[CERT-daily] Daily summary - 12.07.2022

Daily end-of-shift report team at cert.at
Tue Jul 12 18:42:39 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 11-07-2022 18:00 - Tuesday 12-07-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ IBM middleware: Vulnerability in MQ can lead to privilege escalation ∗∗∗
---------------------------------------------
Several security vulnerabilities in IBM MQ allow attackers to escalate their privileges on affected systems or to bring them down. Updates are available.
---------------------------------------------
https://heise.de/-7169603


∗∗∗ Worm infection: Raspberry Robin malware campaign infects Windows and Qnap NAS ∗∗∗
---------------------------------------------
IT researchers at Cybereason have discovered a network worm that spreads on Windows and Qnap devices. They call the campaign Raspberry Robin.
---------------------------------------------
https://heise.de/-7170350


∗∗∗ Month of PowerShell: Threat Hunting with PowerShell Differential Analysis ∗∗∗
---------------------------------------------
One of the most powerful techniques for threat hunting on Windows: differential analysis.
---------------------------------------------
https://www.sans.org/blog/threat-hunting-with-powershell-differential-analysis/


∗∗∗ CVE-2022-29593 - Authentication Bypass by Capture Replay (Dingtian-DT-R002) ∗∗∗
---------------------------------------------
This blog post describes an authentication bypass within one such device that allows an attacker with access to the IP network to capture and subsequently replay discrete device commands, which allows the physical relays on the device to be switched on and off.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29593-authentication-bypass-by-capture-replay-dingtian-dt-r002/


∗∗∗ Exploiting Authentication in AWS IAM Authenticator for Kubernetes ∗∗∗
---------------------------------------------
During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities.
---------------------------------------------
https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator


∗∗∗ Scanning for security.txt files ∗∗∗
---------------------------------------------
RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the unofficial security.txt file that has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/.
---------------------------------------------
https://www.pentestpartners.com/security-blog/scanning-for-security-txt-files/


∗∗∗ ChromeLoader: New Stubborn Malware Campaign ∗∗∗
---------------------------------------------
A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users’ search queries.
---------------------------------------------
https://unit42.paloaltonetworks.com/chromeloader-malware/


∗∗∗ Is exploiting a null pointer deref for LPE just a pipe dream? ∗∗∗
---------------------------------------------
A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery.
---------------------------------------------
https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for-lpe-just-a-pipe-dream
=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-962/


∗∗∗ Siemens ProductCERT published 19 and updated 15 advisories/bulletins ∗∗∗
---------------------------------------------
Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devices, Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge.
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#SecurityPublications


∗∗∗ SAP Patch Day: 20 new security vulnerabilities closed in July ∗∗∗
---------------------------------------------
With the July Patch Day updates, SAP closes 20 new security vulnerabilities. The vendor also updates three older security bulletins.
---------------------------------------------
https://heise.de/-7170698


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap).
---------------------------------------------
https://lwn.net/Articles/900855/


∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-59-vulnerabilities


∗∗∗ TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-014


∗∗∗ MariaDB: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641


∗∗∗ Symantec Advanced Secure Gateway: Vulnerability allows manipulation and disclosure of information ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638


∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-golang-language-affect-ibm-event-streams-cve-2022-24921/


∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-multiple-vulnerabilities/


∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2022-23305/


∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-is-vulnerable-to-multiple-security-issues-due-to-node-js/


∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-denial-of-service-attack-due-to-cve-2021-39041/


∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vulnerable-to-arbitrary-code-execution-due-to-node-js-ejs-module-cve-2022-29078/


∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-server-is-affected-by-openssl-vulnerability-cve-2022-0778-2/


∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-uses-apache-ldap-api-with-a-known-vulnerability-cve-2018-1337/


∗∗∗ Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engine-for-lifecycle-integration-is-vulnerable-to-multiple-vulnerabilities/


∗∗∗ Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-postgresql-shipped-with-ibm-tivoli-netcool-impact-cve-2022-26520-cve-2022-21724-ws-2022-0080/


∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-golang-language-affect-ibm-event-streams-cve-2022-29526/


∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-identity-spoofing-cve-2022-22476-2/


∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-server-is-affected-by-openssl-vulnerability-cve-2021-4160-2/


∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2022-23302/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily