[CERT-daily] Tageszusammenfassung - 24.08.2023

Thu Aug 24 18:39:00 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 23-08-2023 18:00 − Donnerstag 24-08-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute ∗∗∗
---------------------------------------------
The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems positions by scanning nearby Wi-Fi access points as a data point for Googles geolocation API," [...]
---------------------------------------------
https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html


∗∗∗ Using LLMs to reverse JavaScript variable name minification ∗∗∗
---------------------------------------------
This blog introduces a novel way to reverse minified Javascript using large language models (LLMs) like ChatGPT and llama2 while keeping the code semantically intact. The code is open source and available at Github
---------------------------------------------
https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification


∗∗∗ Microsoft: Windows-Update-Vorschauen schützen vor Downfall-CPU-Lücke ∗∗∗
---------------------------------------------
Microsoft hat die Vorschauen auf die Windows-Updates im September veröffentlicht. Sie bringen Gegenmaßnahmen für die Downfall-Intel-CPU-Lücke mit.
---------------------------------------------
https://heise.de/-9283485


∗∗∗ FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to “remove all ESG appliances immediately”.
---------------------------------------------
https://www.securityweek.com/fbi-patches-for-recent-barracuda-esg-zero-day-ineffective/


∗∗∗ Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT ∗∗∗
---------------------------------------------
This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
---------------------------------------------
https://blog.talosintelligence.com/lazarus-quiterat/


∗∗∗ Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study ∗∗∗
---------------------------------------------
In this blog post, we provide a deep dive into Check Point’s ongoing use of such a model to sweep across this haystack, and routinely thwart malicious campaigns abusing the DNS protocol to communicate with C&C servers. We focus on one such campaign, of CoinLoader, and lay out its infrastructure as well as an in-depth technical analysis of its DNS tunnelling functionality.
---------------------------------------------
https://research.checkpoint.com/2023/tunnel-warfare-exposing-dns-tunneling-campaigns-using-generative-models-coinloader-case-study/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitsupdates: DoS-Attacken auf Firewalls und Switches von Cisco möglich ∗∗∗
---------------------------------------------
Angreifer können Geräte von Cisco via DoS-Attacken lahmlegen. Der Netzwerkausrüster hat Sicherheitspatches veröffentlicht.
---------------------------------------------
https://heise.de/-9283445


∗∗∗ Security Advisories for Drupal contributed projects ∗∗∗
---------------------------------------------
* Config Pages - Moderately critical - Information Disclosure * Shorthand - Critical - Access bypass * SafeDelete - Moderately critical - Access bypass * Data field - Moderately critical - Access bypass * ACL - Critical - Arbitrary PHP code execution * Forum Access - Critical - Arbitrary PHP code execution * Flexi Access - Critical - Arbitrary PHP code execution
---------------------------------------------
https://www.drupal.org/security/contrib


∗∗∗ CVE-2023-35150: Arbitrary Code Injection in XWiki.org XWiki ∗∗∗
---------------------------------------------
[..] detail a recently patched remote code execution vulnerability in the XWiki free wiki software platform. This bug was originally discovered by Michael Hamann with public Proof-of-Concept (PoC) code provided by Manuel Leduc. Successful exploitation of this vulnerability would allow an authenticated attacker to perform an arbitrary code injection on affected systems.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/8/22/cve-2023-35150-arbitrary-code-injection-in-xwikiorg-xwiki


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (w3m), Fedora (libqb), Mageia (docker-containerd, kernel, kernel-linus, microcode, php, redis, and samba), Oracle (kernel, kernel-container, and openssh), Scientific Linux (subscription-manager), SUSE (ca-certificates-mozilla, erlang, gawk, gstreamer-plugins-base, indent, java-1_8_0-ibm, kernel, kernel-firmware, krb5, libcares2, nodejs14, nodejs16, openssl-1_1, openssl-3, poppler, postfix, redis, webkit2gtk3, and xen), and Ubuntu (php8.1).
---------------------------------------------
https://lwn.net/Articles/942654/


∗∗∗ Synology-SA-23:12 Synology SSL VPN Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_12


∗∗∗ MISP 2.4.175 released with various bugs fixed, improvements and security fixes. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2023/08/24/MISP.2.4.175.released.html/


∗∗∗ OPTO 22 SNAP PAC S1 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-02


∗∗∗ CODESYS Development System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-03


∗∗∗ CODESYS Development System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-04


∗∗∗ CODESYS Development System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-05


∗∗∗ Rockwell Automation Input/Output Modules ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-06


∗∗∗ KNX Protocol ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01


∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028350


∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028511


∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028506


∗∗∗ IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028509


∗∗∗ IBM Security Guardium is affected by an SQL Injection vulnerability (CVE-2023-33852) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028514


∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028513


∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028095


∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4304) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028709


∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028713


∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality due to [CVE-2023-26268] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028728


∗∗∗ IBM App Connect Enterprise Certified Container operands that use the Box or Snowflake connectors are vulnerable to arbitrary code execution due to [CVE-2023-37466], [CVE-2023-37903] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028727

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily