[CERT-daily] Tageszusammenfassung - 08.03.2022

Tue Mar 8 19:20:40 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 07-03-2022 18:00 − Dienstag 08-03-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Fernverwaltung mit Sicherheitslücke gefährdet medizinische Geräte ∗∗∗
---------------------------------------------
Viele medizinische IoT-Geräte enthalten Fernverwaltungssoftware von Axeda/PTC. Sicherheitslücken ermöglichen Angreifern das Einschleusen von Schadcode.
---------------------------------------------
https://heise.de/-6542436


∗∗∗ Stecker zum Stromsparen auf „getecotex.com“ ist Betrug ∗∗∗
---------------------------------------------
Auf getecotex.com wird ein Stecker zum Stromsparen angeboten. Für 59 Euro kann angeblich der Stromfluss stabilisiert, hochfrequenter Strom entfernt und die Energierechnung reduziert werden. Vorsicht: Diese Versprechen sind frei erfunden - ein solches Gerät existiert nicht. Sie werden betrogen und verlieren Ihr Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/stecker-zum-stromsparen-auf-getecotexcom-ist-betrug/


∗∗∗ CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector ∗∗∗
---------------------------------------------
A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet.
---------------------------------------------
https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector/


∗∗∗ Emotet growing slowly but steadily since November resurgence ∗∗∗
---------------------------------------------
The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-steadily-since-november-resurgence/


∗∗∗ An attackers toolchest: Living off the land ∗∗∗
---------------------------------------------
If you’ve been keeping up with the information security world, you’ve certainly heard that recent ransomware attacks and other advanced persistent threats are sometimes using special kind of tools. But for the most part, the tools will be very familiar to you.
---------------------------------------------
https://www.gdatasoftware.com/blog/2022/02/37248-living-off-the-land


∗∗∗ Androids March 2022 Security Updates Patch 39 Vulnerabilities ∗∗∗
---------------------------------------------
Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component.
---------------------------------------------
https://www.securityweek.com/androids-march-2022-security-updates-patch-39-vulnerabilities


∗∗∗ Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities ∗∗∗
---------------------------------------------
We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed - we provide a technical analysis.
---------------------------------------------
https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/


∗∗∗ Phishing attempts from FancyBear and Ghostwriter stepping up says Google ∗∗∗
---------------------------------------------
Google TAG also sees Chinese Mustang Panda going after Europeans and DDoS attempts against Ukrainian targets.
---------------------------------------------
https://www.zdnet.com/article/phishing-attempts-from-fancybear-and-ghostwriter-stepping-up-says-google/


∗∗∗ Daxin Backdoor: In-Depth Analysis, Part One ∗∗∗
---------------------------------------------
In the first of a two-part series of blogs, we will delve deeper into Daxin, examining the driver initialization, networking, key exchange, and backdoor functionality of the malware.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis


∗∗∗ FBI Releases Indicators of Compromise for RagnarLocker Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of a ransomware actors targeting critical infrastructure sectors. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000163-MW and apply the recommended mitigations.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/fbi-releases-indicators-compromise-ragnarlocker-ransomware


∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗
---------------------------------------------
08.03.2022 16:40  Bereich "Indirekte Angriffsfläche" erweitert
---------------------------------------------
https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Jetzt patchen! Kritische Sicherheitslecks in APC Smart-UPS ∗∗∗
---------------------------------------------
In den APC Smart-UPS von Schneider Electric könnten Angreifer Sicherheitslücken ausnutzen, um Schadcode einzuschleusen oder die Geräte außer Funktion zu setzen.
---------------------------------------------
https://heise.de/-6542950


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).
---------------------------------------------
https://lwn.net/Articles/887159/


∗∗∗ AVEVA System Platform ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02


∗∗∗ Sensormatic PowerManage (Update A) ∗∗∗
---------------------------------------------
This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. 
Update A (Part 1 of 1): Upgrade PowerManage to Version 4.10 
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01


∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0268


∗∗∗ Citrix Federated Authentication Service (FAS) Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX341587


∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guardium-data-encryption-gde-cve-2021-20414-2/


∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerability-are-addressed-in-monthly-security-fix-for-ibm-cloud-pak-for-business-automation-february-2022-2/


∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-weak-password-requirements-cve-2021-38935-2/


∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45046-cve-2021-44228-2/


∗∗∗ Security Bulletin: IBM Security Directory Integrator has upgraded log4j ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-integrator-has-upgraded-log4j/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-application-server-liberty-affect-ibm-virtualization-engine-ts7700-cve-2021-35517-cve-2021-36090-2/


∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-29842) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2021-29842/


∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-vulnerable-to-multiple-weaknesses-related-to-ibm-dojo-cve-2021-234550-java-se-cve-2021-35578-ibm-websphere-application-server-liberty-cve-2021-39031-2/


∗∗∗ SSA-250085: Multiple Vulnerabilities in SINEC NMS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-250085.txt


∗∗∗ SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-223353.txt


∗∗∗ SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-166747.txt


∗∗∗ SSA-155599: File Parsing Vulnerabilities in COMOS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-155599.txt


∗∗∗ SSA-148641: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-148641.txt


∗∗∗ SSA-134279: Vulnerability in Mendix Forgot Password Appstore module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-134279.txt


∗∗∗ SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-764417.txt


∗∗∗ SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-594438.txt


∗∗∗ SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-562051.txt


∗∗∗ SSA-415938: Improper Access Control Vulnerability in Mendix ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-415938.txt


∗∗∗ SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-406691.txt


∗∗∗ SSA-389290: Third-Party Component Vulnerabilities in SINEC INS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt


∗∗∗ SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-337210.txt


∗∗∗ SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-256353.txt


∗∗∗ SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-252466.txt

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily