[CERT-daily] Tageszusammenfassung - 07.10.2021

Thu Oct 7 18:29:47 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 06-10-2021 18:00 − Donnerstag 07-10-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Wolfgang Menezes

=====================
=       News        =
=====================

∗∗∗ Air-Gap-Hack: LAN-Kabel als Antenne nutzen, um Daten auszuleiten ∗∗∗
---------------------------------------------
Auch wenn ein Netzwerk nicht mit dem Internet verbunden ist, lassen sich Daten ausleiten. Dazu hat ein Forscher ein LAN-Kabel zur Antenne umfunktioniert.
---------------------------------------------
https://www.golem.de/news/air-gap-hack-lan-kabel-als-antenne-nutzen-um-daten-auszuleiten-2110-160153-rss.html


∗∗∗ Cisco schließt Root-Lücke in Intersight Virtual Appliance ∗∗∗
---------------------------------------------
Der Netzwerkausrüster Cisco hat für verschiedene Software wichtige Sicherheitsupdates veröffentlicht.
---------------------------------------------
https://heise.de/-6211537


∗∗∗ Neue Malware-Familie für Linux entdeckt ∗∗∗
---------------------------------------------
Die von ihren Entdeckern FontOnLake getaufte Malware-Familie aus trojanisierten Programmen, Backdoors und einem Rootkit eignet sich für gezielte Angriffe.
---------------------------------------------
https://heise.de/-6211764


∗∗∗ Tor Browser und Tails: Anonymisierender Browser & OS in abgesicherten Versionen ∗∗∗
---------------------------------------------
Etwas später als geplant ist eine neue Version der Linux-Distribution Tails erschienen. An Bord hat sie den ebenfalls taufrischen Tor Browser 10.5.8.
---------------------------------------------
https://heise.de/-6211744


∗∗∗ Hackers use stealthy ShellClient malware on aerospace, telco firms ∗∗∗
---------------------------------------------
Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-stealthy-shellclient-malware-on-aerospace-telco-firms/


∗∗∗ Unpatched Dahua cams vulnerable to unauthenticated remote access ∗∗∗
---------------------------------------------
Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof of concept exploit that came out today makes the case of upgrading pressing.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnerable-to-unauthenticated-remote-access/


∗∗∗ MacOS Security: What Security Teams Should Know ∗∗∗
---------------------------------------------
As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees.
---------------------------------------------
https://www.darkreading.com/edge-articles/mac-attacks-how-secure-are-the-macs-in-your-enterprise


∗∗∗ Ransomware in the CIS ∗∗∗
---------------------------------------------
Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker.
---------------------------------------------
https://securelist.com/cis-ransomware/104452/


∗∗∗ Apache HTTP Server CVE-2021-41773 Exploited in the Wild ∗∗∗
---------------------------------------------
On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled.
---------------------------------------------
https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/


∗∗∗ Medtronics Insulin Pump Controllers Are Vulnerable to Hackers ∗∗∗
---------------------------------------------
The company just expanded its recall of insulin pump remote controllers that can be hijacked to alter insulin amounts. Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorized people could hijack the devices to alter how much insulin is delivered to a patient.
---------------------------------------------
https://gizmodo.com/medtronics-insulin-pump-controllers-are-vulnerable-to-h-1847811273


∗∗∗ Life is Pane: Persistence via Preview Handlers ∗∗∗
---------------------------------------------
[...] The preview pane allows users to have a quick peek at the content of a selected file without actually having to open it. This feature is disabled on default Windows 10 builds, but can be enabled in the Explorer menu under View→Preview pane. While this seems relatively simple at face value, it is anything but under the hood. For example, how does Windows know how to display the contents of certain filetypes but not others? Are the previews controlled by Explorer or is it done in another process? Are these handlers abusable? We spent a few days exploring preview handlers to gain a deeper understanding of how they work and answer these questions.
---------------------------------------------
https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3c0216c5ef9e


∗∗∗ CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation ∗∗∗
---------------------------------------------
In June of 2021, Microsoft released a patch to correct CVE-2021-26420 - a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability.
---------------------------------------------
https://www.thezdi.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-in-sharepoint-via-workflow-compilation


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco hat Security Advisories zu 16 Schwachstellen veröffentlicht. Keine davon wird als "Critical" eingestuft, sechs als "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F10%2F06&firstPublishedEndDate=2021%2F10%2F07


∗∗∗ IBM Security Bulletins 2021-10-07 ∗∗∗
---------------------------------------------
IBM hat 21 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Advisory: Cisco ATA19X Privilege Escalation and RCE ∗∗∗
---------------------------------------------
1. Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the “user” account from performing “admin”-privileged actions. As such, a user who logs in with “user” privileges is able to perform actions that should only be performed by an “admin” user. 2. Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers [...]
---------------------------------------------
https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalation-rce/


∗∗∗ CVE-2021-33602: Denial-of-Service (DoS) Vulnerabilty ∗∗∗
---------------------------------------------
A vulnerability affecting the F-Secure antivirus engine was discovered when the engine tries to unpack a zip archive (LZW decompression method), and this can crash the scanning engine. The vulnerability can be exploited remotely by an attacker. A successful attack will result in denial-of-service of the antivirus engine.
---------------------------------------------
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33602


∗∗∗ Typo3: Neue Version schließt zwei Sicherheitslücken im CMS ∗∗∗
---------------------------------------------
Lücken im Content-Management-System hätten Angreifern schlimmstenfalls Admin-Rechte gewähren können. Die neue Typo3-Version 11.5 bannt die Gefahr.
---------------------------------------------
https://heise.de/-6211486


∗∗∗ High Severity Vulnerability Patched in Access Demo Importer Plugin ∗∗∗
---------------------------------------------
On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle).
---------------------------------------------
https://lwn.net/Articles/872154/


∗∗∗ Apache OpenOffice: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1041

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily