[CERT-daily] Daily summary - 09.08.2021

Daily end-of-shift report team at cert.at
Mon Aug 9 18:14:10 CEST 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 06-08-2021 18:00 − Monday 09-08-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Encryption: STARTTLS as a security risk ∗∗∗
---------------------------------------------
The STARTTLS mechanism carries numerous security risks. Wherever it is possible, using TLS directly has only advantages.
---------------------------------------------
https://www.golem.de/news/verschluesselung-sicherheitsrisiko-starttls-2108-158714-rss.html


∗∗∗ Black Hat: DNS-as-a-Service could leak network infrastructure ∗∗∗
---------------------------------------------
Using a trick, security researchers were able to obtain information about the network infrastructure of customers of a DNS-as-a-Service provider.
---------------------------------------------
https://heise.de/-6157720


∗∗∗ Exchange ProxyShell vulnerability: scans looking for vulnerable servers ∗∗∗
---------------------------------------------
In Germany alone, several thousand servers are vulnerable to the new Exchange flaw, even though Microsoft released patches long ago.
---------------------------------------------
https://heise.de/-6158946


∗∗∗ The anatomy of native IIS malware ∗∗∗
---------------------------------------------
ESET researchers publish a whitepaper that takes a close look at threats delivered through IIS web servers.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2021/08/06/die-anatomie-nativer-iis-malware/


∗∗∗ IQ test on offiziell-qi-test.com leads into a subscription trap! ∗∗∗
---------------------------------------------
With only 30 questions you can take a certified IQ test, claims the website offiziell-qi-test.com. Only after the test has been completed are you informed of any costs for the first time: to see the result you are asked to pay 3.90 euros. But beware: the fine print contains further costs and a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/iq-test-auf-offiziell-qi-testcom-fuehrt-in-die-abo-falle/


∗∗∗ Cisco: Firewall manager RCE bug is a zero-day, patch incoming ∗∗∗
---------------------------------------------
In a Thursday security advisory update, Cisco revealed that a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ASDM) Launcher disclosed last month is a zero-day bug that has yet to receive a security update.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-firewall-manager-rce-bug-is-a-zero-day-patch-incoming/


∗∗∗ Synology warns of malware infecting NAS devices with ransomware ∗∗∗
---------------------------------------------
Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/


∗∗∗ SQL Injection in WordPress Plugins: ORDER and ORDER BY as Overlooked Injection Points ∗∗∗
---------------------------------------------
Trustwave SpiderLabs recently undertook a survey of some 100 popular WordPress plugins for possible SQL Injection vulnerabilities. Some good news is that in the vast majority, no such vulnerabilities were identified. Most plugins were found to be using either prepared statements or suitable sanitization when incorporating user-controlled data in a query. Of the five vulnerable plugins identified, some patterns emerged, [...]
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sql-injection-in-wordpress-plugins-order-and-order-by-as-overlooked-injection-points/


∗∗∗ Beware! New Android Malware Hacks Thousands of Facebook Accounts ∗∗∗
---------------------------------------------
A new Android trojan has been found to compromise Facebook accounts of over 10,000 users in at least 144 countries since March 2021 via fraudulent apps distributed through Google Play Store and other third-party app marketplaces. Dubbed "FlyTrap," the previously undocumented malware is believed to be part of a family of trojans that employ social engineering tricks to breach Facebook accounts [...]
---------------------------------------------
https://thehackernews.com/2021/08/beware-new-android-malware-hacks.html


∗∗∗ Phishing Sites Targeting Scammers and Thieves ∗∗∗
---------------------------------------------
I was preparing to knock off work on a recent Friday evening when a curious and annoying email came in via the contact form on this site: “Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.”
---------------------------------------------
https://krebsonsecurity.com/2021/08/phishing-sites-targeting-scammers-and-thieves/


∗∗∗ Routers and modems running Arcadyan firmware are under attack ∗∗∗
---------------------------------------------
Routers and modems running a version of the Arcadyan firmware, including devices from ASUS, Orange, Vodafone, and Verizon, are currently under attack from a threat actor attempting to ensnare the devices into their DDoS botnet.
---------------------------------------------
https://therecord.media/routers-and-modems-running-arcadyan-firmware-are-under-attack/

=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-21-951: (0Day) Delta Industrial Automation DOPSoft XLS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation DOPSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-951/


∗∗∗ Security-relevant bug in the net library of Go and Rust ∗∗∗
---------------------------------------------
The net library in Go and Rust does not behave in a standards-compliant way and swallows leading zeros. Attackers could use this to smuggle in incorrect IP addresses.
---------------------------------------------
https://heise.de/-6157969


∗∗∗ Patch Exchange Server now: attackers actively searching for new vulnerability ∗∗∗
---------------------------------------------
Admins should update their Exchange servers promptly. After researchers presented a new attack, attackers are apparently trying it out in a targeted manner.
---------------------------------------------
https://heise.de/-6158190


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible and bluez), Fedora (curl, kernel, mod_auth_openidc, rust-rav1e, and webkit2gtk3), Mageia (kernel and kernel-linus), openSUSE (php7 and python-reportlab), Oracle (ruby:2.7), Red Hat (microcode_ctl), SUSE (fastjar, kvm, mariadb, php7, php72, php74, and python-Pillow), and Ubuntu (docker.io).
---------------------------------------------
https://lwn.net/Articles/865680/


∗∗∗ Apple fixes AWDL bug that could be used to escape air-gapped networks ∗∗∗
---------------------------------------------
Apple has fixed a vulnerability in its Apple Wireless Direct Link (AWDL) technology that could have been abused by threat actors to escape and steal data from air-gapped networks.
---------------------------------------------
https://therecord.media/apple-fixed-awdl-bug-that-could-be-used-to-escape-air-gapped-networks/


∗∗∗ Apache Tomcat vulnerability CVE-2021-33037 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32469285


∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-technology-edition-version-7-version-8-that-is-used-by-ibm-workload-scheduler-4/


∗∗∗ Security Bulletin: Vulnerability in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-technology-edition-version-7-version-8-that-is-used-by-ibm-workload-scheduler-3/


∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-may-affect-ibm-workload-scheduler-2/


∗∗∗ Security Bulletin: CVE-2020-1968 vulnerability in OpenSSL may affect IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-1968-vulnerability-in-openssl-may-affect-ibm-workload-scheduler-3/


∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-may-affect-ibm-workload-scheduler/


∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affect-ibm-netezza-platform-software/


∗∗∗ Security Bulletin: ICN Is Vulnerable to Improper Input Validation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-icn-is-vulnerable-to-improper-input-validation/


∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25215) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve-2021-25215-2/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-included-with-ibm-tivoli-monitoring/


∗∗∗ Security Bulletin: openSSL and Apache Hadoop vulnerability impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client, Aspera On Demand (CVE-2020-1971, CVE-2020-9492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-and-apache-hadoop-vulnerability-impacting-aspera-high-speed-transfer-server-aspera-high-speed-transfer-endpoint-aspera-desktop-client-aspera-on-demand-cve-2020-1971-cve/


∗∗∗ Security Bulletin: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-affects-websphere-application-server-cve-2020-5258-3/


∗∗∗ Security Bulletin: Stack overflow via TIS_CODESET environment variable in IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-overflow-via-tis_codeset-environment-variable-in-ibm-workload-scheduler/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily