[CERT-daily] Daily summary - 18.01.2021

Daily end-of-shift report team at cert.at
Mon Jan 18 18:16:29 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 15-01-2021 18:00 - Monday 18-01-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Antivirus: The year of insecure security software ∗∗∗
---------------------------------------------
Security software is supposed to protect us, but the past year has shown once again that instead of protection it delivers security problems free of charge.
---------------------------------------------
https://www.golem.de/news/antivirus-das-jahr-der-unsicheren-sicherheitssoftware-2101-153432-rss.html


∗∗∗ Medical Device Security: Diagnosis Critical ∗∗∗
---------------------------------------------
Medical-device security has long been a challenge, suffering the same uphill management battle that the entire sprawling mess of IoT gadgets has faced.
---------------------------------------------
https://threatpost.com/medical-device-security/163127/


∗∗∗ Obfuscated DNS Queries, (Fri, Jan 15th) ∗∗∗
---------------------------------------------
This week I started seeing some URLs with /dns-query?dns in my honeypot. The queries obviously did not look like standard DNS queries; this got me curious, and I then proceeded to investigate to determine what these DNS queries were trying to resolve.
---------------------------------------------
https://isc.sans.edu/diary/rss/26992


∗∗∗ New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th) ∗∗∗
---------------------------------------------
Version 13.01 of Sysmon, a Windows Sysinternals tool to monitor and log system activity, was released.
---------------------------------------------
https://isc.sans.edu/diary/rss/26994


∗∗∗ Doc & RTF Malicious Document, (Mon, Jan 18th) ∗∗∗
---------------------------------------------
A reader pointed us to a malicious Word document.
---------------------------------------------
https://isc.sans.edu/diary/rss/26996


∗∗∗ NSA Releases Guidance on Encrypted DNS in Enterprise Environments ∗∗∗
---------------------------------------------
Original release date: January 15, 2021. The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guidance-encrypted-dns-enterprise-environments
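The /dns-query?dns= requests from the ISC diary above are DNS-over-HTTPS GET requests as defined in RFC 8484, and the enterprise DNS controls the NSA sheet recommends depend on being able to recognise and read them. As an added example that is not code from either source, the following Python decodes the dns= parameter of such requests found in access-log lines (base64url without padding, then the DNS wire message) and recovers the question name and type, reporting malformed values as errors rather than dropping them. The log lines, the addresses and the c2.example.net name are constructed for the demonstration; the first dns= value is the www.example.com/A query given in RFC 8484 section 4.1.1.

```python
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

# RFC 8484: a DoH GET carries the raw DNS wire message in "dns=", base64url
# encoded with "=" padding removed. Added example, not code from the sources.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT",
          28: "AAAA", 33: "SRV", 65: "HTTPS", 255: "ANY"}

def decode_doh_param(value):
    """base64url without padding -> raw DNS message bytes."""
    value = value.strip()
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def read_name(msg, offset):
    """Dotted name at offset (compression pointers followed) and the offset after it."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 11xxxxxx: pointer to an earlier name
            if offset + 2 > len(msg) or hops > 16:
                raise ValueError("truncated pointer or compression loop")
            end, jumped, hops = (end if jumped else offset + 2), True, hops + 1
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("label too long")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels) or ".", (end if jumped else offset)

def parse_question(msg):
    """Header fields and the first question of a DNS wire message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount == 0:
        raise ValueError("no question section")
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": QTYPES.get(qtype, str(qtype)), "qclass": qclass}

def build_query(name, qtype, txid=0):
    """Minimal RD=1 query; used here only to fabricate sample traffic."""
    wire = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_question_from_request(target):
    """Question carried by a DoH GET target; None if the target is not one."""
    parts = urlsplit(target)
    if not parts.path.endswith("/dns-query"):
        return None
    values = parse_qs(parts.query).get("dns")
    if not values:
        return None
    return parse_question(decode_doh_param(values[0]))

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines):
    """(source address, decoded question or error) for every DoH hit in the log."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        try:
            q = doh_question_from_request(m.group(1))
        except ValueError as exc:  # a malformed dns= value is itself a signal
            q = {"error": str(exc)}
        if q is not None:
            hits.append((line.split(" ", 1)[0], q))
    return hits

# Constructed access-log lines (addresses from documentation ranges). The first
# dns= value is the www.example.com/A query from RFC 8484 section 4.1.1.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2021:10:01:02 +0000] "GET /dns-query?dns='
    'AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1" 404 0',
    '203.0.113.5 - - [15/Jan/2021:10:01:03 +0000] "GET /dns-query?dns=%s HTTP/1.1" 404 0'
    % base64.urlsafe_b64encode(build_query("c2.example.net", 16, txid=0x1234)).rstrip(b"=").decode(),
    '198.51.100.7 - - [15/Jan/2021:10:02:00 +0000] "GET /dns-query?dns=AAAA HTTP/1.1" 404 0',
    '198.51.100.7 - - [15/Jan/2021:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, question in scan_log(SAMPLE_LOG):
        print(src, question)
```

Only the GET form is decoded here; a DoH POST carries the same wire message as the request body, so parse_question applies to it unchanged once the body is available. Queries for long or high-entropy names and TXT records in such hits are the cases worth routing to the resolver policy the NSA sheet describes.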


∗∗∗ Skimming: Losses from data theft at ATMs at a record low ∗∗∗
---------------------------------------------
Experts consider data theft at ATMs in Germany to be a dying phenomenon. Both the number of attacks and the losses fell to record lows in 2020.
---------------------------------------------
https://heise.de/-5026975



=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-21-072: NETGEAR R7450 SOAP API RecoverAdminPassword Improper Access Control Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-072/


∗∗∗ ZDI-21-071: NETGEAR R7450 Password Recovery External Control of Critical State Data Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-071/


∗∗∗ ZDI-21-070: Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-070/


∗∗∗ ZDI-21-069: Apple macOS process_token_BlitLibSetup2D Out-Of-Bounds Write Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-069/


∗∗∗ Critical admin vulnerability in WordPress plug-in Orbit Fox ∗∗∗
---------------------------------------------
There is an important security update for the WordPress plug-in Orbit Fox.
---------------------------------------------
https://heise.de/-5027252


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (flatpak, ruby-redcarpet, and wavpack), Fedora (dia, mingw-openjpeg2, and openjpeg2), Mageia (awstats, bison, cairo, kernel, kernel-linus, krb5, nvidia-current, nvidia390, php, and thunderbird), openSUSE (cobbler, firefox, kernel, libzypp, zypper, nodejs10, nodejs12, and nodejs14), Scientific Linux (thunderbird), Slackware (wavpack), SUSE (kernel, nodejs8, open-iscsi, openldap2, php7, php72, php74, slurm_20_02, and thunderbird), and Ubuntu (ampache,[...]
---------------------------------------------
https://lwn.net/Articles/842834/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit,[...]
---------------------------------------------
https://lwn.net/Articles/843054/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-cve-2020-2590/


∗∗∗ Security Bulletin: Websphere Hibernate Validator Vulnerability Affects IBM Control Center (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-hibernate-validator-vulnerability-affects-ibm-control-center-cve-2020-10693/


∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2020-4576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-are-affected-by-a-websphere-application-server-vulnerability-cve-2020-4576/


∗∗∗ Security Bulletin: Apache ActiveMQ Vulnerability Affects IBM Control Center (CVE-2020-13920) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-activemq-vulnerability-affects-ibm-control-center-cve-2020-13920/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
