[CERT-daily] Tageszusammenfassung - 09.06.2021

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 08-06-2021 18:00 − Mittwoch 09-06-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Intel fixes 73 vulnerabilities in June 2021 Platform Update ∗∗∗
---------------------------------------------
Intel has addressed 73 security vulnerabilities as part of the June 2021 Patch Tuesday, including high severity ones impacting some versions of Intels Security Library and the BIOS firmware for Intel processors. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-fixes-73-vulnerabilities-in-june-2021-platform-update/


∗∗∗ PuzzleMaker attacks with Chrome zero-day exploit chain ∗∗∗
---------------------------------------------
We detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.
---------------------------------------------
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/


∗∗∗ Alpaca-Attacke: Angreifer könnten mit TLS gesicherte Verbindungen attackieren ∗∗∗
---------------------------------------------
Sicherheitsforscher zeigen theoretische Attacken auf TLS-Verbindungen. Angreifer könnten beispielsweise Sessions kapern.
---------------------------------------------
https://heise.de/-6066915


∗∗∗ Nameless Malware Discovered by NordLocker is Now in Have I Been Pwned ∗∗∗
---------------------------------------------
[...] they're sitting on a bunch of compromised personal info, now what? As with the two law enforcement agencies, NordLocker's goal is to inform impacted parties which is where HIBP comes in so as of now, all 1,121,484 compromised email addresses are searchable.
---------------------------------------------
https://www.troyhunt.com/nameless-malware-discovered-by-nordlocker-is-now-in-have-i-been-pwned/


∗∗∗ Cisco Smart Install Protocol Still Abused in Attacks, 5 Years After First Warning ∗∗∗
---------------------------------------------
Cisco’s Smart Install protocol is still being abused in attacks — five years after the networking giant issued its first warning — and there are still roughly 18,000 internet-exposed devices that could be targeted by hackers. 
---------------------------------------------
https://www.securityweek.com/cisco-smart-install-protocol-still-abused-attacks-5-years-after-first-warning


∗∗∗ Kleinanzeigen-Betrug: Potenzielle KäuferInnen wollen Zahlung über DHL abwickeln ∗∗∗
---------------------------------------------
Aktuell wenden Kriminelle in Kleinanzeigenplattformen wie willhaben, shpock und Co vermehrt den DHL-Trick an, um VerkäuferInnen Geld zu stehlen. Dabei geben sich Kriminelle als KäuferInnen aus und schlagen vor, die Zahlung über DHL abzuwickeln. Sie behaupten, DHL verwalte nun Zahlungen, um KäuferInnen und VerkäuferInnen eine sichere Abwicklung zu ermöglichen. In Wahrheit stecken die Kriminellen hinter den DHL-Nachrichten und versuchen so an Ihr Geld zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigen-betrug-potenzielle-kaeuferinnen-wollen-zahlung-ueber-dhl-abwickeln/


∗∗∗ The Sysrv-hello Cryptojacking Botnet: Here’s What’s New ∗∗∗
---------------------------------------------
The Sysrv-hello botnet is deployed on both Windows and Linux systems by exploiting multiple vulnerabilities and deployed via shell scripts.  Like many of the threat actor tools weve covered, it continuously evolves to fit the needs of its operators and stay ahead of security researchers and law enforcement.  Over time, there have been several slight changes in the shell scripts that install the Sysrv-hello implant on machines. 
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Unsachgemäße Authentifizierung in SAP NetWeaver ABAP Server und ABAP Platform ∗∗∗
---------------------------------------------
Im Rahmen des Patchdays Juni 2021 veröffentlichte die SAP SE den Sicherheitshinweis 3007182, der einen schwerwiegenden Design-Fehler adressiert,…
---------------------------------------------
https://sec-consult.com/de/blog/detail/unsachgemaesse-authentifizierung-in-sap-netweaver-abap-server-und-abap-platform/


∗∗∗ Updates verfügbar: Schwachstellen in Message-Brokern RabbitMQ, EMQ X und VerneMQ ∗∗∗
---------------------------------------------
Die Message-Broker sind für Denial-of-Service-Angriffe über das IoT-Protokoll MQTT anfällig. Aktuelle Patches sind verfügbar, Sie sollten sie schnell anwenden.
---------------------------------------------
https://heise.de/-6065996


∗∗∗ XSA-375 - Speculative Code Store Bypass ∗∗∗
---------------------------------------------
Impact: An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
Resolution: Applying the appropriate attached patch resolves this issue.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-375.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (eterm, mrxvt, and rxvt), Mageia (cgal, curl, exiv2, polkit, squid, thunderbird, and upx), openSUSE (firefox and libX11), Oracle (libwebp, nginx:1.18, and thunderbird), Red Hat (.NET 5.0, .NET Core 3.1, 389-ds-base, dhcp, gupnp, hivex, kernel, kernel-rt, libldb, libwebp, microcode_ctl, nettle, postgresql:10, postgresql:9.6, qemu-kvm, qt5-qtimageformats, rh-dotnet50-dotnet, and samba), SUSE (apache2-mod_auth_openidc, firefox, gstreamer-plugins-bad, kernel, libX11, pam_radius, qemu, runc, spice, and spice-gtk), and Ubuntu (intel-microcode and rpcbind).
---------------------------------------------
https://lwn.net/Articles/858832/


∗∗∗ Dell PowerEdge: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
DSA-2021-078: Dell PowerEdge Server Security Advisory for a Trusted Platform Module (TPM) 1.2 Firmware Vulnerability
DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0628


∗∗∗ Xen: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein lokaler Angreifer kann mehrere Schwachstellen in Xen ausnutzen, um Informationen offenzulegen, seine Privilegien zu erhöhen oder einen Denial of Service Zustand herbeizuführen.
 * XSA-377: x86: TSX Async Abort protections not restored after S3
 * XSA-374: Guest triggered use-after-free in Linux xen-netback
 * XSA-373: inappropriate x86 IOMMU timeout detection / handling
 * XSA-372: xen/arm: Boot modules are not scrubbed
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0627


∗∗∗ Multiple vulnerabilities in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-478243-BT: Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch. Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.Customers are strongly advised to upgrade to the fixed versions.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html


∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates.
 * APSB21-36 Security update available for Adobe Connect
 * APSB21-37 Security update available for Adobe Acrobat and Reader
 * APSB21-38 Security update available for Adobe Photoshop
 * APSB21-39 Security update available for Adobe Experience Manager
 * APSB21-41 Security update available for Adobe Creative Cloud Desktop Application
 * APSB21-44 Security update available for Adobe RoboHelp Server
 * APSB21-46 Security update available for Adobe Photoshop Elements
 * APSB21-47 Security update available for Adobe Premiere Elements
 * APSB21-49 Security update available for Adobe After Effects
 * APSB21-50 Security update available for Adobe Animate
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/06/08/adobe-releases-security-updates-multiple-products


∗∗∗ Security Bulletin: IBM Event Streams is affected by potential data integrity issue (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affected-by-potential-data-integrity-issue-cve-2020-25649/


∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) stores keystore passwords in plain after a manuel edit, which can be read by a local user. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-stores-keystore-passwords-in-plain-after-a-manuel-edit-which-can-be-read-by-a-local-user-2/


∗∗∗ Nettle cryptography library vulnerability CVE-2021-20305 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33101555?utm_source=f5support&utm_medium=RSS


∗∗∗ Linux kernel vulnerability CVE-2019-11811 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01512680?utm_source=f5support&utm_medium=RSS


∗∗∗ Johnson Controls Metasys ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01


∗∗∗ Open Design Alliance Drawings SDK ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02


∗∗∗ AVEVA InTouch ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-03


∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-04


∗∗∗ Schneider Electric Modicon X80 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-05


∗∗∗ Thales Sentinel LDK Run-Time Environment ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-06

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily