[CERT-daily] Tageszusammenfassung - 09.08.2023

Wed Aug 9 18:54:09 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 08-08-2023 18:00 − Mittwoch 09-08-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Malicious extensions can abuse VS Code flaw to steal auth tokens ∗∗∗
---------------------------------------------
Microsofts Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-extensions-can-abuse-vs-code-flaw-to-steal-auth-tokens/


∗∗∗ EvilProxy phishing campaign targets 120,000 Microsoft 365 users ∗∗∗
---------------------------------------------
EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-targets-120-000-microsoft-365-users/


∗∗∗ Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining ∗∗∗
---------------------------------------------
Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors.
---------------------------------------------
https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html


∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗
---------------------------------------------
Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“ oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-banking-im-umlauf/


∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗
---------------------------------------------
Es war ein schöner Tag dieser Freitag der 03. Februar 2023, aber wie es Freitage im Cybersicherheits-Umfeld leider so an sich haben, sollte sich das schnell ändern. Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde.
---------------------------------------------
https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kampagne


∗∗∗ Fantastic Rootkits: And Where To Find Them (Part 3) – ARM Edition ∗∗∗
---------------------------------------------
In this blog, we will discuss innovative rootkit techniques on a non-traditional architecture, Windows 11 on ARM64.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-3-arm-edition


=====================
=  Vulnerabilities  =
=====================

∗∗∗ FortiOS - Buffer overflow in execute extender command (CVE-2023-29182) ∗∗∗
---------------------------------------------
A stack-based buffer overflow vulnerability [CWE-121] in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-149


∗∗∗ Lenovo: Multi-vendor BIOS Security Vulnerabilities (August 2023) ∗∗∗
---------------------------------------------
The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. CVE Identifier: CVE-2022-24351, CVE-2022-27879, CVE-2022-37343, CVE-2022-38083, CVE-2022-40982, CVE-2022-41804, CVE-2022-43505, CVE-2022-44611, CVE-2022-46897, CVE-2023-2004, CVE-2023-20555, CVE-2023-20569, CVE-2023-23908, CVE-2023-26090, CVE-2023-27471, CVE-2023-28468, CVE-2023-31041, CVE-2023-34419, CVE-2023-4028, CVE-2023-4029, CVE-2023-4030
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500572-multi-vendor-bios-security-vulnerabilities-august-2023


∗∗∗ Lenovo: AMD Graphics OpenSSL Vulnerabilities ∗∗∗
---------------------------------------------
CVE Identifier: CVE-2022-3602, CVE-2022-3786 Summary Description: AMD reported two high severity OpenSSL vulnerabilities affecting certain versions of their product. Mitigation Strategy for Customers (what you should do to protect yourself): Update AMD Graphics Driver to the version (or newer) indicated for your model in the Product Impact section.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500575-amd-graphics-openssl-vulnerabilities


∗∗∗ Lenovo: Intel PROSet Wireless WiFi and Killer WiFi Advisory ∗∗∗
---------------------------------------------
CVE Identifier: CVE-2022-27635, CVE-2022-46329, CVE-2022-40964, CVE-2022-36351, CVE-2022-38076 Summary Description: Intel reported potential security vulnerabilities in some Intel PROSet/Wireless WiFi and Killer WiFi products that may allow escalation of privilege or denial of service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500574-intel-proset-wireless-wifi-and-killer-wifi-advisory


∗∗∗ Lenovo: Intel Chipset Firmware Advisory ∗∗∗
---------------------------------------------
CVE Identifier: CVE-2022-36392, CVE-2022-38102, CVE-2022-29871 Summary Description: Intel reported potential security vulnerabilities in the Intel Converged Security Management Engine (CSME) that may allow escalation of privilege and Denial of Service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500573-intel-chipset-firmware-advisory


∗∗∗ Xen XSA-432: Linux: buffer overrun in netback due to unusual packet (CVE-2023-34319) ∗∗∗
---------------------------------------------
The fix for XSA-423 added logic to Linuxes netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didnt account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area thats specially dealt with to keep all (possible) headers together.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-432.html


∗∗∗ Xen XSA-434 x86/AMD: Speculative Return Stack Overflow (CVE-2023-20569) ∗∗∗
---------------------------------------------
It is possible to poison the branch type and target predictions such that, at a point of the attackers choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attackers choosing. This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-434.html


∗∗∗ Xen XSA-435 x86/Intel: Gather Data Sampling ∗∗∗
---------------------------------------------
A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling threads. Therefore an attacker can infer data from the sibling thread, or from a more privileged context.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-435.html


∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982 ∗∗∗
---------------------------------------------
- An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause the host to crash. (CVE-2023-34319) - In addition, Intel has disclosed a security issue affecting certain Intel CPUs [..] (CVE-2022-40982) - In addition, AMD has disclosed a security issue affecting AMD CPUs [..] (CVE-2023-20569)
---------------------------------------------
https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982


∗∗∗ LibreSwan: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart ∗∗∗
---------------------------------------------
When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payloads protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart.
---------------------------------------------
https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt


∗∗∗ LibreSwan: CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart ∗∗∗
---------------------------------------------
When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR, receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon.
---------------------------------------------
https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt


∗∗∗ LibreSwan: CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart ∗∗∗
---------------------------------------------
When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a null pointer dereference on the deleted state causes the pluto daemon to crash and restart.
---------------------------------------------
https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt


∗∗∗ LWN: Stable kernels with security fixes ∗∗∗
---------------------------------------------
The 6.4.9, 6.1.44, 5.15.125, 5.10.189, 5.4.252, 4.19.290, and 4.14.321 stable kernel updates have all been released; they are dominated by fixes for the latest round of speculative-execution vulnerabilities. Do note the warning attached to each of these releases
---------------------------------------------
https://lwn.net/Articles/940798/


∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren entdeckt ∗∗∗
---------------------------------------------
Die Security-Konferenz Black Hat ist für AMD und Intel kein Spaß. Beide Hersteller müssen sich mit zahlreichen Sicherheitslücken befassen – BIOS-Updates kommen.
---------------------------------------------
https://heise.de/-9239339


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc).
---------------------------------------------
https://lwn.net/Articles/940912/


∗∗∗ SAP Patches Critical Vulnerability in PowerDesigner Product ∗∗∗
---------------------------------------------
SAP has fixed over a dozen new vulnerabilities with its Patch Tuesday updates, including a critical flaw in its PowerDesigner product.
---------------------------------------------
https://www.securityweek.com/sap-patches-critical-vulnerability-in-powerdesigner-product/


∗∗∗ Microsoft Releases August 2023 Security Updates ∗∗∗
---------------------------------------------
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-august-2023-security-updates


∗∗∗ Released: August 2023 Exchange Server Security Updates ∗∗∗
---------------------------------------------
We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811


∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-updates-multiple-products


∗∗∗ Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7023647


∗∗∗ protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 is used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7023656


∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7024675


∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server shipped with IBM Business Automation Workflow containers - April 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7024729


∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7016660


∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-38721) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7023423


∗∗∗ IBM App Connect Enterprise toolkit and IBM Integration Bus toolkit are vulnerable to a local authenticated attacker and a denial of service due to Guava and JDOM (CVE-2023-2976, CVE-2021-33813). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7024862


∗∗∗ IBM MQ is affected by multiple Angular JS vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7023212


∗∗∗ IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013499

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily