[CERT-daily] Tageszusammenfassung - 31.01.2022

Mon Jan 31 18:34:30 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 28-01-2022 18:00 − Montag 31-01-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Log4Shell: Eine Bestandsaufnahme ∗∗∗
---------------------------------------------
Nach der Panik wegen der größten Sicherheitslücke aller Zeiten blieb der große Knall aus. Kommt der noch oder haben wir das Gröbste überstanden?
---------------------------------------------
https://heise.de/-6342536


∗∗∗ Unseriöse Umzugsfirmen: Vorsicht bei zu günstigen Angeboten ∗∗∗
---------------------------------------------
Sie ziehen gerade um und sind auf der Suche nach einer Umzugsfirma? Unser Tipp: Lassen Sie sich nicht von Billigangeboten täuschen! Festpreisangebote von „25 Euro pro Stunde für 2 Männer inklusive LKW“ sind vollkommen unrealistisch. Dabei handelt es sich um ein Lockangebot. Bei einer Beauftragung wird Ihnen schlussendlich der 3- bis 4-fache Preis verrechnet!
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei-zu-guenstigen-angeboten/


∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗
---------------------------------------------
A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) turns your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-eternal-silence-attacks-via-upnp/


∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗
---------------------------------------------
Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, by example, the right to forward or copy the original email.
---------------------------------------------
https://isc.sans.edu/diary/rss/28292


∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗
---------------------------------------------
It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory.
---------------------------------------------
https://github.com/cado-security/rip_raw


∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗
---------------------------------------------
This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post.
---------------------------------------------
https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4


∗∗∗ In eigener Sache: CERT.at sucht Verstärkung (Junior IT-Security Analyst:in, IT-Security Analyst:in, Python Entwickler:in) ∗∗∗
---------------------------------------------
Wir suchen derzeit: 
- Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security zur Unterstützung bei den täglich anfallenden Routineaufgaben 
- IT/OT-Security Generalist:in oder Spezialist:in im Bereich Windows Security, mit Praxiserfahrung 
- Python Entwickler:in zur Weiterentwicklung von bestehenden Open-Source-Projekten, insbesondere IntelMQ und Tuency 
Details finden sich auf unserer Jobs-Seite.
---------------------------------------------
https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-junior-it-security-analystin-it-security-analystin-python-entwicklerin


=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗
---------------------------------------------
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/119678


∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server.
---------------------------------------------
https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB00224447?OpenDocument


∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory Intel Graphics Drivers Advisory ∗∗∗
---------------------------------------------
Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-drivers-advisory


∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗
---------------------------------------------
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of theTLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
---------------------------------------------
https://openssl.org/news/secadv/20220128.txt


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...]
---------------------------------------------
https://lwn.net/Articles/883322/


∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗
---------------------------------------------
Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b520602c351e9707b0c


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-jetwave-products/


∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54450124


∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K46015513


∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-002/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily