[CERT-daily] Tageszusammenfassung - 21.11.2023

Tue Nov 21 18:29:01 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 20-11-2023 18:00 − Dienstag 21-11-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits ∗∗∗
---------------------------------------------
The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits."Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the hosts resources to mine cryptocurrencies like Bitcoin, [..]
---------------------------------------------
https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.html


∗∗∗ How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography ∗∗∗
---------------------------------------------
Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them.
---------------------------------------------
https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html


∗∗∗ Gefälschte Zeitungsartikel bewerben betrügerische Investment-Angebote ∗∗∗
---------------------------------------------
Kriminelle fälschen Webseiten von Medien wie oe24 und ORF und füllen diese mit Fake-News. In den gefälschten Artikeln wird eine Möglichkeit beworben, wie man schnell reich wird. Angeblich geben Christoph Grissemann, Miriam Weichselbraun oder Armin Assinger Investitionstipps und erklären, dass jeder Mensch mit nur 250 Euro in wenigen Monaten eine Million machen kann.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-zeitungsartikel-bewerben-betruegerische-investment-angebote/


∗∗∗ CISA, FBI, MS-ISAC, and ASD’s ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed ∗∗∗
---------------------------------------------
Today, the (CISA), (FBI), (MS-ISAC), and Australian (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asds-acsc-release-advisory-lockbit-affiliates-exploiting-citrix-bleed


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets ∗∗∗
---------------------------------------------
Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings.
CVE Identifiers: CVE-2023-44353, CVE-2023-29300, CVE-2023-38203, CVE-2023-38204
---------------------------------------------
https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (activemq, strongswan, and wordpress), Mageia (u-boot), SUSE (avahi, frr, libreoffice, nghttp2, openssl, openssl1, postgresql, postgresql15, postgresql16, python-Twisted, ucode-intel, and xen), and Ubuntu (avahi, hibagent, nodejs, strongswan, tang, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/952088/


∗∗∗ Synology-SA-23:16 SRM (PWN2OWN 2023) ∗∗∗
---------------------------------------------
The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM).A vulnerability reported by PWN2OWN 2023 has been addressed.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_16


∗∗∗ [nextcloud]: Server-Side Request Forgery (SSRF) in Mail app ∗∗∗
---------------------------------------------
An attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4pp4-m8ph-2999


∗∗∗ [nextcloud]: DNS pin middleware can be tricked into DNS rebinding allowing SSRF ∗∗∗
---------------------------------------------
The DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f69-f9jg-4x3v


∗∗∗ [nextcloud]: user_ldap app logs user passwords in the log file on level debug ∗∗∗
---------------------------------------------
When the log level was set to debug the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr


∗∗∗ [nextcloud]: Can enable/disable birthday calendar for any user ∗∗∗
---------------------------------------------
An attacker could enable and disable the birthday calendar for any user on the same server.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3


∗∗∗ [nextcloud]: Admins can change authentication details of user configured external storage ∗∗∗
---------------------------------------------
It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2448-44rp-c7hh


∗∗∗ [nextcloud]: Self XSS when pasting HTML into Text app with Ctrl+Shift+V ∗∗∗
---------------------------------------------
When a user is tricked into copy pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p7g9-x25m-4h87


∗∗∗ [nextcloud]: HTML injection in search UI when selecting a circle with HTML in the display name ∗∗∗
---------------------------------------------
An attacker could insert links into circles name that would be opened when clicking the circle name in a search filter.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wgpw-qqq2-gwv6


∗∗∗ [nextcloud]: Users can make external storage mount points inaccessible for other users ∗∗∗
---------------------------------------------
A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well.
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267


∗∗∗ Zyxel security advisory for out-of-bounds write vulnerability in SecuExtender SSL VPN Client software ∗∗∗
---------------------------------------------
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software could allow a local authenticated user to gain a privilege escalation by sending a crafted CREATE message.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-out-of-bounds-write-vulnerability-in-secuextender-ssl-vpn-client-software


∗∗∗ WAGO: Remote Code execution vulnerability in managed Switches ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-037/


∗∗∗ PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-062/


∗∗∗ Multiple vulnerabilities on [Bosch Rexroth] ctrlX HMI / WR21 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-175607.html


∗∗∗ IBM Sterling B2B Integrator is affected by vulnerability in JDOM (CVE-2021-33813) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080105


∗∗∗ IBM Sterling B2B Integrator dashboard is vulnerable to cross-site request forgery (CVE-2022-35638) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080104


∗∗∗ IBM Sterling B2B Integrator affected by FasterXML Jackson-data vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080107


∗∗∗ IBM Sterling B2B Integrator affected by XStream security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080106


∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080117


∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080118


∗∗∗ Multiple security vulnerabilities have been identified in DB2 JDBC driver shipped with IBM Tivoli Business Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080122


∗∗∗ There is an Apache vulnerability in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080157


∗∗∗ There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080156


∗∗∗ There is a vulnerability in jetty-server-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080155


∗∗∗ Multiple security vulnerabilities in Snake YAML affect IBM Sterling B2B Integrator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080177


∗∗∗ IBM Sterling B2B Integrator affected by remote code execution due to Snake Yaml (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080174


∗∗∗ IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-25682) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080172


∗∗∗ IBM Sterling B2B Integrator is affected by sensitive information exposure due to Apache James MIME4J (CVE-2022-45787) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080175


∗∗∗ IBM Sterling B2B Integrator is vulnerable to denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7080176

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily