- Daily - CERT.at

Tageszusammenfassung - 07.02.2022
by Daily end-of-shift report 07 Feb '22

07 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-02-2022 18:00 − Montag 07-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Medusa malware ramps up Android SMS phishing attacks ∗∗∗ --------------------------------------------- The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-andr… ∗∗∗ An Insidious Mac Malware Is Growing More Sophisticated ∗∗∗ --------------------------------------------- When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways. --------------------------------------------- https://www.wired.com/story/mac-malware-growing-more-sophisticated ∗∗∗ Shadow Credentials ∗∗∗ --------------------------------------------- During Black Hat Europe 2019 Michael Grafnetter discussed several attacks towards Windows Hello for Business including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualize the steps of the technique Shadow Credentials in practice. --------------------------------------------- https://pentestlab.blog/2022/02/07/shadow-credentials/ ∗∗∗ web3 phishing via self-customizing landing pages ∗∗∗ --------------------------------------------- You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage. --------------------------------------------- https://isc.sans.edu/diary/rss/28312 ∗∗∗ Sextortion: Wenn ein harmloser Flirt in Erpressung endet ∗∗∗ --------------------------------------------- Sextortion ist eine Betrugsmasche, bei der meist männliche Opfer von Online-Bekanntschaften aufgefordert werden, sexuelles Bild- und Videomaterial von sich zu versenden oder sich nackt vor der Webcam zu zeigen. Mit diesen Bildern und Videos werden die Opfer dann erpresst: Zahlen oder das Material wird im Internet veröffentlicht! --------------------------------------------- https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-… ∗∗∗ FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommend mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indi… ∗∗∗ Microsoft deaktiviert wegen Emotet & Co. MSIX ms-appinstaller Protokoll-Handler in Windows (Feb. 2022) ∗∗∗ --------------------------------------------- Nachdem Ransomware wie Emotet oder BazarLoader den MSIX ms-appinstaller Protokoll-Handler missbrauchten, hat Microsoft nun erneut reagiert. Der komplette MSIX ms-appinstaller Protokoll-Handler wurde vorerst in Windows – quasi als Schutz vor Emotet, BazarLoader oder ähnlicher Malware – deaktiviert. --------------------------------------------- https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appi… ∗∗∗ Vorsicht: audacity.de und keepass.de verbreiten Malware (Feb. 2022) ∗∗∗ --------------------------------------------- Kleiner Hinweis an Leute, die sich gerne Software aus dem Internet herunterladen. Es sieht so aus, als ob die Domains audacity.de und keepass.de in die Hände von Leuten gekommen sind, die damit Schindluder treiben. Statt ein Audio-Tool oder einen Passwort-Manager zu bekommen, wird über die betreffenden Seiten Malware verteilt. --------------------------------------------- https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/884015/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0143 ∗∗∗ Multiple ESET products for macOS vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95898697/ ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multipe vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2022
by Daily end-of-shift report 04 Feb '22

04 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-02-2022 18:00 − Freitag 04-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstelle in GitOps-Tool: Argo CD über Path Traversal angreifbar ∗∗∗ --------------------------------------------- Angriffe mit manipulierten Helm-Charts ermöglichen Zugriff auf beliebige Verzeichnisse im Repository des Continuous-Delivery-Werkzeugs für Kubernetes. --------------------------------------------- https://heise.de/-6349810 ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- - Volexity discovers XSS zero-day vulnerability against Zimbra - Targeted sectors include European government and media - Successful exploitation results in theft of email data from users --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗ --------------------------------------------- In this two-part series, we look into various cybersecurity threats that affected industrial control systems endpoints. We also discuss several insights and recommendations to mitigate such threats. --------------------------------------------- https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind… ∗∗∗ Vulnerabilities that aren’t. ETag headers ∗∗∗ --------------------------------------------- This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et… ∗∗∗ Target open-sources its web skimmer detector ∗∗∗ --------------------------------------------- Targets cybersecurity team has open-sourced the code of Merry Maker, the companys internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers. --------------------------------------------- https://therecord.media/target-open-sources-its-web-skimmer-detector/ ∗∗∗ An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’ ∗∗∗ --------------------------------------------- Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language—a first for ransomware used in real-world attacks. --------------------------------------------- https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou… ∗∗∗ Special Report: Die Tücken von Active Directory Certificate Services (AD CS) ∗∗∗ --------------------------------------------- Active Directory Certificate Services (ADCS) ist anfällig für Fehlkonfigurationen, mit denen eine komplette Kompromittierung des Netzes trivial möglich ist. Publiziert wurde das Problem im Sommer 2021, jetzt wird diese Methode bei APT-Angriffen benutzt. Kontrollieren Sie mit den bereitgestellten Tools ihr Setup. Stellen Sie mit den angeführten Präventiv-Maßnahmen höhere Sichtbarkeit her. Überprüfen Sie mit den vorgestellen Tools, ob eine Fehlkonfiguration bereits ausgenutzt wurde. --------------------------------------------- https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...] --------------------------------------------- https://lwn.net/Articles/883828/ ∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno… ∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67396225/ ∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40508224 ∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05295469 ∗∗∗ Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affects IBM InfoSphere Information Server (CVE-2021-35578 CVE-2021-35564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2022
by Daily end-of-shift report 03 Feb '22

03 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-02-2022 18:00 − Donnerstag 03-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spam-Anrufe von Wiener Nummer: “This is the police” ∗∗∗ --------------------------------------------- Bei solchen Anrufen gilt es generell, sofort aufzulegen. Ist man sich unsicher, ob der Anruf echt war (im Falle eines englischsprachigen Tonbands ist er das jedenfalls nicht), kann man eigenständig die Polizei (133) anrufen. Die Polizei warnt, dass man nie eine "Polizei"-Telefonnummern zurückrufen soll, wenn das in solchen Anrufen gefordert wird. Hat man bereits mit der Person gesprochen und Daten herausgegeben, soll man umgehend Anzeige bei der Polizei erstatten. --------------------------------------------- https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police… ∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗ --------------------------------------------- Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged both font, favicon and other less-commonly used files to pilfer credit card details. --------------------------------------------- https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav… ∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗ --------------------------------------------- For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known. --------------------------------------------- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ ∗∗∗ Tattoo-Giveaways auf Instagram führen in eine Abo-Falle ∗∗∗ --------------------------------------------- Kriminelle versenden Nachrichten von Fake-Accounts und behaupten, dass Instagram-User bei einem Gewinnspiel gewonnen hätten. Doch der angebliche Gewinn führt nicht zu einem neuen Tattoo, sondern in eine gut getarnte Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File ParsingOut-Of-Bounds Read Information Disclosure Vulnerability * DCM File Parsing Use-After-Free Information Disclosure Vulnerability * JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability * JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability --------------------------------------------- https://www.zerodayinitiative.com/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba). --------------------------------------------- https://lwn.net/Articles/883676/ ∗∗∗ Sensormatic PowerManage ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ Airspan Networks Mimosa ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02 ∗∗∗ Zwei Schwachstellen in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗ --------------------------------------------- In AudioCodes Session Border Controller (SBC) kann Telefonbetrug begangen werden. Auch wurde eine Rechteeskalation in der Web Management-Konsole gefunden. --------------------------------------------- https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct… ∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗ --------------------------------------------- Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M… ∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-38960 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu… ∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-042/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2022
by Daily end-of-shift report 02 Feb '22

02 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-02-2022 18:00 − Mittwoch 02-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM ∗∗∗ --------------------------------------------- The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. --------------------------------------------- https://kb.cert.org/vuls/id/796611 ∗∗∗ CISA Releases Securing Industrial Control Systems: A Unified Initiative ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure. --------------------------------------------- https://us-cert.cisa.gov/ics/cisa-releases-securing-industrial-control-syst… ∗∗∗ Kasper: a tool for finding speculative-execution vulnerabilities ∗∗∗ --------------------------------------------- The Systems and Network Security Group at Vrije Universiteit Amsterdam hasannounced a tool calledKasper that is able to scan the kernel source and locatespeculative-execution vulnerabilities: Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels). --------------------------------------------- https://lwn.net/Articles/883448/ ∗∗∗ Post E-Mail „Dein Paket wartet !“ ist fake! ∗∗∗ --------------------------------------------- Kriminelle versenden gehäuft E-Mails im Namen der Post mit dem Betreff „Dein Paket wartet !“. Eine Liefergebühr über 1,69 Euro sei ausständig. Achtung: Die E-Mails sind frei erfunden. Die Kriminellen wenden Spoofing an, um die Mail-Adresse echt aussehen zu lassen und verlinken auf eine nachgebaute Post-Website. --------------------------------------------- https://www.watchlist-internet.at/news/post-e-mail-dein-paket-wartet-ist-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron). --------------------------------------------- https://lwn.net/Articles/883541/ ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome versions 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux. These versions address vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/02/google-releases-s… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sealevel SeaConnect ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.’s SeaConnect internet-of-things edge device — many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device. The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API." --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.… ∗∗∗ Cisco Prime Service Catalog Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Umbrella Secure Web Gateway File Inspection Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV Series Routers Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ FortiAuthenticator - Improper access control in HA service ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-20-217 ∗∗∗ FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-185 ∗∗∗ FortiExtender - Arbitrary command execution because of missing CLI input sanitization ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-148 ∗∗∗ FortiWeb - OS command injection due to unsafe input validation function ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-166 ∗∗∗ FortiWeb - Stack-based buffer overflow in command line interpreter ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-132 ∗∗∗ FortiWeb - OS command injection due to direct input interpolation in API controllers ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-180 ∗∗∗ FortiWeb - arbitrary file/directory deletion ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-21-158 ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to leaking sensitive information due to CVE-2021-3712 in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ K74013101: Binutils vulnerability CVE-2021-42574 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74013101?utm_source=f5support&utm_mediu… ∗∗∗ K28622040: Python vulnerability CVE-2019-9948 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28622040?utm_source=f5support&utm_mediu… ∗∗∗ Advantech ADAM-3600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-032-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2022
by Daily end-of-shift report 01 Feb '22

01 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 31-01-2022 18:00 − Dienstag 01-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI-Grundschutz-Kompendium 2022: Neue Bausteine, schlankere Struktur ∗∗∗ --------------------------------------------- Das IT-Grundschutzkompendium in der Edition 2022 wartet mit einigen neuen Bausteinen, aber auch mit strukturellen Änderungen auf. --------------------------------------------- https://heise.de/-6344956 ∗∗∗ SMS der „Bawag“ mit „Ihr Konto wurde gesperrt!“ ist Fake ∗∗∗ --------------------------------------------- Vorsicht: Momentan kursiert ein betrügerisches SMS – angeblich von der Bawag. In der Nachricht werden Sie darüber informiert, dass Ihr Konto gesperrt wurde. Sie werden aufgefordert, auf einen Link zu klicken. Tun Sie das keinesfalls. Der Link führt auf eine gefälschte BAWAG-Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/sms-der-bawag-mit-ihr-konto-wurde-ge… ∗∗∗ Domain Escalation – Machine Accounts ∗∗∗ --------------------------------------------- The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrators accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins. --------------------------------------------- https://pentestlab.blog/2022/02/01/machine-accounts/ ∗∗∗ Updates released for multiple vulnerabilities found in 42 Gears SureMDM products ∗∗∗ --------------------------------------------- 42 Gears released an initial set of updates in November and more earlier this month. --------------------------------------------- https://www.zdnet.com/article/multiple-vulnerabilities-found-in-42-gears-su… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-146: Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Esri ArcReader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-146/ ∗∗∗ ZDI-22-148: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-148/ ∗∗∗ Rate - Critical - Unsupported - SA-CONTRIB-2022-010 ∗∗∗ --------------------------------------------- 2022-01-31 a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2022-010 ∗∗∗ WordPress-Plug-in Essential Addons for Elementor als Schadcode-Schleuder ∗∗∗ --------------------------------------------- In der aktuellen Version von Essential Addons for Elementor haben die Entwickler eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-6344583 ∗∗∗ VMSA-2022-0003 ∗∗∗ --------------------------------------------- VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/883423/ ∗∗∗ Ricon Mobile Industrial Cellular Router ∗∗∗ --------------------------------------------- This advisory contains mitigations for an OS Command Injection vulnerability in the Ricon Mobile Industrial Cellular Router mobile network router. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-032-01 ∗∗∗ Advantech ADAM-3600 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Advantech ADAM-3600 remote terminal units. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-032-02 ∗∗∗ January 31, 2022 TNS-2022-04 [R1] Nessus 10.1.0 Fixes One Third-Party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-04 ∗∗∗ K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K59563964 ∗∗∗ K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97120268 ∗∗∗ K00322972: Apache Log4j Chainsaw vulnerability CVE-2022-23307 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00322972 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in PostgreSQL, Node.js, and Data Tables from Spry Media may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-postgr… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Golang Go, MinIO, and Python may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may impact IBM Spectrum Protect Plus (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-indoor-maps-a… ∗∗∗ Security Bulletin: Cross-site scripting and session fixation vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2022
by Daily end-of-shift report 31 Jan '22

31 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-01-2022 18:00 − Montag 31-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Log4Shell: Eine Bestandsaufnahme ∗∗∗ --------------------------------------------- Nach der Panik wegen der größten Sicherheitslücke aller Zeiten blieb der große Knall aus. Kommt der noch oder haben wir das Gröbste überstanden? --------------------------------------------- https://heise.de/-6342536 ∗∗∗ Unseriöse Umzugsfirmen: Vorsicht bei zu günstigen Angeboten ∗∗∗ --------------------------------------------- Sie ziehen gerade um und sind auf der Suche nach einer Umzugsfirma? Unser Tipp: Lassen Sie sich nicht von Billigangeboten täuschen! Festpreisangebote von „25 Euro pro Stunde für 2 Männer inklusive LKW“ sind vollkommen unrealistisch. Dabei handelt es sich um ein Lockangebot. Bei einer Beauftragung wird Ihnen schlussendlich der 3- bis 4-fache Preis verrechnet! --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei… ∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗ --------------------------------------------- A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) turns your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-e… ∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗ --------------------------------------------- Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, by example, the right to forward or copy the original email. --------------------------------------------- https://isc.sans.edu/diary/rss/28292 ∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗ --------------------------------------------- It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory. --------------------------------------------- https://github.com/cado-security/rip_raw ∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗ --------------------------------------------- This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post. --------------------------------------------- https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4 ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung (Junior IT-Security Analyst:in, IT-Security Analyst:in, Python Entwickler:in) ∗∗∗ --------------------------------------------- Wir suchen derzeit: - Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security zur Unterstützung bei den täglich anfallenden Routineaufgaben - IT/OT-Security Generalist:in oder Spezialist:in im Bereich Windows Security, mit Praxiserfahrung - Python Entwickler:in zur Weiterentwicklung von bestehenden Open-Source-Projekten, insbesondere IntelMQ und Tuency Details finden sich auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-ju… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗ --------------------------------------------- The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges. --------------------------------------------- https://kb.cert.org/vuls/id/119678 ∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server. --------------------------------------------- https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB002… ∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory Intel Graphics Drivers Advisory ∗∗∗ --------------------------------------------- Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-d… ∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗ --------------------------------------------- There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of theTLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. --------------------------------------------- https://openssl.org/news/secadv/20220128.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...] --------------------------------------------- https://lwn.net/Articles/883322/ ∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗ --------------------------------------------- Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services. --------------------------------------------- https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b5206… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54450124 ∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46015513 ∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-002/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2022
by Daily end-of-shift report 28 Jan '22

28 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-01-2022 18:00 − Freitag 28-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Lets Encrypt: Was Admins heute tun müssen ∗∗∗ --------------------------------------------- Heute um 17 Uhr werden bei Lets Encrypt Zertifikate zurückgezogen. Wir beschreiben, wie Admins prüfen können, ob sie betroffen sind. Eine Anleitung von Hanno Böck --------------------------------------------- https://www.golem.de/news/let-s-encrypt-was-admins-heute-tun-muessen-2201-1… ∗∗∗ Fake-Gewinnspiel führt in Abo-Falle: BetrügerInnen geben sich als Ö-Ticket aus! ∗∗∗ --------------------------------------------- Auf Facebook geben sich Kriminelle unter der Seite „Oeticket Österreich“ als Ö-Ticket aus und bewerben das „Gewinnspiel des Jahres“. Zu gewinnen gibt es 2 Tickets für ein Ed Sheeran Konzert. Doch Achtung: Mit dieser Masche versuchen die Kriminellen an Ihre Kreditkartendaten zu kommen und Sie in eine Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-fuehrt-in-abo-falle… ∗∗∗ QNAP probt Zwangsupdate nach 3.600 DeadBolt-Ransomware-Infektionen ∗∗∗ --------------------------------------------- QNAP-Nutzer werden aktuell wohl Opfer der DeadBolt-Ransomware – ich hatte es nicht im Blog, aber binnen einer Woche waren es wohl über 3.600 Opfer. Der NAS-Hersteller greift nun zu drastischen Mitteln und versucht die Firmware betroffener Geräte zwangsweise zu aktualisieren. --------------------------------------------- https://www.borncity.com/blog/2022/01/28/qnap-probt-zwangsupdate-nach-3-600… ∗∗∗ EU to create pan-European cyber incident coordination framework ∗∗∗ --------------------------------------------- The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to better coordinate when having to respond to major cross-border cyber incidents impacting the Unions financial sector. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cy… ∗∗∗ Doctor Web’s December 2021 review of virus activity on mobile devices ∗∗∗ --------------------------------------------- According to detection statistics from Dr.Web for Android anti-virus products, adware trojans remained the most active Android threat in December. Another common threat detected on protected devices was malware that downloaded other apps. At the same time, more threats have been found on Google Play, like fake apps from the Android.FakeApp malware family. These are used in various fraudulent schemes. --------------------------------------------- https://news.drweb.com/show/?i=14408&lng=en&c=9 ∗∗∗ Doctor Web’s December 2021 virus activity review ∗∗∗ --------------------------------------------- Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic. --------------------------------------------- https://news.drweb.com/show/?i=14410&lng=en&c=9 ∗∗∗ Why are WordPress Websites Targeted by Hackers? ∗∗∗ --------------------------------------------- If you are wondering why your wordpress site keeps getting hacked, or why you’re being targeted by hackers, we’ve compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a make up of over 40% of sites on the web utilizing WordPress to some extent, it’s only expected for bad actors to take advantage of its popularity. --------------------------------------------- https://blog.sucuri.net/2022/01/why-are-wordpress-sites-targeted-by-hackers… ∗∗∗ Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing ∗∗∗ --------------------------------------------- Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victims network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials. --------------------------------------------- https://thehackernews.com/2022/01/hackers-using-device-registration-trick.h… ∗∗∗ How to avoid an open source security nightmare ∗∗∗ --------------------------------------------- Just as it would be a mistake to say that all closed source projects are bug-free, its a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases. --------------------------------------------- https://www.zdnet.com/article/how-to-avoid-an-open-source-security-nightmar… ∗∗∗ Weekly Threat Report 28th January 2022 ∗∗∗ --------------------------------------------- Read about the Mirai-based malware exploiting poor security, CISA updates and New Scanning Made Easy trial service from the NCSC --------------------------------------------- https://www.ncsc.gov.uk/report/weekly-threat-report-28th-january-2022 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates available in Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1 ∗∗∗ --------------------------------------------- Foxit has released Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1, which address potential security and stability issues. CVE-2018-1285, CVE-2021-40420, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741, CVE-2022-22150 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) ∗∗∗ --------------------------------------------- 2022-01-27: VMSA-2022-0028.10 - Revised advisory with updates to multiple products, including vCenter Server. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2021-0028.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/883047/ ∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗ --------------------------------------------- BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637429.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2022
by Daily end-of-shift report 27 Jan '22

27 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-01-2022 18:00 − Donnerstag 27-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- How are the email security systems bypassed with vulnerability on ''Microsoft Outlook for Mac''? Improper hyperlink translation in ''Microsoft Outlook for Mac'' leads to the complete bypassing of email security systems and sending the malicious link to the victim as clickable. [..] The below investigation was performed with trial accounts provided by multiple vendors and reported responsibly to Microsoft, which has taken action to remedy the problem. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2020-06… ∗∗∗ Update-Reigen: macOS 12.2, watchOS 8.4 und tvOS 15.3 beheben Fehler ∗∗∗ --------------------------------------------- Apple hat neben iOS und iPadOS 15.3 auch alle anderen Betriebssysteme aktualisiert. Zudem gibts ein HomePod-OS-Update. --------------------------------------------- https://heise.de/-6340079 ∗∗∗ Hackers Using New Evasive Technique to Deliver AsyncRAT Malware ∗∗∗ --------------------------------------------- [..] Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process. --------------------------------------------- https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.ht… ∗∗∗ Configuring Linux auditd for Threat Detection ∗∗∗ --------------------------------------------- The topics I look to cover in this article are - Quick intro to the Linux Audit System - Tips when writing audit rules - Designing a configuration for security monitoring - What to record with auditd - Tips on managing noise --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505 ∗∗∗ Financially Motivated Mobile Scamware Exceeds 100M Installations ∗∗∗ --------------------------------------------- In the pursuit of identifying and taking down similar financially motivated scams, zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. [..] At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play. --------------------------------------------- https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-insta… ∗∗∗ Jetzt handeln! Erpressungstrojaner DeadBolt hat es auf Qnap NAS abgesehen ∗∗∗ --------------------------------------------- Der Hersteller von Netzwerkspeichern (NAS) Qnap warnt abermals vor Ransomware-Attacken und gibt wichtige Tipps zur Absicherung. --------------------------------------------- https://heise.de/-6340174 ∗∗∗ Betrug mit nachgebautem Käuferschutz auf ebay-kleinanzeigen.de ∗∗∗ --------------------------------------------- eBay-kleinanzeigen.de stellt eine beliebte Kleinanzeigen-Plattform dar. Wie bei einigen anderen bekannten Marktplätzen wird auch hier eine sichere Bezahlmethode direkt auf der Plattform angeboten. Kriminelle nützen dies aus, indem sie die Kommunikation von offizieller Website und App beispielsweise auf WhatsApp verlagern. Später verweisen sie auf nachgebaute Websites und zweigen Zahlungen direkt in die eigenen Taschen ab! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-nachgebautem-kaeuferschut… ∗∗∗ The January 2022 Security Update Review ∗∗∗ --------------------------------------------- The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2022/1/11/the-january-2022-security-update-revi… ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014 ∗∗∗ --------------------------------------------- Project: Private Taxonomy Terms Security risk: Critical Description: This module enables users to create private vocabularies.The module doesnt sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-014 ∗∗∗ Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011 ∗∗∗ --------------------------------------------- Project: Navbar Security risk: Moderately critical Description: This module provides a very simple, mobile-friendly navigation toolbar.The module doesnt sufficiently check for user-provided input. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-011 ∗∗∗ Xerox Versalink Denial Of Service ∗∗∗ --------------------------------------------- A specifically crafted TIFF payload may be submitted to the printers job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad-infinitum. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022010119 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim). --------------------------------------------- https://lwn.net/Articles/882882/ ∗∗∗ Synology-SA-22:02 Samba ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_02 *** Drupal: Bugs in unsupporteten Sub-Projekten *** --------------------------------------------- The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. [..] If you use this project, you should uninstall it. - Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022 https://www.drupal.org/sa-contrib-2022-022 - Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021 https://www.drupal.org/sa-contrib-2022-021 - Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020 https://www.drupal.org/sa-contrib-2022-020 - Vendor Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-019 https://www.drupal.org/sa-contrib-2022-019 - Cog - Critical - Unsupported - SA-CONTRIB-2022-018 https://www.drupal.org/sa-contrib-2022-018 - Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017 https://www.drupal.org/sa-contrib-2022-017 - Vocabulary Permissions Per Role - Critical - Unsupported - SA-CONTRIB-2022-016 https://www.drupal.org/sa-contrib-2022-016 - Exif - Critical - Unsupported - SA-CONTRIB-2022-015 https://www.drupal.org/sa-contrib-2022-015 - Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013 https://www.drupal.org/sa-contrib-2022-013 - Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012 https://www.drupal.org/sa-contrib-2022-012 - Rate - Critical - Unsupported - SA-CONTRIB-2022-010 https://www.drupal.org/sa-contrib-2022-010 - Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009 https://www.drupal.org/sa-contrib-2022-009 - Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008 https://www.drupal.org/sa-contrib-2022-008 - Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007 https://www.drupal.org/sa-contrib-2022-007 - Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005 https://www.drupal.org/sa-contrib-2022-005 - Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006 https://www.drupal.org/sa-contrib-2022-006 --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ Security Bulletin:IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-i… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-22960, CVE-2021-22959 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana… ∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2022
by Daily end-of-shift report 26 Jan '22

26 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-01-2022 18:00 − Mittwoch 26-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ALPN: Ein Prozent der Lets-Encrypt-Zertifikate wird zurückgezogen ∗∗∗ --------------------------------------------- Lets Encrypt teilt mit, dass es Probleme bei der ALPN-Validierungsmethode gab und damit ausgestellte Zertifikate zurückgezogen werden. --------------------------------------------- https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wi… ∗∗∗ Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th) ∗∗∗ --------------------------------------------- Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which is embedded by Hewlett-Packard Enterprise on some of their servers. Besides its use for maintenance, it is often used by administrators for an emergency access to the server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from the security standpoint, access to them should always be limited to relevant administrator groups only and their firmware should always be kept up to date. --------------------------------------------- https://isc.sans.edu/diary/rss/28276 ∗∗∗ German govt warns of APT27 hackers backdooring business networks ∗∗∗ --------------------------------------------- "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-h… ∗∗∗ Sysdig-Report: Container-Deployments weisen mehrheitlich Schwachstellen auf ∗∗∗ --------------------------------------------- Sysdig beobachtet einen anhaltenden Shift Left bei Container Security, viele Schwachstellen bleiben aber ungepatcht und Rechte-Konfigurationen unzureichend. --------------------------------------------- https://heise.de/-6336816 ∗∗∗ Root-Zugriff unter Linux durch Polkit-Lücke ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine Schwachstelle in Polkit entdeckt, die Rechteausweitung ermöglicht. Für die viele Distributionen sind bereits Patches verfügbar. --------------------------------------------- https://heise.de/-6338569 ∗∗∗ Fake-Shops geben sich als Shops für Warenhausauflösungen aus ∗∗∗ --------------------------------------------- Derzeit stoßen wir vermehrt auf Fake-Shops, die behaupten auf Warenhausauflösungen spezialisiert zu sein oder Überbestände von Amazon oder von Kaufhäusern zu verkaufen. Damit begründen Sie auch ihre günstigen Preise für Marken-Produkte wie KitchenAid, Weber oder DeLonghi. Doch wer genau hinsieht, erkennt, dass es sich um Fake-Shops handelt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer… ∗∗∗ Vidar Exploiting Social Media Platform (Mastodon) ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware. --------------------------------------------- https://asec.ahnlab.com/en/30875/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in TransmitMail ∗∗∗ --------------------------------------------- TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. - Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146 - Cross-site scripting (CWE-79) - CVE-2022-21193 --------------------------------------------- https://jvn.jp/en/jp/JVN70100915/ ∗∗∗ Security Update - Fix available for a privilege escalation vulnerability ∗∗∗ --------------------------------------------- This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change passwords of a more privileged account. --------------------------------------------- https://pitstop.manageengine.com/portal/en/community/topic/security-update-… ∗∗∗ Denial of service & User Enumeration in WAGO 750-8xxx PLC ∗∗∗ --------------------------------------------- The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing sidechannel. By exploiting these vulnerabilities, the remote usage of the Codesys services can be prevented and existing usernames on the device can be identified. [..] WAGO's customers should upgrade the firmware to the latest version available. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-e… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server). --------------------------------------------- https://lwn.net/Articles/882724/ ∗∗∗ Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Automationis vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automat… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: IBM Observability by Instana and IBM Observability with Instana – Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-inst… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ GE Gas Power ToolBoxST ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01 ∗∗∗ Injection of arbitrary HTML code in Bosch Video Security Android App ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2022
by Daily end-of-shift report 25 Jan '22

25 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 24-01-2022 18:00 − Dienstag 25-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Responsible Disclosure: Vom Finden und Melden von Sicherheitslücken ∗∗∗ --------------------------------------------- Im Auftrag eines ISP habe ich mehrere Sicherheitslücken in einem Cisco-Router gefunden. Hier erkläre ich, wie ich vorgegangen bin. Ein Erfahrungsbericht von Marco Wiorek --------------------------------------------- https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-… ∗∗∗ Analyse: Linux- und ESXi-Varianten der LockBit-Ransomware ∗∗∗ --------------------------------------------- Die Forscher von Trend Micro Research haben das Thema LockBit-Ransomware in einer Analyse aufgegriffen. Denn diese Ransomware bedroht inzwischen nicht mehr nur Windows-Systeme. Es gibt bereits Samples, die auch Linux- und VMware ESXi-Instanzen befallen können. --------------------------------------------- https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-d… ∗∗∗ Vollzugriff durch Hintertür in WordPress-Erweiterungen ∗∗∗ --------------------------------------------- Bei einem Servereinbruch landete Hintertür-Schadcode in Plugins und Themes von AccessPress. Angreifer könnten dadurch WordPress-Instanzen übernehmen. --------------------------------------------- https://heise.de/-6337344 ∗∗∗ Jetzt patchen! Attacken auf Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer derzeit Sonicwall Secure Mobile Access im Visier haben. Dagegen lässt sich etwas tun. --------------------------------------------- https://heise.de/-6337222 ∗∗∗ Verkaufen auf willhaben, ebay & Co: Zahlung und Versand nicht über „Kurierdienst Post“ oder „ebay Selling“ abwickeln ∗∗∗ --------------------------------------------- Auf ebay, willhaben, Shpock und Co. treiben momentan vermehrt betrügerische KäuferInnen ihr Unwesen. Diese können aber rasch entlarvt werden: Betrügerische KäuferInnen wollen die Zahlung und Versendung Ihres Produktes über spezielle Dienstleistungen abwickeln. Dabei handelt es sich um angebliche Kurierdienste der Post oder ebay. Diese sind aber Fake! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahl… ∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗ --------------------------------------------- Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques. --------------------------------------------- https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/ ∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗ --------------------------------------------- The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products. --------------------------------------------- https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html ∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗ --------------------------------------------- A previously undocumented cyber-espionage malware aimed at Apples macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...] --------------------------------------------- https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.h… ∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗ --------------------------------------------- We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.The post Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent… ∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗ --------------------------------------------- Attackers have targeted hundreds of organisations, says Microsoft security. --------------------------------------------- https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-th… ∗∗∗ Introducing Scanning Made Easy ∗∗∗ --------------------------------------------- A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗ --------------------------------------------- CVE ID: CVE-2022-22509; CVSS 3.1: 8.8 In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: Upgrade to firmware 3.10 or higher --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-001/ ∗∗∗ Kritische Sicherheitslücke in Unisys Messaging Integration Services ∗∗∗ --------------------------------------------- Unbefugte Nutzer könnten aufgrund fehlerhafter Passwort-Prüfungen in den Messaging Integration Services (NTSI) von Unisys Zugang zu Servern erhalten. --------------------------------------------- https://heise.de/-6337226 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan). --------------------------------------------- https://lwn.net/Articles/882552/ ∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗ --------------------------------------------- PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings. --------------------------------------------- https://www.securityweek.com/printerlogic-patches-code-execution-flaws-prin… ∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 und der freie Disk-Speicher ∗∗∗ --------------------------------------------- Der Sicherheitsanbieter Trend Micro hat ein kritisches Update 2380 für seine Worry Free Business Security (WFBS) freigegeben. Der Patch soll ein Sicherheitsproblem in einer Komponente beseitigen, die die Virenschutzlösung angreifbar macht. Was aber nicht verraten wird: Um diesen kritischen Patch zu installieren, müssen mindestens 13 Gigabyte Festplattenspeicher auf dem Systemlaufwerk vorhanden sein. --------------------------------------------- https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-se… ∗∗∗ XSA-395 ∗∗∗ --------------------------------------------- Insufficient cleanup of passed-through device IRQs --------------------------------------------- https://xenbits.xen.org/xsa/advisory-395.html ∗∗∗ XSA-394 ∗∗∗ --------------------------------------------- A PV guest could DoS Xen while unmapping a grant --------------------------------------------- https://xenbits.xen.org/xsa/advisory-394.html ∗∗∗ XSA-393 ∗∗∗ --------------------------------------------- arm: guest_physmap_remove_page not removing the p2m mappings --------------------------------------------- https://xenbits.xen.org/xsa/advisory-393.html ∗∗∗ GNU libc: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0097 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0096 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0094 ∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5… ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2022
by Daily end-of-shift report 24 Jan '22

24 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-01-2022 18:00 − Montag 24-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erfolgreicher Angriff auf Nutzerkonten bei Thalia ∗∗∗ --------------------------------------------- Um Schaden von den Kunden abzuwenden, wurden die Kennwörter der betroffenen Konten von Thalia geändert. Die entsprechenden Kunden wurden per E-Mail darüber informiert. Der Buchhändler ruft in der E-Mail auch dazu auf, das Thalia-Kennwort bei anderen Diensten zu ändern, falls dieses auch bei anderen Anbietern mit dem gleichen Benutzernamen verwendet wird. --------------------------------------------- https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten… ∗∗∗ Backup-Software: Dell EMC AppSync kompromittierbar ∗∗∗ --------------------------------------------- Durch mehrere Sicherheitslücken in der Backup-Software EMC AppSync von Dell hätten Angreifer in betroffene Systeme eindringen und sie manipulieren können. --------------------------------------------- https://heise.de/-6334745 ∗∗∗ SonicWall explains why firewalls were caught in reboot loops ∗∗∗ --------------------------------------------- In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-fir… ∗∗∗ Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd) ∗∗∗ --------------------------------------------- Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was and he accepted to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim and this person was called beforehand to make it more confident with the file. A perfect example of social engineering attack. --------------------------------------------- https://isc.sans.edu/diary/rss/28264 ∗∗∗ Microsoft is now disabling Excel 4.0 macros by default ∗∗∗ --------------------------------------------- Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default. --------------------------------------------- https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-ex… ∗∗∗ Emotet Now Using Unconventional IP Address Formats to Evade Detection ∗∗∗ --------------------------------------------- Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...] --------------------------------------------- https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html ∗∗∗ GoWard A robust and rapidly-deployable Red Team proxy ∗∗∗ --------------------------------------------- Generally, Red Teams and adversarys redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWards intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation. --------------------------------------------- https://github.com/chdav/GoWard ∗∗∗ Crime Shop Sells Hacked Logins to Other Crime Shops ∗∗∗ --------------------------------------------- Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites. --------------------------------------------- https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other… ∗∗∗ Dark Souls servers taken offline over hacking fears ∗∗∗ --------------------------------------------- We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. This is, it has to be said, not a good sign. --------------------------------------------- https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-of… ∗∗∗ Cobalt Strike, a Defender’s Guide – Part 2 ∗∗∗ --------------------------------------------- Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...] --------------------------------------------- https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity Rust Programming Bug Could Lead to File, Directory Deletion ∗∗∗ --------------------------------------------- The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldnt otherwise access or delete, [...] --------------------------------------------- https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html ∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE ∗∗∗ --------------------------------------------- CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target. --------------------------------------------- https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-pre… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird). --------------------------------------------- https://lwn.net/Articles/882396/ ∗∗∗ phpMyAdmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0089 ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli… ∗∗∗ Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2022
by Daily end-of-shift report 21 Jan '22

21 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-01-2022 18:00 − Freitag 21-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ iOS 15.3 & Co: Wichtige Bugfixes für iPhones, Macs und Watches in Vorbereitung ∗∗∗ --------------------------------------------- Apples anstehende Betriebssystem-Updates schließen ein schweres Datenschutzleck im Browser Safari und sollen Ladeprobleme bei der Apple Watch ausräumen. --------------------------------------------- https://heise.de/-6334675 ∗∗∗ Netzwerkausrüster F5 sichert BIG-IP & Co. gegen mögliche Attacken ab ∗∗∗ --------------------------------------------- Über Schwachstellen in verschiedenen BIG-IP Appliances könnte Schadcode auf Systeme gelangen. --------------------------------------------- https://heise.de/-6334437 ∗∗∗ Vorsicht: Gefälschte Europol-Vorladungen im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle geben sich derzeit als Europol aus und versenden eine „Einberufung“, die für viele EmpfängerInnen sehr bedrohlich wirkt: So behaupten die Kriminellen, dass mehrere Gerichtsverfahren gegen die Betroffenen laufen würden. Konkret ginge es um Kinderpornografie, Pädophile und Ähnliches. Auch wenn die Mail sehr beängstigend klingt, besteht kein Grund zur Sorge! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-gefaelschte-europol-vorladu… ∗∗∗ SonicWall Gen7 Firewall Inaccessible/ Reboot Loop (20. Jan. 2022) ∗∗∗ --------------------------------------------- Aktuell sieht es so aus, als ob die SonicWall Gen7 Firewalls seit dem 20. Januar 2022 ein Problem verursachen. Es gibt Berichte, dass kein Zugriff mehr möglich ist oder die Gen7 Firewall in eine Neustart-Schleife fallen. Von SonicWall gibt es dazu bereits einen Supportbeitrag mit einem Workaround. --------------------------------------------- https://www.borncity.com/blog/2022/01/21/sonicwall-gen7-firewall-inaccessib… ∗∗∗ Over 90 WordPress themes, plugins backdoored in supply chain attack ∗∗∗ --------------------------------------------- A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plu… ∗∗∗ Doctor Web’s overview of virus activity on mobile devices in 2021 ∗∗∗ --------------------------------------------- In 2021, making illegal profit remained one of the top cybercriminals’ priorities. That’s why adware trojans, malware that downloaded and installed other software, and trojans capable of downloading and executing arbitrary code, were among the most common threats on Android. Banking trojans also posed a significant threat whilst their activity increased. Moreover, users often encountered various adware apps. --------------------------------------------- https://news.drweb.com/show/?i=14395&lng=en&c=9 ∗∗∗ Doctor Web’s annual virus activity review for 2021 ∗∗∗ --------------------------------------------- Among the most popular threats in 2021 were numerous malware. Among them were trojan droppers destined to distribute malicious malware, and trojan downloader modifications–they download and run executable files with various payloads on the victims computer. Besides that, cybercriminals were actively distributing backdoors. Among the email threats, the most popular were stealers and various backdoor modifications written in VB.NET. --------------------------------------------- https://news.drweb.com/show/?i=14393&lng=en&c=9 ∗∗∗ Spyware Blitzes Compromise, Cannibalize ICS Networks ∗∗∗ --------------------------------------------- The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud. --------------------------------------------- https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/… ∗∗∗ AccessPress Themes Hit With Targeted Supply Chain Attack ∗∗∗ --------------------------------------------- Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites. --------------------------------------------- https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply… ∗∗∗ A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations ∗∗∗ --------------------------------------------- Microsoft reported evidence of destructive malware targeting organizations in Ukraine starting from January 13 [1]. The LIFARS threat intelligence team have analyzed the malicious samples and provided a detailed analysis of the execution flow. The main objective of this technical brief is to reveal the sophisticated TTPs demonstrated by threat actors. --------------------------------------------- https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukr… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/287178 ∗∗∗ Plugin "Email Template Designer" reißt Sicherheitslücke in WordPress ∗∗∗ --------------------------------------------- Durch eine Schwachstelle im WordPress-Plugin "WordPress Email Template Designer - WP HTML Mail" könnten Angreifer dem Administrator Schadcode unterschieben. --------------------------------------------- https://heise.de/-6334308 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview). --------------------------------------------- https://lwn.net/Articles/882119/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0001.html ∗∗∗ Lexmark Laser Printers: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0087 ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Operational Decision Manager (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to a denial of service vulnerability in Apache log4j2 component (CVE-2021-45105 & CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Java Batch affects WebSphere Application Server Liberty (CVE-2021-20492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-bat… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: IBM Cognos Controller has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-has… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender and Modules have various vulnerabilities (CVE-2021-22924, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2022
by Daily end-of-shift report 20 Jan '22

20 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-01-2022 18:00 − Donnerstag 20-01-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Revamped Community-Based DDoS Defense Tool Improves Filtering ∗∗∗ --------------------------------------------- Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses. --------------------------------------------- https://www.darkreading.com/perimeter/revamped-community-based-ddos-defense… ∗∗∗ MoonBounce: the dark side of UEFI firmware ∗∗∗ --------------------------------------------- At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. --------------------------------------------- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ ∗∗∗ What Should You do if Your WordPress Site was Hacked? ∗∗∗ --------------------------------------------- This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers? --------------------------------------------- https://blog.sucuri.net/2022/01/what-should-you-do-if-your-wordpress-site-w… ∗∗∗ Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks ∗∗∗ --------------------------------------------- Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an " input validation vulnerability that could allow attackers to build a query given some input and [..] --------------------------------------------- https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html ∗∗∗ New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets ∗∗∗ --------------------------------------------- "BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researcher said in a technical report on Wednesday. --------------------------------------------- https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html ∗∗∗ RedLine Stealer Delivered Through FTP ∗∗∗ --------------------------------------------- Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that the payload is delivered through FTP! It’s pretty unusual because FTP is today less and less used for multiple reasons (lack of encryption by default, complex to filter with those passive/active modes). --------------------------------------------- https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-thr… ∗∗∗ Kritische Sicherheitslücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- In der aktualisierten Version von Google Chrome schließt das Unternehmen zahlreiche Schwachstellen. Mindestens eine davon stuft der Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-6332812 ∗∗∗ Knapp 7 Millionen Passwörter von Open Subtitles entwendet ∗∗∗ --------------------------------------------- Die Webseiten und das Forum von Open Subtitles wurden Opfer von Cyberkriminellen. Die konnten alle Zugangsdaten erbeuten. Nutzer müssen jetzt aktiv werden. --------------------------------------------- https://heise.de/-6332951 ∗∗∗ Zahlreiche Facebook-Seiten bewerben Fernseher um 1,95€ ∗∗∗ --------------------------------------------- Einen QLED-Fernseher um nur 1,95 Euro? Das versprechen derzeit zahlreiche Facebook-Seiten. Alles was Sie dafür machen müssen, ist an einer kurzen Umfrage teilnehmen. Anschließend sollen Sie noch die Kreditkartendaten eingeben, um 1,95 Euro zu bezahlen und schon wird ein hochwertiger Fernseher zu Ihnen nach Hause geliefert. Wie so oft gilt: Das Angebot ist zu gut, um wahr zu sein. Tatsächlich landen Ihre Kreditkartendaten in den Händen von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-facebook-seiten-bewerben-… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Cross site scripting Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. --------------------------------------------- https://www.drupal.org/sa-core-2022-002 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Cross Site Scripting Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7 --------------------------------------------- https://www.drupal.org/sa-core-2022-001 ∗∗∗ jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 ∗∗∗ --------------------------------------------- Project: jQuery UI Datepicker Security risk: Moderately critical Vulnerability: Cross Site Scripting Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-004 ∗∗∗ Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated attacker to execute code ∗∗∗ --------------------------------------------- CVE-2021-22282: RCE through Project Upload from Target All versions of Automation Studio 4 are affected. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16405293… ∗∗∗ Local file inclusion Schwachstelle in Land Software - FAUST iServer ∗∗∗ --------------------------------------------- Der von Land Software entwickelte Webserver namens FAUST iServer ist anfällig auf eine local file inclusion Schwachstelle. Ein Angreifer kann alle lokalen Dateien des zugrunde liegenden Betriebssystems im Kontext der aktuellen Festplatte lesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-file-inclusion-… ∗∗∗ Rechenfehler im Linux-Kernel erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Vor allem in Cloud-Systemen problematisch: An Linux-Systemen angemeldete Nutzer könnten aufgrund eines potenziellen Pufferüberlaufs ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-6333365 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, python-numpy) and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, qtsvg-opensource-src). --------------------------------------------- https://lwn.net/Articles/881956/ ∗∗∗ Canon: “Log4j” RCE [CVE-2021-44228], “Log4j” RCE [CVE-2021-45046] and “Log4j” DOS [CVE-2021-45105] vulnerabilities ∗∗∗ --------------------------------------------- We are currently in the process of investigating the impact of the ‘Log4j’ https://logging.apache.org/log4j/2.x/security.html vulnerability on Canon products. As information comes to light, we will update this article. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Canon: Cross-site scripting vulnerability for laser printers and multifunction devices for small offices ∗∗∗ --------------------------------------------- A cross-site scripting vulnerability has been identified in the Remote UI function of Canon laser printers and multifunction devices for small office – see the affected models below (vulnerability identification number: JVN # 64806328). --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-… ∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-… ∗∗∗ Security Bulletin: IBM® Security SOAR could be vulnerable to a downgrade attack because of missing Strict-Transport-Security headers for some endpoints (CVE-2021-29785). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-b… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: Apache log4j Vulnerability Affects IBM Sterling Global Mailbox (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel… ∗∗∗ Security Bulletin: IBM® Disconnected Log Collector is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll… ∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ Endress+Hauser: Multiple products affected by log4net vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-044/ ∗∗∗ ICONICS and Mitsubishi Electric HMI SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2022
by Daily end-of-shift report 19 Jan '22

19 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-01-2022 18:00 − Mittwoch 19-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th) ∗∗∗ --------------------------------------------- [..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18. --------------------------------------------- https://isc.sans.edu/diary/rss/28254 ∗∗∗ Project Zero: Zooming in on Zero-click Exploits ∗∗∗ --------------------------------------------- In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom. --------------------------------------------- https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-ex… ∗∗∗ Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays ∗∗∗ --------------------------------------------- Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically, --------------------------------------------- https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevors… ∗∗∗ Betrügerische Geldversprechen auf Instagram ∗∗∗ --------------------------------------------- Kriminelle richten sich mit ihren betrügerischen Anfragen insbesondere an junge Frauen und Männer. Sie versprechen ihnen hohe Geldbeträge für anzügliche Fotos oder spielen vor, an der Finanzierung des Lifestyles der betroffenen Personen interessiert zu sein. Wer solche Angebote bekommt, sollte unbedingt Abstand nehmen. Denn es handelt sich um einen Vorschussbetrug, bei dem vorab Zahlungen verlangt werden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-i… ∗∗∗ The Perfect Cyber Crime ∗∗∗ --------------------------------------------- [..] what if criminals were able to acquire large amounts of victims’ credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of “perfect crime” could be a new reality in cyber security. In this blog, we’ll explain how we were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums. --------------------------------------------- https://safebreach.com/blog/2022/the-perfect-cyber-crime/ ∗∗∗ CVE-2022-21661: Exposing Database Info via WordPress SQL Injection ∗∗∗ --------------------------------------------- In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it. --------------------------------------------- https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin WP Visitor Statistics 4.7 SQL Injection ∗∗∗ --------------------------------------------- The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks CVE: CVE-2021-24750 --------------------------------------------- https://cxsecurity.com/issue/WLB-2022010098 ∗∗∗ Oracle Critical Patch Update Advisory - January 2022 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 497 new security patches across the (Anm.: 165) product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2022.html ∗∗∗ The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975) ∗∗∗ --------------------------------------------- Acer ships most of the laptop it sells with a software suite called Care Center Service installed. In versions up to 4.00.3038 included, one of the suite’s programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in. --------------------------------------------- https://aptw.tf/2022/01/20/acer-care-center-privesc.html ∗∗∗ Sicherheitsupdate: Mediaplayer Nvidia Shield TV für Schadcode-Attacke anfällig ∗∗∗ --------------------------------------------- Die Entwickler haben mehrere Lücken in der Android-Version für Nvidia Shield TV geschlossen. Insgesamt gilt das Risiko als hoch. --------------------------------------------- https://heise.de/-6332144 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/881810/ ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Cisco Products CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ConfD CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61112120 ∗∗∗ K96924184: F5 HTTP profile vulnerability CVE-2022-23022 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K96924184 ∗∗∗ K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82793463 ∗∗∗ K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41503304 ∗∗∗ K53442005: BIG-IP VE vulnerability CVE-2022-23030 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53442005 ∗∗∗ K16101409: BIG-IP AFM vulnerability CVE-2022-23028 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16101409 ∗∗∗ K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28042514 ∗∗∗ K91013510: SSL Forward Proxy vulnerability CVE-2022-23016 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91013510 ∗∗∗ K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08476614 ∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17514331 ∗∗∗ K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93526903 ∗∗∗ K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30525503 ∗∗∗ K54892865: BIG-IP AFM vulnerability CVE-2022-23024 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54892865 ∗∗∗ K29500533: TMUI XSS vulnerability CVE-2022-23013 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29500533 ∗∗∗ K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50343028 ∗∗∗ K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68755210 ∗∗∗ K26310765: HTTP/2 profile vulnerability CVE-2022-23012 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26310765 ∗∗∗ K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34360320 ∗∗∗ K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30911244 ∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17514331 ∗∗∗ K41415626: Transparent DNS Cache can consume excessive resources ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41415626 ∗∗∗ K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44110411 ∗∗∗ K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08402414 ∗∗∗ K11742742: iControl REST vulnerability CVE-2022-23023 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11742742 ∗∗∗ K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30573026 ∗∗∗ K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24358905 ∗∗∗ Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller) ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2022
by Daily end-of-shift report 18 Jan '22

18 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 17-01-2022 18:00 − Dienstag 18-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft releases emergency fixes for Windows Server, VPN bugs ∗∗∗ --------------------------------------------- Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc… ∗∗∗ Telenot-Schließanlage: Schwacher Zufall sorgt für offene Türen ∗∗∗ --------------------------------------------- Ein Alarmanlagen- und Schließsystem erstellte Zufallszahlen mit einer dafür nicht geeigneten C-Funktion. --------------------------------------------- https://www.golem.de/news/telenot-schliessanlage-schwacher-zufall-sorgt-fue… ∗∗∗ Understanding Website SQL Injections ∗∗∗ --------------------------------------------- SQL injection is one of the most common types of web hacking techniques used today. As data breaches continue to happen to some of the most high-profile corporations and brands, it’s become more important for web users to adapt to these increased breaches with changes in behavior like system generated passwords and 2FA. In this post, we’ll be discussing SQL Injections in further detail, and why, as a website owner, you should care about this kind of attack. --------------------------------------------- https://blog.sucuri.net/2022/01/understanding-website-sql-injections.html ∗∗∗ Zoho Patches Critical Vulnerability in Endpoint Management Solutions ∗∗∗ --------------------------------------------- Zoho Corp on Monday said it has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine. --------------------------------------------- https://www.securityweek.com/zoho-patches-critical-vulnerability-endpoint-m… ∗∗∗ Kreditbetrug auf globalekredit-fin.com & darlehenexpert.com ∗∗∗ --------------------------------------------- Sie möchten einen Kredit aufnehmen und suchen im Internet nach günstigen Konditionen? Wir raten zur Vorsicht. In den Suchergebnissen lauern auch betrügerische Angebote wie globalekredit-fin.com oder darlehenexpert.com. Wer dort eine Anfrage stellt, läuft Gefahr viel Geld zu verlieren. Und: Kredite gibt es hier keine! --------------------------------------------- https://www.watchlist-internet.at/news/kreditbetrug-auf-globalekredit-finco… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2022-0002 ∗∗∗ --------------------------------------------- VMware Workstation and Horizon Client for Windows updates address a denial-of-service vulnerability (CVE-2022-22938) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-llnl), openSUSE (apache2, ghostscript, and watchman), Red Hat (kernel and telnet), SUSE (apache2, ghostscript, and kernel), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/881648/ ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-36160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-34798) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Host header injection vulnerability in Business Automation Studio in Cloud Pak for Automation (CVE-2021-29872) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-host-header-injection-vul… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-42013) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-33193) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-is… ∗∗∗ Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j CVE-2021-45046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities fixed in Cloud Pak for Automation components ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-40438) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2022
by Daily end-of-shift report 17 Jan '22

17 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-01-2022 18:00 − Montag 17-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge v97 ∗∗∗ --------------------------------------------- We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 97! We have reviewed the settings in Microsoft Edge version 97 and updated our guidance with the addition of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 97 package from the Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Log4Shell Attacks Getting "Smarter", (Mon, Jan 17th) ∗∗∗ --------------------------------------------- Ever since news of the Log4Shell vulnerability broke, we saw a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228). --------------------------------------------- https://isc.sans.edu/diary/rss/28246 ∗∗∗ New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking ∗∗∗ --------------------------------------------- A software bug introduced in Apple Safari 15s implementation of the IndexedDB API could be abused by a malicious website to track users online activity in the web browser and worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021. --------------------------------------------- https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.ht… ∗∗∗ Domain Persistence – Machine Account ∗∗∗ --------------------------------------------- Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence. This involves either the addition of an arbitrary machine account to a high privilege group such as the domain admins or the modification of the “userAccountControl” attribute [...] --------------------------------------------- https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/ ∗∗∗ "Smishing"-Masche: Weiter massenhaft Betrugs-SMS auf Handys ∗∗∗ --------------------------------------------- Wer eine SMS von unbekannt mit einem Link bekommt, sollte vorsichtig sein. Es könnte sich um eine Betrugs-SMS handeln. "Smishing" ist noch immer nicht vorbei. --------------------------------------------- https://heise.de/-6328158 ∗∗∗ Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide ∗∗∗ --------------------------------------------- The GoSecure Titan Labs team saw an opportunity to further explore the topic of hash capturing (which is a must in the arsenal of any offensive team). This blog will examine RDP security modes, how they work and how to put that into action to capture NetNTLMv2 hashes via the RDP protocol using PyRDP—a library created by GoSecure. --------------------------------------------- https://www.gosecure.net/blog/2022/01/17/capturing-rdp-netntlmv2-hashes-att… ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: Linux full-disk encryption bug fixed – patch now! ∗∗∗ --------------------------------------------- Imagine if someone who didnt have your password could sneakily modify data that was encrypted with it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/01/14/serious-security-linux-full-dis… ∗∗∗ Über drei Millionen PCs in Deutschland mit unsicherem Windows-System ∗∗∗ --------------------------------------------- Vor zwei Jahren stellte Microsoft den Support für Windows 7 ein. Trotzdem schaffen es viele Anwender nicht, sich von dem unsicheren System zu trennen. --------------------------------------------- https://heise.de/-6328189 ∗∗∗ Virenschutz: Microsoft Defender erleichtert Einnisten von Schädlingen ∗∗∗ --------------------------------------------- Eine kleine Schwachstelle bei Zugriffsrechten des Microsoft Defender unter Windows 10 ermöglicht Angreifern, Malware vor Scans zu verstecken. --------------------------------------------- https://heise.de/-6329300 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, ghostscript, libreswan, prosody, sphinxsearch, thunderbird, and uriparser), Fedora (cryptsetup, flatpak, kernel, mingw-uriparser, python-celery, python-kombu, and uriparser), Mageia (htmldoc, mbedtls, openexr, perl-CPAN, systemd, thunderbird, and vim), openSUSE (chromium and prosody), Red Hat (httpd, kernel, and samba), Scientific Linux (kernel), Slackware (expat), SUSE (ghostscript), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/881545/ ∗∗∗ Oracle to Release Nearly 500 New Security Patches ∗∗∗ --------------------------------------------- Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022. --------------------------------------------- https://www.securityweek.com/oracle-release-nearly-500-new-security-patches ∗∗∗ Microsoft Januar 2022 Patchday-Revisionen (14.1.2022) ∗∗∗ --------------------------------------------- Zum 11. Januar 2022 hat Microsoft eine Reihe Sicherheitsupdates für Windows und Office freigegeben, die Schwachstellen beseitigen sollen. Einige dieser Updates führten aber zu Problemen, so dass Funktionen in Windows gestört wurden. Am 14. Januar 2022 hat Microsoft eine Liste [...] --------------------------------------------- https://www.borncity.com/blog/2022/01/17/microsoft-januar-2022-patchday-rev… ∗∗∗ ZDI-22-081: TP-Link TL-WA1201 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-081/ ∗∗∗ ZDI-22-080: TP-Link Archer C90 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-080/ ∗∗∗ OpenBMCS 2.4 Secrets Disclosure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php ∗∗∗ OpenBMCS 2.4 Unauthenticated SSRF / RFI ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php ∗∗∗ OpenBMCS 2.4 Create Admin / Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-041/ ∗∗∗ GNU libc: Mehrere Schwachstellen ermöglichen Codeausführung und Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0054 ∗∗∗ Stored Cross-Site Scripting Schwachstelle in Typo3 Extension "femanager" ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2022
by Daily end-of-shift report 14 Jan '22

14 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-01-2022 18:00 − Freitag 14-01-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Defender weakness lets hackers bypass malware detection ∗∗∗ --------------------------------------------- Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-… ∗∗∗ Nach Log4J: Google will zusammen mit Regierungen Open Source absichern ∗∗∗ --------------------------------------------- Seit langem sucht Google nach Wegen, Open-Source-Software besser abzusichern. Nach der Log4J-Lücke kommen nun auch Regierungen ins Spiel. --------------------------------------------- https://www.golem.de/news/nach-log4j-google-will-zusammen-mit-regierungen-o… ∗∗∗ Microsoft Yanks Buggy Windows Server Updates ∗∗∗ --------------------------------------------- Since their release on Patch Tuesday, the updates have been breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable. --------------------------------------------- https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/ ∗∗∗ A closer look at Flubot’s DoH tunneling ∗∗∗ --------------------------------------------- [...] The following blog post will take a closer look at Flubot version 4.9, and in particular its Command and Control (C&C) communication, based on the data F-Secure gathered during that campaign. --------------------------------------------- https://blog.f-secure.com/flubot_doh_tunneling/ ∗∗∗ Verwundbare Exchange-Server der öffentlichen Verwaltung ∗∗∗ --------------------------------------------- 20 Exchange-Server in öffentlicher Hand waren für eine Sicherheitslücke anfällig. Kriminelle hätten die Kontrolle übernehmen können. --------------------------------------------- https://heise.de/-6320504 ∗∗∗ Citrix liefert Sicherheitsupdates für Workspace App und Hypervisor ∗∗∗ --------------------------------------------- Sicherheitslücken in der Citrix Workspace App for Linux und im Hypervisor ermöglichten Angreifern die Rechteausweitung oder DoS-Attacken auf den Host. --------------------------------------------- https://heise.de/-6327171 ∗∗∗ Aus für iOS 14? Verwirrung über fehlende Sicherheits-Updates ∗∗∗ --------------------------------------------- Neben iOS 15 stellte Apple erstmals Updates für die Vorjahresversion des Betriebssystems in Aussicht. Es fehlen aber wichtige Patches für iOS 14. --------------------------------------------- https://heise.de/-6327709 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Unified Contact Manager ∗∗∗ --------------------------------------------- Admins von Cisco-Hard- und -Software sind gefragt, ihre Systeme abzusichern. --------------------------------------------- https://heise.de/-6327050 ∗∗∗ Schadcode-Schlupflöcher in Qnap NAS geschlossen ∗∗∗ --------------------------------------------- Die Qnap-Entwickler haben ihr NAS-Betriebssystem und zwei Apps gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6327201 ∗∗∗ Juniper Networks stopft zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- In Geräten und Diensten von Juniper hätten Angreifer Schwachstellen etwa für DoS-Angriffe, die Ausweitung von Rechten oder Schlimmeres missbrauchen können. --------------------------------------------- https://heise.de/-6327645 ∗∗∗ Signierte Kernel‑Treiber – unbewachte Zugänge zum Windows‑Kern ∗∗∗ --------------------------------------------- ESET Forscher untersuchen Schwachstellen in signierten Windows-Treibern, die trotz Gegenmaßnahmen immer noch ein Sicherheitsproblem darstellen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/01/13/signierte-kernel-treiber-… ∗∗∗ Telefon-Betrug: Drücken Sie nicht die Taste 1! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit betrügerische Anrufe: Dabei werden willkürlich Personen angerufen und mit einer Bandansage darauf hingewiesen, dass es einen Haftbefehl gegen sie gäbe. Um mehr zu erfahren, solle die Taste 1 gedrückt werden. Machen Sie das auf keinen Fall! Die BetrügerInnen wollen Sie damit in eine Kostenfalle locken. --------------------------------------------- https://www.watchlist-internet.at/news/telefon-betrug-druecken-sie-nicht-di… ∗∗∗ Schwachstellen in AWS Glue und AWS Cloud Formation entdeckt ∗∗∗ --------------------------------------------- Das Orca Security Research Team hat Sicherheitslücken im Amazon Web Services AWS Glue-Service sowie zur Zero-Day-Schwachstelle BreakingFormation erkannt. Beide Unternehmen konnten binnen weniger Tagen die Fehler beheben. --------------------------------------------- https://www.zdnet.de/88398803/schwachstellen-in-aws-glue-und-aws-cloud-form… ∗∗∗ Detection Rules for Sysjoker (and How to Make Them With Osquery) ∗∗∗ --------------------------------------------- On January 11, 2022, we released a blog post on a new malware called SysJoker. SysJoker is a malware targeting Windows, macOS, and Linux. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. As a consequence to this, we decided to release a followup [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/detection-rules-sysjoker-osquer… ∗∗∗ Adobe Acrobat (Reader) DC 21.011.20039, Installationsfehler und offene Bugs ∗∗∗ --------------------------------------------- Kurzer Sammelbeitrag zum Acrobat Gelump, was Adobe auf die Rechner der Nutzer kippt. Zum 11. Januar 2022 gab es ein Sicherheitsupdate für den Adobe Acrobat (Reader) DC auf die Version 21.011.20039. Weiterhin haben mich die letzten Tage einige Nutzer auf eine Latte an offenen Bugs hingewiesen, die ich hier mal einfach einstellen will. Soll ja niemand behaupten, ich ließe die "Qualitätsupdates" von Adobe zum Acrobat unerwähnt. --------------------------------------------- https://www.borncity.com/blog/2022/01/14/adobe-acrobat-reader-dc-21-011-200… ===================== = Vulnerabilities = ===================== ∗∗∗ Positive Technologies Uncovers Vulnerability in IDEMIA Biometric Identification Devices That Can Unlock Doors and Turnstiles ∗∗∗ --------------------------------------------- Positive Technologies researchers, Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnsites. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (cockpit, python-cvxopt, and vim), openSUSE (libmspack), Oracle (webkitgtk4), Scientific Linux (firefox and thunderbird), SUSE (kernel and libmspack), and Ubuntu (firefox and pillow). --------------------------------------------- https://lwn.net/Articles/881407/ ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Lack of Administrator Control Over Security vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Initialization vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block, --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-07 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update B) ∗∗∗ --------------------------------------------- [...] 4.1 AFFECTED PRODUCTS [...] Begin Update B Part 1 of 1 - L 02/06/26 CPU (-P), L 26 CPU - (P) BT, serial number 23121 and earlier End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-20-303-01 ∗∗∗ Trane Symbio (Update B) ∗∗∗ --------------------------------------------- [...] 3. RISK EVALUATION Begin Update B Part 1 of 1 Successful exploitation of this vulnerability could allow a user to execute arbitrary code on the controller. End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-21-266-01 ∗∗∗ Ivanti Updates Log4j Advisory with Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Ivanti security advisories pages for Avalanche; File Director; and MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector and apply the necessary updates and workarounds. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-lo… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0050 ∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0052 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2022
by Daily end-of-shift report 13 Jan '22

13 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-01-2022 18:00 − Donnerstag 13-01-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ 19-jähriger Hacker kann Teslas in 13 Ländern fernsteuern ∗∗∗ --------------------------------------------- Der junge IT-Sicherheitsexperte kann die Autos lokalisieren, Türen öffnen und das Entertainment-System fernsteuern. [..] In einem Twitter-Beitrag, den er am Montag veröffentlichte, erklärte er auch, dass es sich bei dem Fehler nicht um eine Schwachstelle in der Infrastruktur von Tesla handelt. Es sei der Fehler der Besitzer*innen. Weiters schreibt Colombo, dass er das Problem an das Sicherheitsteam von Tesla gemeldet hat, das die Angelegenheit untersucht. --------------------------------------------- https://futurezone.at/digital-life/19-jaehriger-hacker-25-teslas-in-13-laen… ∗∗∗ Adobe Cloud Abused to Steal Office 365, Gmail Credentials ∗∗∗ --------------------------------------------- Threat actors are creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate to target Office 365 and Gmail users, researchers from Avanan discovered. --------------------------------------------- https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/17762… ∗∗∗ Decrypting Qakbot’s Encrypted Registry Keys ∗∗∗ --------------------------------------------- One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave’s DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created. We duly jumped into this task, and, as it was a bit of fun, decided to blog about it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-… ∗∗∗ Viele Lücken im Software-System Jenkins entdeckt – und noch nicht geschlossen ∗∗∗ --------------------------------------------- Entwickler sollten ihre Jenkins-Umgebung aus Sicherheitsgründen auf den aktuellen Stand bringen. Viele Updates sind jedoch noch nicht verfügbar. --------------------------------------------- https://heise.de/-6326362 ∗∗∗ 84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability ∗∗∗ --------------------------------------------- We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021. We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins.. --------------------------------------------- https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-th… ∗∗∗ Free Micropatches for "RemotePotato0", a "WONT FIX" Local Privilege Escalation Affecting all Windows Systems ∗∗∗ --------------------------------------------- [..] a local privilege escalation vulnerability they had found in Windows and reported to Microsoft, who decided not to fix because "Servers must defend themselves against NTLM relay attacks." As far as real world goes, many servers do not, in fact, defend themselves against NTLM relay attacks. Since the vulnerability is present on all supported Windows versions as of today (as well as all unsupported versions which we had security-adopted), we decided to fix it ourselves. --------------------------------------------- https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html ∗∗∗ Code-Signatur-Prozesse sichern ∗∗∗ --------------------------------------------- DevOps steht unter Druck, wie unter anderem bei der Attacke auf SolarWinds offenkundig wurde. Fünf Wege zur Absicherung von Code-Signatur-Prozessen schildert Tony Hadfield, Director Solutions Architect bei Venafi, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88398761/code-signatur-prozesse-sichern/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master" ∗∗∗ --------------------------------------------- * Cross-site request forgery (CWE-352) - CVE-2022-0180 * Reflected cross-site scripting (CWE-79) - CVE-2022-0181 * Stored cross-site scripting (CWE-79) - CVE-2022-0182 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN72788165/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat 34 Security Advisories veröffentlicht. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Klartextspeicherung des Kennwortes in Cisco IP Telefonen ∗∗∗ --------------------------------------------- Mehrere Cisco IP Telefone speichern das konfigurierte Verwalterkennwort als Klartext im unverschlüsselten Flash Speicher. Somit ist die Extrahierung des Kennworts bei physischem Zugriff auf ein Telefon problemlos möglich. Wird dieses Kennwort nun bei mehreren Telefonen verwendet, bekommt ein Angreifer Zugriff auf die administrativen Einstellungen aller Geräte im Netzwerk. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/klartextspeicherung-d… ∗∗∗ Apache Log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- Product / System line - Potentially affected products and versions * B&R Products - See further details in specific advisory * ABB Remote Service - ABB Remote Access Platform (RAP) --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ iOS 15.2.1 und iPadOS 15.2.1: Wartungsupdates für iPhone und iPad ∗∗∗ --------------------------------------------- Apple hat eine Bugfix- und Sicherheitsaktualisierung für seine Handys und Tablets. Neben einigen Fehler wird auch ein Sicherheitsproblem behoben. --------------------------------------------- https://heise.de/-6325566 ∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht Computer mit HP-UX ∗∗∗ --------------------------------------------- HPE-Entwickler haben eine kritische Schwachstelle im Unix-Betriebssystem HP-UX geschlossen. --------------------------------------------- https://heise.de/-6326104 ∗∗∗ IBM sichert sein Server- und Workstation-System AIX ab ∗∗∗ --------------------------------------------- Angreifer könnten AIX-Systeme von IBM attackieren und Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6326080 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd). --------------------------------------------- https://lwn.net/Articles/881303/ ∗∗∗ Cisco Patches Critical Vulnerability in Contact Center Products ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited remotely to elevate privileges to administrator. --------------------------------------------- https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-c… ∗∗∗ Citrix Hypervisor Security Update - CTX335432 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor, that may each allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues have the following identifiers: CVE-2021-28704, CVE-2021-28705, CVE-2021-28714, CVE-2021-28715 All of these issues affect all currently supported versions of Citrix Hypervisor. Citrix has released hotfixes to address these issues --------------------------------------------- https://support.citrix.com/article/CTX335432 ∗∗∗ CVE-2022-0015 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: HIGH) ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges. This issue impacts: * Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; * Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0015 ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Archive Enterprise Edition (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Archive Enterprise Edition (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: IBM Db2 Big SQL for Hortonworks Data Platform, for Cloudera Data Platform Private Cloud, and IBM Db2 Big SQL on Cloud Pak for Data are affected by critical vulnerability in Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-for-horto… ∗∗∗ Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-ibm-i-extended-dynami… ∗∗∗ January 12, 2022 TNS-2022-03 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-03 ∗∗∗ CVE-2022-0014 Cortex XDR Agent: Unintended Program Execution When Using Live Terminal Session (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0014 ∗∗∗ CVE-2022-0013 Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0013 ∗∗∗ CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2022
by Daily end-of-shift report 12 Jan '22

12 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗ --------------------------------------------- TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… ∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗ --------------------------------------------- Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-upd… ∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗ --------------------------------------------- Here, we analyze the macOS versions of a cross-platform backdoor. --------------------------------------------- https://objective-see.com/blog/blog_0x6C.html ∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗ --------------------------------------------- Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. --------------------------------------------- https://isc.sans.edu/diary/rss/28234 ∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗ --------------------------------------------- This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-… ∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗ --------------------------------------------- Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-te… ∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗ --------------------------------------------- With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours. --------------------------------------------- https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-em… ∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗ --------------------------------------------- ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation. --------------------------------------------- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-g… ∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗ --------------------------------------------- Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten. --------------------------------------------- https://certitude.consulting/blog/de/ransomware-leak-de/ ∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗ --------------------------------------------- Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-o… ∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗ --------------------------------------------- Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten. --------------------------------------------- https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherh… ∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗ --------------------------------------------- The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/30645/ ∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗ --------------------------------------------- Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information. --------------------------------------------- http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spr… ===================== = Vulnerabilities = ===================== ∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗ --------------------------------------------- Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_mu… ∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗ --------------------------------------------- 1 Critical, 8 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM published 14 Security Bulletins --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-6323634 ∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗ --------------------------------------------- Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6323723 ∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗ --------------------------------------------- Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio. --------------------------------------------- https://heise.de/-6323843 ∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗ --------------------------------------------- Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind. --------------------------------------------- https://heise.de/-6323936 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml). --------------------------------------------- https://lwn.net/Articles/881144/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗ --------------------------------------------- The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗ --------------------------------------------- When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/ ∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-… ∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0037 ∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-57 ∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-59 ∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-60 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2022
by Daily end-of-shift report 11 Jan '22

11 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 10-01-2022 18:00 − Dienstag 11-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ l+f: Malware-Entwickler kuscheln etwas zu eng mit ihrem Trojaner ∗∗∗ --------------------------------------------- Sicherheitsforscher bekommen unerwartet Hilfe. [...] Einem Bericht von Malwarebytes zufolge gehen alle gesammelten Informationen auf ein Missgeschick der Hintermänner der Kampagne zurück: Die Malware-Entwickler haben ihre Entwicklungsumgebung mit dem eigenen Trojaner infiziert. --------------------------------------------- https://heise.de/-6323191 ∗∗∗ macOS-Lücke: Spionieren über Teams und andere Apps ∗∗∗ --------------------------------------------- Microsoft hat Details zu einem Bug publiziert, mit dem es möglich war, den Systemschutz TCC zu umgehen, der eigentlich Mac-Nutzer vor Datenabgriff bewahrt. --------------------------------------------- https://heise.de/-6322269 ∗∗∗ Facebook-Währung „Diem“ nicht bei thediemtoken.com kaufen ∗∗∗ --------------------------------------------- Diem – eine Kryptowährung, die ursprünglich Libra hieß, wird vermutlich bald verfügbar sein. Kriminelle bieten Diem aber schon jetzt auf ihren betrügerischen Trading-Plattformen wie „thediemtoken.com“ an. Auf Facebook, Instagram und Co werden diese dann beworben, um möglichst viele AnlegerInnen in die Falle zu locken. Vorsicht: Wer dort investiert, verliert sein Geld! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-the… ∗∗∗ Linux version of AvosLocker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-… ∗∗∗ Night Sky ransomware uses Log4j bug to hack VMware Horizon servers ∗∗∗ --------------------------------------------- The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-lo… ∗∗∗ Millions of Routers Exposed to RCE by USB Kernel Bug ∗∗∗ --------------------------------------------- The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al. --------------------------------------------- https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netus… ∗∗∗ Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters ∗∗∗ --------------------------------------------- TL;DR This research led to: * Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client’s host. * An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743). * Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracket paste mode mechanism inside the terminals. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-tit… ∗∗∗ Domain Escalation – sAMAccountName Spoofing ∗∗∗ --------------------------------------------- Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time which creates a time period which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following: * A domain controller which is missing the KB5008380 and KB5008602 security patches * A valid domain user account * The machine account quota to be above 0 --------------------------------------------- https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofin… ∗∗∗ What Is FIM (File Integrity Monitoring)? ∗∗∗ --------------------------------------------- Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization’s regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/securit… ∗∗∗ SFile (Escal) ransomware ported for Linux attacks ∗∗∗ --------------------------------------------- The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems. --------------------------------------------- https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/ ∗∗∗ New SysJoker Backdoor Targets Windows, Linux, and macOS ∗∗∗ --------------------------------------------- Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical SonicWall NAC Vulnerability Stems from Apache Mods ∗∗∗ --------------------------------------------- Researchers offer more detail on the bug, which can allow attackers to completely take over targets. --------------------------------------------- https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/ ∗∗∗ Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data ∗∗∗ --------------------------------------------- Microsoft today disclosed a vulnerability in Apples macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdi… ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens hat am 2022-01-11 5 neue und 7 aktualiserte Advisories veröffentlicht. (CVSS Scores von 3.4 bis 9.9) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffent… ∗∗∗ PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack ∗∗∗ --------------------------------------------- The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-059/ ∗∗∗ HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions. --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018… ∗∗∗ SAP Security Patch Day - January 2022 ∗∗∗ --------------------------------------------- On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. So, please refer the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 ∗∗∗ Citrix Workspace App for Linux Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux. --------------------------------------------- https://support.citrix.com/article/CTX338435 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update on IBM’s response: IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...] --------------------------------------------- https://lwn.net/Articles/881005/ ∗∗∗ Synology-SA-22:01 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_01 ∗∗∗ Johnson Controls VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-know… ∗∗∗ January 10th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2022
by Daily end-of-shift report 10 Jan '22

10 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗ --------------------------------------------- Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien. --------------------------------------------- https://heise.de/-6321079 ∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗ --------------------------------------------- The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e… ∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗ --------------------------------------------- Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m… ∗∗∗ Wheres the Interpreter!? ∗∗∗ --------------------------------------------- CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why! --------------------------------------------- https://objective-see.com/blog/blog_0x6A.html ∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗ --------------------------------------------- TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T". --------------------------------------------- https://isc.sans.edu/diary/rss/28194 ∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗ --------------------------------------------- There is also a video of this analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28200 ∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗ --------------------------------------------- Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. --------------------------------------------- https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h… ∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗ --------------------------------------------- The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s… ∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗ --------------------------------------------- tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. --------------------------------------------- https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names… ∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗ --------------------------------------------- The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools. --------------------------------------------- https://www.securityweek.com/us-government-issues-warning-over-commercial-s… ∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗ --------------------------------------------- Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks. --------------------------------------------- https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c… ∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗ --------------------------------------------- When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. --------------------------------------------- https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗ --------------------------------------------- Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. --------------------------------------------- https://kb.cert.org/vuls/id/142629 ∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗ --------------------------------------------- A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...] --------------------------------------------- https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html ∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates. --------------------------------------------- https://heise.de/-6321485 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/880807/ ∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗ --------------------------------------------- Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates. --------------------------------------------- https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...] --------------------------------------------- http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2022
by Daily end-of-shift report 07 Jan '22

07 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗ --------------------------------------------- A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu… ∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗ --------------------------------------------- Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans… ∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗ --------------------------------------------- A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples… ∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗ --------------------------------------------- This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. --------------------------------------------- https://isc.sans.edu/diary/rss/28224 ∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗ --------------------------------------------- When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. --------------------------------------------- https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html ∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗ --------------------------------------------- Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt. --------------------------------------------- https://heise.de/-6319430 ∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗ --------------------------------------------- Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht. --------------------------------------------- https://heise.de/-6320248 ∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗ --------------------------------------------- LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter. --------------------------------------------- https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗ --------------------------------------------- QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar… ∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗ --------------------------------------------- UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit… ∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗ --------------------------------------------- Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. --------------------------------------------- https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 36 Security Bulletins veröffentlicht --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗ --------------------------------------------- In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6320363 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...] --------------------------------------------- https://lwn.net/Articles/880564/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/880672/ ∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-01 ∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-02 ∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0006 ∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0014 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01 ∗∗∗ Fernhill SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03 ∗∗∗ Philips Engage Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2022
by Daily end-of-shift report 05 Jan '22

05 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗ --------------------------------------------- Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-… ∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗ --------------------------------------------- Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? --------------------------------------------- https://isc.sans.edu/diary/rss/28216 ∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗ --------------------------------------------- An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information. --------------------------------------------- https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html ∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗ --------------------------------------------- Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money. --------------------------------------------- https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati… ∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗ --------------------------------------------- Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio… ∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗ --------------------------------------------- Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗ --------------------------------------------- IBM hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗ --------------------------------------------- VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch. --------------------------------------------- https://heise.de/-6318269 ∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗ --------------------------------------------- IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten. --------------------------------------------- https://heise.de/-6318740 ∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗ --------------------------------------------- Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können. --------------------------------------------- https://heise.de/-6318885 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/880454/ ∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗ --------------------------------------------- Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS. --------------------------------------------- https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20… ∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10396196 ∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2022
by Daily end-of-shift report 04 Jan '22

04 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗ --------------------------------------------- I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). --------------------------------------------- https://isc.sans.edu/diary/rss/28212 ∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗ --------------------------------------------- The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way. --------------------------------------------- https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle… ∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden. --------------------------------------------- https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm… ∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗ --------------------------------------------- A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites. --------------------------------------------- https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/ ∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗ --------------------------------------------- Organizations mights not realize their environments are already compromised. --------------------------------------------- https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble… ∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗ --------------------------------------------- A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs. --------------------------------------------- https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/880327/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ VMSA-2022-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0001.html ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2022
by Daily end-of-shift report 03 Jan '22

03 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗ --------------------------------------------- Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro… ∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗ --------------------------------------------- Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year. --------------------------------------------- https://isc.sans.edu/diary/rss/28202 ∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗ --------------------------------------------- I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. --------------------------------------------- https://isc.sans.edu/diary/rss/28208 ∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗ --------------------------------------------- Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. --------------------------------------------- https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html ∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗ --------------------------------------------- Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten. --------------------------------------------- https://heise.de/-6316020 ∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗ --------------------------------------------- Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe. --------------------------------------------- https://heise.de/-6315605 ∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗ --------------------------------------------- Or, “Can large language models generate exploits?” --------------------------------------------- https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang… ∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗ --------------------------------------------- We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous. --------------------------------------------- https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep… ∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗ --------------------------------------------- Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde. --------------------------------------------- https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01 ∗∗∗ Log4j Scanners ∗∗∗ --------------------------------------------- There are 19 tools, and each has certain stipulations with it. I would suggest take a look. --------------------------------------------- https://securitythreatnews.com/2022/01/03/log4j-scanners/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben. --------------------------------------------- https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un… ∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗ --------------------------------------------- Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat. --------------------------------------------- https://heise.de/-6315714 ∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗ --------------------------------------------- Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6316037 ∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen. --------------------------------------------- https://heise.de/-6316263 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/880100/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana). --------------------------------------------- https://lwn.net/Articles/880232/ ∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy… ∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily