[CERT-daily] Tageszusammenfassung - 05.04.2022

Daily end-of-shift report team at cert.at
Tue Apr 5 18:25:37 CEST 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 04-04-2022 18:00 − Dienstag 05-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ WhatsApp voice message phishing emails push info-stealing malware ∗∗∗
---------------------------------------------
A new WhatsApp phishing campaign impersonating WhatsApps voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phishing-emails-push-info-stealing-malware/


∗∗∗ SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 ∗∗∗
---------------------------------------------
Microsoft provides guidance for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/


∗∗∗ WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th) ∗∗∗
---------------------------------------------
Looking through my honeypot logs for some Spring4Shell exploits (I didn't find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely %%cve:2020-14882%% or %%cve:2020-14883%%). The exploit itself is "run of the mill," but the script downloaded is going through an excessively long list of competitors to disable and disabled cloud monitoring tools, likely to make detecting and response more difficult.
---------------------------------------------
https://isc.sans.edu/diary/rss/28520


∗∗∗ ZDI-22-547: (0Day) (Pwn2Own) Samsung Galaxy S21 Exposed Dangerous Method Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-547/


∗∗∗ Phishing-Angriffe auf Kryptowährungssektor nach Einbruch bei MailChimp ∗∗∗
---------------------------------------------
Nach einem Einbruch beim Marketing-Mail-Anbieter MailChimp haben Cyberkriminelle versucht, per Phishing an Kryptowährungen von Krypto-Wallet-Kunden zu gelangen.
---------------------------------------------
https://heise.de/-6662971


∗∗∗ CISA advises D-Link users to take vulnerable routers offline ∗∗∗
---------------------------------------------
CISA has advised users to take certain vulnerable D-Link routers offline since the existing vulnerabilities are know to be actively exploited and the models have reached EOL and will not get patched.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/


∗∗∗ Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter ∗∗∗
---------------------------------------------
Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.The infections leverage process injection to evade detection by endpoint security software.
---------------------------------------------
http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Android Security Bulletin—April 2022 ∗∗∗
---------------------------------------------
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-04-05 or later address all of these issues.
---------------------------------------------
https://source.android.com/security/bulletin/2022-04-01


∗∗∗ Xen Security Advisory CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 / XSA-400 ∗∗∗
---------------------------------------------
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues.
The precise impact is system specific, but would likely be a Denial of
Service (DoS) affecting the entire host.  Privilege escalation and
information leaks cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-400.html


∗∗∗ Xen Security Advisory CVE-2022-26357 / XSA-399 ∗∗∗
---------------------------------------------
race in VT-d domain ID cleanup.
The precise impact is system specific, but would typically be a Denial
of Service (DoS) affecting the entire host.  Privilege escalation and
information leaks cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-399.html


∗∗∗ Xen Security Advisory CVE-2022-26356 / XSA-397 ∗∗∗
---------------------------------------------
Racy interactions between dirty vram tracking and paging log dirty hypercalls.
An attacker can cause Xen to leak memory, eventually leading to a Denial of
Service (DoS) affecting the entire host.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-397.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (polkit, postgresql, and zlib), openSUSE (389-ds and opera), Red Hat (kpatch-patch), SUSE (389-ds and util-linux), and Ubuntu (waitress).
---------------------------------------------
https://lwn.net/Articles/890258/


∗∗∗ Kyocera Printer: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kyocera Printer ausnutzen, um Informationen offenzulegen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0391


∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
This issue may allow privileged code in a guest VM to cause the host to crash or become unresponsive.  The issue only affects systems with Intel CPUs where the malicious guest VM has had a physical PCI device assigned to it by the host administrator using the PCI passthrough feature.
The issue has the following identifier: CVE-2022-26357
Customers who have not assigned a physical PCI device to a guest VM are not affected by this issue. Customers who are running on systems with only AMD CPUs are also not affected by this issue.
---------------------------------------------
https://support.citrix.com/article/CTX390511


∗∗∗ Sicherheitsupdate für Webbrowser Google Chrome ∗∗∗
---------------------------------------------
https://heise.de/-6662814


∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-multiple-issues-within-red-hat-ubi-packages-and-the-ibm-websphere-application-server-liberty-shipped-with-ibm-mq/


∗∗∗ Security Bulletin: A security vulnerability has been identified in Dojo Toolkil shipped with IBM Tivoli Netcool Impact (CVE-2021-23450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-dojo-toolkil-shipped-with-ibm-tivoli-netcool-impact-cve-2021-23450/


∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-an-apache-log4j-vulnerability-cve-2022-23302/


∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2021-39031/


∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2022-22310/


∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-may-be-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-1-2-cve-2021-4104/


∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-an-apache-log4j-vulnerability-cve-2022-23305/


∗∗∗ Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected-by-account-enumeration-and-denial-of-service-vulnerabilities-cve-2022-22356-and-cve-2022-22355/


∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vulnerabilities-has-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics-cve-2018-1980cve-2019-4094cve-2018-1922/


∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-gson-vulnerability-c2021-0419/


∗∗∗ K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K29855410?utm_source=f5support&utm_medium=RSS


∗∗∗ K08827426: Vim vulnerability CVE-2022-0359 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08827426?utm_source=f5support&utm_medium=RSS


∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/


∗∗∗ Security Vulnerabilities fixed in Firefox 99 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list