[CERT-daily] Tageszusammenfassung - 17.02.2022

Thu Feb 17 18:21:42 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 16-02-2022 18:00 − Donnerstag 17-02-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Neue Welle von Spam-Mails: "Dein Paket wartet!" ∗∗∗
---------------------------------------------
Die E-Mails enthalten eine Zahlungsaufforderung und geben an, dass ein Paket abgeholt werden kann.
---------------------------------------------
https://futurezone.at/digital-life/spam-e-mail-phishing-betrug-post-lieferung-dein-paket-wartet/401908795


∗∗∗ Researchers Warn of a New Golang-based Botnet Under Continuous Development ∗∗∗
---------------------------------------------
Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken thats under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts.
---------------------------------------------
https://thehackernews.com/2022/02/researchers-warn-of-new-golang-based.html


∗∗∗ Tutorial: Kubernetes Vulnerability Scanning & Testing With Open Source ∗∗∗
---------------------------------------------
Kubernetes containers have several security risks, including runtime threats, vulnerabilities, exposures, and failed compliance audits. These insecurities motivated CyberArk to develop two open source tools: Kubesploit and KubiScan. These tools benefit the Kubernetes community by performing deep security operations while simultaneously mimicking a real attack. They allow us to test our resiliency.
---------------------------------------------
https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-testing-with-open-source/


∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗
---------------------------------------------
NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
---------------------------------------------
https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-focused-threat-actor/


∗∗∗ Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1) ∗∗∗
---------------------------------------------
Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution.
---------------------------------------------
https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-encryption-extracting-the-lexmark-mc3224i-printer-firmware-part-1/


∗∗∗ Gefahr Datenleaks: Achten Sie auf Passwort-Sicherheit! ∗∗∗
---------------------------------------------
Um sich vor den Gefahren im Netz zu schützen, macht es Sinn, sich regelmäßig über Internetbetrug zu informieren und die Tricks der Kriminellen zu kennen. Doch leider können Sie auch zum Opfer werden, wenn Sie alles richtig machen und sich nicht in Internetfallen locken lassen. Das gilt zum Beispiel, wenn Ihre Daten bei einem sogenannten Datenleak veröffentlicht werden.
---------------------------------------------
https://www.watchlist-internet.at/news/gefahr-datenleaks-achten-sie-auf-passwort-sicherheit/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Information disclosure
CVE IDs: CVE-2022-25270
Description: The Quick Edit module does not properly check entity access in some circumstances.
---------------------------------------------
https://www.drupal.org/sa-core-2022-004


∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271
Description: Drupal cores form API has a vulnerability where certain contributed or custom modules forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
---------------------------------------------
https://www.drupal.org/sa-core-2022-003


∗∗∗ Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025 ∗∗∗
---------------------------------------------
Project: Quick Edit
Security risk: Moderately critical
Vulnerability: Information Disclosure
Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-025


∗∗∗ Sicherheitsupdate: Präparierte Mails können Thunderbird aus dem Tritt bringen ∗∗∗
---------------------------------------------
Es ist eine gegen mögliche Schadcode-Attacken abgesicherte Version des Mailclients Thunderbird erschienen.
---------------------------------------------
https://heise.de/-6484606


∗∗∗ VMSA-2022-0005 - VMware NSX Data Center for vSphere (NSX-V) VMware Cloud Foundation (Cloud Foundation) ∗∗∗
---------------------------------------------
CVSSv3 Range: 8.8
CVE(s): CVE-2022-22945
Synopsis: VMware NSX Data Center for vSphere update addresses CLI shell injection vulnerability (CVE-2022-22945)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0005.html


∗∗∗ Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin ∗∗∗
---------------------------------------------
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. [..] We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/


∗∗∗ PostgreSQL JDBC 42.3.3 Released ∗∗∗
---------------------------------------------
A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver.
---------------------------------------------
https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/


∗∗∗ SSA-949188: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-949188.txt


∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healthcare-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2022-23307/


∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-ibm-cloud-pak-for-data-system-1-0/


∗∗∗ Security Bulletin: IBM OpenPages for Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-for-cloud-pak-for-data-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/


∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-1-0-is-vulnerable-to-arbitrary-code-execution-due-to-samba-cve-2021-44142/


∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-affects-ibm-integrated-analytics-system-5/


∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affects-rational-team-concert-rtc-and-ibm-engineering-workflow-management-ewm-2/


∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-2-0-icpds-2-0-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-system-is-vulnerable-to-arbitrary-code-execution-due-to-samba-cve-2021-44142-2/


∗∗∗ Security Bulletin: Financial Transaction Manager is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-is-vulnerable-to-arbitrary-code-execution-cve-2021-45046-and-denial-of-service-cve-2021-45105/


∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-ibm-integrated-analytics-system-2/


∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue within the channel process.(CVE-2021-39034) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-issue-within-the-channel-process-cve-2021-39034/


∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-integrated-analytics-system/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily