[CERT-daily] Tageszusammenfassung - 06.10.2022

Thu Oct 6 18:32:00 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 05-10-2022 18:00 − Donnerstag 06-10-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast ∗∗∗
---------------------------------------------
With just one malformed Zigbee frame, attackers could take over certain Ikea smart lightbulbs, leaving users unable to turn the lights down.
---------------------------------------------
https://www.darkreading.com/application-security/ikea-smart-light-system-flaw-lets-attackers-turn-bulbs-on-full-blast


∗∗∗ Ransomware: Sicherheitssoftware mit legitimem Treiber deaktiviert ∗∗∗
---------------------------------------------
Die Ransomware Blackbyte nutzt die Angriffstechnik Bring your own vulnerable Driver, um Antivirensoftware zu deaktivieren.
---------------------------------------------
https://www.golem.de/news/ransomware-sicherheitssoftware-mit-legitimem-treiber-deaktiviert-2210-168754.html


∗∗∗ A look at the 2020–2022 ATM/PoS malware landscape ∗∗∗
---------------------------------------------
We looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims in 2020-2022.
---------------------------------------------
https://securelist.com/atm-pos-malware-landscape-2020-2022/107656/


∗∗∗ Detecting and preventing LSASS credential dumping attacks ∗∗∗
---------------------------------------------
In this blog, we share examples of various threat actors that we’ve recently observed using the LSASS credential dumping technique. [..] Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should they fail to leverage credential dumping.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/


∗∗∗ MSSQL, meet Maggie ∗∗∗
---------------------------------------------
Continuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. [Keine kompromittierten Systeme in AT angeführt, Anm. d. Red.]
---------------------------------------------
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01


∗∗∗ CVE-2022–36635 — A SQL Injection in ZKSecurityBio to RCE ∗∗∗
---------------------------------------------
This is a write-up of CVE-2022–36635: SQLInjection found in a platform of physical security (access control, elevator control, guest management, patrol and parking management) called ZKSecurity Bio v4.1.3 and how it was used to obtain a RCE.
---------------------------------------------
https://medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-to-rce-c5bde2962d47


∗∗∗ Exchange Zero-Day: Microsoft bessert Workaround erneut nach ∗∗∗
---------------------------------------------
Nachdem der erste Workaround für eine Exchange Zero-Day-Lücke wirkungslos war und Microsoft nachbesserte, hat der Hersteller abermals eine Korrektur vorgelegt.
---------------------------------------------
https://heise.de/-7285558


∗∗∗ Gratis Entschlüsselungstool: Lücke in Ransomwares der Hades-Familie entdeckt ∗∗∗
---------------------------------------------
Opfer einiger Erpressungstrojan der der Hades-Familie wie MafiaWare666 können unter bestimmten Voraussetzungen wieder auf ihre Daten zugreifen.
---------------------------------------------
https://heise.de/-7285784


∗∗∗ Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style ∗∗∗
---------------------------------------------
Hidden DNS resolvers and how to compromise your infrastructure
---------------------------------------------
https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style/


∗∗∗ ESET Threat Report T2 2022 ∗∗∗
---------------------------------------------
Ein Blick auf die Bedrohungslandschaft im zweiten Drittel des Jahres 2022 aus Sicht der ESET-Telemetrie und aus der Perspektive der ESET-Experten.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/10/05/eset-threat-report-t2-2022-2/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ CVE-2022-41343 - RCE via Phar Deserialisation (Dompdf) ∗∗∗
---------------------------------------------
Dompdf is a popular library in PHP used for rendering PDF files from HTML. Tanto Security disclosed a vulnerability in Dompdf affecting version 2.0.0 and below. The vulnerability was patched in Dompdf v2.0.1. We recommend all Dompdf users update to the latest version as soon as possible.
---------------------------------------------
https://tantosec.com/blog/cve-2022-41343/


∗∗∗ Cisco Security Advisories 2022-10-05 ∗∗∗
---------------------------------------------
Cisco published 9 Security Advisories (2 High, 7 Medium Severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F10%2F05&firstPublishedEndDate=2022%2F10%2F05


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4).
---------------------------------------------
https://lwn.net/Articles/910492/


∗∗∗ Internet Systems Consortium DHCP: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Internet Systems Consortium DHCP ausnutzen, um einen Denial of Service Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1634


∗∗∗ Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-business-automation-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


∗∗∗ Security Bulletin: IBM QRadar DNS Analyzer App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-31129, CVE-2022-24785, CVE-2017-18214) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-dns-analyzer-app-for-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-cve-2022-31129-cve-2022-24785-cve-2017-18214/


∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2021-40690, CVE-2022-25647, XFID: 233967) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-multiple-vulnerabilities-cve-2021-40690-cve-2022-25647-xfid-233967/


∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to arbitrary code execution due to Expat (CVE-2022-40674) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulnerable-to-arbitrary-code-execution-due-to-expat-cve-2022-40674/


∗∗∗ K10812540: OpenJDK vulnerability CVE-2019-18197 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10812540?utm_source=f5support&utm_medium=RSS


∗∗∗ Rockwell Automation FactoryTalk VantagePoint ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-279-01


∗∗∗ HIWIN Robot System Software (HRSS) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-279-02


∗∗∗ Schwachstelle in SPRECON-V460 Visualisierungssoftware ∗∗∗
---------------------------------------------
https://www.sprecher-automation.com/it-sicherheit/security-alerts

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily