[CERT-daily] Tageszusammenfassung - 27.07.2023

Thu Jul 27 18:07:49 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 26-07-2023 18:00 − Donnerstag 27-07-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Windows 10 KB5028244 update released with 19 fixes, improved security ∗∗∗
---------------------------------------------
Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5028244-update-released-with-19-fixes-improved-security/


∗∗∗ APT trends report Q2 2023 ∗∗∗
---------------------------------------------
This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.
---------------------------------------------
https://securelist.com/apt-trends-report-q2-2023/110231/


∗∗∗ Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining ∗∗∗
---------------------------------------------
Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners.The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet.
---------------------------------------------
https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html


∗∗∗ Android Güncelleme – dissecting a malicious update installer ∗∗∗
---------------------------------------------
Recently, during one of F-Secure Android’s routine tests, we came across one such fake Android update sample – Android Güncelleme, that proved to be evasive and exhibited interesting exfiltration characteristics. Although the sample is not novel (some features have already been covered in other articles on the Internet), it nevertheless combines several malicious actions together, such as anti-analysis and anti-uninstallation, making it a more potent threat.
---------------------------------------------
https://blog.f-secure.com/android-guncelleme-dissecting-a-malicious-update-installer/


∗∗∗ Fruity trojan downloader performs multi-stage infection of Windows computers ∗∗∗
---------------------------------------------
For about a year, Doctor Web has been registering support requests from users complaining about Windows-based computers getting infected with the Remcos RAT (Trojan.Inject4.57973) spyware trojan. While investigating these incidents, our specialists uncovered an attack in which Trojan.Fruity.1, a multi-component trojan downloader, played a major role. To distribute it, threat actors create malicious websites and specifically crafted software installers.
---------------------------------------------
https://news.drweb.com/show/?i=14728&lng=en&c=9


∗∗∗ SySS Proof of Concept-Video: "Reversing the Irreversible, again: Unlocking locked Omnis Studio classes" (CVE-2023-38334) ∗∗∗
---------------------------------------------
Das Softwareentwicklungstool unterstützt eine nach eigenen Angaben irreversible Funktion, mit der sich Programmklassen in Omnis-Bibliotheken sperren lassen (locked classes).[..] Aufgrund von Implementierungsfehlern, die während eines Sicherheitstests entdeckt wurden, ist es jedoch möglich, gesperrte Omnis-Klassen zu entsperren, um diese im Omnis Studio-Browser weiter analysieren oder auch modifizieren zu können. Dieser Sachverhalt erfüllt nicht die Erwartungen an eine irreversible Funktion.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-proof-of-concept-video-reversing-the-irreversible-again-unlocking-locked-omnis-studio-classes


∗∗∗ Vorsicht bei "fehlgeschlagenen Zahlungen" auf Booking ∗∗∗
---------------------------------------------
Sie haben eine Nachricht des Hotels bekommen, das Sie über Booking.com gebucht haben und werden zur Bestätigung Ihrer Kreditkarte aufgefordert? Achtung – hierbei handelt es sich um eine ausgeklügelte Phishing-Masche! Die Kriminellen stehlen Ihre Daten und Sie bezahlen Ihr Hotel doppelt!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-fehlgeschlagenen-zahlungen-auf-booking/


∗∗∗ Online-Banking: Vorsicht vor Suchmaschinen-Phishing ∗∗∗
---------------------------------------------
Cyberkriminelle bewerben ihre betrügerischen Bank-Webseiten auch bei populären Suchmaschinen wie Google, Yahoo oder Bing.
---------------------------------------------
https://www.zdnet.de/88410826/online-banking-vorsicht-vor-suchmaschinen-phishing/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation ∗∗∗
---------------------------------------------
The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains a unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.
---------------------------------------------
https://kb.cert.org/vuls/id/813349


∗∗∗ Schwachstellen entdeckt: 40 Prozent aller Ubuntu-Systeme erlauben Rechteausweitung ∗∗∗
---------------------------------------------
Zwei Schwachstellen im OverlayFS-Modul von Ubuntu gefährden zahllose Server-Systeme. Admins sollten die Kernel-Module zeitnah aktualisieren. (Sicherheitslücke, Ubuntu)
---------------------------------------------
https://www.golem.de/news/schwachstellen-entdeckt-40-prozent-aller-ubuntu-systeme-erlauben-rechteausweitung-2307-176205.html


∗∗∗ ZDI-23-1002: SolarWinds Network Configuration Manager VulnDownloader Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Configuration Manager. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-1002/


∗∗∗ Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032 ∗∗∗
---------------------------------------------
Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-032


∗∗∗ Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031 ∗∗∗
---------------------------------------------
The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: Originally the solution was listed as just updating the module, however, a cache rebuild will be necessary for the solution to take effect.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-031


∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability, July 2023 ∗∗∗
---------------------------------------------
The Progress Sitefinity team recently discovered a potential security vulnerability in the Progress Sitefinity .NET Core Renderer Application. It has since been addressed. [..] For optimal security, we recommend an upgrade to the latest Sitefinity .NET Core Renderer version, which currently is 14.4.8127. A product update is also available for older supported Sitefinity versions
---------------------------------------------
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-July-2023


∗∗∗ SolarWinds Platform Security Advisories ∗∗∗
---------------------------------------------
- Access Control Bypass Vulnerability CVE-2023-3622
- Incorrect Behavior Order Vulnerability CVE-2023-33224
- Incorrect Input Neutralization Vulnerability CVE-2023-33229
- Deserialization of Untrusted Data Vulnerability CVE-2023-33225
- Incomplete List of Disallowed Inputs Vulnerability CVE-2023-23844 - Incorrect Comparison Vulnerability CVE-2023-23843
---------------------------------------------
https://www.solarwinds.com/trust-center/security-advisories


∗∗∗ SECURITY BULLETIN: July 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
CVE Identifier(s): CVE-2023-38624, CVE-2023-38625, CVE-2023-38626, CVE-2023-38627
CVSS 3.0 Score(s): 4.2
Post-authenticated server-side request forgery (SSRF) vulnerabilities in Trend Micro Apex Central 2019 could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000294176?language=en_US


∗∗∗ Security updates available in Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1 ∗∗∗
---------------------------------------------
Platform: macOS
Summary: Foxit has released Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1, which address potential security and stability issues.
CVE-2023-28744, CVE-2023-38111, CVE-2023-38107, CVE-2023-38109, CVE-2023-38113, CVE-2023-38112, CVE-2023-38110, CVE-2023-38117
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html


∗∗∗ Sicherheitsupdates: Angreifer können Access Points von Aruba übernehmen ∗∗∗
---------------------------------------------
Wenn die Netzwerkbetriebssysteme ArubaOS 10 oder InstantOS zum Einsatz kommen, sind Access Points von Aruba verwundbar.
---------------------------------------------
https://heise.de/-9227914


∗∗∗ Jetzt patchen! Root-Sicherheitslücke gefährdet Mikrotik-Router ∗∗∗
---------------------------------------------
Stimmten die Voraussetzungen, können sich Angreifer in Routern von Mikrotik zum Super-Admin hochstufen.
---------------------------------------------
https://heise.de/-9226696


∗∗∗ Sicherheitsupdate: Angreifer können Sicherheitslösung Sophos UTM attackieren ∗∗∗
---------------------------------------------
Sophos Unified Threat Management ist verwundbar. Aktuelle Software schafft Abhilfe.
---------------------------------------------
https://heise.de/-9228570


∗∗∗ Synology-SA-23:10 SRM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraint, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_10


∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
- ICSA-23-208-01 ETIC Telecom RAS Authentication
- ICSA-23-208-02 PTC KEPServerEX
- ICSA-23-208-03 Mitsubishi Electric CNC Series
- ICSA-22-307-01 ETIC RAS (Update A)
- ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B)

---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-releases-five-industrial-control-systems-advisories


∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-060/


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012005


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Angular ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012009


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012001


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012033


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014267


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Bouncy Castle ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012003


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012037


∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014905


∗∗∗ IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014929


∗∗∗ IBM B2B Advanced Communications is vulnerable to denial of service (CVE-2023-24971) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014933


∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOps ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014939


∗∗∗ IBM\u00ae Db2\u00ae has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010557


∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go denial of service vulnerability ( CVE-2022-41724) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014981


∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014991


∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2020-24736] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014993


∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to security restriction bypass due to [CVE-2023-24329] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014995


∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to privilege elevation due to [CVE-2023-26604] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014997


∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities in libtiff ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014999


∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7015003


∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7015007


∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to denial of service due to [CVE-2023-34453], [CVE-2023-34454], [CVE-2023-34455] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7015009


∗∗∗ IBM Event Streams is affected by multiple vulnerabilities in Golang Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014405

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily