synology-SA-23:10 SRM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraint, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_10 ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-208-01 ETIC Telecom RAS Authentication - ICSA-23-208-02 PTC KEPServerEX - ICSA-23-208-03 Mitsubishi Electric CNC Series - ICSA-22-307-01 ETIC RAS (Update A) - ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-releases-five-indus… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012005 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Angular ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012009 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012001 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012033 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014267 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Bouncy Castle ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012003 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012037 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014905 ∗∗∗ IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014929 ∗∗∗ IBM B2B Advanced Communications is vulnerable to denial of service (CVE-2023-24971) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014933 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOps ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014939 ∗∗∗ IBM\u00ae Db2\u00ae has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go denial of service vulnerability ( CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014981 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014991 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2020-24736] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014993 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to security restriction bypass due to [CVE-2023-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014995 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to privilege elevation due to [CVE-2023-26604] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014997 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities in libtiff ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014999 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015003 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015007 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to denial of service due to [CVE-2023-34453], [CVE-2023-34454], [CVE-2023-34455] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015009 ∗∗∗ IBM Event Streams is affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014405 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2023
by Daily end-of-shift report 26 Jul '23

26 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-07-2023 18:00 − Mittwoch 26-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mysterious Decoy Dog malware toolkit still lurks in DNS shadows ∗∗∗ --------------------------------------------- New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware… ∗∗∗ New Nitrogen malware pushed via Google Ads for ransomware attacks ∗∗∗ --------------------------------------------- A new Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-… ∗∗∗ How to Scan A Website for Vulnerabilities ∗∗∗ --------------------------------------------- Even the most diligent site owners should consider when they had their last website security check. As our own research indicates, infections resulting from known website vulnerabilities continue to plague website owners. According to our 2022 Hacked Website Report, last year alone WordPress accounted for 96.2% of infected websites due to its market share and popularity. Statistics like these highlight why it’s so important that you regularly scan your website for vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2023/07/how-to-scan-website-for-vulnerabilities.html ∗∗∗ Sneaky Python package security fixes help no one – except miscreants ∗∗∗ --------------------------------------------- Good thing these eggheads have created a database of patches - Python security fixes often happen through "silent" code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, according to a group of computer security researchers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silen… ∗∗∗ Tool Release: Cartographer ∗∗∗ --------------------------------------------- Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, honing in on target functionality, or even discovering unused content in video games. --------------------------------------------- https://research.nccgroup.com/2023/07/20/tool-release-cartographer/ ∗∗∗ New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets ∗∗∗ --------------------------------------------- Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware. --------------------------------------------- https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-gam… ∗∗∗ Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability ∗∗∗ --------------------------------------------- GreyNoise researchers have identified active exploitation for a remote code execution (RCE) vulnerability in Citrix ShareFile (CVE-2023-24489) --------------------------------------------- https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-… ===================== = Vulnerabilities = ===================== ∗∗∗ ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285) ∗∗∗ --------------------------------------------- ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ B&R Automation Runtime SYN Flooding Vulnerability in Portmapper ∗∗∗ --------------------------------------------- CVE-2023-3242, CVSS v3.1 Base Score: 8.6 The Portmapper service used in Automation Runtime versions <G4.93 is vulnerable to SYN flooding attacks. An unauthenticated network-based attacker may use this vulnerability to cause several services running on B&R Automation Runtime to become permanently inaccessible. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16897876… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, iperf3, openjdk-17, and pandoc), Fedora (389-ds-base, kitty, and thunderbird), SUSE (libqt5-qtbase, libqt5-qtsvg, mysql-connector-java, netty, netty-tcnative, openssl, openssl-1_1, openssl1, php7, python-scipy, and xmltooling), and Ubuntu (amd64-microcode, avahi, libxpm, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, openstack-trove, and python-django). --------------------------------------------- https://lwn.net/Articles/939305/ ∗∗∗ Mattermost security updates 8.0.1 / 7.10.5 / 7.8.9 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.0.1, 7.10.5, and 7.8.9 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-8-0-1-7-10-5-7-8-9-… ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- BOSCH-SA-247054-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed. Customers are advised to isolate the switch from the Internet if upgrading is not possible. The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247054-bt.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/26/cisa-adds-one-known-expl… ∗∗∗ Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95727578/ ∗∗∗ AIX is vulnerable to denial of service due to zlib (CVE-2022-37434) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014483 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2023-29469 and CVE-2023-28484) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014485 ∗∗∗ IBM Security Directory Suite has multiple vulnerabilities [CVE-2022-33163 and CVE-2022-33168] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001885 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014649 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014651 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014659 ∗∗∗ CVE-2023-0465 may affect IBM CICS TX Advanced 10.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014675 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014693 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to TensorFlow denial of service vulnerabilitiy [CVE-2023-25661] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014695 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to YAML denial of service vulnerabilitiy [CVE-2023-2251] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2023
by Daily end-of-shift report 25 Jul '23

25 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 24-07-2023 18:00 − Dienstag 25-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique ∗∗∗ --------------------------------------------- The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. --------------------------------------------- https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html ∗∗∗ Rooting the Amazon Echo Dot ∗∗∗ --------------------------------------------- Thanks to a debug feature implemented by Lab126 (Amazons hardware development company) it is now possible to obtain a tethered root on the device. Thanks to strong security practices enforced by the company such as a chain of trust from the beginning of the boot process, this should not be a major issue. --------------------------------------------- https://dragon863.github.io/blog/echoroot.html ∗∗∗ Will the real Citrix CVE-2023-3519 please stand up? ∗∗∗ --------------------------------------------- While the most recent Citrix Security Advisory identifies CVE-2023-3519 as the only vulnerability resulting in unauthenticated remote code execution, there are at least two vulnerabilities that were patched during the most recent version upgrade. --------------------------------------------- https://www.greynoise.io/blog/will-the-real-citrix-cve-2023-3519-please-sta… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v. These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is Low --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html ∗∗∗ Phishing-Alarm: Unsere Liste mit aktuellen Phishing-Nachrichten ∗∗∗ --------------------------------------------- In Phishing-Nachrichten fordern Kriminelle per E-Mail oder SMS dazu auf, Links zu folgen oder Dateianhänge zu öffnen. So versuchen Kriminelle an Ihre Login-, Bank- oder Kreditkartendaten zu kommen. Jeden Tag werden uns zahlreiche Phishing-Nachrichten gemeldet. Sobald wir neue Phishing-Nachrichten entdecken, ergänzen wir sie in unserem Phishing-Alarm! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-unsere-liste-mit-aktu… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo ∗∗∗ --------------------------------------------- Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0) - CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0) - CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1) --------------------------------------------- https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.h… ∗∗∗ CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (CVSS: 10.0) ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. [..] Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-A… ∗∗∗ F5 Security Advisory K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757 ∗∗∗ --------------------------------------------- This vulnerability may allow an attacker with network access to compromise the affected component. Successful exploit can result in unauthorized ability to cause a partial denial-of-service (DoS) of the affected component. BIG-IP and BIG-IQ Versions known to be vulnerable: BIG-IP (all modules) 13.x-17.x, BIG-IQ Centralized Management 8.0.0-8.3.0 --------------------------------------------- https://my.f5.com/manage/s/article/K000135555 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-20593 ∗∗∗ --------------------------------------------- AMD has released updated microcode to address an issue with certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue. --------------------------------------------- https://support.citrix.com/article/CTX566835/citrix-hypervisor-security-upd… ∗∗∗ Xen Security Advisory XSA-433 x86/AMD: Zenbleed ∗∗∗ --------------------------------------------- This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. [..] In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-433.html ∗∗∗ VMWare VMSA-2023-0016 (CVE-2023-20891) ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 Synopsis: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability Known Attack Vectors: A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0016.html ∗∗∗ TYPO3 12.4.4 and 11.5.30 security releases published ∗∗∗ --------------------------------------------- All versions are security releases and contain important security fixes - read the corresponding security advisories: - TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer (CVE-2023-38500) - TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution (CVE-2023-38499) - TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin (CVE-2023-37905) --------------------------------------------- https://typo3.org/article/typo3-1244-and-11530-security-releases-published ∗∗∗ Lücken gestopft: Apple bringt iOS 16.6, macOS 13.5, watchOS 9.6 und tvOS 16.6 ∗∗∗ --------------------------------------------- Fehlerbehebungen und vor allem sicherheitsrelevante Fixes liefern frische Apple-Updates vom Montagabend. Es gab auch Zero-Day-Löcher. --------------------------------------------- https://heise.de/-9225677 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh). --------------------------------------------- https://lwn.net/Articles/939179/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13.1 ∗∗∗ --------------------------------------------- CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character ilenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/ ∗∗∗ Spring Security 5.6.12, 5.7.10, 5.8.5, 6.0.5, and 6.1.2 are available now, including fixes for CVE-2023-34034 and CVE-2023-34035 ∗∗∗ --------------------------------------------- Those versions fix the following CVEs: - CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern - CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets --------------------------------------------- https://spring.io/blog/2023/07/24/spring-security-5-6-12-5-7-10-5-8-5-6-0-5… ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released four Industrial Control Systems (ICS) advisories on July 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. - ICSA-23-206-01 AXIS A1001 - ICSA-23-206-02 Rockwell Automation ThinManager ThinServer - ICSA-23-206-03 Emerson ROC800 Series RTU and DL8000 Preset Controller - ICSA-23-206-04 Johnson Controls IQ Wifi 6 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/25/cisa-releases-four-indus… ∗∗∗ 2023-07-24: Cyber Security Advisory - ABB Ability Zenon directory permission and internal issues ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&Language… ∗∗∗ AMD Cross-Process Information Leak ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500571-AMD-CROSS-PROCESS-INFOR… ∗∗∗ [R1] Stand-alone Security Patch Available for Security Center versions 6.0.0, 6.1.0 and 6.1.1: SC-202307.1-6.x ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-26 ∗∗∗ [R1] Stand-alone Security Patch Available for Security Center version 5.23.1: SC-202307.1-5.23.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-25 ∗∗∗ OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014235 ∗∗∗ SnakeYaml is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014243 ∗∗∗ Node.js http-cache-semantics module is vulnerable to CVE-2022-25881 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014237 ∗∗∗ Wekzeug is vulnerable to CVE-2023-25577 and CVE-2023-23934 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014239 ∗∗∗ Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014241 ∗∗∗ Apache Commons FileUpload and Tomcat are vulnerable to CVE-2023-24998 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014245 ∗∗∗ Xml2js is vulnerable to CVE-2023-0842 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014247 ∗∗∗ Flask is vulnerable to CVE-2023-30861 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014251 ∗∗∗ Apache Commons Codec is vulnerable to PRISMA-2021-0055 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014255 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014253 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ json-20220320.jar is vulnerable to CVE-2022-45688 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014269 ∗∗∗ Apache Kafka is vulnerable to CVE-2022-34917 and CVE-2023-25194 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014273 ∗∗∗ Netplex json-smart-v2 is vulnerable to CVE-2023-1370 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014271 ∗∗∗ Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014281 ∗∗∗ VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014361 ∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20861 and CVE-2023-20863 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014353 ∗∗∗ Netty is vulnerable to CVE-2023-34462 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014357 ∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20860 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014363 ∗∗∗ Apache Commons FileUpload and Apache Tomcat are vulnerable to CVE-2023-24998, CVE-2022-45143, and CVE-2023-28708 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014365 ∗∗∗ VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014369 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014371 ∗∗∗ Google Guava is vulnerable to CVE-2023-2976 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014373 ∗∗∗ Snappy-java is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014375 ∗∗∗ The Bouncy Castle Crypto Package For Java is vulnerable to CVE-2023-33201 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014377 ∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014379 ∗∗∗ Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011697 ∗∗∗ Multiple vulnerabilities in Apache Log4j affects IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014395 ∗∗∗ IBM Event Streams is affected by multiple Golang Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014403 ∗∗∗ IBM WebSphere Application Server, used in IBM Security Verify Governance Identity Manager, could provide weaker than expected security (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014401 ∗∗∗ The IBM\u00ae Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for X-Force ID 220800 and CVE-2017-12626 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014413 ∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center(CVEs - Remediation\/Fixes) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014429 ∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014379 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to arbitrary code execution due to [CVE-2022-28805] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014459 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service due to [CVE-2021-27212] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014457 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands are vulnerable to denial of service due to [CVE-2022-21349] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014455 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014451 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014453 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014473 ∗∗∗ IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014475 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/876830 ∗∗∗ Watson Query potentially exposes adminstrators key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6569235 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6453431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2023
by Daily end-of-shift report 24 Jul '23

24 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-07-2023 18:00 − Montag 24-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Eine einfache Aktion beugt Telefonbetrug vor ∗∗∗ --------------------------------------------- Betrüger*innen nutzen gezielt Telefonbücher, um ihre Opfer zu identifizieren. In Visier rücken dabei vor allem ältere Menschen. --------------------------------------------- https://futurezone.at/digital-life/telefonbetrug-vorbeugen-spam-sperren-blo… ∗∗∗ Security baseline for Microsoft Edge version 115 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 115! We have reviewed the new settings in Microsoft Edge version 115 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks ∗∗∗ --------------------------------------------- Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, [...] --------------------------------------------- https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html ∗∗∗ TETRA Radio Code Encryption Has a Flaw: A Backdoor ∗∗∗ --------------------------------------------- A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty. --------------------------------------------- https://www.wired.com/story/tetra-radio-encryption-backdoor/ ∗∗∗ Microsofts gestohlener Schlüssel mächtiger als vermutet ∗∗∗ --------------------------------------------- Ein gestohlener Schlüssel funktionierte möglicherweise nicht nur bei Exchange Online, sondern war eine Art Masterkey für große Teile der Mircrosoft-Cloud. --------------------------------------------- https://heise.de/-9224640 ∗∗∗ Achtung Fake-Shop: vailia-parfuemerie.com ∗∗∗ --------------------------------------------- Bei Vailia Parfümerie finden Sie günstige Kosmetikprodukte und Parfüms. Der Online-Shop macht zwar einen professionellen Eindruck, liefert aber keine Ware. Wenn Sie Ihre Kreditkartendaten als Zahlungsmethode angegeben haben, kommt es entweder zu nicht genehmigten Abbuchungen oder Ihre Daten werden für einen Betrugsversuch zu einem späteren Zeitpunkt missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-vailia-parfuemerie… ∗∗∗ Palo Alto Networks warnt vor P2P-Wurm für Cloud-Container-Umgebungen ∗∗∗ --------------------------------------------- Die neue Malware ist mindestens seit rund zwei Wochen im Umlauf. Sie nimmt eine bekannte Schwachstelle in der Datenbankanwendung Redis ins Visier. --------------------------------------------- https://www.zdnet.de/88410715/palo-alto-networks-warnt-vor-p2p-wurm-fuer-cl… ∗∗∗ Sicherheit: Die AES 128/128 Cipher Suite sollte am IIS deaktiviert werden ∗∗∗ --------------------------------------------- Kurzer Informationssplitter aus dem Bereich der Sicherheit, der Administratoren eines Internet Information-Server (IIS) im Windows-Umfeld interessieren könnte. --------------------------------------------- https://www.borncity.com/blog/2023/07/22/sicherheit-die-aes-128-128-cipher-… ===================== = Vulnerabilities = ===================== ∗∗∗ Zenbleed (CVE-2023-20593) - If you remove the first word from the string "hello world", what should the result be? ∗∗∗ --------------------------------------------- This is the story of how we discovered that the answer could be your root password! [..] AMD have released an microcode update for affected processors. Your BIOS or Operating System vendor may already have an update available that includes it. Workaround: It is highly recommended to use the microcode update. If you can’t apply the update for some reason, there is a software workaround: you can set the chicken bit DE_CFG. This may have some performance cost. --------------------------------------------- https://lock.cmpxchg8b.com/zenbleed.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk). --------------------------------------------- https://lwn.net/Articles/939059/ ∗∗∗ Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo ∗∗∗ --------------------------------------------- Atlassian patches high-severity remote code execution vulnerabilities in Confluence and Bamboo products. --------------------------------------------- https://www.securityweek.com/atlassian-patches-remote-code-execution-vulner… ∗∗∗ AMI MegaRAC SP-X BMC Redfish Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500570-AMI-MEGARAC-SP-X-BMC-R… ∗∗∗ Multiple vulnerabilities affect the embedded Content Navigator in Business Automation Workflow - CVE-2023-24998, 254437 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013897 ∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014039 ∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014057 ∗∗∗ IBM App Connect for Manufacturing is vulnerable to a denial of service due to FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014181 ∗∗∗ IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to Node.js (CVE-2023-23920) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014193 ∗∗∗ IBM Sterling Connect:Direct File Agent is vulnerable to a buffer overflow and unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition (CVE-2023-21930, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009987 ∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server which is a component of IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013889 ∗∗∗ IBM Storage Protect Server is vulnerable to denial of service due to Golang Go ( CVE-2023-24534 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014223 ∗∗∗ IBM Storage Protect Server is vulnerable to sensitive information disclosure due to IBM GSKit ( CVE-2023-32342 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014225 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2023
by Daily end-of-shift report 21 Jul '23

21 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-07-2023 18:00 − Freitag 21-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ GitHub warns of Lazarus hackers targeting devs with malicious projects ∗∗∗ --------------------------------------------- GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hack… ∗∗∗ Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities ∗∗∗ --------------------------------------------- A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. --------------------------------------------- https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html ∗∗∗ Supply chain security for Go, Part 3: Shifting left ∗∗∗ --------------------------------------------- Previously in our Supply chain security for Go series, we covered dependency and vulnerability management tools and how Go ensures package integrity and availability as part of the commitment to countering the rise in supply chain attacks in recent years. In this final installment, we’ll discuss how “shift left” security can help make sure you have the security information you need, when you need it, to avoid unwelcome surprises. --------------------------------------------- http://security.googleblog.com/2023/07/supply-chain-security-for-go-part-3.… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities ∗∗∗ --------------------------------------------- At the time, the latest Perimeter81 MacOS application (10.0.0.19) suffers from local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows main application to setup things which require administrative privileges such as VPN connection, changing routing table, etc. --------------------------------------------- https://kb.cert.org/vuls/id/653767 ∗∗∗ Schwachstellen in AMI-Firmware: Gigabyte-Hack gefährdet unzählige Serversysteme ∗∗∗ --------------------------------------------- Nach einem Hackerangriff auf Gigabyte ist unter anderem eine AMI-Firmware geleakt, in der Forscher nun äußerst brisante Schwachstellen fanden. --------------------------------------------- https://www.golem.de/news/schwachstellen-in-ami-firmware-gigabyte-hack-gefa… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang, nodejs16, nodejs18, and R-jsonlite), Red Hat (java-1.8.0-openjdk and java-17-openjdk), SUSE (container-suseconnect, redis, and redis7), and Ubuntu (wkhtmltopdf). --------------------------------------------- https://lwn.net/Articles/938878/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0006 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-37450, CVE-2023-32393. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0006.html ∗∗∗ Foxit PDF Reader und PDF Editor 12.1.3 als Sicherheitsupdates ∗∗∗ --------------------------------------------- Kurze Information für Leute, die noch den Foxit PDF Reader und/oder den PDF Editor einsetzen sollten. In älteren Versionen gibt es Sicherheitslücken, die durch ein Sicherheitsupdate auf die Version 12.1.3.15356 beseitigt werden [...] --------------------------------------------- https://www.borncity.com/blog/2023/07/20/foxit-pdf-reader-und-pdf-editor-12… ∗∗∗ GBrowse vulnerable to unrestricted upload of files with dangerous types ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35897618/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.0.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/ ∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013595 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010095 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963962 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855661 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server ( CVE-2022-3509, CVE-2022-3171) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963956 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957392 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963958 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963960 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954401 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954403 ∗∗∗ IBM Global Mailbox is vulnerable to remote code execution due to Apache Cassandra (CVE-2021-44521) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852565 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954405 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011767 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013887 ∗∗∗ Vulnerability in Google gson 2.2.4 libraries (CVE-2022-25647) affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013881 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2023
by Daily end-of-shift report 20 Jul '23

20 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-07-2023 18:00 − Donnerstag 20-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Citrix-Zero-Days: Angriffsspuren auf Netscaler ADC und Gateway aufspüren ∗∗∗ --------------------------------------------- Vor der Verfügbarkeit von Updates wurden CItrix-Lücken bereits in freier Wildbahn angegriffen. Daher ist eine Überprüfung auf Angriffsspuren sinnvoll. --------------------------------------------- https://heise.de/-9221655 ∗∗∗ Microsoft Relents, Offers Free Critical Logging to All 365 Customers ∗∗∗ --------------------------------------------- Industry pushback prompts Microsoft to drop premium pricing for access to cloud logging data. --------------------------------------------- https://www.darkreading.com/application-security/microsoft-relents-offers-f… ∗∗∗ Docker Hub images found to expose secrets and private keys ∗∗∗ --------------------------------------------- Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/07/docker-hub-images-found-to-e… ∗∗∗ Vorab bezahlen, um arbeiten zu können? Finger weg von Jobs der Nice Tech GmbH ∗∗∗ --------------------------------------------- Auf nice102.com, nice02.com, unice688.com, nicetechmax.com und vermutlich zahlreichen weiteren Domains betreibt die Nice Tech GmbH ein undurchsichtiges Pyramidensystem, bei dem Sie angeblich Geld von zu Hause aus verdienen können. Die Aufgabenbeschreibungen sind aber äußerst vage, um loslegen zu können, sollen Sie vorab Geld bezahlen und das meiste Geld gibt es für die Anwerbung neuer Mitglieder. --------------------------------------------- https://www.watchlist-internet.at/news/vorab-bezahlen-um-arbeiten-zu-koenne… ∗∗∗ P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm ∗∗∗ --------------------------------------------- A novel peer-to-peer worm written in Rust is uniquely scalable. It targets open-source database Redis and can infect multiple platforms. --------------------------------------------- https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/ ∗∗∗ Announcing New DMARC Policy Handling Defaults for Enhanced Email Security ∗∗∗ --------------------------------------------- For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dm… ∗∗∗ The SOC Toolbox: Analyzing AutoHotKey compiled executables ∗∗∗ --------------------------------------------- A quick post on how to extract AutoHotKey scripts from an AutoHotKey script compiled executable. --------------------------------------------- https://blog.nviso.eu/2023/07/20/the-soc-toolbox-analyzing-autohotkey-compi… ∗∗∗ Escalating Privileges via Third-Party Windows Installers ∗∗∗ --------------------------------------------- In this blog post, we will share how Mandiant’s red team researches and exploits zero-day vulnerabilities in third-party Windows Installers, what software developers should do to reduce risk of exploitation, and introduce a new tool to simplify enumeration of cached Microsoft Software Installer (MSI). --------------------------------------------- https://www.mandiant.com/resources/blog/privileges-third-party-windows-inst… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Tanzu Spring: Update schließt kritische Lücke ∗∗∗ --------------------------------------------- Aktualisierte Versionen von VMware Tanzu Spring schließen Sicherheitslücken. Eine davon gilt als kritisch. --------------------------------------------- https://heise.de/-9221869 ∗∗∗ CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED] ∗∗∗ --------------------------------------------- Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023) ∗∗∗ --------------------------------------------- Last week, there were 69 vulnerabilities disclosed in 68 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. --------------------------------------------- https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (sysstat), Gentoo (openssh), Mageia (firefox/nss, kernel, kernel-linus, maven, mingw-nsis, mutt/neomutt, php, qt4/qtsvg5, and texlive), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and kpatch-patch), Slackware (curl and openssh), SUSE (curl, grafana, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python-Flask, python310, samba, SUSE Manager Client Tools, and texlive), and Ubuntu (curl, ecdsautils, and samba). --------------------------------------------- https://lwn.net/Articles/938711/ ∗∗∗ Apache OpenMeetings Wide Open to Account Takeover, Code Execution ∗∗∗ --------------------------------------------- Researcher discovers vulnerabilities in the open source Web application, which were fixed in the latest Apache OpenMeeting update. --------------------------------------------- https://www.darkreading.com/remote-workforce/apache-openmeetings-account-ta… ∗∗∗ CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent ∗∗∗ --------------------------------------------- In this advisory, we present our research, experiments, reproducible results, and further ideas to exploit this "dlopen() then dlclose()" primitive. We will also publish the source code of our crude fuzzer at https://www.qualys.com/research/security-advisories/. --------------------------------------------- https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-… ∗∗∗ Sicherheitsschwachstellen in Omnis Studio (SYSS-2023-005/-006) ∗∗∗ --------------------------------------------- Implementierungsfehler erlauben Angreifern, private Omnis-Bibliotheken und gesperrte Klassen im Omnis Studio Browser zu öffnen und zu bearbeiten. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-omnis-studio-… ∗∗∗ TP-LINK TL-WR840N: Schwachstelle ermöglicht Stack Buffer Overflow DOS ∗∗∗ --------------------------------------------- In der Firmware des TP-Link Routers TP-LINK TL-WR840N gibt es eine Schwachstelle, die es einem Remote-Angreifer ermöglicht, einen Stack Buffer Overflow DOS-Angriff durchzuführen. TP-Link will keinen Sicherheitshinweis dazu veröffentlichen, hat aber eine neue Firmware (TL-WR840N(KR)_V6.2_230702) auf dieser Webseite bereitgestellt. --------------------------------------------- https://www.borncity.com/blog/2023/07/20/tp-link-tl-wr84-schwachstelle-ermg… ∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Small Business SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to SnakeYaml [CVE-2022-1471] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013297 ∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2023-28530, XFID: 212233, CVE-2022-24999, CVE-2023-28530, CVE-2023-25929) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012621 ∗∗∗ IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003501 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to security restrictions bypass due to [CVE-2022-32221], [CVE-2023-27533], [CVE-2023-28322] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013517 ∗∗∗ Security Vulnerabilities in hazelcast client affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013527 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Framework (CVE-2023-20863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003899 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2023-20862) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003901 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerabilitiy [CVE-2023-20863] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012251 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2023
by Daily end-of-shift report 19 Jul '23

19 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-07-2023 18:00 − Mittwoch 19-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Neue Ransomware: Kriminelle verschlüsseln Systeme im Namen von Sophos ∗∗∗ --------------------------------------------- Eine vermeintliche Verschlüsselungssoftware von Sophos entpuppt sich als Bitcoin einspielender Ransomware-Dienst für kriminelle Akteure. --------------------------------------------- https://www.golem.de/news/neue-ransomware-kriminelle-verschluesseln-systeme… ∗∗∗ Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability ∗∗∗ --------------------------------------------- On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public. --------------------------------------------- https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397… ∗∗∗ Massive Google Colaboratory Abuse: Gambling and Subscription Scam ∗∗∗ --------------------------------------------- While Google’s free and open tools are undeniably valuable for collaboration (and innovation), it’s evident that complications arise when they become a haven for bad actors. Millions of documents with spam content on the Google Colab platform reveal that spammers have found yet another method to host doorways that they actively promote via spam link injections on compromised websites. --------------------------------------------- https://blog.sucuri.net/2023/07/massive-google-colaboratory-abuse-gambling-… ∗∗∗ LKA Niedersachsen warnt vor Phishing und Abofallen mit iCloud- und Google-Mails ∗∗∗ --------------------------------------------- Derzeit versenden Betrüger Mails, laut denen Apple iCloud- oder Google-Speicherplatz volllaufe. Davor warnt das LKA Niedersachsen. --------------------------------------------- https://heise.de/-9220688 ∗∗∗ Network and Information Systems Security (NIS2): recommendations for NRENs ∗∗∗ --------------------------------------------- GÉANT worked with Stratix, an independent consultancy firm specialised in communication infrastructures and services, to go through the steps that NRENs need to follow and the questions that need to be answered during the NIS2 implementation phase. --------------------------------------------- https://connect.geant.org/2023/07/19/network-and-information-systems-securi… ∗∗∗ HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within ∗∗∗ --------------------------------------------- Despite risks to their own data and devices, some users continue to be lured into downloading illegal versions of popular paid-for software, disregarding the potentially more severe repercussions than legitimate alternatives. We have analyzed how cybercriminals deploy HotRat, a remote access trojan (RAT), through an AutoHotkey script attached to cracked software. --------------------------------------------- https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-softwa… ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSSL Security Advisory: Excessive time spent checking DH keys and parameters (CVE-2023-3446) ∗∗∗ --------------------------------------------- Severity: Low Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. --------------------------------------------- https://www.openssl.org/news/secadv/20230714.txt ∗∗∗ Webbrowser: Google stopft 20 Sicherheitslecks in Chrome 115 ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in Version 115 vorgelegt. Darin bessern die Entwickler 20 Schwachstellen aus. --------------------------------------------- https://heise.de/-9220438 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl). --------------------------------------------- https://lwn.net/Articles/938596/ ∗∗∗ Session Token Enumeration in RWS WorldServer ∗∗∗ --------------------------------------------- Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/ ∗∗∗ Oracle Releases Security Updates ∗∗∗ --------------------------------------------- Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for July 2023 to address vulnerabilities affecting multiple products. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/18/oracle-releases-security… ∗∗∗ Vulnerability with guava (CVE-2023-2976) affect IBM Cloud Object Storage Systems (July 2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012815 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010311 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010313 ∗∗∗ Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012979 ∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989451 ∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013037 ∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013035 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855613 ∗∗∗ WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a server-side request forgery vulnerability(CVE-2022-35282). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6827807 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953111 ∗∗∗ IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964530 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983186 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983188 ∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013135 ∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013139 ∗∗∗ IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013143 ∗∗∗ Weintek Weincloud ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2023
by Daily end-of-shift report 18 Jul '23

18 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 17-07-2023 18:00 − Dienstag 18-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks ∗∗∗ --------------------------------------------- The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. --------------------------------------------- https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html ∗∗∗ Uncovering drIBAN fraud operations. Chapter 3: Exploring the drIBAN web inject kit ∗∗∗ --------------------------------------------- So far, we have discussed the malspam campaign that started spreading sLoad. Then, we discovered that sLoad is a dropper for Ramnit [..] After that, we also described Ramnit’s capabilities, focusing mainly on its injection and persistence techniques. As a final step, we will discuss drIBAN, a sophisticated and modular web-inject kit that can hide resources, masquerade its presence, and perform large-scale ATS attacks. --------------------------------------------- https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapt… ∗∗∗ Wordpress: Angriffswelle auf Woocommerce Payments läuft derzeit ∗∗∗ --------------------------------------------- Die IT-Forscher von Wordfence beobachten eine Angriffswelle auf das Woocommerce Payments-Plug-in. Es ist auf mehr als 600.000 Websites installiert. --------------------------------------------- https://heise.de/-9219114 ∗∗∗ JavaScript-Sandbox vm2: Neue kritische Schwachstelle, kein Update mehr ∗∗∗ --------------------------------------------- Für die jüngste kritische Sicherheitslücke im Open-Source-Projekt vm2 gibt es keinen Bugfix, sondern der Betreiber rät zum Umstieg auf isolated-vm. --------------------------------------------- https://heise.de/-9219087 ∗∗∗ Verkaufen auf Shpock: Vorsicht, wenn Sie den Kaufbetrag in Ihrer Banking-App "bestätigen" müssen ∗∗∗ --------------------------------------------- Sie verkaufen etwas auf Shpock. Sofort meldet sich jemand und möchte es kaufen. Zeitgleich erhalten Sie ein E-Mail von „TeamShpock“ mit der Information, dass die Ware bezahlt wurde und Sie das Geld anfordern können. Sie werden auf eine "Auszahlungsseite" verlinkt. Vorsicht, diese Vorgehensweise ist Betrug. Wir zeigen Ihnen, wie die Betrugsmasche abläuft und wie Sie sicher auf Shpock verkaufen! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-shpock-vorsicht-wenn-s… ∗∗∗ NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing ∗∗∗ --------------------------------------------- This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for the design, deployment, operation, and maintenance of a hardened 5G standalone network slice(s). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/17/nsa-cisa-release-guidanc… ===================== = Vulnerabilities = ===================== ∗∗∗ Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) (CVE-2023-34203) ∗∗∗ --------------------------------------------- Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user. --------------------------------------------- https://community.progress.com/s/article/Role-based-Access-Control-and-Priv… ∗∗∗ Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack ∗∗∗ --------------------------------------------- The flaw presents a significant supply chain risk since it allows attackers to maliciously tamper with application images, which can then infect users and customers when they install the application. [..] Orca Security immediately reported the findings to the Google Security Team, who investigated the issue and deployed a partial fix. However, Google’s fix doesn’t revoke the discovered Privilege Escalation (PE) vector. It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk. --------------------------------------------- https://orca.security/resources/blog/bad-build-google-cloud-build-potential… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/938488/ ∗∗∗ Sicherheitslücken, teils kritisch, in Citrix/Netscaler ADC und Gateway - aktiv ausgenützt - Updates verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentisierten Angreifenden, beliebigen Code auszuführen. Diese Schwachstelle wird auch bereits aktiv ausgenützt. Weitere mit diesen Updates geschlossene Sicherheitslücken betreffen Reflected Cross Site Scripting (XSS) sowie Privilege Escalation. --------------------------------------------- https://cert.at/de/warnungen/2023/7/sicherheitslucken-teil-kritisch-in-citr… ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers ∗∗∗ --------------------------------------------- Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012387 ∗∗∗ IBM Security Verify Governance has multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012649 ∗∗∗ IBM Security Verify Governance has multiple vulnerabilities (CVE-2022-41946, CVE-2022-46364, CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012647 ∗∗∗ Vulnerabilities in httpclient library affects IBM Engineering Test Management (ETM) (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012659 ∗∗∗ Vulnerabilities in Commons Codec library affects IBM Engineering Test Management (ETM) (IBM X-Force ID:177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012657 ∗∗∗ Vulberability in Apache commons io library affects IBM Engineering Test Management (ETM) (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012661 ∗∗∗ Vulnerability in Junit library affects IBM Engineering Test Management (ETM) ( CVE-2020-15250) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012663 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011767 ∗∗∗ Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012675 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012711 ∗∗∗ Daeja ViewONE may be affected by Bouncy Castle Vulnerability (CVE-2023-33201) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012809 ∗∗∗ Rockwell Automation Kinetix 5700 DC Bus Power Supply ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-01 ∗∗∗ Weintek Weincloud ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04 ∗∗∗ Keysight N6845A Geolocation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02 ∗∗∗ GeoVision GV-ADR2701 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05 ∗∗∗ WellinTech KingHistorian ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-07 ∗∗∗ Iagona ScrutisWeb ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03 ∗∗∗ GE Digital CIMPLICITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2023
by Daily end-of-shift report 17 Jul '23

17 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-07-2023 18:00 − Montag 17-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Meet NoEscape: Avaddon ransomware gangs likely successor ∗∗∗ --------------------------------------------- The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransom… ∗∗∗ Analysis of Storm-0558 techniques for unauthorized email access ∗∗∗ --------------------------------------------- Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-… ∗∗∗ Xen Security Notice 1: winpvdrvbuild.xenproject.org potentially compromised ∗∗∗ --------------------------------------------- Software running on the Xen Project hosted subdomain winpvdrvbuild.xenproject.org is outdated and vulnerable to several CVEs. Some of the reported issues include remote code execution. [..] Since the list of CVEs reported include remote code execution we no longer have confidence that binaries previously available at https://xenbits.xen.org/pvdrivers/win/ are trustworthy. [..] A new set of drivers based on the current master branch and built on a trusted environment have been uploaded --------------------------------------------- https://seclists.org/oss-sec/2023/q3/37 ∗∗∗ Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw ∗∗∗ --------------------------------------------- Adobe patches critical code execution vulnerability in ColdFusion for which a proof-of-concept (PoC) blog exists. --------------------------------------------- https://www.securityweek.com/exploitation-of-coldfusion-vulnerability-repor… ∗∗∗ Last Minute Bikini-Shopping: Nicht in diesen Shops ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach Bademode? Dann werden Ihnen möglicherweise auch auf Facebook und Instagram Werbeanzeigen angezeigt. Wir sehen aktuell viele Werbeanzeigen von unseriösen Shops, die auf der Webseite zwar schöne Bademode präsentieren, aber minderwertige Ware versenden. Wir zeigen Ihnen, wo Sie lieber nicht bestellen sollen. --------------------------------------------- https://www.watchlist-internet.at/news/last-minute-bikini-shopping-nicht-in… ===================== = Vulnerabilities = ===================== ∗∗∗ AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext ∗∗∗ --------------------------------------------- All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users passwords being added to the database in plaintext format."A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," --------------------------------------------- https://thehackernews.com/2023/07/aios-wordpress-plugin-faces-backlash.html ∗∗∗ Wireshark 4.0.7 Released, (Sat, Jul 15th) ∗∗∗ --------------------------------------------- Wireshark version 4.0.7 was released with 2 vulnerabilities and 22 bugs fixed. --------------------------------------------- https://isc.sans.edu/diary/rss/30030 ∗∗∗ PoC-Exploit verfügbar: Adobe legt Patch für Coldfusion nach ∗∗∗ --------------------------------------------- Kurz nach dem Juli-Patchday legt Adobe weitere Updates nach, um eine kritische Schwachstelle in Coldfusion abzudichten. PoC-Exploitcode wurde entdeckt. --------------------------------------------- https://heise.de/-9217427 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gpac, iperf3, kanboard, kernel, and pypdf2), Fedora (ghostscript), SUSE (bind, bouncycastle, ghostscript, go1.19, go1.20, installation-images, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, php74, poppler, and python-Django), and Ubuntu (cups, linux-oem-6.1, and ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.1). --------------------------------------------- https://lwn.net/Articles/938375/ ∗∗∗ IBM InfoSphere Information Server is affected but not vulnerable to multiple vulnerabilities in Undertow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007051 ∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in snakeYAML ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988677 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Framework [CVE-2023-2861, CVE-2023-20860] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988683 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to RubyGems commonmarker gem denial of service vulnerabilitiy [IBM X-Force ID: 252809] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012231 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerabilitiy [CVE-2023-20863] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012235 ∗∗∗ IBM InfoSphere Information Server is affected by a denial of service vulnerability in netplex json-smart-v2 (CVE-2023-1370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988679 ∗∗∗ IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons FileUpload and Tomcat (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008447 ∗∗∗ Watson CP4D Data Stores is vulnerable to SAP NetWeaver AS Java for Deploy Service information disclosure vulnerability ( CVE-2023-24527) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012297 ∗∗∗ IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture (CVE-2023-30990) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008573 ∗∗∗ IBM InfoSphere Information Server is affected but not vulnerable to a vulnerability in jose.4j ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007055 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Boot ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008437 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Apache Cassandra (CVE-2023-30601) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003915 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Tomcat (CVE-2023-28708, CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007057 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-33857) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007059 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Google Guava (CVE-2023-2976) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012025 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in snappy-java ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011483 ∗∗∗ IBM Robotic Process Automation is vulnerable to client side validation bypass (CVE-2023-35901) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012317 ∗∗∗ IBM Performance Tools for i is vulnerable to local privilege escalation (CVE-2023-30989) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012353 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-30988) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012355 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-35898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009205 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26048) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008445 ∗∗∗ Multiple vulnerabilities of Apache common collections (commons-collections-3.2.jar) have affected APM WebSphere Application Server Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012397 ∗∗∗ Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface due to Java and Eclipse ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012395 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012409 ∗∗∗ A vulnerability in OpenStack Swift affects IBM Storage Scale environments with the S3 capability of Object protocol enabled (CVE-2022-47950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012419 ∗∗∗ Mulitple vulnerabilities in Dojo dojox repo may affect IBM Storage Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012427 ∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012387 ∗∗∗ Vulnerability in paramiko-2.4.2-py2.py3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-24302] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012433 ∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to execution of arbitrary code on the system (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012437 ∗∗∗ IBM Performance Tools for i is vulnerable to local privilege escalation (CVE-2023-30989) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012353 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-30988) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012355 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2023
by Daily end-of-shift report 14 Jul '23

14 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-07-2023 18:00 − Freitag 14-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ AVrecon malware infects 70,000 Linux routers to build botnet ∗∗∗ --------------------------------------------- Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avrecon-malware-infects-70-0… ∗∗∗ WormGPT Cybercrime Tool Heralds an Era of AI Malware vs. AI Defenses ∗∗∗ --------------------------------------------- A black-hat alternative to GPT models specifically designed for malicious activities like BEC, malware, and phishing attacks is here, and will push organizations to level up with generative AI themselves. --------------------------------------------- https://www.darkreading.com/attacks-breaches/wormgpt-heralds-an-era-of-usin… ∗∗∗ Security: Schwachstellen-Scanner für Google Go geht an den Start ∗∗∗ --------------------------------------------- Das Tool Govulncheck untersucht Go-Projekte auf bekannte Schwachstellen in den Dependencies. Eine Extension integriert die Überprüfung in Visual Studio Code. --------------------------------------------- https://heise.de/-9216187 ∗∗∗ Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability ∗∗∗ --------------------------------------------- Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had exploited a zero-day vulnerability. --------------------------------------------- https://www.securityweek.com/hackers-target-reddit-alternative-lemmy-via-ze… ∗∗∗ Meta-Werbekonto gehackt? So handeln Sie richtig! ∗∗∗ --------------------------------------------- Ob Fake-Shop, betrügerische Trading-Plattform oder unseriöse Coaching-Angebote: Kriminelle nutzen Social Media, um unterschiedliche Betrugsmaschen zu bewerben. Häufig werden solche Anzeigen von Unternehmensseiten geschaltet, die mit dem beworbenen Produkt nichts zu tun haben. Manchmal sind es auch private Profile, von denen aus betrügerische Anzeigen verbreitet werden. --------------------------------------------- https://www.watchlist-internet.at/news/meta-werbekonto-gehackt-so-handeln-s… ∗∗∗ The danger within: 5 steps you can take to combat insider threats ∗∗∗ --------------------------------------------- Some threats may be closer than you think. Are security risks that originate from your own trusted employees on your radar? --------------------------------------------- https://www.welivesecurity.com/2023/07/13/danger-within-5-steps-combat-insi… ∗∗∗ What is session hijacking and how do you prevent it? ∗∗∗ --------------------------------------------- Attackers use session hijacking to take control of your sessions and impersonate you online. Discover how session hijacking works and how to protect yourself. --------------------------------------------- https://www.emsisoft.com/en/blog/44071/what-is-session-hijacking-and-how-do… ∗∗∗ Attack Surface Management (ASM) – What You Need to Know ∗∗∗ --------------------------------------------- This is the third post in our series on technologies to test your organization’s resilience to cyberattacks. In this installment, we dive into attack surface management (ASM). --------------------------------------------- https://www.safebreach.com/blog/attack-surface-management-asm-what-you-need… ∗∗∗ Old Blackmoon Trojan, NEW Monetization Approach ∗∗∗ --------------------------------------------- Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-moneti… ∗∗∗ PenTales: Old Vulns, New Tricks ∗∗∗ --------------------------------------------- At Rapid7 we love a good pentest story. So often they show the cleverness, skill, resilience, and dedication to our customer’s security that can only come from actively trying to break it! In this series, we’re going to share some of our favorite tales from the pen test desk and hopefully highlight some ways you can improve your own organization’s security. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/13/pentales-old-vulns-new-tricks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Groupware Zimbra: Zero-Day-Lücke macht manuelles Patchen nötig ∗∗∗ --------------------------------------------- Zimbra hat einen manuell anzuwendenden Patch veröffentlicht, der eine Zero-Day-Sicherheitslücke in der Groupware schließt. --------------------------------------------- https://heise.de/-9216179 ∗∗∗ ZDI-23-970: (0Day) Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-970/ ∗∗∗ Security Advisory for Multiple Vulnerabilities on the ProSAFE® Network Management System, PSV-2023-0024 & PSV-2023-0025 ∗∗∗ --------------------------------------------- NETGEAR is aware of multiple security vulnerabilities on the NMS300. NETGEAR strongly recommends that you download the latest version as soon as possible. --------------------------------------------- https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabili… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lemonldap-ng and php-dompdf), Red Hat (.NET 6.0, .NET 7.0, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (ghostscript, installation-images, kernel, php7, python, and python-Django), and Ubuntu (linux-azure, linux-gcp, linux-ibm, linux-oracle, mozjs102, postgresql-9.5, and tiff). --------------------------------------------- https://lwn.net/Articles/938233/ ∗∗∗ CVE-2023-24936 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability ∗∗∗ --------------------------------------------- In the Security Updates table, added all supported versions of all supported versions of .NET Framework, Visual Studio 2022 version 17.0, Visual Studio 2022 version 17.2, and Visual Studio 2022 version 17.4 because these products are also affected by this vulnerability. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24936 ∗∗∗ CVE-2023-36883 Microsoft Edge for iOS Spoofing Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36883 ∗∗∗ CVE-2023-36887 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36887 ∗∗∗ CVE-2023-36888 Microsoft Edge for Android (Chromium-based) Tampering Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36888 ∗∗∗ There is a vulnerability in Apache Commons Net used by IBM Maximo Asset Management (CVE-2021-37533) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009539 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in Progress DataDirect Connect for ODBC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010743 ∗∗∗ Multiple vulnerabilities in IBM Java SDK (April 2023) affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007675 ∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Oracle Java SE ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011963 ∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011965 ∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011975 ∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011979 ∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010369 ∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011977 ∗∗∗ Vulnerability of Apache Thrift (libthrift-0.12.0.jar ) have affected APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003479 ∗∗∗ Vulnerability of Google Gson (gson-2.8.2.jar ) have affected APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003477 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009499 ∗∗∗ InfoSphere Identity Insight is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012011 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2023
by Daily end-of-shift report 13 Jul '23

13 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-07-2023 18:00 − Donnerstag 13-07-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Update fürs Update: Apple überholt letzte "Rapid Security Response" ∗∗∗ --------------------------------------------- Eigentlich sollte ein schneller Fix für den Safari-Browser für mehr Sicherheit sorgen. Aufgrund eines Fehlers musste Apple diesen nun neu auflegen. --------------------------------------------- https://heise.de/-9214819 ∗∗∗ Source code for BlackLotus Windows UEFI malware leaked on GitHub ∗∗∗ --------------------------------------------- The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community. --------------------------------------------- https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-w… ∗∗∗ Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware ∗∗∗ --------------------------------------------- In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method. --------------------------------------------- https://thehackernews.com/2023/07/blog-post.html ∗∗∗ An introduction to the benefits and risks of Packet Sniffing ∗∗∗ --------------------------------------------- Packet sniffing is both a very beneficial and, sadly, a malicious technique used to capture and analyze data packets. It serves as a useful tool for network administrators to identify network issues and fix them. Meanwhile, threat actors use it for malicious purposes such as data theft and to distribute malware. Organizations need to be aware of the benefits and uses of packet sniffing while also implementing security controls to prevent malicious sniffing activity. --------------------------------------------- https://www.tripwire.com/state-of-security/introduction-benefits-and-risks-… ∗∗∗ Popular WordPress Security Plugin Caught Logging Plaintext Passwords ∗∗∗ --------------------------------------------- The All-In-One Security (AIOS) WordPress plugin was found to be writing plaintext passwords to log files. --------------------------------------------- https://www.securityweek.com/popular-wordpress-security-plugin-caught-loggi… ∗∗∗ CISA warns of dangerous Rockwell industrial bug being exploited by gov’t group ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday of a vulnerability affecting industrial technology from Rockwell Automation that is being exploited by government hackers. --------------------------------------------- https://therecord.media/cisa-warns-of-bug-affecting-rockwell ∗∗∗ Detecting BPFDoor Backdoor Variants Abusing BPF Filters ∗∗∗ --------------------------------------------- An analysis of advanced persistent threat (APT) group Red Menshen’s different variants of backdoor BPFDoor as it evolves since it was first documented in 2021. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-v… ∗∗∗ A Deep Dive into Penetration Testing of macOS Applications (Part 1) ∗∗∗ --------------------------------------------- We created this blog to share our experience and provide a valuable resource for other security researchers and penetration testers facing similar challenges when testing macOS applications. This blog is the first part of an “A Deep Dive into Penetration Testing of macOS Applications” series. Part 1 is intended for penetration testers who may not have prior experience working with macOS. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/a-deep-dive-into-pe… ∗∗∗ TeamTNT Reemerged with New Aggressive Cloud Campaign ∗∗∗ --------------------------------------------- In part one of this two-part blog series, titled "The Anatomy of Silentbobs Cloud Attack," we provided an overview of the preliminary stages of an aggressive botnet campaign that aimed at cloud native environments. This post will dive into the full extent of the campaign and provide a more comprehensive exploration of an extensive botnet infestation campaign. --------------------------------------------- https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campai… ===================== = Vulnerabilities = ===================== ∗∗∗ Ghostscript: Sicherheitslücke plagt Libreoffice, Gimp, Inkscape und Linux ∗∗∗ --------------------------------------------- Durch eine kritische Sicherheitslücke in Ghostscript können Angreifer auf unzähligen Rechnern schadhaften Code ausführen. --------------------------------------------- https://www.golem.de/news/ghostscript-sicherheitsluecke-plagt-libreoffice-g… ∗∗∗ Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Urgent Security Notice: SonicWall GMS/Analytics Impacted by suite of vulnerabilities ∗∗∗ --------------------------------------------- GMS/Analytics is remediating a suite of 15 security vulnerabilities, disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCCGroup. This suite of vulnerabililtes, which was responsibility disclosed, includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allows an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor. SonicWall PSIRT is not aware of active exploitation [...] --------------------------------------------- https://www.sonicwall.com/support/knowledge-base/urgent-security-notice-son… ∗∗∗ Webkonferenzen: Zoom schließt mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Vor allem in Zoom Rooms und im Zoom Desktop-Client für Windows schlummern hochriskante Sicherheitslücken. Updates stehen bereit. --------------------------------------------- https://heise.de/-9214929 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-doorkeeper), Fedora (mingw-nsis and thunderbird), Red Hat (bind9.16, nodejs, nodejs:16, nodejs:18, python38:3.8 and python38-devel:3.8, and rh-nodejs14-nodejs), Slackware (krb5), SUSE (geoipupdate, installation-images, libqt5-qtbase, python-Django1, and skopeo), and Ubuntu (knot-resolver, lib3mf, linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-gcp, linux-ibm, linux-oracle, linux-azure-fde, linux-xilinx-zynqmp, and scipy). --------------------------------------------- https://lwn.net/Articles/938108/ ∗∗∗ Juniper Networks Patches High-Severity Vulnerabilities in Junos OS ∗∗∗ --------------------------------------------- Juniper Networks has patched multiple high-severity vulnerabilities in Junos OS, Junos OS Evolved, and Junos Space. --------------------------------------------- https://www.securityweek.com/juniper-networks-patches-high-severity-vulnera… ∗∗∗ Microsoft Office Updates (11. Juli 2023) ∗∗∗ --------------------------------------------- Am 11. Juli 2023 (zweiter Dienstag im Monat, Microsoft Patchday) hat Microsoft mehrere sicherheitsrelevante Updates für noch unterstützte Microsoft Office Versionen und andere Produkte veröffentlicht. Mit dem April 2023-Patchday endete der Support für Office 2013 – aber es wurden auch im Juli noch Schwachstellen geschlossen. Nachfolgend finden Sie eine Übersicht über die verfügbaren Updates. --------------------------------------------- https://www.borncity.com/blog/2023/07/13/microsoft-office-updates-11-juli-2… *** IBM Security Bulletins *** --------------------------------------------- IBM SDK, IBM Db2, IBM Match 360, IBM Wattson, IBM Jazz Technology, IBM, Storage Protect, IBM WebSphere, IBM Storage Protect, IBM App Connect Enterprise, IBM Integration Bus, IBM i, IBM Event Streams and IBM Security Directory Integrator. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ *** ZDI: Dassault Systèmes SolidWorks (CVE-2023-2763) *** --------------------------------------------- ZDI-23-908 bis ZDI-23911 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Drupal: Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-030 ∗∗∗ Rockwell Automation PowerMonitor 1000 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-194-05 ∗∗∗ Honeywell Experion PKS, LX and PlantCruise ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-194-06 ∗∗∗ Case update: DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2021-00020/ ∗∗∗ CVE-2023-38046 PAN-OS: Read System Files and Resources During Configuration Commit (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-38046 ∗∗∗ CISA Adds Two Known Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/13/cisa-adds-two-known-vuln… ∗∗∗ BD Alaris System with Guardrails Suite MX ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-194-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2023
by Daily end-of-shift report 12 Jul '23

12 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-07-2023 18:00 − Mittwoch 12-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Microsoft meldet fünf Zero-Days, teils ohne Update ∗∗∗ --------------------------------------------- Der Juli-Patchday von Microsoft liefert viele Updates: 130 Lücken behandelt das Unternehmen. Darunter fünf Zero-Days. Eine Sicherheitslücke bleibt aber offen. --------------------------------------------- https://heise.de/-9213685 ∗∗∗ Teils kritische Sicherheitslücken in Citrix Secure Access Clients ∗∗∗ --------------------------------------------- Citrix hat Aktualisierungen für die Secure Access Clients veröffentlicht, die teils kritische Schwachstellen ausbessern. --------------------------------------------- https://heise.de/-9214076 ∗∗∗ Update gegen kritische Lücke in FortiOS/FortiProxy ∗∗∗ --------------------------------------------- Fortinet verteilt Sicherheitsupdates für FortiOS/FortiProxy. Sie schließen eine kritische Sicherheitslücke. --------------------------------------------- https://heise.de/-9214207 ∗∗∗ Patchday: Kritische Schwachstellen in Adobe Indesign und Coldfusion abgedichtet ∗∗∗ --------------------------------------------- Der Juli-Patchday von Adobe bringt Sicherheitsupdates für Indesign und Coldfusion. Sie schließen Lücken, die der Hersteller als kritisches Risiko einstuft. --------------------------------------------- https://heise.de/-9213920 ∗∗∗ Kernel-Treiber: Hacker überlisten Windows-Richtlinie durch alte Zertifikate ∗∗∗ --------------------------------------------- Indem sie ihre böswilligen Kerneltreiber mit alten Zertifikaten signierten, konnten Angreifer auf Windows-Systemen Vollzugriff erlangen. --------------------------------------------- https://www.golem.de/news/kernel-treiber-hacker-ueberlisten-windows-richtli… ∗∗∗ vm2 Project Discontinued ∗∗∗ --------------------------------------------- TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm. --------------------------------------------- https://github.com/patriksimek/vm2/blob/master/README.md ∗∗∗ How to Harden WordPress With WP-Config & Avoid Data Exposure ∗∗∗ --------------------------------------------- What is wp-config.php?The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains important configuration settings for WordPress, including details on where to find the database, login credentials, name and host. This config file is also used to define advanced options for database elements, security keys, and developer options. In this post, we’ll outline some important website hardening recommendations for your wp-config file [...] --------------------------------------------- https://blog.sucuri.net/2023/07/tips-for-wp-config-how-to-avoid-sensitive-d… ∗∗∗ Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining ∗∗∗ --------------------------------------------- A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. --------------------------------------------- https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.html ∗∗∗ Dissecting a Clever Malware Sample for Optimized Detection and Protection ∗∗∗ --------------------------------------------- As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In case of a security incident, our incident response team will investigate the root cause, find and remove malware from your site, and help with other complications that may arise as a result of [...] --------------------------------------------- https://www.wordfence.com/blog/2023/07/dissecting-a-clever-malware-sample-f… ∗∗∗ Qbot, Guloader und SpinOk führen Mobile Malware-Ranking an ∗∗∗ --------------------------------------------- Bedrohungsindex von Checkpoint für Juni 2023 zeigt: Qbot ist noch immer die am meisten verbreitete Malware in Deutschland. --------------------------------------------- https://www.zdnet.de/88410517/qbot-guloader-und-spinok-fuehren-mobile-malwa… ∗∗∗ Security Flaws unraveled in Popular QuickBlox Chat and Video Framework could exposed sensitive data of millions ∗∗∗ --------------------------------------------- Check Point Research (CPR) in collaboration with Claroty Team82 uncovered major security vulnerabilities in the popular QuickBlox platform, used for telemedicine, finance and smart IoT devices If exploited, the vulnerabilities could allow threat actors to access applications’ user databases and expose sensitive data of millions. QuickBlox worked closely with Team82 and CPR to address our disclosure and has fixed the vulnerabilities via a new secure architecture design [...] --------------------------------------------- https://blog.checkpoint.com/security/security-flaws-unraveled-in-popular-qu… ∗∗∗ The Spies Who Loved You: Infected USB Drives to Steal Secrets ∗∗∗ --------------------------------------------- In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally. --------------------------------------------- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets ∗∗∗ CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/12/cisa-and-fbi-release-cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS/FortiProxy - Proxy mode with deep inspection - Stack-based buffer overflow ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Workaround: Disable deep inspection on proxy policies or firewall policies with proxy mode. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-183 ∗∗∗ FortiAnalyzer & FortiManager - Path traversal in history downloadzip ∗∗∗ --------------------------------------------- An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-471 ∗∗∗ FortiExtender - Path Traversal vulnerability ∗∗∗ --------------------------------------------- An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-22] in FortiExtender management interface may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-039 ∗∗∗ FortiOS - Existing websocket connection persists after deleting API admin ∗∗∗ --------------------------------------------- An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-028 ∗∗∗ Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin ∗∗∗ --------------------------------------------- On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload [...] --------------------------------------------- https://www.wordfence.com/blog/2023/07/interesting-arbitrary-file-upload-vu… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (erlang, symfony, thunderbird, and yajl), Fedora (cutter-re, kernel, rizin, and yt-dlp), Red Hat (grafana), SUSE (kernel and python-Django), and Ubuntu (dotnet6, dotnet7 and firefox). --------------------------------------------- https://lwn.net/Articles/937972/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities ∗∗∗ --------------------------------------------- ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-f… ∗∗∗ Mattermost security updates 7.10.4 / 7.9.6 / 7.8.8 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.10.4, 7.9.6 and 7.8.8 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-10-4-7-9-6-7-8-8-… ∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. Juli 2023) ∗∗∗ --------------------------------------------- Zum 11. Juli 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1 installieren). Hier ein Überblick über diese Updates --------------------------------------------- https://www.borncity.com/blog/2023/07/12/windows-7-server-2008-r2-server-20… ∗∗∗ Sandbox Escape ∗∗∗ --------------------------------------------- In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. --------------------------------------------- https://github.com//patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 ∗∗∗ Sandbox Escape ∗∗∗ --------------------------------------------- In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. --------------------------------------------- https://github.com//patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 ∗∗∗ Citrix Secure Access client for Ubuntu Security Bulletin for CVE-2023-24492 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX564169/citrix-secure-access-client-fo… ∗∗∗ Citrix Secure Access client for Windows Security Bulletin for CVE-2023-24491 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX561480/citrix-secure-access-client-fo… ∗∗∗ Lenovo UDC Vulnerability ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500567-LENOVO-UDC-VULNERABILI… ∗∗∗ AMD SEV VM Power Side Channel Security Notice ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500569-AMD-SEV-VM-POWER-SIDE-… ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500568-AMI-MEGARAC-SP-X-BMC-V… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rockwell Automation Select Communication Modules ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2023
by Daily end-of-shift report 11 Jul '23

11 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 10-07-2023 18:00 − Dienstag 11-07-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploit für Root-Lücke in VMware Aria Operations for Logs aufgetaucht ∗∗∗ --------------------------------------------- Teils kritische Sicherheitslücken in VMware Aria Operations for Logs stopfen Updates aus dem April. Jetzt ist Exploit-Code aufgetaucht, der eine Lücke angreift. --------------------------------------------- https://heise.de/-9212276 ∗∗∗ Fake-E-Mail einer EU-Förderung über 850.000 Euro im Umlauf ∗∗∗ --------------------------------------------- Aktuell kursiert ein gefälschtes E-Mail über eine EU-Förderung von 850.000 Euro. Der Zuschuss wurde angeblich für Unternehmen, Start-ups und Einzelpersonen mit innovativen Ideen entwickelt. Wer das Geld beantragen will, muss persönliche Daten an eine E-Mail-Adresse senden. Das Angebot ist aber Fake, antworten Sie nicht und verschieben Sie das E-Mail in Ihren Spam-Ordner. --------------------------------------------- https://www.watchlist-internet.at/news/fake-e-mail-einer-eu-foerderung-uebe… ∗∗∗ Roots of Trust are difficult ∗∗∗ --------------------------------------------- The phrase "Root of Trust" turns up at various points in discussions about verified boot and measured boot, and to a first approximation nobody is able to give you a coherent explanation of what it means[1]. The Trusted Computing Group has a fairly wordy definition, but (a) its a lot of words and (b) I dont like it, so instead Im going to start by defining a root of trust as "A thing that has to be trustworthy for anything else on your computer to be trustworthy". --------------------------------------------- https://mjg59.dreamwidth.org/66907.html ∗∗∗ It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused ∗∗∗ --------------------------------------------- As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at workers.dev and pages.dev domains. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/its-raining… ∗∗∗ Critical Foswiki Vulnerablities: A Logic Error Turned Remote Code Execution ∗∗∗ --------------------------------------------- We love open-source software. In context of our mission #moresecurity, Christian Pöschl, security consultant and penetration tester at usd HeroLab had a look at Foswiki as a research project. In this blog post, we summarize the journey to discover the functionality of Foswiki and identify multiple vulnerabilities, which ultimately allowed us to elevate privileges from a freshly registered user to full remote code execution on the server. All vulnerabilities were reported to the developers according to our Responsible Disclosure Policy. --------------------------------------------- https://herolab.usd.de/en/critical-foswiki-vulnerablities-a-logic-error-tur… ∗∗∗ Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud ∗∗∗ --------------------------------------------- Cybercriminals continue to evolve their tactics, techniques, and procedures (TTPs) to defraud the customers of online banking, payment systems, advertising networks, and online marketplaces worldwide. Resecurity has observed a rising trend involving threat actors increased use of specialized mobile Android OS device spoofing tools. These tools enable fraudsters to impersonate compromised account holders and bypass anti-fraud controls effectively. --------------------------------------------- https://www.resecurity.com/blog/article/cybercriminals-evolve-antidetect-to… ∗∗∗ Lowering the Bar(d)? Check Point Research’s security analysis spurs concerns over Google Bard’s limitations ∗∗∗ --------------------------------------------- Check Point Research (CPR) releases an analysis of Google’s generative AI platform ‘Bard’, surfacing several scenarios where the platform permits cybercriminals’ malicious efforts. Check Point Researchers were able to generate phishing emails, malware keyloggers and basic ransomware code. --------------------------------------------- https://blog.checkpoint.com/security/lowering-the-bard-check-point-research… ∗∗∗ MISP 2.4.173 released with various bugfixes and improvements ∗∗∗ --------------------------------------------- We have added a new functionality allowing administrators to enable user self-service for forgotten passwords. When enabled, users will have an additional link below the login screen, allowing them to enter their e-mails and receive a token that can be used to reset their passwords. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.173 ∗∗∗ Unveiling the secrets: Exploring whitespace steganography for secure communication ∗∗∗ --------------------------------------------- In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/unveiling-the-secre… ∗∗∗ Defend Against the Latest Active Directory Certificate Services Threats ∗∗∗ --------------------------------------------- To help security professionals understand the complexities of AD CS and how to mitigate its abuse, Mandiant has published a hardening guide that focuses on the most impactful AD CS attack techniques and abuse scenarios we are seeing on the frontlines of the latest breaches and attacks. --------------------------------------------- https://www.mandiant.com/blog/resources/defend-ad-cs-threats ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day für Safari geschlossen - Update: Zurückgezogen ∗∗∗ --------------------------------------------- Apple hat Montagabend eine schnelle Aktualisierung für seinen Browser ausgespielt. Betroffen von der offenbar bereits ausgenutzten Lücke: Macs und Mobilgeräte. [...] Apple hat die RSR-Updates für Mac, iPhone und iPad mittlerweile zurückgezogen. Grund ist offenbar, dass es verschiedene Websites gab, die nach dem Update Warnmeldungen ausspucken, dass der aktualisierte Safari-Browser "nicht mehr" unterstützt werde. Apple hat im User-Agent-String ein --------------------------------------------- https://heise.de/-9212228 ∗∗∗ Patchday: SAP warnt vor 16 Sicherheitslücken in der Business-Software ∗∗∗ --------------------------------------------- Am Juli-Patchday hat SAP 16 Sicherheitsmeldungen zur Geschäfts-Software aus dem Unternehmen veröffentlicht. Updates dichten auch eine kritische Lücke ab. --------------------------------------------- https://heise.de/-9213319 ∗∗∗ ABB: 2023-02-10 (**Updated 2023-07-10**) - Cyber Security Advisory - Drive Composer multiple vulnerabilities ∗∗∗ --------------------------------------------- Updated to reflect the latest version 2.8.2 of Drive Composer (both Entry and pro) where vulnerability CVE-2022-35737 has been resolved. Originally this vulnerability had not been resolved when this advisory was published alongside Drive Composer 2.8.1. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A7957 ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens has released 5 new and 12 updated Security Advisories. (CVSS Scores ranging from 5.3 to 10) --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-07 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and node-tough-cookie), Red Hat (bind, kernel, kpatch-patch, and python38:3.8, python38-devel:3.8), SUSE (kernel, nextcloud-desktop, and python-tornado), and Ubuntu (dwarves-dfsg and thunderbird). --------------------------------------------- https://lwn.net/Articles/937879/ ∗∗∗ CVE-2023-29298: Adobe ColdFusion Access Control Bypass ∗∗∗ --------------------------------------------- Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion that allows an attacker to access the administration endpoints. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion… ∗∗∗ Technicolor: VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/913565 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/ ∗∗∗ Lenovo: NVIDIA Display Driver Advisory - June 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500566-NVIDIA-DISPLAY-DRIVER-A… ∗∗∗ Panasonic Control FPWin Pro7 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-03 ∗∗∗ Rockwell Automation Enhanced HIM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-01 ∗∗∗ Sensormatic Electronics iSTAR ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-02 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009499 ∗∗∗ IBM Db2 with Federated configuration is vulnerable to arbitrary code execution. (CVE-2023-35012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010747 ∗∗∗ IBM Robotic Process Automation is vulnerable to disclosure of server version information (CVE-2023-35900) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010895 ∗∗∗ IBM Sterling Connect:Express for UNIX browser UI is vulnerable to attacks that rely on the use of cookies without the SameSite attribute ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010921 ∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to server-side request forgery (SSRF) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010923 ∗∗∗ IBM Sterling Connect:Express uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010925 ∗∗∗ Vulnerability of System.Text.Encodings.Web.4.5.0 .dll has afftected to .NET Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010945 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011035 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Perl ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011033 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to GNU Libtasn1 information disclosure vulnerability [CVE-2021-46848] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011037 ∗∗∗ Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7006449 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2023
by Daily end-of-shift report 10 Jul '23

10 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-07-2023 18:00 − Montag 10-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 1,5 Millionen Installationen: Android-Malware im Google-Play-Store entdeckt ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben zwei vermeintliche Dateimanager mit mehr als 1,5 Millionen Downloads im Google Play Store entdeckt. Es handelt sich um Spyware. --------------------------------------------- https://heise.de/-9211287 ∗∗∗ ARM-Grafikeinheit: Warnung vor Angriffen auf Sicherheitslücle in Treibern ∗∗∗ --------------------------------------------- Cyberkriminelle missbrauchen eine Sicherheitslücke in Treibern für ARMs Mali-Grafikeinheiten, um ihre Rechte auszuweiten oder Informationen abzugreifen. --------------------------------------------- https://heise.de/-9211310 ∗∗∗ BSI veröffentlicht Positionspapier zu Secured Applications for Mobile ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) veröffentlicht ein aktuelles Positionspapier zum Thema „Secured Applications for Mobile“ (SAM). --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability ∗∗∗ --------------------------------------------- PoC exploit has been published for a recently patched Ubiquiti EdgeRouter vulnerability leading to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/poc-exploit-published-for-recent-ubiquiti-edge… ∗∗∗ Was tun, wenn Sie bei einem problematischen Online-Shop bestellt haben? ∗∗∗ --------------------------------------------- Ihre Bestellung entspricht nicht Ihren Erwartungen? Die Qualität ist minderwertig, das Produkt etwas vollkommen anderes oder einfach Schrott? Eine Rücksendung ist teuer und nur nach China möglich? Dann haben Sie in einem problematischen bzw. unseriösen Online-Shop bestellt. Wir zeigen Ihnen, was Sie tun können. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-bei-einem-problemat… ∗∗∗ Vorsicht: ‘Big Head’ Ransomware zeigt "Windows Update"-Benachrichtigung an ∗∗∗ --------------------------------------------- Ich nehme das Thema mal hier zur Vorsicht im Blog mit auf, vielleicht bewahrt es Einzelne aus der Leserschaft vor einem fatalen Fehler. Eine Big Head genannte Ransomware-Familie nutzt einen neuen Trick, um potentielle Opfer zu übertölpeln. --------------------------------------------- https://www.borncity.com/blog/2023/07/10/vorsicht-big-head-ransomware-zeigt… ∗∗∗ Advanced Vishing Attack Campaign “LetsCall” Targets Andriod Users ∗∗∗ --------------------------------------------- In a newly detected muli-stage vishing campaign attackers are using an advanced toolset dubbed LetsCall, featuring strong evasion tactics. --------------------------------------------- https://www.hackread.com/advanced-vishing-attack-letscall-andriod-users/ ===================== = Vulnerabilities = ===================== ∗∗∗ Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration ∗∗∗ --------------------------------------------- Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php ∗∗∗ SSD Advisory – EdgeRouters and AirCube miniupnpd Heap Overflow ∗∗∗ --------------------------------------------- A vulnerability in EdgeRouters’s and AirCube’s miniupnpd allows LAN attackers to cause the service to overflow an internal heap and potentially execute arbitrary code. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-edgerouters-and-aircube-miniupnpd-h… ∗∗∗ Codeschmuggel möglich: Hochriskante Sicherheitslücken in ArubaOS-Firmware ∗∗∗ --------------------------------------------- Die HPE-Tochter Aruba hat Aktualisierungen für die ArubaOS-Firmware veröffentlicht. Sie schließen hochriskante Sicherheitslücken, die Codeschmuggel erlauben. --------------------------------------------- https://heise.de/-9211464 ∗∗∗ Minecraft: Virtuelle Computer reißen Sicherheitslücken auf ∗∗∗ --------------------------------------------- In zwei Minecraft-Mods, die tatsächlich programmierbare Computer oder Roboter für das Spiel bereitstellen, klaffen kritische Sicherheitslücken. --------------------------------------------- https://heise.de/-9211864 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, fusiondirectory, ocsinventory-server, php-cas, and thunderbird), Fedora (dav1d, perl-CPAN, and yt-dlp), Red Hat (python39:3.9 and python39-devel:3.9), Slackware (mozilla), SUSE (prometheus-ha_cluster_exporter and prometheus-sap_host_exporter), and Ubuntu (ghostscript, linux-azure, linux-intel-iotg, linux-intel-iotg-5.15, and ruby-doorkeeper). --------------------------------------------- https://lwn.net/Articles/937803/ ∗∗∗ Limited disclosure of 6 vulnerabilities in OSNexus Quantastor ∗∗∗ --------------------------------------------- The story of DIVD case DIVD-2021-00020 is a story that started more then 1.5 years ago, when DIVD researcher Wietse Boondsta discovered six vulnerabilities ( CVE-2021-42079, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, and CVE-2021-4066 ) in OSNexus Quantastor. As per our CNA policy we tried to contact the vendor and this was not a smooth ride. We started the process in November 2021 and it took us a lot of effort, and help from NCSC-NL and its US partners [...] --------------------------------------------- https://csirt.divd.nl/2023/07/10/Limited-disclosure-OSNexus-vulnerabilities/ ∗∗∗ Festo: Several vulnerabilities in FactoryViews ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-013/ ∗∗∗ IBM Db2 JDBC driver is vulnerable to remote code execution. (CVE-2023-27869, CVE-2023-27867, CVE-2023-27868) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010029 ∗∗∗ IBM Db2 has multiple denial of service vulnerablities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Db2 federated server is vulnerable to a denial of service when using a specially crafted wrapper using certain options. (CVE-2023-30442) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010561 ∗∗∗ IBM Db2 db2set is vulnerable to arbitrary code execution. (CVE-2023-30431) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010565 ∗∗∗ IBM Db2 is vulnerable to insufficient audit logging. (CVE-2023-23487) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010567 ∗∗∗ IBM Db2 on Windows is vulnerable to privilege escalation. (CVE-2023-27558) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010571 ∗∗∗ IBM Db2 is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010573 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010577 ∗∗∗ Multiple Vulnerabilities in IBM Runtime Environment Java Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010585 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to GraphQL - CVE-2023-28867 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010655 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010659 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010665 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service due to [CVE-2023-25399] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010711 ∗∗∗ A vulnerability in Apache Commons Code affects IBM Robotic Process Automation and may result in a disclosure of sensitive information. (IBM X-Force ID: 177834) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010725 ∗∗∗ IBM Db2 JDBC driver is vulnerable to remote code execution. (CVE-2023-27869, CVE-2023-27867, CVE-2023-27868) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2023
by Daily end-of-shift report 07 Jul '23

07 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-07-2023 18:00 − Freitag 07-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Play apps with 1.5 million installs send your data to China ∗∗∗ --------------------------------------------- Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond whats needed to offer the promised functionality. [..] File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as "com.file.box.master.gkd." --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-play-apps-with-15-mil… ∗∗∗ Iranian Hackers Sophisticated Malware Targets Windows and macOS Users ∗∗∗ --------------------------------------------- The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware."TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report. --------------------------------------------- https://thehackernews.com/2023/07/iranian-hackers-sophisticated-malware.html ∗∗∗ BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days ∗∗∗ --------------------------------------------- Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it. --------------------------------------------- https://thehackernews.com/2023/07/blackbyte-20-ransomware-infiltrate.html ∗∗∗ StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability ∗∗∗ --------------------------------------------- A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. --------------------------------------------- https://github.com/lrh2000/StackRot ∗∗∗ Sie sollen eine „Erstattung aus dem Sozialfonds erhalten“? Ignorieren Sie diese SMS! ∗∗∗ --------------------------------------------- Unsere Leser:innen melden uns aktuell SMS, die im Namen des „Staates“ verschickt werden. Angeblich sollen Sie eine „Erstattung aus dem Sozialfonds“ erhalten. Achtung, Phishing-Alarm! Löschen Sie die SMS und geben Sie auf keinen Fall Ihre Kontodaten an. --------------------------------------------- https://www.watchlist-internet.at/news/sie-sollen-eine-erstattung-aus-dem-s… ∗∗∗ A Network of SOCs? ∗∗∗ --------------------------------------------- I wrote most of this text quickly in January 2021 when the European Commission asked me to apply my lessons learned from the CSIRTs Network to a potential European Network of SOCs. During 2022, the plans for SOC collaboration have been toned down a bit, the DIGITAL Europe funding scheme proposes multiple platforms where SOCs can work together. In 2023, the newly proposed “Cyber Solidarity Act” builds upon this and codifies the concept of a “national SOC” and “cross-border SOC platforms” into an EU regulation. --------------------------------------------- https://cert.at/en/blog/2023/7/a-network-of-socs ∗∗∗ Cybererpresser: Ransomware-Gruppe BianLian verzichtet auf Verschlüsselung ∗∗∗ --------------------------------------------- Die Hintermänner konzentrieren sich auf die Exfiltration von Daten. Sie reagieren auf die Veröffentlichung eines kostenlosen Entschlüsselungstools für die Ransomware BianLian. --------------------------------------------- https://www.zdnet.de/88410380/cybererpresser-ransomware-gruppe-bianlian-ver… ∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants ∗∗∗ --------------------------------------------- Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities ∗∗∗ --------------------------------------------- Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks. --------------------------------------------- https://thehackernews.com/2023/07/google-releases-android-patch-update.html ∗∗∗ Mastodon Social Network Patches Critical Flaws Allowing Server Takeover ∗∗∗ --------------------------------------------- Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460, [..] --------------------------------------------- https://thehackernews.com/2023/07/mastodon-social-network-patches.html ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-187-01 PiiGAB M-Bus * ICSA-23-187-02 ABUS TVIP * ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-releases-three-indu… ∗∗∗ VMSA-2023-0015 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3 CVE(s): CVE-2023-20899 VMware SD-WAN contains a bypass authentication vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3. Known Attack Vectors: An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0015.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-archive-keyring, libusrsctp, nsis, ruby-redcloth, and webkit2gtk), Fedora (firefox), Mageia (apache-ivy, cups, curaengine, glances, golang, keepass, libreoffice, minidlna, nodejs, opensc, perl-DBD-SQLite, python-setuptools, python-wheel, skopeo/buildah/podman, systemd, testng, and webkit2), SUSE (bind), and Ubuntu (Gerbv, golang-websocket, linux-gke, linux-intel-iotg, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/937616/ ∗∗∗ [R1] Nessus Agent Version 10.4.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Agent leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider.Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. --------------------------------------------- https://www.tenable.com/security/tns-2023-24 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2023
by Daily end-of-shift report 06 Jul '23

06 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-07-2023 18:00 − Donnerstag 06-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Silentbob Campaign: Cloud-Native Environments Under Attack ∗∗∗ --------------------------------------------- The activity, dubbed Silentbob in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an "advanced copycat." --------------------------------------------- https://thehackernews.com/2023/07/silentbob-campaign-cloud-native.html ∗∗∗ Flutter Restrictions Bypass ∗∗∗ --------------------------------------------- This article investigates the Flutter framework (Google, n.d.) and the methods for bypassing its detections on iOS. CyberCX have also published the scripts used for this bypass for other mobile application security researchers to use in their workflow on our GitHub. --------------------------------------------- https://blog.cybercx.co.nz/flutter-restrictions-bypass ∗∗∗ TeamsPhisher: Tool automatisiert Angriffe auf Teams-Schwachstelle ∗∗∗ --------------------------------------------- Über eine Schwachstelle in Teams können Angreifer Malware unterjubeln. Ein jetzt veröffentlichtes Tool macht diese Attacken noch einfacher. --------------------------------------------- https://heise.de/-9208677 ∗∗∗ Wie steht’s eigentlich um Emotet? ∗∗∗ --------------------------------------------- Eine kurze Zusammenfassung zur aktuellen Situation um Emotet seit dessen "Comeback". --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/07/06/wie-stehts-eigentlich-um-… ∗∗∗ How to delete saved addresses and credit cards in Firefox for improved security and privacy ∗∗∗ --------------------------------------------- If youre looking to get the most out of Firefox security and privacy, you might consider not only deleting all saved addresses and credit cards but also disabling the autofill option. --------------------------------------------- https://www.zdnet.com/article/how-to-delete-saved-addresses-and-credit-card… ===================== = Vulnerabilities = ===================== ∗∗∗ MOVEit Transfer: Service Pack schließt weitere kritische Lücke ∗∗∗ --------------------------------------------- Mit dem Service Pack für MOVEit Transfer im Juli schließt Progress weitere Sicherheitslücken. Eine davon stuft der Hersteller als kritisch ein. (CVE-2023-36932, CVE-2023-36933, CVE-2023-36934) --------------------------------------------- https://heise.de/-9208451 ∗∗∗ MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) ∗∗∗ --------------------------------------------- CVE-2023-36934 (CRITICAL): SQL Injection CVE-2023-36932 (HIGH): multiple SQL injections CVE-2023-36933 (HIGH): unhandled exception --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pac… ∗∗∗ Stackrot: Kernel-Schwachstelle ermöglicht Rechteausweitung unter Linux ∗∗∗ --------------------------------------------- Durch eine Sicherheitslücke im Speichermanagement-Subsystem des Linux-Kernels können Angreifer potenziell erweiterte Rechte erlangen. --------------------------------------------- https://www.golem.de/news/stackrot-kernel-schwachstelle-erlaubt-rechteauswe… ∗∗∗ Patchday: Vielfältige Attacken auf Android 11, 12 und 13 möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Im schlimmsten Fall könnte Schadcode auf Geräte gelangen. --------------------------------------------- https://heise.de/-9208524 ∗∗∗ Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain ∗∗∗ --------------------------------------------- In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. --------------------------------------------- https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-mi… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-yaml.v2, kernel, and mediawiki), Fedora (kernel and picocli), SUSE (bind and python-sqlparse), and Ubuntu (cpdb-libs). --------------------------------------------- https://lwn.net/Articles/937481/ *** IBM Security Bulletins *** --------------------------------------------- IBM i, IBM Rational Functional Tester, IBM Security Verify Access, IBM Cloud Pak, IBM Match 360, IBM Watson, IBM Integration Designer, IBM Sterling Connect:Direct File Agent, IBM Operations Analytics and TADDM. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Vulnerability in Cisco Enterprise Switches Allows Attackers to Modify Encrypted Traffic ∗∗∗ --------------------------------------------- Cisco says a high-severity vulnerability in Nexus 9000 series switches could allow attackers to intercept and modify encrypted traffic. Tracked as CVE-2023-20185, the issue impacts the ACI multi-site CloudSec encryption feature of the Nexus 9000 switches that are configured in application centric infrastructure (ACI) mode – typically used in data centers for controlling physical and virtual networks. --------------------------------------------- https://www.securityweek.com/vulnerability-in-cisco-enterprise-switches-all… ∗∗∗ Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex Meetings Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Duo Authentication Proxy Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ZDI-23-896: D-Link DAP-2622 DDP Change ID Password Auth Password Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-896/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2023
by Daily end-of-shift report 05 Jul '23

05 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-07-2023 18:00 − Mittwoch 05-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Email crypto phishing scams: stealing from hot and cold crypto wallets ∗∗∗ --------------------------------------------- Here is how email phishing scams targeting hot and cold crypto wallets, such as Trezor and Ledger, work. --------------------------------------------- https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/ ∗∗∗ Jetzt patchen! Über 335.000 SSL-VPN-Interfaces von Fortinet attackierbar ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor weiteren Attacken auf eine kritische Lücke in FortiOS. Patches zum Schließen der Schwachstelle sind seit Wochen verfügbar. --------------------------------------------- https://heise.de/-9206478 ∗∗∗ Verbaucherzentralen warnen vor personalisiertem Phishing ∗∗∗ --------------------------------------------- Seit Anfang der Woche landen viele Phishingmails mit persönlicher Anrede betreffend der ING in Postfächern von Internetnutzern, warnen die Verbraucherzentralen. --------------------------------------------- https://heise.de/-9207386 ∗∗∗ TEMU Shopping App und temu.com: Problematische Angebote aus China ∗∗∗ --------------------------------------------- Wer sich aktuell durch Social Media bewegt, kommt kaum an Werbeschaltungen für die Shopping App TEMU vorbei. Die Plattform mit Sitz in Dublin und ihrem Ursprung in China startet aktuell eine Offensive auf den österreichischen und deutschen Markt. Die Produkte bei TEMU sind teils unfassbar günstig und für viele verlockend. Möglich ist das aber vor allem durch fragwürdige Geschäftspraktiken, teils mangelhafte Produkte und Nicht-Einhaltung rechtlicher Vorgaben. --------------------------------------------- https://www.watchlist-internet.at/news/temu-shopping-app-und-temucom-proble… ===================== = Vulnerabilities = ===================== ∗∗∗ Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer ∗∗∗ --------------------------------------------- CVE Number: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261 Kyocera TASKalfa 4053ci printers are vulnerable to multiple vulnerabilities. The path traversal vulnerability can be used to access arbitrary files on the filesystem, even files that require root privileges. Also, the path traversal vulnerability can be used to conduct a denial-of-service (DoS). Due the username enumeration vulnerability, it is possible to identify valid user accounts. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/path-traversal-bypass-de… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox and python-reportlab), Slackware (mozilla), SUSE (dnsdist, grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python- cryptography-vectors, python-google-api-core, pyt, kernel, kubernetes1.18, libdwarf, python311, qt6-base, rmt-server, and virtualbox), and Ubuntu (containerd, firefox, and python-django). --------------------------------------------- https://lwn.net/Articles/937368/ ∗∗∗ The "StackRot" kernel vulnerability ∗∗∗ --------------------------------------------- Ruihan Li has discloseda significant vulnerability introduced into the 6.1 kernel: A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. --------------------------------------------- https://lwn.net/Articles/937377/ ∗∗∗ Frauscher: Diagnostic System FDS001 for FAdC/FAdCi Path Traversal vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-011/ ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker and denial of service due to Guava (CVE-2020-8908, CVE-2018-10237). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009535 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009537 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to xml2js abitrary code execution vulnerability(CVE-2023-0842) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009049 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009625 ∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - April 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009627 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center(CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009635 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker and denial of service due to Guava (CVE-2020-8908, CVE-2018-10237). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009535 ∗∗∗ IBM WebSphere Application Server could provide weaker than expected security (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007857 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2023
by Daily end-of-shift report 04 Jul '23

04 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 03-07-2023 18:00 − Dienstag 04-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors ∗∗∗ --------------------------------------------- The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up. --------------------------------------------- https://thehackernews.com/2023/07/ddosia-attack-tool-evolves-with.html ∗∗∗ Hunting for Bitwarden master passwords stored in memory ∗∗∗ --------------------------------------------- A blog post on how I was able to identify unknown master passwords stored in the memory of the Bitwarden web extension and desktop client, after a vault has been locked. I also cover the decisions made for developing a proof of concept to automate the process of extracting potential passwords. --------------------------------------------- https://redmaple.tech/blogs/2023/extract-bitwarden-vault-passwords/ ∗∗∗ Achtung Fake-Shop: sharkos.de ∗∗∗ --------------------------------------------- Sharkos – „Ihr Experte für Garten, Pools und Haushalt“. Das sehen wir anders. Der Online-Shop sieht zwar vielversprechend aus, wenn Sie dort bestellen, bekommen Sie aber trotz Zahlung keine Ware. Wir zeigen Ihnen, wie Sie Fake-Shops erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-sharkosde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Geräteverwaltung: hochriskante Schwachstelle in Ivanti Endpoint Manager ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Geräte- und Softwareverwaltung von Ivanti für ChromeOS, Linux, macOS und Windows ermöglicht Angreifern aus dem Netz Codeschmuggel. --------------------------------------------- https://heise.de/-9206574 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript), Fedora (apache-ivy, chromium, golang-github-schollz-croc, golang-github-schollz-mnemonicode, and webkitgtk), SUSE (amazon-ecs-init, dnsdist, libcap, python-tornado, terraform, and xmltooling), and Ubuntu (imagemagick, openldap, php7.4, php8.1, and screen). --------------------------------------------- https://lwn.net/Articles/937292/ ∗∗∗ CISA issues warning for cardiac device system vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) warned of a severe vulnerability in a cardiac device from medical device company Medtronic. The issue – tracked as CVE-2023-31222 – carries a “critical” CVSS score of 9.8 out of 10 and affects the company’s Paceart Optima software that runs on a healthcare organization’s Windows server. --------------------------------------------- https://therecord.media/cisa-warning-for-cardiac-device-system-vulnerability ∗∗∗ Zyxel security advisory for buffer overflow vulnerability in 4G LTE and 5G NR outdoor routers ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the CGI program of some Zyxel 4G LTE and 5G NR outdoor routers could allow a remote authenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device. (CVE: CVE-2023-27989) --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.13 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/ ∗∗∗ Security Vulnerabilities fixed in Firefox 115 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/ ∗∗∗ Vulnerability in the interface module SLC-0-GPNT00300 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-894143.html ∗∗∗ Security Advisory for the FL MGUARD family of devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-833074.html ∗∗∗ IBM Integration Bus is vulnerable to a remote attack due to Apache Jena (CVE-2021-39239, CVE-2022-28890, CVE-2023-22665). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009371 ∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2016-1000027] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009383 ∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002807 ∗∗∗ Vulnerability in IBM SDK Java Technology affects IBM Cloud Pak System (CVE-2021-35561) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009441 ∗∗∗ Vulnerabilities in OpenSSL affect Cloud Pak System (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005857 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009457 ∗∗∗ Vulnerability of Newtonsoft.Json-12.0.1.22727.dll has afftected to .NET Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009459 ∗∗∗ Multiple CVEs may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009483 ∗∗∗ Multiple CVEs may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009485 ∗∗∗ Multiple CVEs may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009487 ∗∗∗ Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. (CVE-2023-34396, CVE-2023-34149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009497 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009499 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2023
by Daily end-of-shift report 03 Jul '23

03 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-06-2023 18:00 − Montag 03-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Beware: New RustBucket Malware Variant Targeting macOS Users ∗∗∗ --------------------------------------------- "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control." --------------------------------------------- https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html ∗∗∗ Entschlüsselungstool: Sicherheitsforscher knacken Akira-Ransomware ∗∗∗ --------------------------------------------- Stimmten die Voraussetzungen, können Opfer des Erpressungstrojaner Akira ohne Lösegeld zu zahlen auf ihre Daten zugreifen. --------------------------------------------- https://heise.de/-9204932 ∗∗∗ Vorsicht vor Malvertising: Fake-WinSCP-Tool verbreitet BackCat-Ransomware ∗∗∗ --------------------------------------------- Die Hintermänner des Verschlüsselungstrojaners BlackCat (aka ALPHV) setzen auf einen weiteren Verbreitungsweg. --------------------------------------------- https://heise.de/-9204958 ∗∗∗ Vorsicht vor gefälschten Polizei-Mails ∗∗∗ --------------------------------------------- Aktuell geben sich Kriminelle per E-Mail als Polizei aus. Im Mail steht, dass Sie in der Anlage Ihre Einberufung finden und innerhalb von 48 Stunden antworten müssen. Ansonsten droht Ihnen eine Festnahme. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-polizei-ma… ∗∗∗ CVE-2023-20864: Remote Code Execution in VMware Aria Operations for Logs ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Jonathan Lein and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in VMware Aria Operations for Logs (formerly vRealize). --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/6/29/cve-2023-20864-remote-code… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf HP-LaserJet-Pro-Drucker möglich ∗∗∗ --------------------------------------------- Mehrere LaserJet-Pro-Modelle von HP sind verwundbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-9205846 ∗∗∗ WP AutoComplete 1.0.4 - Unauthenticated SQLi ∗∗∗ --------------------------------------------- The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection. --------------------------------------------- https://www.exploit-db.com/exploits/51560 ∗∗∗ Sicherheitsupdate: Attacken auf WordPress-Plug-in Ultimate Member ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine kritische Lücke im WordPress-Plug-in Ultimate Member aus. Der Anbieter rät zu einem zügigen Update. --------------------------------------------- https://heise.de/-9204916 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, python3.7, and yajl), Fedora (chromium, kubernetes, pcs, and webkitgtk), Scientific Linux (open-vm-tools), SUSE (iniparser, keepass, libvirt, prometheus-ha_cluster_exporter, prometheus-sap_host_exporter, rekor, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (python-reportlab and vim). --------------------------------------------- https://lwn.net/Articles/937189/ ∗∗∗ Root-Zugang zu Smarthome-Server Loxone Miniserver Go Gen. 2 (SySS-2023-004/-012/-013) ∗∗∗ --------------------------------------------- Durch verschiedene Schwachstellen kann ein Administrator Betriebssystemzugriff auf dem Loxone Miniserver Go im Kontext des root-Benutzers erreichen. --------------------------------------------- https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-min… ∗∗∗ Multiple Vulnerabilities including Unauthenticated Remote Code Execution in Siemens A8000 ∗∗∗ --------------------------------------------- The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version (https://support.industry.siemens.com/cs/ww/en/view/109804985/). - Unauthenticated Remote Code Execution (CVE-2023-28489) - Authenticated Command Injection (CVE-2023-33919) - Hard-coded Root Password (CVE-2023-33920) - Console Login via UART (CVE-2023-33921) --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Multiple vulnerabilities in SoftEther VPN and PacketiX VPN ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN64316789/ ∗∗∗ ZDI-23-894: NETGEAR RAX30 UPnP Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-894/ ∗∗∗ ZDI-23-893: NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-893/ ∗∗∗ WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023070002 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go to a denial of service (CVE-2022-1962) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009053 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go is vulnerable to HTTP request smuggling(CVE-2022-1705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009055 ∗∗∗ Watson AI Gateway for Cloud Pak for Data is vulnerable to an Ajv (aka Another JSON Schema Validator) could allow a remote attacker to execute arbitrary code on the system (CVE-2020-15366) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009061 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to xml2js abitrary code execution vulnerability(CVE-2023-0842) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009049 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js http-cache-semantics module denial of service ( CVE-2022-25881) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009051 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Envoy security bypass ( CVE-2023-27488) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009057 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable ConfigObj denial of service ( CVE-2023-26112) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009059 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2455) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009293 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2022-41862) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009295 ∗∗∗ IBM Security Key Lifecycle Manager is vulnerable to Incorrect Permission Assignment for Critical Resource (CVE-2018-1750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/733311 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007837 ∗∗∗ Multiple vulnerabilities of Apache Groovy (groovy-all-2.3.11.jar) have affected APM JBoss and APM WebLogic Agent [CVE-202-17521, CVE-2016-6814, CVE-2015-3253] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009323 ∗∗∗ Multiple vulnerabilities of Apache Ant (ant-1.7.0.jar, ant-1.8.4.jar) have affected APM JBoss, APM WebLogic and APM SAP NetWeaver Java Stack Agents. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009321 ∗∗∗ Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects APM Agents for Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009327 ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operand is vulnerable to DOS/loss of integrity/confidentiality [CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009333 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go to a denial of service (CVE-2022-1962) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009053 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2023 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009353 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2023