Daily March 2023

daily@lists.cert.at

1 participants
23 discussions

Tageszusammenfassung - 31.03.2023
by Daily end-of-shift report 31 Mar '23

31 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-03-2023 18:00 − Freitag 31-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 10-year-old Windows bug with opt-in fix exploited in 3CX attack ∗∗∗ --------------------------------------------- A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-wit… ∗∗∗ Realtek and Cacti flaws now actively exploited by malware botnets ∗∗∗ --------------------------------------------- Multiple malware botnets actively target Cacti and Realtek vulnerabilities in campaigns detected between January and March 2023, spreading ShellBot and Moobot malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/realtek-and-cacti-flaws-now-… ∗∗∗ Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs ∗∗∗ --------------------------------------------- Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-eleme… ∗∗∗ Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains, (Fri, Mar 31st) ∗∗∗ --------------------------------------------- In my last Diary[1], I shortly mentioned the need for correctly set Content Security Policy and/or the obsolete[2] X-Frame-Options HTTP security headers (not just) in order to prevent phishing pages, which overlay a fake login prompt over a legitimate website, from functioning correctly. Or, to be more specific, to prevent them from dynamically loading a legitimate page in an iframe under the fake login prompt, since this makes such phishing websites look much less like a legitimate login page and thus much less effective. --------------------------------------------- https://isc.sans.edu/diary/rss/29698 ∗∗∗ WordPress Vulnerability & Patch Roundup March 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/03/wordpress-vulnerability-patch-roundup-march… ∗∗∗ Booby Trapping IBM i ∗∗∗ --------------------------------------------- In our first post about IBM i we noted that the operating system includes a database engine, Db2. This level of integration means that practically all objects of the system are accessible via SQL, a powerful tool to discover and analyze system configuration, and also to identify potential vulnerabilities. However, the “database view” of the operating system not only allows us to read data, but lets us insert additional data that can affect the behavior of the system too. --------------------------------------------- https://blog.silentsignal.eu/2023/03/30/booby-trapping-ibm-i/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (joblib, json-smart, libmicrohttpd, and xrdp), Fedora (thunderbird and xorg-x11-server-Xwayland), Mageia (dino, perl-Cpanel-JSON-XS, perl-Net-Server, snort, tigervnc/x11-server, and xapian), SUSE (curl, kernel, openssl-1_0_0, and shim), and Ubuntu (glusterfs, linux-gcp-4.15, musl, and xcftools). --------------------------------------------- https://lwn.net/Articles/928013/ ∗∗∗ Samba Releases Security Updates for Multiple Versions of Samba ∗∗∗ --------------------------------------------- The Samba Team has released security updates addressing vulnerabilities in multiple versions of Samba. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following announcements and apply the necessary updates: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/03/31/samba-releases-security-… ∗∗∗ Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser ∗∗∗ --------------------------------------------- OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-specially-crafte… ∗∗∗ Xcode 14.3 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT213679 ∗∗∗ [webapps] WooCommerce v7.1.0 - Remote Code Execution(RCE) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/51156 ∗∗∗ IBM Security Bulletins 2023-03-31 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2023
by Daily end-of-shift report 30 Mar '23

30 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-03-2023 18:00 − Donnerstag 30-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberkriminelle versenden Schadsoftware im Namen von DocuSign ∗∗∗ --------------------------------------------- Elektronische Signaturdienste wie DocuSign sind spätestens seit der Covid19-Pandemie beliebt, um Verträge oder andere Dokumente zeitsparend und unkompliziert zu unterzeichnen. Ein Trend, der auch von Betrüger:innen aufgegriffen wird: So geben sich Cyberkriminelle per E-Mail als DocuSign aus, um Schadsoftware zu verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/cyberkriminelle-versenden-schadsoftw… ∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗ --------------------------------------------- Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema ist Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, die versuchen User:innen zu verleiten Entscheidungen zu treffen, die nicht in Ihrem besten Interesse liegen. Was Dark Patterns sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier! --------------------------------------------- https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-… ∗∗∗ EDR Product Analysis of an Infostealer ∗∗∗ --------------------------------------------- As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer --------------------------------------------- https://asec.ahnlab.com/en/50685/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns customers to patch Linux Sudo flaw in NAS devices ∗∗∗ --------------------------------------------- Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-customers-to-patc… ∗∗∗ Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012 ∗∗∗ --------------------------------------------- Security risk: Moderately critical Description: This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation.The module does not sufficiently sanitize some data presented in its reports. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-012 ∗∗∗ CVE-2022-37734: graphql-java Denial-of-Service ∗∗∗ --------------------------------------------- graphql-java is the most popular GraphQL server written in Java. It was found to be vulnerable to DoS attacks through the directive overload. [..] The vulnerability was fixed in two stages. The first fix introduced a security control, whereas the second one targeted the root cause. The first fix is presented in the versions of graphql-java 19.0 and later, 18.3, and 17.4. The second fix has been applied in the version 20.1 [..] --------------------------------------------- https://checkmarx.com/blog/cve-2022-37734-graphql-java-denial-of-service/ ∗∗∗ Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability (CVE-2023-25076) ∗∗∗ --------------------------------------------- Talos discovered a remote code execution vulnerability that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code. Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available [..] --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-sniproxy-contain… ∗∗∗ X.org vulnerability and releases (CVE-2023-1393) ∗∗∗ --------------------------------------------- The X.Org project has announced a vulnerability in its X server and Xwayland. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [..] That has led to the release of xorg-server 21.1.8, xwayland 22.1.9, and xwayland 23.1.1. --------------------------------------------- https://lwn.net/Articles/927887/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x11-server, xstream, and zstd), and Ubuntu (linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-aws-5.4, linux-azure-5.4, linux-gcp- linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, php-nette, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/927855/ ∗∗∗ Synology-SA-23:02 Sudo ∗∗∗ --------------------------------------------- A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_02 ∗∗∗ Popular PABX platform, 3CX Desktop App suffers supply chain attack ∗∗∗ --------------------------------------------- CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App). --------------------------------------------- https://www.hackread.com/3cx-desktop-app-supply-chain-attack/ ∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Hitachi Energy IEC 61850 MMS-Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01 ∗∗∗ Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966998 ∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959353 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959355 ∗∗∗ IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967016 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967012 ∗∗∗ CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967018 ∗∗∗ CVE-2022-41723 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967026 ∗∗∗ CVE-2022-41723 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967022 ∗∗∗ Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967213 ∗∗∗ CVE-2022-21426 may affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967221 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967243 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967241 ∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967283 ∗∗∗ Vulnerabilities in PostgreSQL may affect IBM Spectrum Protect Plus (CVE-2022-2625, CVE-2022-1552, CVE-2021-3677) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967285 ∗∗∗ A vulnerability in GNU Tar affects IBM MQ Operator and Queue manager container images (CVE-2022-48303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2023
by Daily end-of-shift report 29 Mar '23

29 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-03-2023 18:00 − Mittwoch 29-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ WiFi protocol flaw allows attackers to hijack network traffic ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-at… ∗∗∗ H26Forge: Mehrheit der Video-Decoder wohl systematisch angreifbar ∗∗∗ --------------------------------------------- Immer wieder sorgen Bugs in Video-Decodern für Sicherheitslücken bis hin zu Zero Days. Wissenschaftler zeigen nun eine riesige Angriffsfläche. --------------------------------------------- https://www.golem.de/news/h26forge-mehrheit-der-video-decoder-wohl-systemat… ∗∗∗ Network Data Collector Placement Makes a Difference, (Tue, Mar 28th) ∗∗∗ --------------------------------------------- A previous diary [1] described processing some local PCAP data with Zeek. This data was collected using tcpdump on a DShield Honeypot. When looking at the Zeek connection logs, the connection state information was unexpected. To help understand why, we will compare data from different locations on the network and process the data in a similar way. This will help narrow down where the discrepancies might be coming from, or at least where they are not coming from. --------------------------------------------- https://isc.sans.edu/diary/rss/29664 ∗∗∗ MacStealer: Mac-Malware will Passwörter und Krypto-Wallets klauen ∗∗∗ --------------------------------------------- Eine im Dark Web günstig angebotene Malware soll sensible Daten von Macs extrahieren und über den Messenger Telegram an Angreifer übermitteln. --------------------------------------------- https://heise.de/-8153293 ∗∗∗ Remote PowerShell: Einfallstor bei Exchange Online jetzt mit Gnadenfrist ∗∗∗ --------------------------------------------- Ein halbes Jahr länger bleibt Administratoren, bis sie sich von ihren unsicheren PowerShell-cmdlets für Exchange Online verabschieden müssen. --------------------------------------------- https://heise.de/-8186790 ∗∗∗ Kriminelle erfinden Behörden wie „finanzaufsichtsbehoerde.com“ für Authority-Scams ∗∗∗ --------------------------------------------- Um ihren Opfern das Geld aus der Tasche zu ziehen, greifen Kriminelle häufig zu kreativen Methoden. Aktuell erfinden sie Behörden wie zum Beispiel auf „finanzaufsichtsbehoerde.com“ und „betrugsdezernat.com“ oder imitieren echte Behörden und Institutionen. Egal, was man Ihnen hier verspricht, übermitteln Sie keine Daten und bezahlen Sie kein Geld an derartige Plattformen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-erfinden-behoerden-wie-fi… ∗∗∗ Spyware vendors use 0-days and n-days against popular platforms ∗∗∗ --------------------------------------------- [...] In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. --------------------------------------------- https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-… ∗∗∗ Active Exploitation of IBM Aspera Faspex CVE-2022-47986 ∗∗∗ --------------------------------------------- Rapid7 is aware of at least one incident where a customer was compromised via CVE-2022-47986. We strongly recommend patching on an emergency basis. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-… ∗∗∗ New OpcJacker Malware Distributed via Fake VPN Malvertising ∗∗∗ --------------------------------------------- We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distri… ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗ --------------------------------------------- Für unsere täglichen Routineaufgaben suchen wir derzeit 1 Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security, welche:r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2023/3/in-eigener-sache-certat-sucht-verstarkung-20… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19). --------------------------------------------- https://lwn.net/Articles/927666/ ∗∗∗ Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed) ∗∗∗ --------------------------------------------- In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-roc… ∗∗∗ [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2 ∗∗∗ --------------------------------------------- [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2Arnie CabralTue, 03/28/2023 - 11:10 Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components in use (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2023-17 ∗∗∗ Security Advisory 2023-02 for PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3 ∗∗∗ --------------------------------------------- Hello, Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to a low severity security issue found. Please find the full text of the advisory below. The 4.6, 4.7 and 4.8 changelogs are available. The 4.6.6 (signature), 4.7.5 (signature) and 4.8.4 (signature) tarballs are available from our download server. Patches are available at patches. --------------------------------------------- https://blog.powerdns.com/2023/03/29/security-advisory-2023-02-for-powerdns… ∗∗∗ IBM Security Bulletins 2023-03-29 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000133135: NGINX Agent vulnerability CVE-2023-1550 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133135 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.9.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/ ∗∗∗ Buffer Overflow Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-02 ∗∗∗ Buffer Overflow Vulnerability in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-03 ∗∗∗ Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-06 ∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-10 ∗∗∗ Vulnerability in sudo ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-11 ∗∗∗ Multiple Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-15 ∗∗∗ Sielco Analog FM Transmitter 2.12 id Cookie Brute Force Session Hijacking ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php ∗∗∗ Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php ∗∗∗ Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php ∗∗∗ Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2023
by Daily end-of-shift report 28 Mar '23

28 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-03-2023 18:00 − Dienstag 28-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New MacStealer macOS malware steals passwords from iCloud Keychain ∗∗∗ --------------------------------------------- A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware… ∗∗∗ Exchange Online to block emails from vulnerable on-prem servers ∗∗∗ --------------------------------------------- Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exchange-online-to-block-ema… ∗∗∗ Cybersecurity Challenges of Power Transformers ∗∗∗ --------------------------------------------- To the best of our knowledge, there is no study in the literature that systematically investigate the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks. --------------------------------------------- https://arxiv.org/abs/2302.13161 ∗∗∗ OpenSSL 1.1.1 End of Life ∗∗∗ --------------------------------------------- We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date. --------------------------------------------- https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ ∗∗∗ The curl quirk that exposed Burp Suite & Google Chrome ∗∗∗ --------------------------------------------- Although this feature took us (and Chrome) by surprise, it is fully documented so we dont consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked. --------------------------------------------- https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp… ∗∗∗ Abo-Falle auf produkttester-werden.org ∗∗∗ --------------------------------------------- Produkttester-werden.org wirbt mit der Möglichkeit, regelmäßig und gratis Produkte testen zu können und dafür bis zu 25 Euro Aufwandsentschädigung zu erhalten. Schon bei der Erstregistrierung werden aber persönliche Daten inklusive IBAN abgefragt, eine Einzugsermächtigung verlangt und ein kostenpflichtiges Abonnement über einen versteckten Kostenhinweis abgeschlossen. Wir raten zu Abstand! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenor… ∗∗∗ Emotet Being Distributed via OneNote ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document. --------------------------------------------- https://asec.ahnlab.com/en/50564/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple patches everything, including a zero-day fix for iOS 15 users ∗∗∗ --------------------------------------------- Got an older iPhone that cant run iOS 16? Youve got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too. --------------------------------------------- https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-includ… ∗∗∗ FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329) ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPs GET requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-364 ∗∗∗ OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) ∗∗∗ --------------------------------------------- Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. nvalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default --------------------------------------------- https://www.openssl.org/news/secadv/20230328.txt ∗∗∗ [webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP [..] --------------------------------------------- https://www.exploit-db.com/exploits/51115 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse). --------------------------------------------- https://lwn.net/Articles/927548/ ∗∗∗ Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966410 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966400 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966418 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966412 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966416 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966420 ∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964836 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact(CVE-2022-3509, CVE-2022-3171) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966436 ∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966428 ∗∗∗ Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966084 ∗∗∗ Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966434 ∗∗∗ IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966438 ∗∗∗ IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966440 ∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966442 ∗∗∗ IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966588 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966600 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966602 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966604 ∗∗∗ IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966610 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966612 ∗∗∗ IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966636 ∗∗∗ There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966646 ∗∗∗ There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966644 ∗∗∗ Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0(CPDS 2.0) [CVE-2022-2047] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966652 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2023
by Daily end-of-shift report 27 Mar '23

27 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-03-2023 18:00 − Montag 27-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Guidance for investigating attacks using CVE-2023-23397 ∗∗∗ --------------------------------------------- This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-inves… ∗∗∗ WooCommerce Credit Card Skimmer Reveals Tampered Plugin ∗∗∗ --------------------------------------------- Disclaimer: The malware infection described in this article does not affect the software plugin as a whole and does not indicate any vulnerabilities or security flaws within WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors. --------------------------------------------- https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-plugin… ∗∗∗ Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Affecting Multiple Cisco Products ∗∗∗ --------------------------------------------- On March 27, 2023, the research paper Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues was made public. This paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames that are present in the transmit queues in an access point to an attacker-controlled device. This attack is seen as an opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Visual Signature Spoofing in PDFs ∗∗∗ --------------------------------------------- Visual Signature Spoofing was partially successful in forging signed documents. Due to the limited support of JavaScript in the other PDF applications, it was only possible to create visual signature spoofs for Adobe Acrobat Reader DC. Other PDF applications may also become vulnerable in the future if they add support for the necessary JavaScript functions. --------------------------------------------- https://sec-consult.com/blog/detail/visual-signature-spoofing-in-pdfs/ ∗∗∗ Using an Undocumented Amplify API to Leak AWS Account IDs ∗∗∗ --------------------------------------------- In a previous blog post I mentioned that I was getting back into AWS vulnerability research in my free time. I’ve been taking a closer look at undocumented AWS APIs, trying to find hidden functionality that may be useful for an attacker or cross tenant boundaries. [...] I reported this API to AWS who responded that it did not “represent a security issue”, however, 3 days later, the API was disabled. --------------------------------------------- https://frichetten.com/blog/undocumented-amplify-api-leak-account-id/ ∗∗∗ Microsoft verteilt Sicherheitsupdate für Windows Snipping Tool ∗∗∗ --------------------------------------------- Microsoft hat ein außerplanmäßiges Sicherheitsupdate veröffentlicht. Es soll eine Schwachstelle im Windows Snipping Tool beseitigen – der in Windows 10 und Windows 11 integrierten Screenshot-App. Ähnlich wie zuletzt auch unter Android entfernt das Tool „gelöschte“ Bereiche von zugeschnittenen Screenshots nicht vollständig, sodass sie nachträglich wiederhergestellt werden können. --------------------------------------------- https://www.zdnet.de/88408044/microsoft-verteilt-sicherheitsupdate-fuer-win… ∗∗∗ Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support ∗∗∗ --------------------------------------------- PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-re… ∗∗∗ OneNote Embedded URL Abuse ∗∗∗ --------------------------------------------- Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix. --------------------------------------------- https://blog.nviso.eu/2023/03/27/onenote-embedded-url-abuse/ ∗∗∗ Rhadamanthys: The “Everything Bagel” Infostealer ∗∗∗ --------------------------------------------- Key Takeaways: * Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals. * A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff. * Campaigns by default target countries indiscriminately, excluding the commonwealth of independent states. This is typical of this kind of malware. * Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic. --------------------------------------------- https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-info… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Cloud Management for Catalyst migration feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Cisco IOS XE Meraki migration feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ABB RCCMD – Use of default password (CVE-2022-4126) ∗∗∗ --------------------------------------------- A software update is available that resolves a privately reported vulnerability [...] An attacker who successfully exploited this vulnerability could take control of the computer the software runs on and possibly insert and run arbitrary code. --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=2CMT0… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/927451/ ∗∗∗ baserCMS vulnerable to arbitrary file uploads ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN61105618/ ∗∗∗ IBM Security Bulletins 2023-03-25 - 2023-03-27 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2023
by Daily end-of-shift report 24 Mar '23

24 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-03-2023 18:00 − Freitag 24-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites ∗∗∗ --------------------------------------------- Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. --------------------------------------------- https://thehackernews.com/2023/03/critical-woocommerce-payments-plugin.html ∗∗∗ GitHub publishes RSA SSH host keys by mistake, issues update ∗∗∗ --------------------------------------------- Getting connection failures? Dont panic. Get new keys GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/03/24/github_chang… ∗∗∗ ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the ChinaZ DDoS Bot malware being installed on inadequately managed Linux SSH servers. [..] The threat group most likely scanned port 22, the area where SSH services operate, before finding an active SSH service and performing a dictionary attack using commonly used SSH account credentials. --------------------------------------------- https://asec.ahnlab.com/en/50316/ ∗∗∗ Hacking AI: System and Cloud Takeover via MLflow Exploit ∗∗∗ --------------------------------------------- Protect AI tested the security of MLflow and found a combined Local File Inclusion/Remote File Inclusion vulnerability which can lead to a complete system or cloud provider takeover. Organizations running an MLflow server are urged to update to the latest release immediately. --------------------------------------------- https://protectai.com/blog/hacking-ai-system-takeover-exploit-in-mlflow ∗∗∗ JavaScript-Runtime: Deno 1.32 schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Die JS-Runtime Deno 1.32 liefert weitere Verbesserungen für die Kompatibilität mit Node.js und neue Funktionen für den Befehl deno compile. --------------------------------------------- https://heise.de/-7971810 ∗∗∗ CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections ∗∗∗ --------------------------------------------- The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments. --------------------------------------------- https://www.securityweek.com/cisa-ships-untitled-goose-tool-to-hunt-for-mic… ∗∗∗ APT attacks on industrial organizations in H2 2022 ∗∗∗ --------------------------------------------- This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities. --------------------------------------------- https://ics-cert.kaspersky.com/publications/apt-attacks-on-industrial-organ… ∗∗∗ Outlook-Schwachstelle CVE-2023-23397 nicht vollständig gepatcht – Absicherung erforderlich ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag zum März 2023-Patchday. Microsoft hat zum 14. März 2023 die kritische RCE-Schwachstelle CVE-2023-23397 in Outlook zwar mit einem Sicherheitsupdate versehen. Aber der Patch ist unvollständig, der Angriff kann weiterhin mit etwas modifizierten E-Mails immer noch ausgelöst werden. Und inzwischen ist ein Proof of Concept öffentlich, was demonstriert, wie die Schwachstelle ausgenutzt wird. --------------------------------------------- https://www.borncity.com/blog/2023/03/24/outlook-schwachstelle-cve-2023-233… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. The attacker must have valid low-privileged user credentials. This vulnerability is due to improper role-based access control (RBAC) with the integration of PnP. An attacker could exploit this vulnerability by authenticating to the device and sending a query to an internal API. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libdatetime-timezone-perl, and tzdata), Fedora (flatpak and gmailctl), Mageia (firefox, flatpak, golang, gssntlmssp, libmicrohttpd, libtiff, python-flask-security, python-owslib, ruby-rack, thunderbird, unarj, and vim), Red Hat (firefox, kpatch-patch, nss, openssl, and thunderbird), SUSE (containerd, hdf5, qt6-base, and squirrel), and Ubuntu (amanda, gif2apng, graphviz, and linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi). --------------------------------------------- https://lwn.net/Articles/927198/ ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-003 ∗∗∗ ELECOM WAB-MAT registers its windows service executable with an unquoted file path ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35246979/ ∗∗∗ TADDM is vulnerable to a denial of service vulnerability in Apache-Log4j (CVE-2023-26464) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965790 ∗∗∗ IBM Tivoli Application Dependency Discovery Manager is vulnerable to a bypass vulnerability due to the use of Python (CVE-2023-24329) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965792 ∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965612 ∗∗∗ Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965816 ∗∗∗ Stored SMB credentials may allow access to vSnap after oracle backup in IBM Spectrum Protect Plus for Db2 and Oracle (CVE-2023-27863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965812 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965822 ∗∗∗ Multiple vulnerabilies in Java affect IBM Robotic Process Automation for Cloud Pak which may result in a denial of service (CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965846 ∗∗∗ A vulnerability in Luxon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-22467) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965848 ∗∗∗ Multiple vulnerabilities in IBM Content Navigator may affect IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965908 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2023
by Daily end-of-shift report 23 Mar '23

23 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-03-2023 18:00 − Donnerstag 23-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Developing an incident response playbook ∗∗∗ --------------------------------------------- Incident response playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook. --------------------------------------------- https://securelist.com/developing-an-incident-response-playbook/109145/ ∗∗∗ Cropping and Redacting Images Safely, (Thu, Mar 23rd) ∗∗∗ --------------------------------------------- The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images. [..] Here are some approaches to make image redaction safer. But please use them with caution. --------------------------------------------- https://isc.sans.edu/diary/rss/29666 ∗∗∗ German and South Korean Agencies Warn of Kimsukys Expanding Cyber Attack Tactics ∗∗∗ --------------------------------------------- German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users Gmail inboxes. --------------------------------------------- https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html ∗∗∗ AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices ∗∗∗ --------------------------------------------- In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network. --------------------------------------------- https://arxiv.org/abs/2303.12367 ∗∗∗ Memory Forensics R&D Illustrated: Detecting Hidden Windows Services ∗∗∗ --------------------------------------------- To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background. --------------------------------------------- https://volatility-labs.blogspot.com/2023/03/memory-forensics-r-d-illustrat… ∗∗∗ Malicious Actors Use Unicode Support in Python to Evade Detection ∗∗∗ --------------------------------------------- Phylum’s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that we have found prevalent in PyPI. However, one feature of this particular package caught our eye: an obfuscation technique that was foreseen in 2007 during a discussion about Python’s support for Unicode [..] --------------------------------------------- https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-ev… ∗∗∗ Joomla! CVE-2023-23752 to Code Execution ∗∗∗ --------------------------------------------- On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. [..] disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why. --------------------------------------------- https://vulncheck.com/blog/joomla-for-rce ∗∗∗ Fehlalarm: Microsoft-Defender-Warnung vor deaktiviertem Schutz führt in die Irre ∗∗∗ --------------------------------------------- Unter Windows 11 zeigt Microsoft Defender auf vielen Systemen einen deaktivieren Schutz durch "die lokalen Sicherheitsautorität". Das ist ein Fehlalarm. --------------------------------------------- https://heise.de/-7659972 ∗∗∗ Technische Richtlinie zu Public Key Infrastrukturen für Technische Sicherheitseinrichtungen veröffentlicht ∗∗∗ --------------------------------------------- Das BSI hat am 23. März 2023 die neue Technische Richtlinie BSI TR-03145-5 für den sicheren Betrieb einer Public Key Infrastruktur für Technische Sicherheitseinrichtungen veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) ∗∗∗ --------------------------------------------- Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] --------------------------------------------- https://www.wordfence.com/blog/2023/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Pack it Secretly: Earth Preta’s Updated Stealthy Strategies ∗∗∗ --------------------------------------------- After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy… ===================== = Vulnerabilities = ===================== ∗∗∗ Virenschutz: Malwarebytes ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Der Virenschutz von Malwarebytes ermöglicht Angreifern, beliebige Dateien zu löschen oder ihre Rechte im System auszuweiten. Ein Update schließt die Lücke. --------------------------------------------- https://heise.de/-7674565 ∗∗∗ Sicherheitslücke: Angreifer könnten Switches von Aruba kompromittieren (CVE-2023-1168) ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle sind bestimmte Switches von Aruba verwundbar. Admins sollten Geräte jetzt absichern. Die Lücke betrifft die Network Analytics Engine. Dort könnte ein authentifizierter Angreifer für eine Schadcode-Attacke ansetzen, um Geräte vollständig zu kompromittieren. Wie eine Attacke ablaufen könnte, ist bislang nicht bekannt. --------------------------------------------- https://heise.de/-7658264 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git). --------------------------------------------- https://lwn.net/Articles/926972/ ∗∗∗ VARTA: Multiple devices prone to hard-coded credentials (CVE-2022-22512) ∗∗∗ --------------------------------------------- VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-061/ ∗∗∗ Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation ∗∗∗ --------------------------------------------- Solution: Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above). – Service operator: Replace with the latest version through MLsoft – Service user: Updated automatically when the operator switches to the latest version --------------------------------------------- https://asec.ahnlab.com/en/50213/ ∗∗∗ SAUTER EY-modulo 5 Building Automation Stations ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-03 ∗∗∗ RoboDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-01 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-04 ∗∗∗ CP Plus KVMS Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-02 ∗∗∗ ABB Pulsar Plus Controller ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-05 ∗∗∗ ProPump and Controls Osprey Pump Controller ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06 ∗∗∗ IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965298 ∗∗∗ IBM Watson CloudPak for Data Data Stores are vulnerable to web pages stored locally which can be read by another user on the system ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965446 ∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to allowing a user with physical access and specific knowledge of the system to modify files or data on the system.(CVE-2023-26282) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965452 ∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to an attacker with specific knowledge about the system to manipulate data due to improper input validation(CVE-2023-28512) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965456 ∗∗∗ Security Bulletin: Watson CP4D Data Stores for Cloud Pak for Data does not encypt sensitive information before storage or transmission (CVE-2023-27291) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965458 ∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965612 ∗∗∗ Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965698 ∗∗∗ WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965702 ∗∗∗ A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964532 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965732 ∗∗∗ Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963786 ∗∗∗ Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow - CVE-2023-24957 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965776 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2023
by Daily end-of-shift report 22 Mar '23

22 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-03-2023 18:00 − Mittwoch 22-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ PoC exploits released for Netgear Orbi router vulnerabilities ∗∗∗ --------------------------------------------- Proof-of-concept exploits for vulnerabilities in Netgears Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-ne… ∗∗∗ Windows Snipping-Tool anfällig für "Acropalypse" ∗∗∗ --------------------------------------------- Anfang der Woche wurde eine "Acropalypse" genannte Lücke im Screenshot-Tool von Google Pixel-Phones bekannt. Das Windows 11 Snipping-Tool verhält sich ebenso. --------------------------------------------- https://heise.de/-7619561 ∗∗∗ Cyber-Sicherheit für das Management ∗∗∗ --------------------------------------------- Das international erscheinende Handbuch „Management von Cyber-Risiken“, das durch das BSI in Zusammenarbeit mit der Internet Security Alliance entwickelt wurde, erhält ein weitreichendes Update --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Blackmail Roulette: The Risks of Electronic Shelf Labels for Retail and Critical Infrastructure ∗∗∗ --------------------------------------------- During our research, we analyzed the unknown micro-controller (MCU) of the SUNY ESL tag, which is a common Chinese ESL tag vendor, gained debug access and reverse engineered the proprietary 433 MHz radio-frequency (RF) protocol. As no authentication is used, we were able to update any ESL tag within RF range with arbitrary content. --------------------------------------------- https://sec-consult.com/blog/detail/blackmail-roulette-the-risks-of-electro… ∗∗∗ Erpressungsmail: „Ich weiß von Ihrem sexuellen Interesse an kleinen Kindern“ ∗∗∗ --------------------------------------------- Aktuell wird uns vermehrt ein Erpressungsmail gemeldet, in dem Empfänger:innen beschuldigt werden, sexuelle Interessen an Kindern zu haben. Angeblich wurde beim Pornoschauen ein Programm heruntergeladen, welches die Kamera aktivierte und die Person beim Masturbieren filmte. Dieses Video wird verbreitet, wenn nicht innerhalb einer Woche Bitcoins überwiesen werden. Alles frei erfunden! Löschen Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/erpressungsmail-ich-weiss-von-ihrem-… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components) ∗∗∗ --------------------------------------------- The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-003 ∗∗∗ Java-Plattform: Kritische Lücke in VMware Tanzu Spring Framework geschlossen ∗∗∗ --------------------------------------------- Zwei Schwachstellen bedrohen das Spring Framework. Eine Lücke gilt als kritisch. Updates zum Schließen des Sicherheitslecks stehen bereit. --------------------------------------------- https://heise.de/-7614914 ∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslücken ab ∗∗∗ --------------------------------------------- Der Webbrowser Chrome schließt acht Sicherheitslücken mit Updates. Angreifer können durch sie etwa mit manipulierten Webseiten Schadcode einschmuggeln. --------------------------------------------- https://heise.de/-7611326 ∗∗∗ OpenSSL Security Advisory: Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) ∗∗∗ --------------------------------------------- Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. [..] Policy processing is disabled by default --------------------------------------------- https://www.openssl.org/news/secadv/20230322.txt ∗∗∗ Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). --------------------------------------------- https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-script… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen). --------------------------------------------- https://lwn.net/Articles/926843/ ∗∗∗ [R1] Tenable.sc Version 6.1.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Tenable.sc 6.1.0 updates Apache to version 2.4.56 and PHP to 8.1.16 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-16 ∗∗∗ CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures ∗∗∗ --------------------------------------------- Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-clou… ∗∗∗ Cisco Access Point Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco DNA Center Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Access Point Software Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Access Point Software Association Request Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964832 ∗∗∗ Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964844 ∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964836 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964854 ∗∗∗ IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2022-43863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964862 ∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6612805 ∗∗∗ IBM Workload Scheduler is vulnerable to XML External Entity Injection (XXE) attack ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2023
by Daily end-of-shift report 21 Mar '23

21 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-03-2023 18:00 − Dienstag 21-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗ --------------------------------------------- Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-… ∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗ --------------------------------------------- Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns! --------------------------------------------- https://isc.sans.edu/diary/rss/29650 ∗∗∗ Google Cloud Log Extraction ∗∗∗ --------------------------------------------- In this blog post, we review the methods through which we can extract logs from Google Cloud. --------------------------------------------- https://www.sans.org/blog/google-cloud-log-extraction/ ∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗ --------------------------------------------- Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. --------------------------------------------- https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa ∗∗∗ Black Angel Rootkit ∗∗∗ --------------------------------------------- Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality. Designed for Red Teams. --------------------------------------------- https://github.com/XaFF-XaFF/Black-Angel-Rootkit ∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗ --------------------------------------------- The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d51737… ∗∗∗ Nexus: a new Android botnet? ∗∗∗ --------------------------------------------- On January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections way before the public announcement in June 2022. --------------------------------------------- https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet ∗∗∗ Mitigating SSRF in 2023 ∗∗∗ --------------------------------------------- Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become. --------------------------------------------- https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/ ∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗ --------------------------------------------- Software developers have been targeted in a new attack via malicious packages in the NuGet repository. --------------------------------------------- https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-de… ∗∗∗ Achtung: Betrügerische Anrufe zu Eurojackpot-Gewinn! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor angeblichen Gewinnbenachrichtigungen per Anruf, E-Mail, Post und Social Media im Namen von Eurojackpot in Acht. Kriminelle geben sich als die Lotterie aus und behaupten, dass Sie Geld gewonnen haben. Im weiteren Verlauf sollen Sie vorab Geld bezahlen, um die Auszahlung zu erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eur… ∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗ --------------------------------------------- We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immedia… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc). --------------------------------------------- https://lwn.net/Articles/926759/ ∗∗∗ XSA-429 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-429.html ∗∗∗ XSA-428 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-428.html ∗∗∗ XSA-427 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-427.html ∗∗∗ Keysight N6845A Geolocation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 ∗∗∗ VISAM VBASE Automation Base ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05 ∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03 ∗∗∗ Rockwell Automation ThinManager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06 ∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-p… ∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023… ∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964588 ∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852651 ∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964694 ∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963662 ∗∗∗ Vulnerability in Apache Commons FileUpload library affect Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964742 ∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964752 ∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964754 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2023
by Daily end-of-shift report 20 Mar '23

20 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-03-2023 18:00 − Montag 20-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗ --------------------------------------------- A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-l… ∗∗∗ Google: Bearbeitete Pixel-Screenshots lassen sich wiederherstellen ∗∗∗ --------------------------------------------- Wer Teile von Screenshots unkenntlich macht, verlässt sich darauf, dass dies auch so bleibt. Bei Pixel-Smartphones war das bisher nicht so. --------------------------------------------- https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-… ∗∗∗ Ransomware: Emotet kehrt zurück – als OneNote-E-Mail-Anhang ∗∗∗ --------------------------------------------- Die hochentwickelte Schadsoftware Emotet ist wieder aktiv. Sie findet in Form von bösartigen OneNote-Dateien ihren Weg in den E-Mail-Eingang potenzieller Opfer. --------------------------------------------- https://heise.de/-7551285 ∗∗∗ Malware-Masche: Acrobat Sign-Dienst zum Unterschieben von Malware missbraucht ∗∗∗ --------------------------------------------- Avast hat eine neue Masche beobachtet, mit der Cyberkriminelle Opfern Malware unterjubeln wollten. Sie missbrauchen dazu den Adobe-Sign-Dienst. --------------------------------------------- https://heise.de/-7557288 ∗∗∗ Researchers Shed Light on CatB Ransomwares Evasion Techniques ∗∗∗ --------------------------------------------- The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. --------------------------------------------- https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html ∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗ --------------------------------------------- In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment. --------------------------------------------- https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-c… ∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗ --------------------------------------------- In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. Well follow by exposing common TTPs before revealing information leaked through the attackers clipboard data. --------------------------------------------- https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal-Sicherheitslücke könnte Angreifern die Systemübernahme ermöglichen ∗∗∗ --------------------------------------------- Die US-Cyber-Sicherheitsbehörde CISA warnt vor einer Sicherheitslücke im Content-Management-System Drupal. Angreifer könnten verwundbare Systeme kapern. --------------------------------------------- https://heise.de/-7550599 ∗∗∗ OpenSSH 9.3 dichtet Sicherheitslecks ab ∗∗∗ --------------------------------------------- Die Entwickler von OpenSSH haben Version 9.3 der Verschlüsselungssuite veröffentlicht. Sie schließt Sicherheitslücken und behebt kleinere Fehler. --------------------------------------------- https://heise.de/-7550738 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim). --------------------------------------------- https://lwn.net/Articles/926636/ ∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗ --------------------------------------------- * Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) * Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286) * IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes * Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command. * IBM Aspera Faspex can be vulnerable to improperly authorized password changes * Vulnerability in EFS affects AIX (CVE-2021-29861) * Vulnerability in libc affects AIX (CVE-2021-29860) * Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) * Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217) * A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE CVE-2021-33813) * Vulnerabilites in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) * Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4 * Vulnerability in Node.js affects IBM Voice Gateway * IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes * Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925) * Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler. * IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20… ∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily March 2023