[CERT-daily] Tageszusammenfassung - 26.07.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 25-07-2023 18:00 − Mittwoch 26-07-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Mysterious Decoy Dog malware toolkit still lurks in DNS shadows ∗∗∗
---------------------------------------------
New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware-toolkit-still-lurks-in-dns-shadows/


∗∗∗ New Nitrogen malware pushed via Google Ads for ransomware attacks ∗∗∗
---------------------------------------------
A new Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/


∗∗∗ How to Scan A Website for Vulnerabilities ∗∗∗
---------------------------------------------
Even the most diligent site owners should consider when they had their last website security check. As our own research indicates, infections resulting from known website vulnerabilities continue to plague website owners. According to our 2022 Hacked Website Report, last year alone WordPress accounted for 96.2% of infected websites due to its market share and popularity. Statistics like these highlight why it’s so important that you regularly scan your website for vulnerabilities.
---------------------------------------------
https://blog.sucuri.net/2023/07/how-to-scan-website-for-vulnerabilities.html


∗∗∗ Sneaky Python package security fixes help no one – except miscreants ∗∗∗
---------------------------------------------
Good thing these eggheads have created a database of patches - Python security fixes often happen through "silent" code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, according to a group of computer security researchers.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silent_security_fixes/


∗∗∗ Tool Release: Cartographer ∗∗∗
---------------------------------------------
Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, honing in on target functionality, or even discovering unused content in video games.
---------------------------------------------
https://research.nccgroup.com/2023/07/20/tool-release-cartographer/


∗∗∗ New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets ∗∗∗
---------------------------------------------
Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware.
---------------------------------------------
https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-games-steals-cryptocurrency-wallets/


∗∗∗ Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability ∗∗∗
---------------------------------------------
GreyNoise researchers have identified active exploitation for a remote code execution (RCE) vulnerability in Citrix ShareFile (CVE-2023-24489)
---------------------------------------------
https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability



=====================
=  Vulnerabilities  =
=====================

∗∗∗ ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285) ∗∗∗
---------------------------------------------
ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/


∗∗∗ B&R Automation Runtime SYN Flooding Vulnerability in Portmapper ∗∗∗
---------------------------------------------
CVE-2023-3242, CVSS v3.1 Base Score: 8.6 The Portmapper service used in Automation Runtime versions <G4.93 is vulnerable to SYN flooding attacks. An unauthenticated network-based attacker may use this vulnerability to cause several services running on B&R Automation Runtime to become permanently inaccessible.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1689787619746-en-original-1.0.pdf


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amd64-microcode, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, iperf3, openjdk-17, and pandoc), Fedora (389-ds-base, kitty, and thunderbird), SUSE (libqt5-qtbase, libqt5-qtsvg, mysql-connector-java, netty, netty-tcnative, openssl, openssl-1_1, openssl1, php7, python-scipy, and xmltooling), and Ubuntu (amd64-microcode, avahi, libxpm, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, openstack-trove, and python-django).
---------------------------------------------
https://lwn.net/Articles/939305/


∗∗∗ Mattermost security updates 8.0.1 / 7.10.5 / 7.8.9 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.0.1, 7.10.5, and 7.8.9 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-8-0-1-7-10-5-7-8-9-esr-released/


∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗
---------------------------------------------
BOSCH-SA-247054-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed. Customers are advised to isolate the switch from the Internet if upgrading is not possible. The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-247054-bt.html


∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/26/cisa-adds-one-known-exploited-vulnerability-catalog-0


∗∗∗ Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95727578/


∗∗∗ AIX is vulnerable to denial of service due to zlib (CVE-2022-37434) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014483


∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2023-29469 and CVE-2023-28484) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014485


∗∗∗ IBM Security Directory Suite has multiple vulnerabilities [CVE-2022-33163 and CVE-2022-33168] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001885


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014649


∗∗∗ A security vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014651


∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014659


∗∗∗ CVE-2023-0465 may affect IBM CICS TX Advanced 10.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014675


∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010557


∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014699


∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014693


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to TensorFlow denial of service vulnerabilitiy [CVE-2023-25661] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014695


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to YAML denial of service vulnerabilitiy [CVE-2023-2251] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014697

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily