[CERT-daily] Tageszusammenfassung - 26.11.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 25-11-2024 18:00 − Dienstag 26-11-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Hackers exploit critical bug in Array Networks SSL VPN products ∗∗∗
---------------------------------------------
Americas Cyber Defense Agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug-in-array-networks-ssl-vpn-products/


∗∗∗ Matrix Unleashes A New Widespread DDoS Campaign ∗∗∗
---------------------------------------------
Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals.
---------------------------------------------
https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign


∗∗∗ Wake up and Smell the BitLocker Keys ∗∗∗
---------------------------------------------
>From this demonstration we can see that with a minimal set of tools and a small-time investment it is quite practical to access a drive encrypted with BitLocker. [..] This type of attack can be avoided by implementing a second factor for pre-boot authentication, either a user PIN and/or USB Startup Key.
---------------------------------------------
https://blog.nviso.eu/2024/11/26/wake-up-and-smell-the-bitlocker-keys/


∗∗∗ Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV… ∗∗∗
---------------------------------------------
There are many ways to disable or modify security solutions which you can for. e.g test with at least 53 different Atomic Red Team as starting point, but today I would like to limit myself to a few tools that successful ransomware groups use within the top 20 ransomware groups for October 2024.
---------------------------------------------
https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-av-d882c290a393?source=rss----d5fd8f494f6a---4


∗∗∗ Web-Security: Mit Content Security Policy gegen Cross-Site Scripting, Teil 2 ∗∗∗
---------------------------------------------
Erweiterte CSP-Direktiven helfen dabei, Anwendungen effizient gegen Cross-Site Scripting zu schützen.
---------------------------------------------
https://heise.de/-10175246


∗∗∗ Graykey: Entschlüsselungswerkzeug kann teilweise iOS 18 aufsperren ∗∗∗
---------------------------------------------
Im Zusammenhang mit Apples neuem Reboot-Schutz vor Entsperrung sind Informationen aufgetaucht, was Forensikunternehmen mit aktuellen iPhones tun können.
---------------------------------------------
https://heise.de/-10175639



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Dell Wyse Management Suite: Angreifer können Sicherheitsmechanismen umgehen ∗∗∗
---------------------------------------------
Einer Warnmeldung zufolge sind unter anderem DoS-Attacken (CVE-2024-49595 "hoch") denkbar, außerdem können Angreifer nicht näher beschriebene Sicherheitsmechanismen umgehen (CVE-2024-49597 "hoch"). In beiden Fällen sind Attacken aus der Ferne möglich, Angreifer benötigen aber bereits hohe Nutzerrechte.
---------------------------------------------
https://www.heise.de/-10176009


∗∗∗ Trellix: Update dichtet Sicherheitslücken in Enterprise Security Manager ab ∗∗∗
---------------------------------------------
Auf konkrete Sicherheitslücken geht Trellix nicht weiter ein. Jedoch aktualisiert Trellix ESM 11.6.13 etwa Azul Java und geht damit mehrere nicht aufgelistete CVEs an. Ebenso bessert die mitgelieferte libcurl-Bibliothek zwei Sicherheitslücken aus (CVE-2023-38545, CVSS 9.8, Risiko "kritisch"; CVE-2023-38546, CVSS 3.7, niedrig). Auch im "Snow Service" lauerten zuvor zwei "Reverse Shell"-Schwachstellen (CVE-2024-1148, CVSS 9.8, kritisch; CVE-2024-11482 [noch nicht öffentlich]).
---------------------------------------------
https://www.heise.de/-10176250


∗∗∗ Wordpress-Plug-in Anti-Spam by Cleantalk gefährdet 200.000 Seiten ∗∗∗
---------------------------------------------
Nicht authentifizierte Angreifer können dadurch auf angreifbaren Wordpress-Instanzen beliebige Plug-ins installieren und aktivieren und somit am Ende beliebigen Code ausführen (CVE-2024-10542, CVSS 9.8, Risiko "kritisch").
---------------------------------------------
https://heise.de/-10175993


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics- commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson).
---------------------------------------------
https://lwn.net/Articles/999744/


∗∗∗ WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN87182660/


∗∗∗ VMware: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities(CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834) ∗∗∗
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25199


∗∗∗ Mozilla Security Advisories November 26, 2024 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/


∗∗∗ Splunk: SVD-2024-1102: Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1102


∗∗∗ Splunk: SVD-2024-1101: Third-Party Package Updates in Python for Scientific Computing - November 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1101


∗∗∗ Synology-SA-24:25 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_25


∗∗∗ Synology-SA-24:15 BeeFiles ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_15


∗∗∗ Hitachi Energy RTU500 Scripting Interface ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05


∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04


∗∗∗ F5: K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148713


∗∗∗ PHP Patches Multiple Vulnerabilities Including CVE-2024-8932 ∗∗∗
---------------------------------------------
https://thecyberthrone.in/2024/11/26/php-patches-multiple-vulnerabilities-including-cve-2024-8932/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily