=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-01-2022 18:00 − Monday 31-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Log4Shell: Taking stock ∗∗∗
---------------------------------------------
After the panic over the biggest security vulnerability of all time, the big bang never came. Is it still coming, or have we weathered the worst of it?
---------------------------------------------
https://heise.de/-6342536
∗∗∗ Dubious moving companies: Beware of offers that are too cheap ∗∗∗
---------------------------------------------
Are you moving house and looking for a moving company? Our tip: don't be fooled by cut-price offers! Fixed-price offers such as "25 euros per hour for 2 men including truck" are completely unrealistic. These are bait offers. Once you hire them, you will ultimately be charged 3 to 4 times the price!
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei…
∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗
---------------------------------------------
A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) to turn your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-e…
∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗
---------------------------------------------
Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, for example, the right to forward or copy the original email.
---------------------------------------------
https://isc.sans.edu/diary/rss/28292
∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗
---------------------------------------------
It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory.
---------------------------------------------
https://github.com/cado-security/rip_raw
∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗
---------------------------------------------
This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post.
---------------------------------------------
https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4
∗∗∗ On our own behalf: CERT.at is hiring (Junior IT Security Analyst, IT Security Analyst, Python Developer) ∗∗∗
---------------------------------------------
We are currently looking for:
- Career starters or career changers with a strong interest in IT security, to support the daily routine tasks
- IT/OT security generalists or specialists in the area of Windows security, with practical experience
- Python developers to further develop existing open-source projects, in particular IntelMQ and Tuency
Details can be found on our jobs page.
---------------------------------------------
https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-ju…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗
---------------------------------------------
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/119678
∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server.
---------------------------------------------
https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB002…
∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory Intel Graphics Drivers Advisory ∗∗∗
---------------------------------------------
Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-d…
∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗
---------------------------------------------
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
---------------------------------------------
https://openssl.org/news/secadv/20220128.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...]
---------------------------------------------
https://lwn.net/Articles/883322/
∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗
---------------------------------------------
Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b5206…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner…
∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54450124
∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K46015513
∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-002/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-01-2022 18:00 − Friday 28-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Let's Encrypt: What admins need to do today ∗∗∗
---------------------------------------------
Today at 5 p.m. Let's Encrypt is revoking certificates. We describe how admins can check whether they are affected. A guide by Hanno Böck
---------------------------------------------
https://www.golem.de/news/let-s-encrypt-was-admins-heute-tun-muessen-2201-1…
∗∗∗ Fake prize draw leads to a subscription trap: Fraudsters pose as Ö-Ticket! ∗∗∗
---------------------------------------------
On Facebook, criminals are posing as Ö-Ticket under the page "Oeticket Österreich" and advertising the "prize draw of the year". The prize is 2 tickets for an Ed Sheeran concert. But beware: with this scheme, the criminals are trying to get hold of your credit card details and lure you into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-gewinnspiel-fuehrt-in-abo-falle…
∗∗∗ QNAP attempts forced update after 3,600 DeadBolt ransomware infections ∗∗∗
---------------------------------------------
QNAP users are currently falling victim to the DeadBolt ransomware; I had not covered it on the blog, but within a week there were reportedly over 3,600 victims. The NAS manufacturer is now resorting to drastic measures and attempting to forcibly update the firmware of affected devices.
---------------------------------------------
https://www.borncity.com/blog/2022/01/28/qnap-probt-zwangsupdate-nach-3-600…
∗∗∗ EU to create pan-European cyber incident coordination framework ∗∗∗
---------------------------------------------
The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to better coordinate when having to respond to major cross-border cyber incidents impacting the Union's financial sector.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cy…
∗∗∗ Doctor Web’s December 2021 review of virus activity on mobile devices ∗∗∗
---------------------------------------------
According to detection statistics from Dr.Web for Android anti-virus products, adware trojans remained the most active Android threat in December. Another common threat detected on protected devices was malware that downloaded other apps. At the same time, more threats have been found on Google Play, like fake apps from the Android.FakeApp malware family. These are used in various fraudulent schemes.
---------------------------------------------
https://news.drweb.com/show/?i=14408&lng=en&c=9
∗∗∗ Doctor Web’s December 2021 virus activity review ∗∗∗
---------------------------------------------
Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic.
---------------------------------------------
https://news.drweb.com/show/?i=14410&lng=en&c=9
∗∗∗ Why are WordPress Websites Targeted by Hackers? ∗∗∗
---------------------------------------------
If you are wondering why your WordPress site keeps getting hacked, or why you're being targeted by hackers, we've compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With over 40% of sites on the web utilizing WordPress to some extent, it's only expected for bad actors to take advantage of its popularity.
---------------------------------------------
https://blog.sucuri.net/2022/01/why-are-wordpress-sites-targeted-by-hackers…
∗∗∗ Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim's network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials.
---------------------------------------------
https://thehackernews.com/2022/01/hackers-using-device-registration-trick.h…
∗∗∗ How to avoid an open source security nightmare ∗∗∗
---------------------------------------------
Just as it would be a mistake to say that all closed source projects are bug-free, it's a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases.
---------------------------------------------
https://www.zdnet.com/article/how-to-avoid-an-open-source-security-nightmar…
∗∗∗ Weekly Threat Report 28th January 2022 ∗∗∗
---------------------------------------------
Read about the Mirai-based malware exploiting poor security, CISA updates and the new Scanning Made Easy trial service from the NCSC.
---------------------------------------------
https://www.ncsc.gov.uk/report/weekly-threat-report-28th-january-2022
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates available in Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1 ∗∗∗
---------------------------------------------
Foxit has released Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1, which address potential security and stability issues. CVE-2018-1285, CVE-2021-40420, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741, CVE-2022-22150
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) ∗∗∗
---------------------------------------------
2022-01-27: VMSA-2022-0028.10 - Revised advisory with updates to multiple products, including vCenter Server.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/883047/
∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗
---------------------------------------------
BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-637429.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-01-2022 18:00 − Thursday 27-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
How are the email security systems bypassed with vulnerability on "Microsoft Outlook for Mac"? Improper hyperlink translation in "Microsoft Outlook for Mac" leads to the complete bypassing of email security systems and sending the malicious link to the victim as clickable. [..] The below investigation was performed with trial accounts provided by multiple vendors and reported responsibly to Microsoft, which has taken action to remedy the problem.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2020-06…
∗∗∗ Round of updates: macOS 12.2, watchOS 8.4 and tvOS 15.3 fix bugs ∗∗∗
---------------------------------------------
Alongside iOS and iPadOS 15.3, Apple has also updated all of its other operating systems. There is also a HomePod OS update.
---------------------------------------------
https://heise.de/-6340079
∗∗∗ Hackers Using New Evasive Technique to Deliver AsyncRAT Malware ∗∗∗
---------------------------------------------
[..] Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process.
---------------------------------------------
https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.ht…
∗∗∗ Configuring Linux auditd for Threat Detection ∗∗∗
---------------------------------------------
The topics I look to cover in this article are
- Quick intro to the Linux Audit System
- Tips when writing audit rules
- Designing a configuration for security monitoring
- What to record with auditd
- Tips on managing noise
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
∗∗∗ Financially Motivated Mobile Scamware Exceeds 100M Installations ∗∗∗
---------------------------------------------
In the pursuit of identifying and taking down similar financially motivated scams, zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. [..] At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play.
---------------------------------------------
https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-insta…
∗∗∗ Act now! DeadBolt ransomware is targeting Qnap NAS ∗∗∗
---------------------------------------------
The network-attached storage (NAS) manufacturer Qnap is once again warning of ransomware attacks and giving important tips on securing devices.
---------------------------------------------
https://heise.de/-6340174
∗∗∗ Fraud with a counterfeit buyer protection scheme on ebay-kleinanzeigen.de ∗∗∗
---------------------------------------------
eBay-kleinanzeigen.de is a popular classifieds platform. As on some other well-known marketplaces, a secure payment method is offered directly on the platform. Criminals exploit this by moving the communication away from the official website and app, for example to WhatsApp. Later they point to counterfeit websites and divert payments straight into their own pockets!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-mit-nachgebautem-kaeuferschut…
∗∗∗ The January 2022 Security Update Review ∗∗∗
---------------------------------------------
The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
---------------------------------------------
https://www.thezdi.com/blog/2022/1/11/the-january-2022-security-update-revi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014 ∗∗∗
---------------------------------------------
Project: Private Taxonomy Terms
Security risk: Critical
Description: This module enables users to create private vocabularies. The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-014
∗∗∗ Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011 ∗∗∗
---------------------------------------------
Project: Navbar
Security risk: Moderately critical
Description: This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-011
∗∗∗ Xerox Versalink Denial Of Service ∗∗∗
---------------------------------------------
A specifically crafted TIFF payload may be submitted to the printer's job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad infinitum.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022010119
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).
---------------------------------------------
https://lwn.net/Articles/882882/
∗∗∗ Synology-SA-22:02 Samba ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_02
∗∗∗ Drupal: Bugs in unsupported sub-projects ∗∗∗
---------------------------------------------
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. [..] If you use this project, you should uninstall it.
- Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022 https://www.drupal.org/sa-contrib-2022-022
- Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021 https://www.drupal.org/sa-contrib-2022-021
- Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020 https://www.drupal.org/sa-contrib-2022-020
- Vendor Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-019 https://www.drupal.org/sa-contrib-2022-019
- Cog - Critical - Unsupported - SA-CONTRIB-2022-018 https://www.drupal.org/sa-contrib-2022-018
- Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017 https://www.drupal.org/sa-contrib-2022-017
- Vocabulary Permissions Per Role - Critical - Unsupported - SA-CONTRIB-2022-016 https://www.drupal.org/sa-contrib-2022-016
- Exif - Critical - Unsupported - SA-CONTRIB-2022-015 https://www.drupal.org/sa-contrib-2022-015
- Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013 https://www.drupal.org/sa-contrib-2022-013
- Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012 https://www.drupal.org/sa-contrib-2022-012
- Rate - Critical - Unsupported - SA-CONTRIB-2022-010 https://www.drupal.org/sa-contrib-2022-010
- Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009 https://www.drupal.org/sa-contrib-2022-009
- Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008 https://www.drupal.org/sa-contrib-2022-008
- Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007 https://www.drupal.org/sa-contrib-2022-007
- Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005 https://www.drupal.org/sa-contrib-2022-005
- Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006 https://www.drupal.org/sa-contrib-2022-006
---------------------------------------------
https://www.drupal.org/security/contrib
∗∗∗ Security Bulletin: IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-i…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-22960, CVE-2021-22959 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service…
∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana…
∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-01-2022 18:00 − Wednesday 26-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ALPN: One percent of Let's Encrypt certificates are being revoked ∗∗∗
---------------------------------------------
Let's Encrypt reports that there were problems with the ALPN validation method and that certificates issued using it are being revoked.
---------------------------------------------
https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wi…
∗∗∗ Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th) ∗∗∗
---------------------------------------------
Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which is embedded by Hewlett-Packard Enterprise on some of their servers. Besides its use for maintenance, it is often used by administrators for an emergency access to the server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from the security standpoint, access to them should always be limited to relevant administrator groups only and their firmware should always be kept up to date.
---------------------------------------------
https://isc.sans.edu/diary/rss/28276
∗∗∗ German govt warns of APT27 hackers backdooring business networks ∗∗∗
---------------------------------------------
"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-h…
∗∗∗ Sysdig report: The majority of container deployments have vulnerabilities ∗∗∗
---------------------------------------------
Sysdig observes a continuing shift left in container security, but many vulnerabilities remain unpatched and permission configurations remain inadequate.
---------------------------------------------
https://heise.de/-6336816
∗∗∗ Root access on Linux via Polkit vulnerability ∗∗∗
---------------------------------------------
Security researchers have discovered a vulnerability in Polkit that enables privilege escalation. Patches are already available for many distributions.
---------------------------------------------
https://heise.de/-6338569
∗∗∗ Fake shops pose as warehouse clearance outlets ∗∗∗
---------------------------------------------
We are currently coming across more and more fake shops that claim to specialise in warehouse clearances or to sell surplus stock from Amazon or department stores. This is how they justify their low prices for brand products such as KitchenAid, Weber or DeLonghi. But anyone who looks closely will recognise that these are fake shops.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer…
∗∗∗ Vidar Exploiting Social Media Platform (Mastodon) ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/30875/
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in TransmitMail ∗∗∗
---------------------------------------------
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below.
- Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146
- Cross-site scripting (CWE-79) - CVE-2022-21193
---------------------------------------------
https://jvn.jp/en/jp/JVN70100915/
∗∗∗ Security Update - Fix available for a privilege escalation vulnerability ∗∗∗
---------------------------------------------
This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change passwords of a more privileged account.
---------------------------------------------
https://pitstop.manageengine.com/portal/en/community/topic/security-update-…
∗∗∗ Denial of service & User Enumeration in WAGO 750-8xxx PLC ∗∗∗
---------------------------------------------
The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing side channel. By exploiting these vulnerabilities, the remote usage of the Codesys services can be prevented and existing usernames on the device can be identified. [..] WAGO's customers should upgrade the firmware to the latest version available.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-e…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server).
---------------------------------------------
https://lwn.net/Articles/882724/
∗∗∗ Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automat…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: IBM Observability by Instana and IBM Observability with Instana – Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-inst…
∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4…
∗∗∗ Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ GE Gas Power ToolBoxST ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01
∗∗∗ Injection of arbitrary HTML code in Bosch Video Security Android App ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-01-2022 18:00 − Dienstag 25-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Responsible Disclosure: On finding and reporting security vulnerabilities ∗∗∗
---------------------------------------------
On behalf of an ISP, I found several security vulnerabilities in a Cisco router. Here I explain how I went about it. A field report by Marco Wiorek
---------------------------------------------
https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-…
∗∗∗ Analysis: Linux and ESXi variants of the LockBit ransomware ∗∗∗
---------------------------------------------
Researchers at Trend Micro Research have taken up the topic of LockBit ransomware in an analysis, because this ransomware no longer threatens only Windows systems. There are already samples that can also infect Linux and VMware ESXi instances.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-d…
∗∗∗ Full access through backdoor in WordPress extensions ∗∗∗
---------------------------------------------
Following a server break-in, backdoor code ended up in plugins and themes from AccessPress. Attackers could use it to take over WordPress instances.
---------------------------------------------
https://heise.de/-6337344
∗∗∗ Patch now! Attacks on SonicWall's SMA 100 remote access solution ∗∗∗
---------------------------------------------
Security researchers warn that attackers currently have SonicWall Secure Mobile Access in their sights. There is something that can be done about it.
---------------------------------------------
https://heise.de/-6337222
∗∗∗ Selling on willhaben, ebay & Co: do not handle payment and shipping via „Kurierdienst Post“ or „ebay Selling“ ∗∗∗
---------------------------------------------
On ebay, willhaben, Shpock and the like, fraudulent buyers are currently increasingly up to no good. They can be quickly exposed, however: fraudulent buyers want to handle payment and shipping of your product via special services, supposedly courier services of the Post or ebay. These are fake!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahl…
∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗
---------------------------------------------
Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques.
---------------------------------------------
https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/
∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗
---------------------------------------------
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products.
---------------------------------------------
https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html
∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗
---------------------------------------------
A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...]
---------------------------------------------
https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.h…
∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗
---------------------------------------------
We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.
---------------------------------------------
https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent…
∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗
---------------------------------------------
Attackers have targeted hundreds of organisations, says Microsoft security.
---------------------------------------------
https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-th…
∗∗∗ Introducing Scanning Made Easy ∗∗∗
---------------------------------------------
A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy
=====================
= Vulnerabilities =
=====================
∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗
---------------------------------------------
CVE ID: CVE-2022-22509; CVSS 3.1: 8.8. In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: Upgrade to firmware 3.10 or higher.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-001/
∗∗∗ Critical security vulnerability in Unisys Messaging Integration Services ∗∗∗
---------------------------------------------
Unauthorised users could gain access to servers due to faulty password checks in Unisys Messaging Integration Services (NTSI).
---------------------------------------------
https://heise.de/-6337226
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).
---------------------------------------------
https://lwn.net/Articles/882552/
∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗
---------------------------------------------
PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings.
---------------------------------------------
https://www.securityweek.com/printerlogic-patches-code-execution-flaws-prin…
∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 and free disk space ∗∗∗
---------------------------------------------
Security vendor Trend Micro has released critical update 2380 for its Worry Free Business Security (WFBS). The patch is intended to fix a security issue in a component that makes the antivirus solution vulnerable to attack. What is not mentioned: installing this critical patch requires at least 13 gigabytes of free disk space on the system drive.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-se…
∗∗∗ XSA-395 ∗∗∗
---------------------------------------------
Insufficient cleanup of passed-through device IRQs
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-395.html
∗∗∗ XSA-394 ∗∗∗
---------------------------------------------
A PV guest could DoS Xen while unmapping a grant
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-394.html
∗∗∗ XSA-393 ∗∗∗
---------------------------------------------
arm: guest_physmap_remove_page not removing the p2m mappings
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-393.html
∗∗∗ GNU libc: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0097
∗∗∗ Foxit Reader: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0096
∗∗∗ Node.js: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0094
∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5…
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 21-01-2022 18:00 − Montag 24-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Successful attack on user accounts at Thalia ∗∗∗
---------------------------------------------
To prevent harm to customers, Thalia changed the passwords of the affected accounts. The customers concerned were informed by e-mail. In the e-mail, the bookseller also urges customers to change their Thalia password at other services if it is also used at other providers with the same username.
---------------------------------------------
https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten…
∗∗∗ Backup software: Dell EMC AppSync can be compromised ∗∗∗
---------------------------------------------
Several security vulnerabilities in Dell's EMC AppSync backup software could have allowed attackers to break into affected systems and manipulate them.
---------------------------------------------
https://heise.de/-6334745
∗∗∗ SonicWall explains why firewalls were caught in reboot loops ∗∗∗
---------------------------------------------
In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed.
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-fir…
∗∗∗ Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd) ∗∗∗
---------------------------------------------
Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was, and he agreed to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim, and this person was called beforehand to make them more confident with the file. A perfect example of a social engineering attack.
---------------------------------------------
https://isc.sans.edu/diary/rss/28264
∗∗∗ Microsoft is now disabling Excel 4.0 macros by default ∗∗∗
---------------------------------------------
Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default.
---------------------------------------------
https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-ex…
∗∗∗ Emotet Now Using Unconventional IP Address Formats to Evade Detection ∗∗∗
---------------------------------------------
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...]
---------------------------------------------
https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html
∗∗∗ GoWard: A robust and rapidly-deployable Red Team proxy ∗∗∗
---------------------------------------------
Generally, Red Teams and adversaries redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWard's intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation.
---------------------------------------------
https://github.com/chdav/GoWard
∗∗∗ Crime Shop Sells Hacked Logins to Other Crime Shops ∗∗∗
---------------------------------------------
Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.
---------------------------------------------
https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other…
∗∗∗ Dark Souls servers taken offline over hacking fears ∗∗∗
---------------------------------------------
We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. This is, it has to be said, not a good sign.
---------------------------------------------
https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-of…
∗∗∗ Cobalt Strike, a Defender’s Guide – Part 2 ∗∗∗
---------------------------------------------
Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...]
---------------------------------------------
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
=====================
= Vulnerabilities =
=====================
∗∗∗ High-Severity Rust Programming Bug Could Lead to File, Directory Deletion ∗∗∗
---------------------------------------------
The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete, [...]
---------------------------------------------
https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html
∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE ∗∗∗
---------------------------------------------
CentOS Web Panel, more commonly known as CWP, is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target.
---------------------------------------------
https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-pre…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/882396/
∗∗∗ phpMyAdmin: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0089
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service…
∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli…
∗∗∗ Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 20-01-2022 18:00 − Freitag 21-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ iOS 15.3 & Co: Important bug fixes for iPhones, Macs and Watches in preparation ∗∗∗
---------------------------------------------
Apple's upcoming operating system updates close a severe privacy leak in the Safari browser and are meant to resolve charging problems on the Apple Watch.
---------------------------------------------
https://heise.de/-6334675
∗∗∗ Network equipment vendor F5 secures BIG-IP & Co. against possible attacks ∗∗∗
---------------------------------------------
Vulnerabilities in various BIG-IP appliances could allow malicious code to reach affected systems.
---------------------------------------------
https://heise.de/-6334437
∗∗∗ Caution: Fake Europol summonses in circulation! ∗∗∗
---------------------------------------------
Criminals are currently posing as Europol and sending out a „summons“ that seems very threatening to many recipients: the criminals claim that several court proceedings are pending against those affected, specifically concerning child pornography, paedophilia and the like. Even though the e-mail sounds very frightening, there is no cause for concern!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-gefaelschte-europol-vorladu…
∗∗∗ SonicWall Gen7 Firewall Inaccessible / Reboot Loop (Jan 20, 2022) ∗∗∗
---------------------------------------------
It currently looks as if SonicWall Gen7 firewalls have been causing problems since 20 January 2022. There are reports that access is no longer possible or that the Gen7 firewall falls into a reboot loop. SonicWall already has a support article with a workaround.
---------------------------------------------
https://www.borncity.com/blog/2022/01/21/sonicwall-gen7-firewall-inaccessib…
∗∗∗ Over 90 WordPress themes, plugins backdoored in supply chain attack ∗∗∗
---------------------------------------------
A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plu…
∗∗∗ Doctor Web’s overview of virus activity on mobile devices in 2021 ∗∗∗
---------------------------------------------
In 2021, making illegal profit remained one of the top cybercriminals’ priorities. That’s why adware trojans, malware that downloaded and installed other software, and trojans capable of downloading and executing arbitrary code, were among the most common threats on Android. Banking trojans also posed a significant threat whilst their activity increased. Moreover, users often encountered various adware apps.
---------------------------------------------
https://news.drweb.com/show/?i=14395&lng=en&c=9
∗∗∗ Doctor Web’s annual virus activity review for 2021 ∗∗∗
---------------------------------------------
Among the most popular threats in 2021 were numerous malware families. Among them were trojan droppers designed to distribute other malware, and trojan downloader modifications, which download and run executable files with various payloads on the victim's computer. Besides that, cybercriminals were actively distributing backdoors. Among the email threats, the most popular were stealers and various backdoor modifications written in VB.NET.
---------------------------------------------
https://news.drweb.com/show/?i=14393&lng=en&c=9
∗∗∗ Spyware Blitzes Compromise, Cannibalize ICS Networks ∗∗∗
---------------------------------------------
The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud.
---------------------------------------------
https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/…
∗∗∗ AccessPress Themes Hit With Targeted Supply Chain Attack ∗∗∗
---------------------------------------------
Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites.
---------------------------------------------
https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply…
∗∗∗ A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations ∗∗∗
---------------------------------------------
Microsoft reported evidence of destructive malware targeting organizations in Ukraine starting from January 13 [1]. The LIFARS threat intelligence team have analyzed the malicious samples and provided a detailed analysis of the execution flow. The main objective of this technical brief is to reveal the sophisticated TTPs demonstrated by threat actors.
---------------------------------------------
https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukr…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/287178
∗∗∗ Plugin "Email Template Designer" opens security hole in WordPress ∗∗∗
---------------------------------------------
A vulnerability in the WordPress plugin "WordPress Email Template Designer - WP HTML Mail" could allow attackers to slip malicious code to the administrator.
---------------------------------------------
https://heise.de/-6334308
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview).
---------------------------------------------
https://lwn.net/Articles/882119/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0001.html
∗∗∗ Lexmark Laser Printers: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0087
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Operational Decision Manager (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to a denial of service vulnerability in Apache log4j2 component (CVE-2021-45105 & CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Vulnerability in Java Batch affects WebSphere Application Server Liberty (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-bat…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: IBM Cognos Controller has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-has…
∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender and Modules have various vulnerabilities (CVE-2021-22924, CVE-2021-3712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-01-2022 18:00 − Thursday 20-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Revamped Community-Based DDoS Defense Tool Improves Filtering ∗∗∗
---------------------------------------------
Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses.
---------------------------------------------
https://www.darkreading.com/perimeter/revamped-community-based-ddos-defense…
∗∗∗ MoonBounce: the dark side of UEFI firmware ∗∗∗
---------------------------------------------
At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.
---------------------------------------------
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
∗∗∗ What Should You do if Your WordPress Site was Hacked? ∗∗∗
---------------------------------------------
This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers?
---------------------------------------------
https://blog.sucuri.net/2022/01/what-should-you-do-if-your-wordpress-site-w…
∗∗∗ Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks ∗∗∗
---------------------------------------------
Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an "input validation vulnerability that could allow attackers to build a query given some input and [..]
---------------------------------------------
https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html
∗∗∗ New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets ∗∗∗
---------------------------------------------
"BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researchers said in a technical report on Wednesday.
---------------------------------------------
https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html
∗∗∗ RedLine Stealer Delivered Through FTP ∗∗∗
---------------------------------------------
Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that the payload is delivered through FTP! It’s pretty unusual because FTP is today less and less used for multiple reasons (lack of encryption by default, complex to filter with those passive/active modes).
---------------------------------------------
https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-thr…
∗∗∗ Critical security vulnerability in Google Chrome closed ∗∗∗
---------------------------------------------
In the updated version of Google Chrome, the company closes numerous vulnerabilities. At least one of them is rated critical by the vendor.
---------------------------------------------
https://heise.de/-6332812
∗∗∗ Almost 7 million passwords stolen from Open Subtitles ∗∗∗
---------------------------------------------
The websites and the forum of Open Subtitles fell victim to cybercriminals, who were able to capture all login credentials. Users now need to take action.
---------------------------------------------
https://heise.de/-6332951
∗∗∗ Numerous Facebook pages advertise TVs for €1.95 ∗∗∗
---------------------------------------------
A QLED TV for only 1.95 euros? That is what numerous Facebook pages are currently promising. All you have to do is take part in a short survey. Afterwards you are asked to enter your credit card details to pay 1.95 euros, and a high-quality TV will supposedly be delivered to your home. As so often: the offer is too good to be true. In reality, your credit card details end up in the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-facebook-seiten-bewerben-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Cross site scripting
Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.
---------------------------------------------
https://www.drupal.org/sa-core-2022-002
∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7
---------------------------------------------
https://www.drupal.org/sa-core-2022-001
∗∗∗ jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 ∗∗∗
---------------------------------------------
Project: jQuery UI Datepicker
Security risk: Moderately critical
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-004
∗∗∗ Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated attacker to execute code ∗∗∗
---------------------------------------------
CVE-2021-22282: RCE through Project Upload from Target. All versions of Automation Studio 4 are affected.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16405293…
∗∗∗ Local file inclusion vulnerability in Land Software - FAUST iServer ∗∗∗
---------------------------------------------
The web server named FAUST iServer, developed by Land Software, is susceptible to a local file inclusion vulnerability. An attacker can read all local files of the underlying operating system within the context of the current drive.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-file-inclusion-…
∗∗∗ Calculation error in the Linux kernel allows privilege escalation ∗∗∗
---------------------------------------------
Problematic above all in cloud systems: users logged in to Linux systems could escalate their privileges due to a potential buffer overflow.
---------------------------------------------
https://heise.de/-6333365
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, python-numpy) and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, qtsvg-opensource-src).
---------------------------------------------
https://lwn.net/Articles/881956/
∗∗∗ Canon: “Log4j” RCE [CVE-2021-44228], “Log4j” RCE [CVE-2021-45046] and “Log4j” DOS [CVE-2021-45105] vulnerabilities ∗∗∗
---------------------------------------------
We are currently in the process of investigating the impact of the ‘Log4j’ https://logging.apache.org/log4j/2.x/security.html vulnerability on Canon products. As information comes to light, we will update this article.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ Canon: Cross-site scripting vulnerability for laser printers and multifunction devices for small offices ∗∗∗
---------------------------------------------
A cross-site scripting vulnerability has been identified in the Remote UI function of Canon laser printers and multifunction devices for small office – see the affected models below (vulnerability identification number: JVN # 64806328).
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-…
∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy…
∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-…
∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-…
∗∗∗ Security Bulletin: IBM® Security SOAR could be vulnerable to a downgrade attack because of missing Strict-Transport-Security headers for some endpoints (CVE-2021-29785). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-b…
∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-…
∗∗∗ Security Bulletin: Apache log4j Vulnerability Affects IBM Sterling Global Mailbox (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel…
∗∗∗ Security Bulletin: IBM® Disconnected Log Collector is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll…
∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable…
∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec…
∗∗∗ Endress+Hauser: Multiple products affected by log4net vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-044/
∗∗∗ ICONICS and Mitsubishi Electric HMI SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-01-2022 18:00 − Wednesday 19-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th) ∗∗∗
---------------------------------------------
[..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18.
---------------------------------------------
https://isc.sans.edu/diary/rss/28254
∗∗∗ Project Zero: Zooming in on Zero-click Exploits ∗∗∗
---------------------------------------------
In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.
---------------------------------------------
https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-ex…
∗∗∗ Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays ∗∗∗
---------------------------------------------
Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically,
---------------------------------------------
https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevors…
∗∗∗ Fraudulent promises of money on Instagram ∗∗∗
---------------------------------------------
Criminals direct their fraudulent requests in particular at young women and men. They promise them large sums of money for suggestive photos or pretend to be interested in financing the lifestyle of the people concerned. Anyone who receives such offers should stay well away from them, because this is advance-fee fraud in which payments are demanded up front.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-i…
∗∗∗ The Perfect Cyber Crime ∗∗∗
---------------------------------------------
[..] what if criminals were able to acquire large amounts of victims’ credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of “perfect crime” could be a new reality in cyber security. In this blog, we’ll explain how we were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums.
---------------------------------------------
https://safebreach.com/blog/2022/the-perfect-cyber-crime/
∗∗∗ CVE-2022-21661: Exposing Database Info via WordPress SQL Injection ∗∗∗
---------------------------------------------
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it.
---------------------------------------------
https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Plugin WP Visitor Statistics 4.7 SQL Injection ∗∗∗
---------------------------------------------
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
CVE: CVE-2021-24750
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022010098
∗∗∗ Oracle Critical Patch Update Advisory - January 2022 ∗∗∗
---------------------------------------------
This Critical Patch Update contains 497 new security patches across the (ed. note: 165) product families listed below.
---------------------------------------------
https://www.oracle.com/security-alerts/cpujan2022.html
∗∗∗ The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975) ∗∗∗
---------------------------------------------
Acer ships most of the laptops it sells with a software suite called Care Center Service installed. In versions up to and including 4.00.3038, one of the suite's programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in.
---------------------------------------------
https://aptw.tf/2022/01/20/acer-care-center-privesc.html
∗∗∗ Security update: Nvidia Shield TV media player vulnerable to malicious code attack ∗∗∗
---------------------------------------------
The developers have closed several holes in the Android version for Nvidia Shield TV. Overall, the risk is rated high.
---------------------------------------------
https://heise.de/-6332144
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/881810/
∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Multiple Cisco Products CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ ConfD CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-…
∗∗∗ Security Advisory - Information Exposure Vulnerability on Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for…
∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec…
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61112120
∗∗∗ K96924184: F5 HTTP profile vulnerability CVE-2022-23022 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K96924184
∗∗∗ K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K82793463
∗∗∗ K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41503304
∗∗∗ K53442005: BIG-IP VE vulnerability CVE-2022-23030 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53442005
∗∗∗ K16101409: BIG-IP AFM vulnerability CVE-2022-23028 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16101409
∗∗∗ K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28042514
∗∗∗ K91013510: SSL Forward Proxy vulnerability CVE-2022-23016 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91013510
∗∗∗ K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08476614
∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K17514331
∗∗∗ K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K93526903
∗∗∗ K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30525503
∗∗∗ K54892865: BIG-IP AFM vulnerability CVE-2022-23024 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54892865
∗∗∗ K29500533: TMUI XSS vulnerability CVE-2022-23013 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K29500533
∗∗∗ K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K50343028
∗∗∗ K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68755210
∗∗∗ K26310765: HTTP/2 profile vulnerability CVE-2022-23012 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K26310765
∗∗∗ K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34360320
∗∗∗ K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30911244
∗∗∗ K41415626: Transparent DNS Cache can consume excessive resources ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41415626
∗∗∗ K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44110411
∗∗∗ K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08402414
∗∗∗ K11742742: iControl REST vulnerability CVE-2022-23023 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11742742
∗∗∗ K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30573026
∗∗∗ K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24358905
∗∗∗ Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller) ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-01-2022 18:00 − Tuesday 18-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft releases emergency fixes for Windows Server, VPN bugs ∗∗∗
---------------------------------------------
Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc…
∗∗∗ Telenot locking system: weak randomness leads to open doors ∗∗∗
---------------------------------------------
An alarm and locking system generated its random numbers with a C function that is not suitable for that purpose.
---------------------------------------------
https://www.golem.de/news/telenot-schliessanlage-schwacher-zufall-sorgt-fue…
∗∗∗ Understanding Website SQL Injections ∗∗∗
---------------------------------------------
SQL injection is one of the most common types of web hacking techniques used today. As data breaches continue to happen to some of the most high-profile corporations and brands, it has become more important for web users to adapt to these increased breaches with changes in behavior like system-generated passwords and 2FA. In this post, we’ll be discussing SQL Injections in further detail, and why, as a website owner, you should care about this kind of attack.
---------------------------------------------
https://blog.sucuri.net/2022/01/understanding-website-sql-injections.html
∗∗∗ Zoho Patches Critical Vulnerability in Endpoint Management Solutions ∗∗∗
---------------------------------------------
Zoho Corp on Monday said it has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine.
---------------------------------------------
https://www.securityweek.com/zoho-patches-critical-vulnerability-endpoint-m…
∗∗∗ Loan fraud on globalekredit-fin.com & darlehenexpert.com ∗∗∗
---------------------------------------------
Would you like to take out a loan and are searching the internet for favourable terms? We advise caution. Fraudulent offers such as globalekredit-fin.com or darlehenexpert.com also lurk in the search results. Anyone who submits a request there risks losing a lot of money. And: there are no loans to be had here!
---------------------------------------------
https://www.watchlist-internet.at/news/kreditbetrug-auf-globalekredit-finco…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2022-0002 ∗∗∗
---------------------------------------------
VMware Workstation and Horizon Client for Windows updates address a denial-of-service vulnerability (CVE-2022-22938)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0002.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (slurm-llnl), openSUSE (apache2, ghostscript, and watchman), Red Hat (kernel and telnet), SUSE (apache2, ghostscript, and kernel), and Ubuntu (clamav).
---------------------------------------------
https://lwn.net/Articles/881648/
∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it. (CVE-2021-2341) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it. (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-36160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-34798) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Host header injection vulnerability in Business Automation Studio in Cloud Pak for Automation (CVE-2021-29872) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-host-header-injection-vul…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-39275) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-42013) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-33193) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-is…
∗∗∗ Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j CVE-2021-45046 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities fixed in Cloud Pak for Automation components ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-40438) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it. (CVE-2021-2161) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it. (CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…