[CERT-daily] Tageszusammenfassung - 12.04.2022

Tue Apr 12 18:21:43 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 11-04-2022 18:00 − Dienstag 12-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Qbot malware switches to new Windows Installer infection vector ∗∗∗
---------------------------------------------
The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/


∗∗∗ Discord-Konten im Visier von Cyberkriminellen ∗∗∗
---------------------------------------------
Seit Jahresanfang sehen GDatas Sicherheitsforscher einen Anstieg an Malware, die Zugangstoken zu Discord stehlen will. Nutzer sollten Maßnahmen ergreifen.
---------------------------------------------
https://heise.de/-6669765


∗∗∗ Terrible cloud security is leaving the door open for hackers. Heres what youre doing wrong ∗∗∗
---------------------------------------------
A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but its also leaving them vulnerable to cyberattacks.
---------------------------------------------
https://www.zdnet.com/article/terrible-cloud-security-is-leaving-the-door-open-for-hackers-heres-what-youre-doing-wrong/


∗∗∗ Industroyer2: Industroyer reloaded ∗∗∗
---------------------------------------------
This ICS-capable malware targets a Ukrainian energy company
---------------------------------------------
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/


∗∗∗ F5 investigating reports of NGINX zero day ∗∗∗
---------------------------------------------
UPDATE 4/12: On Monday evening, NGINX released a blog about the issue, writing that it only affects reference implementations and does not affect NGINX Open Source or NGINX Plus. The company said deployments of the LDAP reference implementation are affected by the vulnerabilities if command-line parameters are used to configure the Python daemon, if there are unused, optional configuration parameters and if LDAP authentication depends on specific group membership.
---------------------------------------------
https://therecord.media/f5-investigating-reports-of-nginx-zero-day/


∗∗∗ SystemBC Being Used by Various Attackers ∗∗∗
---------------------------------------------
SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as a passage if the infected system utilizes SystemBC, which acts as a Proxy Bot.
---------------------------------------------
https://asec.ahnlab.com/en/33600/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical LFI Vulnerability Reported in Hashnode Blogging Platform ∗∗∗
---------------------------------------------
Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, servers IP address, and other network information.
---------------------------------------------
https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django).
---------------------------------------------
https://lwn.net/Articles/891048/


∗∗∗ Amazon RDS Vulnerability Led to Exposure of Credentials ∗∗∗
---------------------------------------------
Amazon Web Services (AWS) on Monday announced that it recently addressed a vulnerability in Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials.
---------------------------------------------
https://www.securityweek.com/amazon-rds-vulnerability-led-exposure-credentials


∗∗∗ SSA-350757 V1.0: Improper Access Control Vulnerability in TIA Portal Affecting S7-1200 and S7-1500 CPUs Web Server (Incl. Related ET200 CPUs and SIPLUS variants) ∗∗∗
---------------------------------------------
An attacker could achieve privilege escalation on the web server of certain devices configured by SIMATIC STEP 7 (TIA Portal) due to incorrect handling of the webserverâ€™s user management configuration during downloading. This only affects the S7-1200 and S7-1500 CPUsâ€™ (incl.Â related ET200 CPUs and SIPLUS variants) web server, when activated. Siemens has released updates for several affected products and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-350757.txt


∗∗∗ SSA-392912 V1.0: Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices ∗∗∗
---------------------------------------------
Vulnerabilities have been identified in devices of the SCALANCE W-1700 (11ac) family that could allow an attacker to cause various denial of service conditions. Siemens has released updates for the affected products and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-392912.txt


∗∗∗ SSA-414513 V1.0: Information Disclosure Vulnerability in Mendix ∗∗∗
---------------------------------------------
An information disclosure vulnerability in Mendix applications was discovered. The vulnerability could allow to read sensitive data. Siemens has released an update for the Mendix Applications using Mendix 9 and recommends to update to the latest version. Siemens recommends countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-414513.txt


∗∗∗ SSA-446448 V1.0: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack ∗∗∗
---------------------------------------------
The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-446448.txt


∗∗∗ SSA-557541 V1.0: Denial-of-Service Vulnerability in SIMATIC S7-400 CPUs ∗∗∗
---------------------------------------------
SIMATIC S7-400 CPU devices contain an input validation vulnerability that could allow an attacker to create a Denial-of-Service condition. A restart is needed to restore normal operations. Siemens has released an update for SIMATIC S7-410 V10 CPU family and SIMATIC S7-400 H V6 CPU family (incl.Â SIPLUS variants for both) and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-557541.txt


∗∗∗ SSA-655554 V1.0: Multiple Vulnerabilities in SIMATIC Energy Manager before V7.3 Update 1 ∗∗∗
---------------------------------------------
SIMATIC Energy Manager is affected by multiple vulnerabilities that could allow an attacker to gain local privilege escalation, local code execution or remote code execution. Siemens has released updates for the affected products and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-655554.txt


∗∗∗ SSA-711829 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗
---------------------------------------------
In conjunction with the installation of the affected products listed in the table below, a vulnerability in TIA Administrator occurs that could allow an unauthenticated attacker to perform a denial of service attack. Siemens has released a first update for one of the affected products and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-711829.txt


∗∗∗ SSA-836527 V1.0: Multiple Vulnerabilities in SCALANCE X-300 Switch Family Devices ∗∗∗
---------------------------------------------
Several SCALANCE X-300 switches contain multiple vulnerabilities. An unauthenticated attacker could reboot, cause denial of service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for the affected products and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-836527.txt


∗∗∗ SSA-870917 V1.0: Improper Access Control Vulnerability in Mendix ∗∗∗
---------------------------------------------
When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field. Siemens has released updates for the affected products and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-870917.txt


∗∗∗ SSA-998762 V1.0: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.2 ∗∗∗
---------------------------------------------
Siemens Simcenter Femap versions before V2022.1.2 are affected by vulnerabilities that could be triggered when the application reads files in .NEU format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to leak information or potentially perform remote code execution in the context of the current process. Siemens recommends to update to the latest version line of Simcenter Femap and to avoid opening of untrusted files
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-998762.txt


∗∗∗ SSA-316850: Unauthenticated File Access in SICAM A8000 Devices ∗∗∗
---------------------------------------------
SICAM A8000 CP-8050 and CP-8031 devices contain vulnerabilities that could allow an attacker to access files without authentication.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-316850.txt


∗∗∗ SAP Patchday April 2022 ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0414


∗∗∗ Citrix SD-WAN Security Bulletin for CVE-2022-27505 and CVE-2022-27506 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX370550


∗∗∗ Citrix StoreFront Security Bulletin for CVE-2022-27503 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX377814


∗∗∗ Citrix Gateway Plug-in for Windows Security Bulletin for CVE-2022-21827 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX341455


∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities fixed in latest AXC F x152 LTS release ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-010/


∗∗∗ PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-014/


∗∗∗ PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-013/


∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Framework ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-multiple-vulnerabilities-due-to-spring-framework/


∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-is-affected-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


∗∗∗ Security Bulletin: IBM Maximo For Civil infrastructure is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-for-civil-infrastructure-is-vulnerable-to-a-remote-code-execution-in-spring-framework-cve-2022-22965/


∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affects-rational-team-concert-rtc-and-ibm-engineering-workflow-management-ewm-4/


∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to Prototype Pollution due to json-schema CVE-2021-3918 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vulnerable-to-prototype-pollution-due-to-json-schema-cve-2021-3918/


∗∗∗ Security Bulletin: Vulnerabilities in Dojo and dom4j libraries affect Tivoli Netcool/OMNIbus WebGUI (CVE-2020-10683, CVE-2021-23450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-and-dom4j-libraries-affect-tivoli-netcool-omnibus-webgui-cve-2020-10683-cve-2021-23450/


∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Performance Management products (CVE-2021-23450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-performance-management-products-cve-2021-23450/


∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities-including-a-remote-code-execution-in-spring-framework-cve-2022-22965/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integrationservers-that-use-the-box-connector-may-be-vulnerable-to-arbitrary-code-execution-due-to-cve-2021-23555/


∗∗∗ Security Bulletin: Multiple Vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data/


∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to CKEditor ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-multiple-vulnerabilities-due-to-ckeditor/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily