[CERT-daily] Tageszusammenfassung - 14.03.2022

Daily end-of-shift report team at cert.at
Mon Mar 14 18:20:43 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 11-03-2022 18:00 − Montag 14-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Android malware Escobar steals your Google Authenticator MFA codes ∗∗∗
---------------------------------------------
The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/


∗∗∗ Curl on Windows, (Mon, Mar 14th) ∗∗∗
---------------------------------------------
It's about 2 years ago that Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now build into Windows. [...] So with this particular malicious script, it's rather easy to detect (especially if you are in a network environment without Linux machines): search for curl UAS. If you are in a corporate environment, there's something else to know about curl on Windows. 
---------------------------------------------
https://isc.sans.edu/diary/rss/28436


∗∗∗ New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access ∗∗∗
---------------------------------------------
Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is a result of a heap out-of-bounds write in the netfilter subcomponent in the kernel. [..] "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat said in an advisory published on February 22, 2022. Similar alerts have been released by Debian, Oracle Linux, SUSE, and Ubuntu.
---------------------------------------------
https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html


∗∗∗ Reverse Engineering a Netgear Nday ∗∗∗
---------------------------------------------
This post will detail how I went about developing a proof of concept for a Netgear Nday vulnerability.
---------------------------------------------
https://nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-netgear-nday.html


∗∗∗ Making Sense of the Dirty Pipe Vulnerability (CVE-2022-0847) ∗∗∗
---------------------------------------------
[..] the flaw could allow anyone with read access on a system to write arbitrary data into arbitrary files. In this blog post, we analyze the vulnerability details in-depth and demonstrate how the exploit works to successfully escalate privileges.
---------------------------------------------
https://redhuntlabs.com/blog/the-dirty-pipe-vulnerability.html


∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗
---------------------------------------------
Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug.
---------------------------------------------
https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html


∗∗∗ Shodan: Introducing the InternetDB API ∗∗∗
---------------------------------------------
The major differences between the InternetDB API and the main Shodan API are:
- No API key required
- Much higher rate limit
- Weekly updates
- Minimal port/ service information
- Non-commercial use only
---------------------------------------------
https://blog.shodan.io/introducing-the-internetdb-api/


∗∗∗ Diskrepanz zwischen erwarteten und tatsächlichen Cyberattacken im Ukraine-Krieg ∗∗∗
---------------------------------------------
c’t: Ukrainische Behörden haben Freiwillige in aller Welt aufgerufen, sich an Cyberattacken gegen Russland zu beteiligen. Halten Sie es für sinnvoll, dabei mitzumachen?
Dr. Sven Herpig: Nein. Natürlich könnten Freiwillige irgendwelche Ziele in Russland ärgern, aber das wird weit weg sein von kriegsentscheidend. Gleichzeitig ist es aus drei Gründen ziemlich gefährlich.
---------------------------------------------
https://heise.de/-6540223


∗∗∗ Gefälschte Otto-Shops werben auf Facebook ∗∗∗
---------------------------------------------
ottot.shop, otto.us.com und ghrh.shop sind betrügerische Online-Shops. Diese Shops imitieren das deutsche Handelsunternehmen „OTTO“ und bieten Produkte zu sehr günstigen Preisen an. Aber: Ware, die dort bestellt und bezahlt wird, wird nicht geliefert. Geschädigte können versuchen ihr Geld über den Käuferschutz von PayPal zurückzubekommen.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-otto-shops-werben-auf-facebook/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Veeam Backup & Replication - CVE-2022-26500 | CVE-2022-26501 ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. CVSS v3 score: 9.8
---------------------------------------------
https://www.veeam.com/kb4288


∗∗∗ High-Severity Vulnerabilities Patched in Omron PLC Programming Software ∗∗∗
---------------------------------------------
Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8.
---------------------------------------------
https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-plc-programming-software


∗∗∗ Riverbed spinoff Aternity ships emergency software patch ∗∗∗
---------------------------------------------
Riverbed’s performance monitoring spinoff Aternity has published seven security advisories describing now-patched vulnerabilities in its AppInternals monitoring agent software. The most serious of the bugs gave attackers remote code execution with system-level privilege. [..] Riverbed has shipped AppInternals Agent versions 11.8.8 and 12.14.0, which include patches for the bugs.
---------------------------------------------
https://www.itnews.com.au/news/riverbed-spinoff-aternity-ships-emergency-software-patch-577305


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd).
---------------------------------------------
https://lwn.net/Articles/887807/


∗∗∗ Dell BIOS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
CVE Liste: CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, CVE-2022-24421
Ein lokaler Angreifer kann mehrere Schwachstellen in Dell BIOS und Dell Computer ausnutzen, um beliebigen Programmcode auszuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0308


∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
CVE Liste: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0306


∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Data Virtualization on Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-not-enforced-when-create-table-as-select-statement-is-executed-in-ibm-data-virtualization-on-cloud-pak-for-data/


∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-privilege-escalation-vulnerability-and-affects-content-collector-for-email-2/


∗∗∗ Security Bulletin: IBM Spectrum Protect Plus is vulnerable to PostgreSQL Man-in-the-Middle and Slowloris Denial of Service attacks (CVE-2021-23222, CVE-2022-22354) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus-is-vulnerable-to-postgresql-man-in-the-middle-and-slowloris-denial-of-service-attacks-cve-2021-23222-cve-2022-22354/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-analytical-decision-management-cve-2021-4104/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects SPSS Collaboration and Deployment Services (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-spss-collaboration-and-deployment-services-cve-2021-4104/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db2-affect-ibm-spectrum-protect-server-cve-2021-38931-cve-2021-29678-cve-2021-20373-cve-2021-39002-cve-2021-38926/


∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-not-enforced-when-create-table-as-select-statement-is-executed-in-ibm-big-sql/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-and-golang-go-affect-ibm-spectrum-protect-server-cve-2021-35578-cve-2021-44716-cve-2021-44717/


∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-vulnerabilities-affect-ibm-spectrum-protect-backup-archive-client-ibm-spectrum-protect-for-virtual-environments-and-ibm-spectrum-protect-f/


∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-is-vulnerable-to-arbitrary-code-execution-because-of-apache-log4j-cve-2021-4104/


∗∗∗ Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-linux-kernel-samba-sudo-python-and-tcmu-runner-affect-ibm-spectrum-protect-plus-3/


∗∗∗ Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-copy-data-management-is-vulnerable-to-slowloris-http-header-injection-xss-and-csrf-cve-2022-22354-cve-2022-22344-cve-2021-39055-cve-2021-39051/


∗∗∗ Security Bulletin: Vulnerabilities in Celery, Golang Go, and Python affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-celery-golang-go-and-python-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-red-hat-openshift/


∗∗∗ Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-flask-and-python-affects-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore-cve-2021-33026-cve-2022-0391/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-and-golang-go-affect-ibm-spectrum-protect-server-cve-2021-35578-cve-2021-44716-cve-2021-44717-2/


∗∗∗ Security Bulletin: Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit-postgresql-openssl-openssh-and-jquery-affect-ibm-spectrum-copy-data-management/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-and-ibm-websphere-application-server-liberty-affect-ibm-operations-center-and-client-management-service-cve-2021-35578-cve-2021-35517-cve-202/


∗∗∗ Security Bulletin: Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit-node-js-openssh-and-golang-go-affect-ibm-spectrum-protect-plus-cve-2021-4034-cve-2022-21681-cve-2022-21680-cve-2022-0235-cve-2021-41617-cve-2021/


∗∗∗ Security Bulletin: Reverse Tabnabbing and Cross-Site Request Forgery vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-22348, CVE-2020-22346) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-and-cross-site-request-forgery-vulnerabilities-in-ibm-spectrum-protect-operations-center-cve-2020-22348-cve-2020-22346/


∗∗∗ K63603485: Linux kernel vulnerability CVE-2022-0847 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K63603485

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list