[CERT-daily] Tageszusammenfassung - 18.11.2020

Wed Nov 18 18:11:31 CET 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 17-11-2020 18:00 − Mittwoch 18-11-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================


∗∗∗ When Security Controls Lead to Security Issues, (Wed, Nov 18th) ∗∗∗
---------------------------------------------
The job of security professionals is to protect customers assets and, even more, today, customers data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on the organizations doors. Sometimes, such solutions have side effects that go to the opposite direction and make customers more vulnerable to attacks.
---------------------------------------------
https://isc.sans.edu/diary/rss/26804


∗∗∗ Evasive Maneuvers in Data Stealing Gateways ∗∗∗
---------------------------------------------
We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads. During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers. Continue reading Evasive
---------------------------------------------
https://blog.sucuri.net/2020/11/evasive-maneuvers-in-data-stealing-gateways.html


∗∗∗ WebNavigator Chromium browser published by search hijackers ∗∗∗
---------------------------------------------
A mystery Chromium browser recently made a sudden appearance, and is certainly proving popular. But what is it, and where did it come from?
---------------------------------------------
https://blog.malwarebytes.com/pups/2020/11/webnavigator-chromium-browser-published-by-search-hijackers/


∗∗∗ Nibiru ransomware variant decryptor ∗∗∗
---------------------------------------------
The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant. 
---------------------------------------------
https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html


∗∗∗ Large-Scale Attacks Target Epsilon Framework Themes ∗∗∗
---------------------------------------------
On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites ... For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain, though full Remote Code Execution(RCE) leading to site takeover is possible with these vulnerabilities.
---------------------------------------------
https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/


∗∗∗ Vorsicht vor COVID-19-Hilfsfonds: Unterstützungszahlungen in Millionenhöhe sind Betrug! ∗∗∗
---------------------------------------------
Die Corona-Krise ist für viele Menschen auch eine finanzielle Krise. Verschiedene Unterstützungsangebote sollen daher helfen, durch diese Zeit zu kommen. Aber Achtung! Werfen Sie einen genauen Blick darauf, wer Ihnen Geld anbietet. Denn: Derzeit werden betrügerische E-Mails von angeblichen COVID-19 Hilfsfonds versendet, in denen hohe Geldbeträge versprochen werden.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-covid-19-hilfsfonds-unterstuetzungszahlungen-in-millionenhoehe-sind-betrug/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ iTunes 12.11 for Windows ∗∗∗
---------------------------------------------
Foundation
  Impact: A local user may be able to read arbitrary files
ImageIO
  Impact: Processing a maliciously crafted image may lead to arbitrary code execution
libxml2
  Impact: Processing maliciously crafted web content may lead to code execution
libxml2
  Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
WebKit
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Windows Security
  Impact: A malicious application may be able to access local users Apple IDs
---------------------------------------------
https://support.apple.com/kb/HT211933


∗∗∗ Tails 4.13: Anonymisierendes Betriebssystem bekommt wichtige Sicherheitsupdates ∗∗∗
---------------------------------------------
Die neue Version des Debian-basierten Live-Systems umfasst ein wenig Feinschliff an der Oberfläche, vor allem aber wichtige Security-Fixes.
---------------------------------------------
https://heise.de/-4963955


∗∗∗ Tor Browser: Desktop-Version 10.0.5 mit Firefox-Sicherheitsupdates verfügbar ∗∗∗
---------------------------------------------
Für Windows, Linux und macOS steht eine neue Version des anonymisierenden Webbrowsers bereit. Die Android-Ausgabe soll bald folgen.
---------------------------------------------
https://heise.de/-4964177


∗∗∗ Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV


∗∗∗ Cisco Secure Web Appliance Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj


∗∗∗ Cisco Webex Meetings API Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-meetings-xss-MX56prER


∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4


∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG


∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r


∗∗∗ Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd


∗∗∗ Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM


∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-cmd-injection-rrAYzOwc


∗∗∗ Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-XSS-NzOPCGEc


∗∗∗ Cisco IoT Field Network Director Improper Domain Access Control Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-UPWD-dCRPuQ78


∗∗∗ Cisco IoT Field Network Director Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SSI-V2myWX9y


∗∗∗ Cisco IoT Field Network REST API Insufficient Input Validation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SQL-zEkBnL2h


∗∗∗ Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-PWH-yCA6M7p


∗∗∗ Cisco IoT Field Network Director File Overwrite Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-OVW-SHzOE3Pd


∗∗∗ Cisco IoT Field Network Director Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-LV-hE4Rntet


∗∗∗ Cisco IoT Field Network Director Unauthenticated REST API Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F


∗∗∗ Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR


∗∗∗ Cisco IoT Field Network Director Missing API Authentication Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V


∗∗∗ Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd


∗∗∗ Security Advisory - Privilege Escalation Vulnerability in FusionCompute Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-01-privilege-en


∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE or Oracle Java SE could allow an unauthenticated attacker ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerability-in-java-se-or-oracle-java-se-could-allow-an-unauthenticated-attacker/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14621) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-decision-optimization-center-cve-2020-14577-cve-2020-14578-cve-2020-14579-cve-2020-14621/


∗∗∗ Security Bulletin: App Connect Enterprise Certified Container Dashboard is vulnerable to (CVE-2020-15168) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-dashboard-is-vulnerable-to-cve-2020-15168/


∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a data corruption vulnerability (CVE-2020-4592) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-data-corruption-vulnerability-cve-2020-4592/


∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability in IBM Runtime Environment Java (deferred from Oracle Jan 2020 CPU) CVE-2020-2654 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-vulnerability-in-ibm-runtime-environment-java-deferred-from-oracle-jan-2020-cpu-cve-2020-2654/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily