- Daily - CERT.at

Tageszusammenfassung - 17.08.2023
by Daily end-of-shift report 17 Aug '23

17 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-08-2023 18:00 − Donnerstag 17-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Triple Extortion Ransomware and the Cybercrime Supply Chain ∗∗∗ --------------------------------------------- Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue. This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-… ∗∗∗ New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode ∗∗∗ --------------------------------------------- The method "tricks the victim into thinking their devices Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," [..] --------------------------------------------- https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html ∗∗∗ CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan ∗∗∗ --------------------------------------------- This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remot… ∗∗∗ Angreifer attackieren Citrix ShareFile ∗∗∗ --------------------------------------------- Die US-Behörde [CISA] hat die "kritische" Sicherheitslücke (CVE-2023-24489) in ihren Katalog bekannter ausgenutzter Sicherheitslücken eingetragen. In welchem Umfang die Attacken ablaufen, ist derzeit nicht bekannt. [..] Die Lücke ist seit Juni 2023 bekannt. Seitdem gibt es auch die gepatchte Version 5.11.24. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Citrix-ShareF… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023) ∗∗∗ --------------------------------------------- Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Patch Status : - Unpatched 25 - Patched 61 --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Phishing-Kampagne zielt auf Zimbra-Nutzer ab ∗∗∗ --------------------------------------------- Die Kampagne ist seit mindestens April 2023 aktiv und dauert laut Security-Forschern von ESET an. --------------------------------------------- https://www.zdnet.de/88411237/phishing-kampagne-zielt-auf-zimbra-nutzer-ab/ ===================== = Vulnerabilities = ===================== ∗∗∗ PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673) ∗∗∗ --------------------------------------------- LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network setting in the Split Tunnel tab on the firewall configuration. ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in Network > GlobalProtect > Gateways from the web interface. --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2023-0004 ∗∗∗ ClamAV 1.1.1, 1.0.2, 0.103.9 patch versions published ∗∗∗ --------------------------------------------- - CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser. - CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0. ClamAV 0.105 and 0.104 have reached end-of-life according to the ClamAV’s End of Life (EOL) policy and will not be patched. --------------------------------------------- https://blog.clamav.net/2023/07/2023-08-16-releases.html ∗∗∗ Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process ∗∗∗ --------------------------------------------- By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. The vulnerability applies to a "Per User" installation as opposed to a "Shared User". There is an update that has been made available. --------------------------------------------- https://kb.cert.org/vuls/id/287122 ∗∗∗ TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha) ∗∗∗ --------------------------------------------- The extension fails to check the requirement of the captcha field in submitted form data allowing a remote user to bypass the captcha check. [..] An updated version 2.1.2 is available --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-007 ∗∗∗ Varnish Enterprise/Cache: Base64 decoding vulnerability in vmod-digest ∗∗∗ --------------------------------------------- The potential outcome of the vulnerability can be both authentication bypass and information disclosure, however the exact attack surface will depend on the particular VCL configuration in use. [..] Affected software versions: - vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4. - vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17. - vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17. --------------------------------------------- https://docs.varnish-software.com/security/VSV00012/ ∗∗∗ IP-Telefonie: Schwachstellen in der Provisionierung von Zoom und Audiocodes ∗∗∗ --------------------------------------------- Der Security-Experte Moritz Abrell von SySS hat Schwachstellen bei der IP-Telefonie mithilfe des Zoom Zero Touch Provisioning-Prozesses in Kombination mit Audiocodes 400HD Telefonen entdeckt. [..] Angreifer könnten gemäß den Darstellungen Gesprächsinhalte mithören, ein Botnetz aus infizierten Geräten bilden oder auf Basis der Kompromittierung der Endgeräte die Netzwerke attackieren, in denen diese betrieben werden. --------------------------------------------- https://www.heise.de/news/IP-Telefonie-Schwachstellen-in-der-Provisionierun… ∗∗∗ Synology-SA-23:11 Synology Camera ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. Solution: Upgrade to 1.0.5-0185 or above. Workaround: Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation. --------------------------------------------- https://www.synology.com/en-global/security/advisory/Synology_SA_23_11 ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-229-01 ICONICS and Mitsubishi Electric Products: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 - ICSA-23-229-03 Schnieder Electric PowerLogic ION7400 PM8000 ION9000 Power Meters: CVE-2022-46680 - ICSA-23-229-04 Walchem Intuition 9: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/cisa-releases-three-indu… ∗∗∗ Privilege Escalation in IBM Spectrum Virtualize ∗∗∗ --------------------------------------------- Im Rahmen einer oberflächlichen Sicherheitsprüfung stellte Certitude zwei Schwachstellen in der Firmware der IBM Spectrum Virtualize Storage-Lösung fest. Eine der Schwachstellen erlaubt es einem Benutzer der Administrationsschnittstelle, der nur über eingeschränkte Berechtigungen verfügt, beliebigen Code auszuführen. --------------------------------------------- https://certitude.consulting/blog/de/privilege-escalation-in-ibm-spectrum-v… ∗∗∗ Atlassian Releases Security Update for Confluence Server and Data Center ∗∗∗ --------------------------------------------- Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition.CISA encourages users and administrators to review Atlassian’s August 2003 Security Bulletin and apply the necessary update. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/atlassian-releases-secur… ∗∗∗ Cisco Integrated Management Controller Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Private Virtual Appliance Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Virtual Appliance Unauthenticated Port Forwarding Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV AutoIt Module Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005499 ∗∗∗ IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027854 ∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027853 ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027855 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000021 ∗∗∗ IBM Security Guardium is affected by multiple Oracle\u00ae MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981105 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981101 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380954 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380968 ∗∗∗ Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6381220 ∗∗∗ Vulnerability in IBM JDK (CVE-2022-40609 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027898 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027921 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027919 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2023
by Daily end-of-shift report 16 Aug '23

16 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 14-08-2023 18:00 − Mittwoch 16-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt 2FA aktivieren: Hackerangriffe auf Linkedin-Konten nehmen massiv zu ∗∗∗ --------------------------------------------- Cyberkriminelle haben es zuletzt vermehrt auf Linkedin-Konten abgesehen. Bei Google getätigte Suchanfragen bestätigen diesen Trend. --------------------------------------------- https://www.golem.de/news/jetzt-2fa-aktivieren-hackerangriffe-auf-linkedin-… ∗∗∗ Vielfältige Attacken auf Ivanti Enterprise Mobility Management möglich (CVE-2023-32560) ∗∗∗ --------------------------------------------- Die Forscher geben an, die Schwachstelle im April 2023 gemeldet zu haben. Die gegen die Attacke abgesicherte EMM-Version 6.4.1 ist Anfang August erschienen. Mitte August haben die Sicherheitsforscher ihren Bericht veröffentlicht. --------------------------------------------- https://www.heise.de/news/Vielfaeltige-Attacken-auf-Ivanti-Enterprise-Mobil… ∗∗∗ IT-Schutz für Kommunen: 18 Checklisten für den Schnelleinstieg ∗∗∗ --------------------------------------------- Kommunen sind zunehmend Ziele von Cyber-Angriffen. Für angemessenen Schutz mangelt es oft an Wissen und Personal. 18 WiBA-Checklisten des BSI sollen das ändern. --------------------------------------------- https://heise.de/-9246027 ∗∗∗ TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519 ∗∗∗ --------------------------------------------- Use this Checklist to identify if your infrastructure already shows indications of a successful compromise --------------------------------------------- https://www.circl.lu/pub/tr-75/ ∗∗∗ Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) ∗∗∗ --------------------------------------------- Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances. --------------------------------------------- https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner ∗∗∗ l+f: Trojaner unterscheiden nicht zwischen Gut und Böse ∗∗∗ --------------------------------------------- D’oh! Sicherheitsforscher sind auf rund 120.000 mit Malware infizierte PCs gestoßen – von Cybergangstern. --------------------------------------------- https://heise.de/-9244810 ∗∗∗ Instagram-Nachricht: Gefälschte Beschwerde über Produktqualität führt zu Schadsoftware ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram. Darin beschwert sich eine Kundin, dass Ihre Produktqualität schlecht ist und das Produkt bereits nach 2 Tagen kaputt war. Ein Bild wird mitgeschickt. Laden Sie das Dokument mit der Endung .rar nicht herunter, es handelt sich um Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-gefaelschte-besc… ∗∗∗ An Apple malware-flagging tool is “trivially” easy to bypass ∗∗∗ --------------------------------------------- Background Task Manager can potentially miss malicious software on your machine. --------------------------------------------- https://arstechnica.com/?p=1960742 ∗∗∗ Ongoing scam tricks kids playing Roblox and Fortnite ∗∗∗ --------------------------------------------- The scams are often disguised as promotions, and they can all be linked to one network. --------------------------------------------- https://arstechnica.com/?p=1961085 ∗∗∗ Raccoon Stealer malware returns with new stealthier version ∗∗∗ --------------------------------------------- The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-retu… ∗∗∗ Massive 400,000 proxy botnet built with stealthy malware infections ∗∗∗ --------------------------------------------- A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet… ∗∗∗ QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victims Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attackers Telegram bot, providing them with unauthorized access to the victims sensitive information," [...] --------------------------------------------- https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html ∗∗∗ Cookie Crumbles: Breaking and Fixing Web Session Integrity ∗∗∗ --------------------------------------------- In this paper, we question the effectiveness of existing protections and study the real-world security implications of cookie integrity issues. In particular, we focus on network and same-site attackers, a class of attackers increasingly becoming a significant threat to Web application security. --------------------------------------------- https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf ∗∗∗ Chrome 116 Patches 26 Vulnerabilities ∗∗∗ --------------------------------------------- Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser. --------------------------------------------- https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/ ∗∗∗ Monti ransomware targets legal and gov’t entities with new Linux-based variant ∗∗∗ --------------------------------------------- The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research. Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business. --------------------------------------------- https://therecord.media/monti-ransomware-targets-govt-entities ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-expl… ∗∗∗ PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks ∗∗∗ --------------------------------------------- Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallerys policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registrys vast user base. --------------------------------------------- https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expos… ∗∗∗ Verwundbare Webserver: Status in Österreich ∗∗∗ --------------------------------------------- Nachdem wir in den letzten Wochen von Schwachstellen in Systemen von Citrix, Ivanti und Fortinet berichtet haben, wollte ich wissen, wie weit Österreich beim Patchen ist. Wir bekommen von ShadowServer täglich Reports mit den Ergebnissen ihrer Scans über das ganze Internet. Im „Vulnerable HTTP Report“ geht es unter anderem um Schwachstellen, die in Web-Applikationen gefunden wurden. Auf Hersteller bezogen kann man aus den Daten für Österreich folgende folgende Entwicklung ablesen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterre… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory | NetModule Router Software Race Condition Leads to Remote Code Execution ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 8.4 Affected Vendor & Products: NetModule NB1601, NB1800, NB1810, NB2800, NB2810, NB3701, NB3800, NB800, NG800 Vulnerable version: < 4.6.0.105, < 4.7.0.103 --------------------------------------------- https://pentest.blog/advisory-netmodule-router-software-race-condition-lead… ∗∗∗ Sicherheitslücken: Angreifer können Hintertüren in Datenzentren platzieren ∗∗∗ --------------------------------------------- Schwachstellen in Software von CyberPower und Dataprobe zur Energieüberwachung und -Verteilung gefährden Datenzentren. --------------------------------------------- https://heise.de/-9245788 ∗∗∗ Lücken in Kennzeichenerkennungssoftware gefährden Axis-Überwachungskamera ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in Software für Überwachungskameras von Axis gefährden Geräte. --------------------------------------------- https://heise.de/-9245978 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome). --------------------------------------------- https://lwn.net/Articles/941658/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/941722/ ∗∗∗ Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-01 ∗∗∗ Rockwell Automation Armor PowerFlex ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-02 ∗∗∗ K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135852 ∗∗∗ CPE2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format) – 15 August 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ [R1] Sensor Proxy Version 1.0.8 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-28 ∗∗∗ Vulnerabilities in Node.js modules affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026694 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380956 ∗∗∗ Multiple Eclipse Jetty Vulnerabilities Affect IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027483 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027509 ∗∗∗ IBM Cognos Analytics has addressed multiple security vulnerabilities (CVE-2022-48285, CVE-2023-35009, CVE-2023-35011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026692 ∗∗∗ Zyxel security advisory for post-authentication command injection in NTP feature of NBG6604 home router ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Zyxel security advisory for DoS vulnerability of XGS2220, XMG1930, and XS1930 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2023
by Daily end-of-shift report 14 Aug '23

14 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-08-2023 18:00 − Montag 14-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MaginotDNS attacks exploit weak checks for DNS cache poisoning ∗∗∗ --------------------------------------------- A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named MaginotDNS, that targets Conditional DNS (CDNS) resolvers and can compromise entire TLDs top-level domains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-w… ∗∗∗ Phishing with hacked sites ∗∗∗ --------------------------------------------- Scammers are hacking websites powered by WordPress and placing phishing pages inside hidden directories. We share some statistics and tips on recognizing a hacked site. --------------------------------------------- https://securelist.com/phishing-with-hacked-sites/110334/ ∗∗∗ Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in AudioCodes desk phones and Zooms Zero Touch Provisioning (ZTP) that could be potentially exploited by a malicious attacker to conduct remote attacks. "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.'s desk phones and Zoom's Zero Touch Provisioning feature can gain full remote control of the devices," SySS security researcher Moritz Abrell said in an analysis published Friday. --------------------------------------------- https://thehackernews.com/2023/08/zoom-ztp-audiocodes-phones-flaws.html ∗∗∗ Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability ∗∗∗ --------------------------------------------- E-commerce sites using Adobes Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html ∗∗∗ HAK5 BashBunny USB Gadget IoC Removal ∗∗∗ --------------------------------------------- StealthBunny is a tool designed to modify HAK5s BashBunny USB gadget kernel driver to remove possible indicators of compromise. --------------------------------------------- https://github.com/emptynebuli/StealthBunny ∗∗∗ Microsofts Cloud-Hack: Überprüfung durch US Cyber Safety Review Board ∗∗∗ --------------------------------------------- Die Cybervorfälle der letzten Monate haben die US-Sicherheitsbehörden aufgeschreckt. Nun will sich das US Cyber Safety Review Board (CSRB) den Hack der Microsoft Cloud durch die mutmaßlich chinesische Hackergruppe Storm-0558 genauer ansehen. Der Fall war im Juli 2023 bekannt geworden und hatte wegen der Umstände Wellen geschlagen. --------------------------------------------- https://www.borncity.com/blog/2023/08/12/microsofts-cloud-hack-berprfung-du… ∗∗∗ Whats New in CVSS v4 ∗∗∗ --------------------------------------------- The standard has been improved over time with the release of v1 in Feb. 2005, v2 in June 2007, and v3 in June 2015. The current version (v3.1) debuted in June 2019. Version 4 is slated for release on October 1, 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/14/whats-new-in-cvss-v4/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://kb.cert.org/vuls/id/127587 ∗∗∗ Schwachstelle in Sync 3: Infotainmentsystem von Ford ermöglicht Angriff via Wi-Fi ∗∗∗ --------------------------------------------- Das in vielen Ford-Modellen genutzte Infotainmentsystem Sync 3 hat eine Schwachstelle, durch die Angreifer böswilligen Code ausführen können. --------------------------------------------- https://www.golem.de/news/schwachstelle-in-sync-3-infotainmentsystem-von-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-ugly1.0, libreoffice, linux-5.10, netatalk, poppler, and sox), Fedora (chromium, ghostscript, java-1.8.0-openjdk-portable, java-11-openjdk, java-11-openjdk-portable, java-17-openjdk-portable, java-latest-openjdk-portable, kernel, linux-firmware, mingw-python-certifi, ntpsec, and php), Oracle (.NET 6.0, .NET 7.0, 15, 18, bind, bind9.16, buildah, cjose, curl, dbus, emacs, firefox, go-toolset and golang, go-toolset:ol8, grafana, iperf3, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libcap, libeconf, libssh, libtiff, libxml2, linux-firmware, mod_auth_openidc:2.3, nodejs, nodejs:16, nodejs:18, open-vm-tools, openssh, postgresql:12, postgresql:13, python-requests, python27:2.7, python3, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, ruby:2.7, samba, sqlite, systemd, thunderbird, virt:ol and virt-devel:rhel, and webkit2gtk3), SUSE (docker, java-1_8_0-openj9, kernel, kernel-firmware, libyajl, nodejs14, openssl-1_0_0, poppler, and webkit2gtk3), and Ubuntu (golang-yaml.v2, intel-microcode, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-6.1, pygments, and pypdf2). --------------------------------------------- https://lwn.net/Articles/941587/ ∗∗∗ F5: K000135795 : Downfall Attacks CVE-2022-40982 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135795 ∗∗∗ F5: K000135831 : Node.js vulnerability CVE-2023-32067 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135831 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage System (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025515 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025507 ∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025510 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ Apache Log4j Vulnerability affects Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6529302 ∗∗∗ IBM PowerVM Novalink is vulnerable because flaw was found in IBM SDK, Java Technology Edition, which could allow a remote attacker to execute arbitrary code on the system caused by an unsafe deserialization flaw. (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026380 ∗∗∗ Kafka nodes in IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026403 ∗∗∗ IBM ELM affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026536 ∗∗∗ Vulnerability in IBM Java SDK affects WebSphere Service Registry and Repository (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026489 ∗∗∗ Security Vulnerabilities in JRE and Java packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026553 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2023
by Daily end-of-shift report 11 Aug '23

11 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-08-2023 18:00 − Freitag 11-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gafgyt malware exploits five-years-old flaw in EoL Zyxel router ∗∗∗ --------------------------------------------- Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five… ∗∗∗ Nutzerdaten in Gefahr: Microsoft Onedrive als Werkzeug für Ransomware-Angriffe ∗∗∗ --------------------------------------------- Onedrive soll die Daten von Windows-Nutzern eigentlich vor Ransomware-Angriffen schützen. Effektiv ist das aber offenbar nicht immer. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-microsoft-onedrive-als-werk… ∗∗∗ 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks ∗∗∗ --------------------------------------------- A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. --------------------------------------------- https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html ∗∗∗ When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability ∗∗∗ --------------------------------------------- While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. [..] This article maps out various attacks against AWS environments following the MITRE ATT&CK Matrix framework, wrapping up with multiple prevention mechanisms an organization can put in place to protect themselves. Some of these protections include taking advantage of controls and services provided by AWS, cloud best practices, and ensuring sufficient data retention to catch the full attack. --------------------------------------------- https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/ ∗∗∗ Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022 ∗∗∗ --------------------------------------------- In December 2022, we competed at our first pwn2own. We were able to successfully exploit the Lexmark MC3224i using a command injection 0-day. This post will detail the process we used to discover, weaponize, and have some fun with this vulnerability. --------------------------------------------- https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-194… ∗∗∗ Theres a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack ∗∗∗ --------------------------------------------- A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims network traffic to go outside their encrypted VPNs, it was demonstrated this week. [..] Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be most secure of the bunch. --------------------------------------------- https://www.theregister.com/2023/08/10/tunnelcrack_vpn/ ∗∗∗ Site Takeover via SCCM’s AdminService API ∗∗∗ --------------------------------------------- tl:dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover. --------------------------------------------- https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e2… ∗∗∗ A-Z: OPNsense - Penetration Test ∗∗∗ --------------------------------------------- We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. Also, they provided us with reasoning behind decision to not patch some of them right now. --------------------------------------------- https://logicaltrust.net/blog/2023/08/opnsense.html ∗∗∗ Lesetipp: Wenn der Microsoft Defender zum Angreifer wird ∗∗∗ --------------------------------------------- Forscher haben spannende Details zu einer im April gefixten Lücke im Defender-Signaturupdateprozess veröffentlicht. Sie sehen Potenzial für künftige Angriffe. --------------------------------------------- https://heise.de/-9241230 ∗∗∗ Samsonite-Gewinnspiel auf Facebook führt in teure Abo-Falle! ∗∗∗ --------------------------------------------- Die betrügerische Facebook-Seite „Koffer-Paradies“ verbreitet derzeit ein Gewinnspiel, das in eine teure Abo-Falle führt. Versprochen wird ein Koffer der Marke Samsonite. Achtung! Wer mitspielt, erhält keinen Gewinn, sondern soll monatlich 70 Euro an Kriminelle bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/samsonite-gewinnspiel-auf-facebook-f… ∗∗∗ Phishing über Amazon Web Services ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben vor einiger Zeit einen weiteren Dienst entdeckt, der für fortschrittliche Phishing-Kampagnen von Hackern missbraucht wird. Diesmal erfolgt der Missbrauch für Phishing-Kampagnen über die Amazon Web Services (AWS). . Das Programm wird zum Versenden von Phishing-E-Mails genutzt, um diesen einen täuschend echten Anstrich zu geben. --------------------------------------------- https://www.borncity.com/blog/2023/08/11/phishing-ber-amazon-web-services/ ===================== = Vulnerabilities = ===================== ∗∗∗ AMD and Intel CPU security bugs bring Linux patches ∗∗∗ --------------------------------------------- Its not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches. Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes. --------------------------------------------- https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-p… ∗∗∗ Statischer Schlüssel in Dell Compellent leakt Zugangsdaten für VMware vCenter ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle in Dells Compellent Integration Tools for VMware (CITV) können Angreifer Log-in-Daten entschlüsseln. --------------------------------------------- https://heise.de/-9241495 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools). --------------------------------------------- https://lwn.net/Articles/941271/ ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025193 ∗∗∗ App Connect Professional is affected by Bouncy Castle vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025330 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025344 ∗∗∗ Vulnerability in the Flask repo may affect affect IBM Elastic Storage System (CVE-2023-30861) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025351 ∗∗∗ Multiple vulnerabilities in the werkzeug repo affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025349 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage Server (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025354 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025446 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025170 ∗∗∗ IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025476 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2023
by Daily end-of-shift report 10 Aug '23

10 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-08-2023 18:00 − Donnerstag 10-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Common TTPs of attacks against industrial organizations ∗∗∗ --------------------------------------------- In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. --------------------------------------------- https://securelist.com/common-ttps-of-attacks-against-industrial-organizati… ∗∗∗ Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet ∗∗∗ --------------------------------------------- Cryptographic flaws still matter. Here’s a flaw in the random-number generator used to create private keys. The seed has only 32 bits of entropy.Seems like this flaw is being exploited in the wild. --------------------------------------------- https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbit… ∗∗∗ Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives ∗∗∗ --------------------------------------------- Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations --------------------------------------------- https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html ∗∗∗ New Statc Stealer Malware Emerges: Your Sensitive Data at Risk ∗∗∗ --------------------------------------------- A new information malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information."Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. --------------------------------------------- https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.ht… ∗∗∗ CISA Analysis Report: MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors ∗∗∗ --------------------------------------------- CISA obtained four malware samples - including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-221a ∗∗∗ Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability. The specific flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1056/ ∗∗∗ Some things never change ? such as SQL Authentication ?encryption? ∗∗∗ --------------------------------------------- Fat client applications running on (usually) Windows are still extremely common in enterprises. [..] “traditional” fat client applications will most of the time connect directly to a database (again, since we’re looking at Windows environment primarily here, this will be most of the time a Microsoft SQL Server database). [..] Finally, how do we prevent this? Well, one solution is easy – do not use SQL Server authentication but instead have users use their Windows credentials --------------------------------------------- https://isc.sans.edu/diary/rss/30112 ∗∗∗ Honeypot: Forscher lockten Hacker in über 20.000 RDP-Sitzungen ∗∗∗ --------------------------------------------- Die Sicherheitsforscher planen für die kommenden Monate die Veröffentlichung einer Blog-Post-Serie, in der sie die Strategien und Tools der beobachteten Hacker näher erläutern wollen. Die Erkenntnisse sollen vor allem Strafverfolgern sowie anderen Sicherheitsexperten dienen, um effektive Abwehrstrategien gegen Cyberangriffe zu entwickeln und Ermittlungen gegen kriminelle Akteure in Zukunft schneller voranzutreiben --------------------------------------------- https://www.golem.de/news/honeypot-forscher-lockten-hacker-in-ueber-20-000-… ∗∗∗ Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization ∗∗∗ --------------------------------------------- Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. [..] This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement --------------------------------------------- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition ∗∗∗ --------------------------------------------- Team82 today shares some details about a unique attack technique that could allow an attacker to impersonate Western Digital (WD) network-attached storage (NAS) devices. [..] Western Digital has provided firmware updates for all affected devices and also released advisories (here, here, here). Connected devices have been updated automatically. Any device yet to be updated has been banned by WD from connecting to the MyCloud service until it’s running the current firmware version. --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition ∗∗∗ --------------------------------------------- Team82 has developed a unique technique that allowed us to impersonate Synology’s DS920+ network-attached storage device and force its QuickConnect cloud service to redirect users to an attacker-controlled device. Synology, a top-tier NAS vendor, has addressed the vulnerabilities we uncovered, and has updated its cloud service to protect its users. [..] We uncovered not only credential theft flaws, but also remote code execution vulnerabilities [..] --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ Smashing the state machine: the true potential of web race conditions ∗∗∗ --------------------------------------------- For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, Ill introduce new classes of race condition that go far beyond the limit-overrun exploits youre probably already familiar with. --------------------------------------------- https://portswigger.net/research/smashing-the-state-machine? ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 31, 2023 to August 6, 2023) ∗∗∗ --------------------------------------------- Last week, there were 29 vulnerabilities disclosed in 24 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 18 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“, "Ihre Bawag Security App" oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Mac systems turned into proxy exit nodes by AdLoad ∗∗∗ --------------------------------------------- AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Nextcloud/Nextcloud Enterprise/Nextcloud Talk Android app ∗∗∗ --------------------------------------------- High severity: - Missing password confirmation when creating app passwords, CVSS 8.1 - Path traversal allows tricking the Talk Android app into writing files into its root directory, CVSS 7.2 - Users can delete external storage mount points, CVSS 7.7 3x Moderate Severity, 4x Low Severity --------------------------------------------- https://github.com/nextcloud/security-advisories/security ∗∗∗ Multiple Vulnerabilities in Softing edgeAggregator/Secure Integration Server/edgeConnector Siemens ∗∗∗ --------------------------------------------- CVE-2023-27335/CVSS 8.8, CVE-2023-38126/CVSS 7.2, CVE-2023-38125/CVSS 7.5, CVE-2023-39478/CSS 6.6, CVE-2023-39479/CVSS 6.6, CVE-2023-39480/CVSS 4.4, CVE-2023-39481/CVSS 6.6, CVE-2023-39482/CVSS 4.9, CVE-2023-27336/CVSS 7.5, CVE-2023-27334/CVSS 7.5, CVE-2023-29377/CVSS 6.6 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Videomeeting-Anwendungen: Zoom rüstet Produkte gegen mögliche Attacken ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates, für unter anderem den Windows-Client von Zoom, schließen mehrere Lücken. --------------------------------------------- https://heise.de/-9240044 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, kernel, krb5, and rust), and Ubuntu (graphite-web and velocity). --------------------------------------------- https://lwn.net/Articles/941082/ ∗∗∗ Vulnerability in IBM\u00ae Java SDK affects IBM Liberty for Java for IBM Cloud due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2023
by Daily end-of-shift report 09 Aug '23

09 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-08-2023 18:00 − Mittwoch 09-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious extensions can abuse VS Code flaw to steal auth tokens ∗∗∗ --------------------------------------------- Microsofts Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-extensions-can-abu… ∗∗∗ EvilProxy phishing campaign targets 120,000 Microsoft 365 users ∗∗∗ --------------------------------------------- EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-… ∗∗∗ Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining ∗∗∗ --------------------------------------------- Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. --------------------------------------------- https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“ oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Es war ein schöner Tag dieser Freitag der 03. Februar 2023, aber wie es Freitage im Cybersicherheits-Umfeld leider so an sich haben, sollte sich das schnell ändern. Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Fantastic Rootkits: And Where To Find Them (Part 3) – ARM Edition ∗∗∗ --------------------------------------------- In this blog, we will discuss innovative rootkit techniques on a non-traditional architecture, Windows 11 on ARM64. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - Buffer overflow in execute extender command (CVE-2023-29182) ∗∗∗ --------------------------------------------- A stack-based buffer overflow vulnerability [CWE-121] in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-149 ∗∗∗ Lenovo: Multi-vendor BIOS Security Vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. CVE Identifier: CVE-2022-24351, CVE-2022-27879, CVE-2022-37343, CVE-2022-38083, CVE-2022-40982, CVE-2022-41804, CVE-2022-43505, CVE-2022-44611, CVE-2022-46897, CVE-2023-2004, CVE-2023-20555, CVE-2023-20569, CVE-2023-23908, CVE-2023-26090, CVE-2023-27471, CVE-2023-28468, CVE-2023-31041, CVE-2023-34419, CVE-2023-4028, CVE-2023-4029, CVE-2023-4030 --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500572-multi-vendor-bio… ∗∗∗ Lenovo: AMD Graphics OpenSSL Vulnerabilities ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-3602, CVE-2022-3786 Summary Description: AMD reported two high severity OpenSSL vulnerabilities affecting certain versions of their product. Mitigation Strategy for Customers (what you should do to protect yourself): Update AMD Graphics Driver to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500575-amd-graphics-ope… ∗∗∗ Lenovo: Intel PROSet Wireless WiFi and Killer WiFi Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-27635, CVE-2022-46329, CVE-2022-40964, CVE-2022-36351, CVE-2022-38076 Summary Description: Intel reported potential security vulnerabilities in some Intel PROSet/Wireless WiFi and Killer WiFi products that may allow escalation of privilege or denial of service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500574-intel-proset-wir… ∗∗∗ Lenovo: Intel Chipset Firmware Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-36392, CVE-2022-38102, CVE-2022-29871 Summary Description: Intel reported potential security vulnerabilities in the Intel Converged Security Management Engine (CSME) that may allow escalation of privilege and Denial of Service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500573-intel-chipset-fi… ∗∗∗ Xen XSA-432: Linux: buffer overrun in netback due to unusual packet (CVE-2023-34319) ∗∗∗ --------------------------------------------- The fix for XSA-423 added logic to Linuxes netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didnt account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area thats specially dealt with to keep all (possible) headers together. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-432.html ∗∗∗ Xen XSA-434 x86/AMD: Speculative Return Stack Overflow (CVE-2023-20569) ∗∗∗ --------------------------------------------- It is possible to poison the branch type and target predictions such that, at a point of the attackers choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attackers choosing. This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-434.html ∗∗∗ Xen XSA-435 x86/Intel: Gather Data Sampling ∗∗∗ --------------------------------------------- A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling threads. Therefore an attacker can infer data from the sibling thread, or from a more privileged context. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-435.html ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982 ∗∗∗ --------------------------------------------- - An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause the host to crash. (CVE-2023-34319) - In addition, Intel has disclosed a security issue affecting certain Intel CPUs [..] (CVE-2022-40982) - In addition, AMD has disclosed a security issue affecting AMD CPUs [..] (CVE-2023-20569) --------------------------------------------- https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bul… ∗∗∗ LibreSwan: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart ∗∗∗ --------------------------------------------- When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payloads protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt ∗∗∗ LibreSwan: CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart ∗∗∗ --------------------------------------------- When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR, receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon. --------------------------------------------- https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt ∗∗∗ LibreSwan: CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart ∗∗∗ --------------------------------------------- When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a null pointer dereference on the deleted state causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt ∗∗∗ LWN: Stable kernels with security fixes ∗∗∗ --------------------------------------------- The 6.4.9, 6.1.44, 5.15.125, 5.10.189, 5.4.252, 4.19.290, and 4.14.321 stable kernel updates have all been released; they are dominated by fixes for the latest round of speculative-execution vulnerabilities. Do note the warning attached to each of these releases --------------------------------------------- https://lwn.net/Articles/940798/ ∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren entdeckt ∗∗∗ --------------------------------------------- Die Security-Konferenz Black Hat ist für AMD und Intel kein Spaß. Beide Hersteller müssen sich mit zahlreichen Sicherheitslücken befassen – BIOS-Updates kommen. --------------------------------------------- https://heise.de/-9239339 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc). --------------------------------------------- https://lwn.net/Articles/940912/ ∗∗∗ SAP Patches Critical Vulnerability in PowerDesigner Product ∗∗∗ --------------------------------------------- SAP has fixed over a dozen new vulnerabilities with its Patch Tuesday updates, including a critical flaw in its PowerDesigner product. --------------------------------------------- https://www.securityweek.com/sap-patches-critical-vulnerability-in-powerdes… ∗∗∗ Microsoft Releases August 2023 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-augus… ∗∗∗ Released: August 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-… ∗∗∗ Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023647 ∗∗∗ protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023656 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server shipped with IBM Business Automation Workflow containers - April 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024729 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-38721) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023423 ∗∗∗ IBM App Connect Enterprise toolkit and IBM Integration Bus toolkit are vulnerable to a local authenticated attacker and a denial of service due to Guava and JDOM (CVE-2023-2976, CVE-2021-33813). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024862 ∗∗∗ IBM MQ is affected by multiple Angular JS vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023212 ∗∗∗ IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013499 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2023
by Daily end-of-shift report 08 Aug '23

08 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 07-08-2023 18:00 − Dienstag 08-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft GitHub. Authentication is required to exploit this vulnerability. [..] The vendor states this is by-design, and they do not consider it to be a security risk. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1044/ ∗∗∗ Understanding Active Directory Attack Paths to Improve Security ∗∗∗ --------------------------------------------- Active Directory, Actively Problematic. But as central as it is, Active Directory security posture is often woefully lacking. Lets take a quick peek at how Active Directory assigns users, which will shed some light on why this tool has some shall we say, issues, associated with it. --------------------------------------------- https://thehackernews.com/2023/08/understanding-active-directory-attack.html ∗∗∗ Fake-Shop presssi.shop kopiert österreichisches Unternehmen ∗∗∗ --------------------------------------------- Der Online-Shop presssi.shop ist besonders schwer als Fake-Shop zu erkennen, da er ein echtes Unternehmen kopiert. Die Kriminellen stehlen Firmendaten und das Logo der „niceshops GmbH“, einer E-Commerce-Dienstleistung aus Österreich. Außerdem sind herkömmliche Tipps zum Erkennen von Fake-Shops in diesem Fall nicht anwendbar. Wir zeigen Ihnen, wie wir den Shop als Fake entlarvt haben. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-presssishop-kopiert-oester… ∗∗∗ Abmahnung im Namen von Dr. Matthias Losert ist betrügerisch ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen vom Berliner Anwalt Dr. Matthias Losert Abmahnungen wegen einer Urheberrechtsverletzung. Sie werden beschuldigt, illegal einen Film heruntergeladen zu haben. Für diesen Verstoß fordert man von Ihnen nun 450 Euro. Ignorieren Sie dieses E-Mail und antworten Sie nicht, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/abmahnung-im-namen-von-dr-matthias-l… ===================== = Vulnerabilities = ===================== ∗∗∗ Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client ∗∗∗ --------------------------------------------- On August 8, 2023, the paper Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables was made public. The paper discusses two attacks that can cause VPN clients to leak traffic outside the protected VPN tunnel. In both instances, an attacker can manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Siemens: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- JT Open, JT Utilities, Parasolid, Parasolid Installer, Solid Edge, JT2Go, Teamcenter Visualization, APOGEE/TALON Field Panels, Siemens Software Center, SIMATIC Products, RUGGEDCOM CROSSBOW, RUGGEDCOM ROS Devices, SICAM TOOLBOX II --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Multiple Vulnerabilities in Inductive Automation Ignition ∗∗∗ --------------------------------------------- * Deserialization of Untrusted Data Remote Code Execution (CVE-2023-39473, CVE-2023-39476, CVE-2023-39475) * XML External Entity Processing Information Disclosure (CVE-2023-39472) * Remote Code Execution (CVE-2023-39477) --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (CVE-2023-38157) ∗∗∗ --------------------------------------------- CVSS:3.1 6.5 / 5.7 This vulnerability requires a user to open a Web Archive file with spoofed origin of the web content in the affected version of Microsoft Edge (Chromium-based). --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtmlcleaner-java and thunderbird), Red Hat (dbus, kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), SUSE (chromium, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, kernel-firmware, libqt5-qtbase, libqt5-qtsvg, librsvg, pcre2, perl-Net-Netmask, qt6-base, and thunderbird), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940755/ ∗∗∗ Android: August-Patchday bringt Fixes für 53 Schwachstellen ∗∗∗ --------------------------------------------- Vier Lücken stuft Google als kritisch ein. Sie erlauben unter anderem das Ausführen von Schadcode ohne Interaktion mit einem Nutzer. --------------------------------------------- https://www.zdnet.de/88411017/android-august-patchday-bringt-fixes-fuer-53-… ∗∗∗ PHOENIX CONTACT: PLCnext Engineer Vulnerabilities in LibGit2Sharp/LibGit2 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-016/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-017/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in WP 6xxx Web panels ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-018/ ∗∗∗ Vulnerability in IBM Java SDK affects IBM WebSphere Application Server due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022475 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999317 ∗∗∗ A remote code execution vulnerability in IBM Java SDK affects IBM InfoSphere Information Server (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022836 ∗∗∗ IBM Jazz Team Server is vulnerable to server-side request forgery. (CVE-2022-43879) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023193 ∗∗∗ OpenSSL publicly disclosed vulnerabilities affect IBM MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023206 ∗∗∗ Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023204 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attack due to IBM SDK Java (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023275 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-01 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2023
by Daily end-of-shift report 07 Aug '23

07 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-08-2023 18:00 − Montag 07-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers ∗∗∗ --------------------------------------------- Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap thats engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html ∗∗∗ New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy ∗∗∗ --------------------------------------------- A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week. --------------------------------------------- https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html ∗∗∗ Technical Summary of Observed Citrix CVE-2023-3519 Incidents ∗∗∗ --------------------------------------------- The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. [...] Please ensure you follow the detection and hunting steps provided for signs of possible compromise and webshell presence. --------------------------------------------- https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-… ∗∗∗ Security-Bausteine, Teil 5: Vier Stufen – Risiko und Security Levels ∗∗∗ --------------------------------------------- Das Einrichten des IT-Schutzes bedeutet häufig langwierige Prozesse. Abhilfe schaffen die Security Levels zum Absichern gegen potenzielle Angreiferklassen. --------------------------------------------- https://heise.de/-9220500 ∗∗∗ Vernetzte Geräte: EU gewährt Aufschub für höhere Cybersicherheit ∗∗∗ --------------------------------------------- Die EU wollte Hersteller von Smartphones, Wearables & Co. ab 2024 zu deutlich mehr IT-Sicherheit und Datenschutz verpflichten. Doch jetzt gibt es Aufschub. --------------------------------------------- https://heise.de/-9235663 ∗∗∗ Zutatenliste: BSI stellt Regeln zum Absichern der Software-Lieferkette auf ∗∗∗ --------------------------------------------- Das BSI hat eine Richtlinie für Software Bills of Materials (SBOM) herausgegeben. Solche Übersichtslisten sollen Sicherheitsdebakeln wie Log4J entgegenwirken. --------------------------------------------- https://heise.de/-9235853 ∗∗∗ Visualizing Qakbot Infrastructure Part II: Uncharted Territory ∗∗∗ --------------------------------------------- A Data-Driven Approach Based on Analysis of Network Telemetry - In this blog post, we will provide an update on our high-level analysis of... --------------------------------------------- https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische RCE-Schwachstelle CVE-2023-39143 in PaperCut vor Version 22.1.3 ∗∗∗ --------------------------------------------- Wer die Druck-Management-Lösung Papercut MF/NG im Einsatz hat, sollte das Produkt dringend patchen. Eine gerade bekannt gewordene kritische RCE-Schwachstelle CVE-2023-39143 ermöglicht die Übernahme der PaperCut-Server. Der Anbieter hat bereits einen entsprechenden Sicherheitspatch zum Beseitigen der Schwachstelle veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2023/08/05/kritische-rce-schwachstelle-cve-20… ∗∗∗ Sicherheitsupdates: Angreifer können Drucker von HP und Samsung attackieren ∗∗∗ --------------------------------------------- Einige Drucker-Modelle von HP und Samsung sind verwundbar. Sicherheitsupdates lösen das Problem. --------------------------------------------- https://heise.de/-9236703 ∗∗∗ VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution ∗∗∗ --------------------------------------------- Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host. [...] The CERT/CC is currently unaware of a practical solution to this problem. [...] We have not received a statement from the vendor. --------------------------------------------- https://kb.cert.org/vuls/id/947701 ∗∗∗ ZDI-23-1017: Extreme Networks AP410C Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Extreme Networks AP410C routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1017/ ∗∗∗ Triangle MicroWorks SCADA Data Gateway: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- CVE: CVE-2023-39458, CVE-2023-39459, CVE-2023-39460, CVE-2023-39461, CVE-2023-39462, CVE-2023-39463, CVE-2023-39464, CVE-2023-39465, CVE-2023-39466, CVE-2023-39467, CVE-2023-39468, CVE-2023-39457 CVSS Scores: <= 9.8 See also https://www.zerodayinitiative.com/advisories/published/ --------------------------------------------- https://www.trianglemicroworks.com/products/scada-data-gateway/whats-new ∗∗∗ CVE-2023-35082 - Vulnerability affecting EPMM and MobileIron Core ∗∗∗ --------------------------------------------- On 2 August 2023 at 10:00 MDT, Ivanti reported CVE-2023-35082. This vulnerability, which was originally discovered in MobileIron Core had not been previously identified as a vulnerability [...] Ivanti has continued its investigation and has found additional paths to exploiting CVE-2023-35082 depending on configuration of the Ivanti Endpoint Manager Mobile (EPMM) appliance. This impacts all versions of EPMM 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below. --------------------------------------------- https://www.ivanti.com/blog/vulnerability-affecting-mobileiron-core-11-2-an… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (burp, chromium, ghostscript, openimageio, pdfcrack, python-werkzeug, thunderbird, and webkit2gtk), Fedora (amanda, libopenmpt, llhttp, samba, seamonkey, and xen), Red Hat (thunderbird), Slackware (mozilla and samba), and SUSE (perl-Net-Netmask, python-Django1, trytond, and virtualbox). --------------------------------------------- https://lwn.net/Articles/940682/ ∗∗∗ AUMA: SIMA Master Station affected by WRECK vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-028/ ∗∗∗ AUMA: Reflected Cross-Site Scripting Vulnerability in SIMA Master Stations ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-027/ ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020515 ∗∗∗ An unauthorized attacker who has obtained an IBM Watson IoT Platform security authentication token can use it to impersonate an authorized platform user (CVE-2023-38372) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020635 ∗∗∗ ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017974 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to FasterXML jackson-databind [CVE-2022-42003, CVE-2022-42004] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020695 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JetBrains Kotlin weak security [CVE-2022-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020659 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JCommander [X-Force ID: 221124] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020636 ∗∗∗ Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022413 ∗∗∗ Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022414 ∗∗∗ A vulnerability has been identified in the IBM Storage Scale GUI where a remote authenticated user can execute commands (CVE-2023-33201) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2023
by Daily end-of-shift report 04 Aug '23

04 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-08-2023 18:00 − Freitag 04-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Call to Action: Bolster UEFI Cybersecurity Now ∗∗∗ --------------------------------------------- Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode. [...] Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice. CISA encourages the UEFI community to pursue all the options discussed in this blog with vigor. And the work must start today. --------------------------------------------- https://www.cisa.gov/news-events/news/call-action-bolster-uefi-cybersecurit… ∗∗∗ Fake VMware vConnector package on PyPI targets IT pros ∗∗∗ --------------------------------------------- A malicious package that mimics the VMware vSphere connector module vConnector was uploaded on the Python Package Index (PyPI) under the name VMConnect, targeting IT professionals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-vmware-vconnector-packa… ∗∗∗ Midnight Blizzard conducts targeted social engineering over Microsoft Teams ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-… ∗∗∗ From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd) ∗∗∗ --------------------------------------------- Last week, my spam trap caught an e-mail with LNK attachment, which turned out to be quite interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/30094 ∗∗∗ Malicious npm Packages Found Exfiltrating Sensitive Data from Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," [...] --------------------------------------------- https://thehackernews.com/2023/08/malicious-npm-packages-found.html ∗∗∗ Are Leaked Credentials Dumps Used by Attackers? ∗∗∗ --------------------------------------------- I’ve been watching dumps of leaked credentials for a long time. [...] But are these leaks used to try to get access to mailboxes (or other services)? [...] Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials! --------------------------------------------- https://isc.sans.edu/diary/rss/30098 ∗∗∗ Handwerker:innen aufgepasst: Hier sollten Sie keine Werkzeuge kaufen! ∗∗∗ --------------------------------------------- Aktuell stoßen wir auf zahlreiche Fake-Shops, die Werkzeuge aller Art verkaufen. Allein in den letzten zwei Wochen haben wir mehr als 70 Online-Shops gefunden, die Werkzeuge anbieten – diese aber trotz Bezahlung nicht liefern. --------------------------------------------- https://www.watchlist-internet.at/news/handwerkerinnen-aufgepasst-hier-soll… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware VMSA-2023-0017 - VMware Horizon Server updates address multiple security vulnerabilities ∗∗∗ --------------------------------------------- - Request smuggling vulnerability (CVE-2023-34037), CVSSv3 base score of 5.3 - Information disclosure vulnerability (CVE-2023-34038), CVSSv3 base score of 5.3 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0017.html ∗∗∗ Mozilla VPN: CVE-2023-4104: Privileged vpndaemon on Linux wrongly and incompletely implements Polkit authentication ∗∗∗ --------------------------------------------- [...] it contains a privileged D-Bus service running as root and a Polkit policy. In the course of this review we noticed a broken and otherwise lacking Polkit authorization logic in the privileged `mozillavpn linuxdaemon` process. We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below. --------------------------------------------- https://www.openwall.com/lists/oss-security/2023/08/03/1 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind and kernel), Debian (cjose, firefox-esr, ntpsec, and python-django), Fedora (chromium, firefox, librsvg2, and webkitgtk), Red Hat (firefox), Scientific Linux (firefox and openssh), SUSE (go1.20, ImageMagick, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, kernel, openssl-1_1, pipewire, python-pip, and xtrans), and Ubuntu (cargo, rust-cargo, cpio, poppler, and xmltooling). --------------------------------------------- https://lwn.net/Articles/940481/ ∗∗∗ Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN38847224/ ∗∗∗ Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020316 ∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010369 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Tensorflow vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020364 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2023
by Daily end-of-shift report 03 Aug '23

03 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-08-2023 18:00 − Donnerstag 03-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake FlipperZero sites promise free devices after completing offer ∗∗∗ --------------------------------------------- A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-flipperzero-sites-promi… ∗∗∗ Hackers can abuse Microsoft Office executables to download malware ∗∗∗ --------------------------------------------- The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes, will include the main executables for Microsofts Outlook email client and Access database management system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-… ∗∗∗ "Grob fahrlässig": Sicherheitsproblem gefährdet Microsoft-Kunden seit Monaten ∗∗∗ --------------------------------------------- Eine Microsoft seit März bekannte kritische Schwachstelle in Azure AD macht weitere zahllose Organisationen noch heute anfällig für Cyberangriffe. --------------------------------------------- https://www.golem.de/news/grob-fahrlaessig-sicherheitsproblem-gefaehrdet-mi… ∗∗∗ What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot ∗∗∗ --------------------------------------------- In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote. --------------------------------------------- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ ∗∗∗ New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 ∗∗∗ --------------------------------------------- Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-… ∗∗∗ Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers ∗∗∗ --------------------------------------------- In this guest blog from researcher Marcin Wiązowski, he details CVE-2023-21822 – a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, examines how it could be exploited, and a look at the patch Microsoft released to address the bug. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap… ∗∗∗ Hook, Line, and Phishlet: Conquering AD FS with Evilginx ∗∗∗ --------------------------------------------- Recently, I was assigned to a red team engagement, and the client specifically requested a phishing simulation targeting their employees. The organisation utilises AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. [..] Despite my efforts to find a detailed write-up on how to successfully phish a target where AD FS is being used, I couldn’t find a technical post covering this topic. So I saw this as an opportunity to learn --------------------------------------------- https://research.aurainfosec.io/pentest/hook-line-and-phishlet/ ∗∗∗ New Report: Medical Health Care Organizations Highly Vulnerable Due to Improper De-acquisition Processes ∗∗∗ --------------------------------------------- In Security Implications from Improper De-acquisition of Medical Infusion Pumps Heiland performs a physical and technical teardown of more than a dozen medical infusion pumps — devices used to deliver and control fluids directly into a patient’s body. Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organization’s networks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-… ∗∗∗ MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis ∗∗∗ --------------------------------------------- The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. --------------------------------------------- https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-t… ∗∗∗ Google Project Zero - Summary: MTE As Implemented ∗∗∗ --------------------------------------------- In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities. Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.h… ∗∗∗ Microsoft veröffentlicht TokenTheft-Playbook ∗∗∗ --------------------------------------------- Der Diebstahl von Tokens kann Angreifern den Zugriff auf entsprechende Dienste ermöglichen. Als Folge eines entsprechenden Vorfalls hat Microsoft daher das sogenannte TokenTheft-Playbook veröffentlicht. Es handelt sich um ein Online-Dokument mit zahlreichen Hinweisen für "Cloud-Verantwortliche", die sich um die Sicherheit und den Schutz vor dem Diebstahl von Zugangstokens kümmern müssen. --------------------------------------------- https://www.borncity.com/blog/2023/08/03/microsoft-verffentlicht-tokentheft… ∗∗∗ BSI Newsletter SICHER INFORMIERT vom 03.08.2023 ∗∗∗ --------------------------------------------- DSGVO – ein Segen für die IT-Sicherheit, Hersteller beklagen Patch-Müdigkeit, kritische Sicherheitslücke gefährdet Router & das BSI auf der Gamescom --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Newsletter/DE/BuergerCERT-Newsletter/16_… ∗∗∗ How Malicious Android Apps Slip Into Disguise ∗∗∗ --------------------------------------------- Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research. --------------------------------------------- https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-di… ∗∗∗ Watchlist Internet: Bestellen Sie unsere neue Broschüre „Betrug im Internet: So schützen Sie sich“ ∗∗∗ --------------------------------------------- Mit unserer neuen Broschüre „Betrug im Internet“ informieren wir Interessierte zu den Themen Einkaufen im Internet, betrügerische Nachrichten, Schadsoftware, Phishing, Vorschussbetrug und Finanzbetrug. Die kostenlose Broschüre können Sie herunterladen oder bei uns bestellen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-unsere-neue-broschuere… ∗∗∗ Reptile Malware Targeting Linux Systems ∗∗∗ --------------------------------------------- Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic. --------------------------------------------- https://asec.ahnlab.com/en/55785/ ∗∗∗ 2022 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a ===================== = Vulnerabilities = ===================== ∗∗∗ Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033 ∗∗∗ --------------------------------------------- Security risk: Less critical Description: This module enables you to add the Matomo web statistics tracking system to your website.The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-033 ∗∗∗ CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older ∗∗∗ --------------------------------------------- A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. [..] MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-A… ∗∗∗ CVE-2023-28130 – Command Injection in Check Point Gaia Portal ∗∗∗ --------------------------------------------- The parameter hostname in the web request /cgi-bin/hosts_dns.tcl is vulnerable for command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user ‘Admin’. --------------------------------------------- https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-… ∗∗∗ CVE-2023-31928 - XSS vulnerability in Brocade Webtools ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS version before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user’s session with the Brocade Webtools application. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31927 - An information disclosure in the web interface of Brocade Fabric OS ∗∗∗ --------------------------------------------- An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c, could allow a remote unauthenticated attacker to get technical details about the web interface. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31926 - Arbitrary File Overwrite using less command ∗∗∗ --------------------------------------------- System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31432 - Privilege issues in multiple commands ∗∗∗ --------------------------------------------- Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31431 - A buffer overflow vulnerability in “diagstatus” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “diagstatus” command in Brocade Fabric OS before Brocade Fabric v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31430 - buffer overflow vulnerability in “secpolicydelete” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “secpolicydelete” command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ VE-2023-31425 - Privilege escalation via the fosexec command ∗∗∗ --------------------------------------------- A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31429 - Vulnerability in multiple commands ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31427 - Knowledge of full path name ∗∗∗ --------------------------------------------- Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 Could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31428 - CLI allows upload or transfer files of dangerous types ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under users home directory using grep. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ Sicherheitsupdates: Angreifer können Aruba-Switches kompromittieren (CVE-2023-3718) ∗∗∗ --------------------------------------------- Bestimmte Switch-Modelle von Aruba sind verwundbar. Die Entwickler haben eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-9233677 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) ∗∗∗ --------------------------------------------- Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim). --------------------------------------------- https://lwn.net/Articles/940335/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE - ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products - ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface - ICSA-23-215-04 Sensormatic Electronics VideoEdge - ICSA-23-208-03 Mitsubishi Electric CNC Series --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-releases-five-indus… ∗∗∗ Sicherheitsschwachstelle in verschiedenen Canon Inkjet-Druckermodellen (SYSS-2023-011) ∗∗∗ --------------------------------------------- Bei dem Canon Inkjet-Drucker PIXMA TR4550 besteht eine Sicherheitsschwachstelle aufgrund eines unzureichenden Schutzes sensibler Daten. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-verschiedenen-… ∗∗∗ [R1] Nessus Version 10.5.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.5.4 updates OpenSSL to version 3.0.10 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-27 ∗∗∗ Mozilla Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/02/mozilla-releases-securit… ∗∗∗ Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ CODESYS: Missing Brute-Force protection in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-023/ ∗∗∗ CODESYS: Control runtime system memory and integrity check vulnerabilities (CVE-2022-4046, CVE-2023-28355)) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-025/ ∗∗∗ CODESYS: Vulnerability in CODESYS Development System allows execution of binaries ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-021/ ∗∗∗ CODESYS: Missing integrity check in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-022/ ∗∗∗ Shelly 4PM Pro four-channel smart switch: Authentication Bypass via an out-of-bounds read vulnerability (CVE-2023-033383) ∗∗∗ --------------------------------------------- https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-vi… ∗∗∗ CODESYS: Multiple Vulnerabilities in CmpApp CmpAppBP and CmpAppForce ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-019/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2023
by Daily end-of-shift report 02 Aug '23

02 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2023 18:00 − Mittwoch 02-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat actors abuse Google AMP for evasive phishing attacks ∗∗∗ --------------------------------------------- Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ Amazons AWS SSM agent can be used as post-exploitation RAT malware ∗∗∗ --------------------------------------------- Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platforms System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT). --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be… ∗∗∗ New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer thats equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Network Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. There is no evidence to suggest that the cyber offensive is currently active. --------------------------------------------- https://thehackernews.com/2023/08/new-nodestealer-targeting-facebook.html ∗∗∗ Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack ∗∗∗ --------------------------------------------- A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon. [..] Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned. --------------------------------------------- https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collid… ∗∗∗ New hVNC macOS Malware Advertised on Hacker Forum ∗∗∗ --------------------------------------------- A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum. --------------------------------------------- https://www.securityweek.com/new-hvnc-macos-malware-advertised-on-hacker-fo… ∗∗∗ SSH Remains Most Targeted Service in Cado’s Cloud Threat Report ∗∗∗ --------------------------------------------- Cado Security Labs 2023 Cloud Threat Findings Report dives deep into the world of cybercrime, cyberattacks, and vulnerabilities. --------------------------------------------- https://www.hackread.com/ssh-targeted-service-cado-cloud-threat-report/ ∗∗∗ The Most Important Part of the Internet You’ve Probably Never Heard Of ∗∗∗ --------------------------------------------- Few people realize how much they depend on the Border Gateway Protocol (BGP) every day—a set of technical rules responsible for routing data efficiently. --------------------------------------------- https://www.cisa.gov/news-events/news/most-important-part-internet-youve-pr… ∗∗∗ CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-p… ===================== = Vulnerabilities = ===================== ∗∗∗ K000135479: Overview of F5 vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- On August 2, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000135479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940103/ ∗∗∗ IBM TRIRIGA Application Platform discloses use of Apache Xerces (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017724 ∗∗∗ IBM TRIRIGA Application Platform suseptable to clickjacking (CBE-2017-4015) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017716 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2023
by Daily end-of-shift report 01 Aug '23

01 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2023 18:00 − Dienstag 01-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers steal Signal, WhatsApp user data with fake Android chat app ∗∗∗ --------------------------------------------- Hackers are using a fake Android app named SafeChat to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-signal-whatsap… ∗∗∗ European Bank Customers Targeted in SpyNote Android Trojan Campaign ∗∗∗ --------------------------------------------- Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023."The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," [..] --------------------------------------------- https://thehackernews.com/2023/08/european-bank-customers-targeted-in.html ∗∗∗ BSI-Magazin: Neue Ausgabe erschienen ∗∗∗ --------------------------------------------- In der neuen Ausgabe seines Magazins „Mit Sicherheit“ beleuchtet das Bundesamt für Sicherheit in der Informationstechnik (BSI) aktuelle Themen der Cybersicherheit. Im Fokus steht der digitale Verbraucherschutz. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Kaufen Sie nicht in diesen betrügerischen Online-Apotheken ein! ∗∗∗ --------------------------------------------- Ob Schlaftabletten, Schmerz- oder Potzenmittel: Betrügerische Online-Apotheken setzen auf eine breite Produktpalette und bieten verschreibungspflichtige Medikamente ohne Rezept an. Aktuell stoßen wir auf zahlreiche solcher betrügerischen Versandapotheken. Die bestellten Waren werden oftmals gar nicht geliefert und wenn doch, müssen Konsument:innen mit wirkungslosen oder sogar mit gesundheitsschädigenden Fälschungen rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-diesen-betrueger… ∗∗∗ Tuesday August 8th 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address: * 3 high severity issues. * 2 medium severity issues. * 2 low severity issues. --------------------------------------------- https://nodejs-9c1r4fxv8-openjs.vercel.app/en/blog/vulnerability/august-202… ===================== = Vulnerabilities = ===================== ∗∗∗ TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-029 ∗∗∗ Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-028 ∗∗∗ Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-027 ∗∗∗ OpenSSL version 3.1.2 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.1-notes.html ∗∗∗ OpenSSL version 3.0.10 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.0-notes.html ∗∗∗ OpenSSL version 1.1.1v released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] - Fix excessive time spent checking DH q parameter value (CVE-2023-3817) - Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) --------------------------------------------- https://www.openssl.org/news/openssl-1.1.1-notes.html ∗∗∗ Xen Security Advisory 436 v1 (CVE-2023-34320) - arm: Guests can trigger a deadlock on Cortex-A77 ∗∗∗ --------------------------------------------- Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. [..] A (malicious) guest that doesnt include the workaround for erratum 1508412 could deadlock the core. This will ultimately result to a deadlock of the system. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2023-08/msg00000.ht… ∗∗∗ SVD-2023-0702: Unauthenticated Log Injection In Splunk SOAR ∗∗∗ --------------------------------------------- Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-0702 ∗∗∗ WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin ∗∗∗ --------------------------------------------- Description: Stripe Payment Plugin for WooCommerce <= 3.7.7 – Authentication Bypass Affected Plugin: Stripe Payment Plugin for WooCommerce Plugin Slug: payment-gateway-stripe-and-woocommerce-integration Affected Versions: <= 3.7.7 Fully Patched Version: 3.7.8 CVE ID: CVE-2023-3162 CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/08/webtoffee-addresses-authentication-b… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/939917/ ∗∗∗ Security Vulnerabilities fixed in Firefox 116 ∗∗∗ --------------------------------------------- Impact high: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/ ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015865 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29402] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015871 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Google PubSub nodes are vulnerable to arbitrary code execution due to [CVE-2023-36665] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015873 ∗∗∗ IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-protocol attacks due to sendmail (CVE-2021-3618) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013521 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to multiple vulnerabilities due to use of IBM SDK Java Technology Edition, Version 8 (CVE-2023-21967, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015879 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016688 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM PowerVM Novalink is vulnerable because RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File. (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016690 ∗∗∗ IBM PowerVM Novalink is vulnerable because An unspecified vulnerability in Oracle Java SE. (CVE-2023-21930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016696 ∗∗∗ IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016698 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014913 ∗∗∗ Vulnerability in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014915 ∗∗∗ Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014917 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014919 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010669 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to an XML External Entity (XXE) Injection vulnerability - CVE-2023-27554 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016810 ∗∗∗ CVE-2022-40609 affects IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017032 ∗∗∗ The IBM Engineering Lifecycle Engineering products using IBM Java versions 8.0.7.0 - 8.0.7.11 are vulnerable to crypto attacks. (CVE-2023-30441) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015777 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-24998 , CVE-2022-31129) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015061 ∗∗∗ IBM Robotic Process Automation is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes (CVE-2023-23476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017490 ∗∗∗ Decision Optimization for Cloud Pak for Data is vulnerable to a server-side request forgery (CVE-2023-28155). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017586 ∗∗∗ IBM Event Streams is affected by a vulnerability in Node.js Request package (CVE-2023-28155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017628 ∗∗∗ IBM Event Streams is affected by a vulnerability in Golang Go (CVE-2023-29406) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017634 ∗∗∗ APSystems Altenergy Power Control ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2023
by Daily end-of-shift report 31 Jul '23

31 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-07-2023 18:00 − Montag 31-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Linux version of Abyss Locker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The Abyss Locker operation is the latest to develop a Linux encryptor to target VMwares ESXi virtual machines platform in attacks on the enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locke… ∗∗∗ Hackers exploit BleedingPipe RCE to target Minecraft servers, players ∗∗∗ --------------------------------------------- Hackers are actively exploiting a BleedingPipe remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe… ∗∗∗ P2PInfect server botnet spreads using Redis replication feature ∗∗∗ --------------------------------------------- Threat actors are actively targeting exposed instances of the Redis open-source data store with a peer-to-peer self-replicating worm with versions for both Windows and Linux that the malware authors named P2Pinfect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spre… ∗∗∗ Automatically Finding Prompt Injection Attacks ∗∗∗ --------------------------------------------- Researchers have just published a paper showing how to automate the discovery of prompt injection attacks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/07/automatically-finding-prompt… ∗∗∗ WordPress Vulnerability & Patch Roundup July 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service ∗∗∗ --------------------------------------------- More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. --------------------------------------------- https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html ∗∗∗ Apple iOS, Google Android Patch Zero-Days in July Security Updates ∗∗∗ --------------------------------------------- Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities. --------------------------------------------- https://www.wired.com/story/apple-google-microsoft-zero-day-fix-july-2023/ ∗∗∗ Exploiting the StackRot vulnerability ∗∗∗ --------------------------------------------- For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li hasposted a detailedwriteup of the bug and how it can be exploited. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. --------------------------------------------- https://lwn.net/Articles/939542/ ∗∗∗ Sie verkaufen Ihr Auto? Vorsicht bei Abwicklung über Kurierdiensten oder Speditionen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen gibt es sie: betrügerische Anfragen. Die Person will Ihr Auto ohne Besichtigung und Preisverhandlung kaufen, schickt ungefragt eine Ausweiskopie und wirkt unkompliziert. Da die Person aber im Ausland ist und das Auto nicht abholen kann, beauftragt sie einen Kurierdienst. Spätestens jetzt sollten die Alarmglocken schrillen, denn es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-ihr-auto-vorsicht-bei-… ∗∗∗ Windows UAC aushebeln ∗∗∗ --------------------------------------------- Gerade auf Twitter auf ein Projekt mit dem Namen Defeating Windows User Account Control gestoßen, wo jemand über Wege nachdenkt, die Benutzerkontensteuerung von Windows auszuhebeln. Er hat ein kleines Tool entwickelt, mit dem sich die Windows-Benutzerkontensteuerung durch Missbrauch der integrierten [...] --------------------------------------------- https://www.borncity.com/blog/2023/07/29/windows-uac-aushebeln/ ∗∗∗ CISA Releases Malware Analysis Reports on Barracuda Backdoors ∗∗∗ --------------------------------------------- CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-an… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-35081 - New Ivanti EPMM Vulnerability ∗∗∗ --------------------------------------------- During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability ∗∗∗ WAGO: Bluetooth LE vulnerability in WLAN-ETHERNET-Gateway ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-014/ ∗∗∗ WAGO: Multiple products prone to multiple vulnerabilities in e!Runtime / CODESYS V3 Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-026/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2023
by Daily end-of-shift report 28 Jul '23

28 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-07-2023 18:00 − Freitag 28-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Android malware uses OCR to steal credentials from images ∗∗∗ --------------------------------------------- Two new Android malware families named CherryBlos and FakeTrade were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr… ∗∗∗ Nutzerdaten in Gefahr: Hunderttausende von Wordpress-Seiten anfällig für Datenklau ∗∗∗ --------------------------------------------- Drei Schwachstellen im Wordpress-Plugin Ninja Forms können mitunter massive Datenlecks zur Folge haben. Admins sollten zeitnah updaten. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-hunderttausende-von-wordpre… ∗∗∗ ShellCode Hidden with Steganography, (Fri, Jul 28th) ∗∗∗ --------------------------------------------- When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs. --------------------------------------------- https://isc.sans.edu/diary/rss/30074 ∗∗∗ Hackers Abusing Windows Search Feature to Install Remote Access Trojans ∗∗∗ --------------------------------------------- A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows. --------------------------------------------- https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.ht… ∗∗∗ IcedID Malware Adapts and Expands Threat with Updated BackConnect Module ∗∗∗ --------------------------------------------- The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module thats used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. --------------------------------------------- https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html ∗∗∗ Hackers are infecting Call of Duty (Modern Warfare 2 (2009)) players with a self-spreading malware ∗∗∗ --------------------------------------------- Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. [..] Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware. “Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue,” the tweet read. --------------------------------------------- https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-player… ∗∗∗ Angreifer können NAS- und IP-Videoüberwachungssysteme von Qnap lahmlegen ∗∗∗ --------------------------------------------- Mehrere Netzwerkprodukte von Qnap sind für eine DoS-Attacken anfällig. Dagegen abgesicherte Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9229575 ∗∗∗ The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 ∗∗∗ --------------------------------------------- This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes. --------------------------------------------- https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in… ∗∗∗ Zimbra Patches Exploited Zero-Day Vulnerability ∗∗∗ --------------------------------------------- Zimbra has released patches for a cross-site scripting (XSS) vulnerability that has been exploited in malicious attacks. --------------------------------------------- https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerabilit… ∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse ∗∗∗ --------------------------------------------- The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required ∗∗∗ --------------------------------------------- Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html ∗∗∗ ZDI-23-1010: Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1010/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ACLs Not Installed upon Reload ∗∗∗ --------------------------------------------- An issue with the boot-time programming of access control lists (ACLs) for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow a device to boot without all of its ACLs being correctly installed. This issue is due to a logic error that occurs when ACLs are programmed at boot time. If object groups are not in sequential order in the startup configuration, some access control entries (ACEs) may not be installed. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/939445/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and libmail-dkim-perl), Fedora (openssh), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/939519/ ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-04 ∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) ∗∗∗ --------------------------------------------- An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-09 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2023
by Daily end-of-shift report 27 Jul '23

27 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-07-2023 18:00 − Donnerstag 27-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 KB5028244 update released with 19 fixes, improved security ∗∗∗ --------------------------------------------- Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5028244-update… ∗∗∗ APT trends report Q2 2023 ∗∗∗ --------------------------------------------- This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2023/110231/ ∗∗∗ Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining ∗∗∗ --------------------------------------------- Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners.The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. --------------------------------------------- https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html ∗∗∗ Android Güncelleme – dissecting a malicious update installer ∗∗∗ --------------------------------------------- Recently, during one of F-Secure Android’s routine tests, we came across one such fake Android update sample – Android Güncelleme, that proved to be evasive and exhibited interesting exfiltration characteristics. Although the sample is not novel (some features have already been covered in other articles on the Internet), it nevertheless combines several malicious actions together, such as anti-analysis and anti-uninstallation, making it a more potent threat. --------------------------------------------- https://blog.f-secure.com/android-guncelleme-dissecting-a-malicious-update-… ∗∗∗ Fruity trojan downloader performs multi-stage infection of Windows computers ∗∗∗ --------------------------------------------- For about a year, Doctor Web has been registering support requests from users complaining about Windows-based computers getting infected with the Remcos RAT (Trojan.Inject4.57973) spyware trojan. While investigating these incidents, our specialists uncovered an attack in which Trojan.Fruity.1, a multi-component trojan downloader, played a major role. To distribute it, threat actors create malicious websites and specifically crafted software installers. --------------------------------------------- https://news.drweb.com/show/?i=14728&lng=en&c=9 ∗∗∗ SySS Proof of Concept-Video: "Reversing the Irreversible, again: Unlocking locked Omnis Studio classes" (CVE-2023-38334) ∗∗∗ --------------------------------------------- Das Softwareentwicklungstool unterstützt eine nach eigenen Angaben irreversible Funktion, mit der sich Programmklassen in Omnis-Bibliotheken sperren lassen (locked classes).[..] Aufgrund von Implementierungsfehlern, die während eines Sicherheitstests entdeckt wurden, ist es jedoch möglich, gesperrte Omnis-Klassen zu entsperren, um diese im Omnis Studio-Browser weiter analysieren oder auch modifizieren zu können. Dieser Sachverhalt erfüllt nicht die Erwartungen an eine irreversible Funktion. --------------------------------------------- https://www.syss.de/pentest-blog/syss-proof-of-concept-video-reversing-the-… ∗∗∗ Vorsicht bei "fehlgeschlagenen Zahlungen" auf Booking ∗∗∗ --------------------------------------------- Sie haben eine Nachricht des Hotels bekommen, das Sie über Booking.com gebucht haben und werden zur Bestätigung Ihrer Kreditkarte aufgefordert? Achtung – hierbei handelt es sich um eine ausgeklügelte Phishing-Masche! Die Kriminellen stehlen Ihre Daten und Sie bezahlen Ihr Hotel doppelt! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-fehlgeschlagenen-zahlun… ∗∗∗ Online-Banking: Vorsicht vor Suchmaschinen-Phishing ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben ihre betrügerischen Bank-Webseiten auch bei populären Suchmaschinen wie Google, Yahoo oder Bing. --------------------------------------------- https://www.zdnet.de/88410826/online-banking-vorsicht-vor-suchmaschinen-phi… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation ∗∗∗ --------------------------------------------- The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains a unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation. --------------------------------------------- https://kb.cert.org/vuls/id/813349 ∗∗∗ Schwachstellen entdeckt: 40 Prozent aller Ubuntu-Systeme erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Zwei Schwachstellen im OverlayFS-Modul von Ubuntu gefährden zahllose Server-Systeme. Admins sollten die Kernel-Module zeitnah aktualisieren. (Sicherheitslücke, Ubuntu) --------------------------------------------- https://www.golem.de/news/schwachstellen-entdeckt-40-prozent-aller-ubuntu-s… ∗∗∗ ZDI-23-1002: SolarWinds Network Configuration Manager VulnDownloader Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Configuration Manager. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1002/ ∗∗∗ Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032 ∗∗∗ --------------------------------------------- Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-032 ∗∗∗ Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031 ∗∗∗ --------------------------------------------- The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: Originally the solution was listed as just updating the module, however, a cache rebuild will be necessary for the solution to take effect. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-031 ∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability, July 2023 ∗∗∗ --------------------------------------------- The Progress Sitefinity team recently discovered a potential security vulnerability in the Progress Sitefinity .NET Core Renderer Application. It has since been addressed. [..] For optimal security, we recommend an upgrade to the latest Sitefinity .NET Core Renderer version, which currently is 14.4.8127. A product update is also available for older supported Sitefinity versions --------------------------------------------- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A… ∗∗∗ SolarWinds Platform Security Advisories ∗∗∗ --------------------------------------------- - Access Control Bypass Vulnerability CVE-2023-3622 - Incorrect Behavior Order Vulnerability CVE-2023-33224 - Incorrect Input Neutralization Vulnerability CVE-2023-33229 - Deserialization of Untrusted Data Vulnerability CVE-2023-33225 - Incomplete List of Disallowed Inputs Vulnerability CVE-2023-23844 - Incorrect Comparison Vulnerability CVE-2023-23843 --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ SECURITY BULLETIN: July 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗ --------------------------------------------- CVE Identifier(s): CVE-2023-38624, CVE-2023-38625, CVE-2023-38626, CVE-2023-38627 CVSS 3.0 Score(s): 4.2 Post-authenticated server-side request forgery (SSRF) vulnerabilities in Trend Micro Apex Central 2019 could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000294176?language=en_US ∗∗∗ Security updates available in Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1 ∗∗∗ --------------------------------------------- Platform: macOS Summary: Foxit has released Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1, which address potential security and stability issues. CVE-2023-28744, CVE-2023-38111, CVE-2023-38107, CVE-2023-38109, CVE-2023-38113, CVE-2023-38112, CVE-2023-38110, CVE-2023-38117 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ Sicherheitsupdates: Angreifer können Access Points von Aruba übernehmen ∗∗∗ --------------------------------------------- Wenn die Netzwerkbetriebssysteme ArubaOS 10 oder InstantOS zum Einsatz kommen, sind Access Points von Aruba verwundbar. --------------------------------------------- https://heise.de/-9227914 ∗∗∗ Jetzt patchen! Root-Sicherheitslücke gefährdet Mikrotik-Router ∗∗∗ --------------------------------------------- Stimmten die Voraussetzungen, können sich Angreifer in Routern von Mikrotik zum Super-Admin hochstufen. --------------------------------------------- https://heise.de/-9226696 ∗∗∗ Sicherheitsupdate: Angreifer können Sicherheitslösung Sophos UTM attackieren ∗∗∗ --------------------------------------------- Sophos Unified Threat Management ist verwundbar. Aktuelle Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9228570 ∗∗∗ Synology-SA-23:10 SRM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraint, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_10 ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-208-01 ETIC Telecom RAS Authentication - ICSA-23-208-02 PTC KEPServerEX - ICSA-23-208-03 Mitsubishi Electric CNC Series - ICSA-22-307-01 ETIC RAS (Update A) - ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-releases-five-indus… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012005 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Angular ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012009 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012001 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012033 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014267 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Bouncy Castle ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012003 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012037 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014905 ∗∗∗ IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014929 ∗∗∗ IBM B2B Advanced Communications is vulnerable to denial of service (CVE-2023-24971) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014933 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOps ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014939 ∗∗∗ IBM\u00ae Db2\u00ae has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go denial of service vulnerability ( CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014981 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014991 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2020-24736] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014993 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to security restriction bypass due to [CVE-2023-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014995 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to privilege elevation due to [CVE-2023-26604] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014997 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities in libtiff ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014999 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015003 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015007 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to denial of service due to [CVE-2023-34453], [CVE-2023-34454], [CVE-2023-34455] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015009 ∗∗∗ IBM Event Streams is affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014405 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2023
by Daily end-of-shift report 26 Jul '23

26 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-07-2023 18:00 − Mittwoch 26-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mysterious Decoy Dog malware toolkit still lurks in DNS shadows ∗∗∗ --------------------------------------------- New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware… ∗∗∗ New Nitrogen malware pushed via Google Ads for ransomware attacks ∗∗∗ --------------------------------------------- A new Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-… ∗∗∗ How to Scan A Website for Vulnerabilities ∗∗∗ --------------------------------------------- Even the most diligent site owners should consider when they had their last website security check. As our own research indicates, infections resulting from known website vulnerabilities continue to plague website owners. According to our 2022 Hacked Website Report, last year alone WordPress accounted for 96.2% of infected websites due to its market share and popularity. Statistics like these highlight why it’s so important that you regularly scan your website for vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2023/07/how-to-scan-website-for-vulnerabilities.html ∗∗∗ Sneaky Python package security fixes help no one – except miscreants ∗∗∗ --------------------------------------------- Good thing these eggheads have created a database of patches - Python security fixes often happen through "silent" code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, according to a group of computer security researchers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silen… ∗∗∗ Tool Release: Cartographer ∗∗∗ --------------------------------------------- Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, honing in on target functionality, or even discovering unused content in video games. --------------------------------------------- https://research.nccgroup.com/2023/07/20/tool-release-cartographer/ ∗∗∗ New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets ∗∗∗ --------------------------------------------- Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware. --------------------------------------------- https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-gam… ∗∗∗ Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability ∗∗∗ --------------------------------------------- GreyNoise researchers have identified active exploitation for a remote code execution (RCE) vulnerability in Citrix ShareFile (CVE-2023-24489) --------------------------------------------- https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-… ===================== = Vulnerabilities = ===================== ∗∗∗ ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285) ∗∗∗ --------------------------------------------- ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ B&R Automation Runtime SYN Flooding Vulnerability in Portmapper ∗∗∗ --------------------------------------------- CVE-2023-3242, CVSS v3.1 Base Score: 8.6 The Portmapper service used in Automation Runtime versions <G4.93 is vulnerable to SYN flooding attacks. An unauthenticated network-based attacker may use this vulnerability to cause several services running on B&R Automation Runtime to become permanently inaccessible. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16897876… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, iperf3, openjdk-17, and pandoc), Fedora (389-ds-base, kitty, and thunderbird), SUSE (libqt5-qtbase, libqt5-qtsvg, mysql-connector-java, netty, netty-tcnative, openssl, openssl-1_1, openssl1, php7, python-scipy, and xmltooling), and Ubuntu (amd64-microcode, avahi, libxpm, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, openstack-trove, and python-django). --------------------------------------------- https://lwn.net/Articles/939305/ ∗∗∗ Mattermost security updates 8.0.1 / 7.10.5 / 7.8.9 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.0.1, 7.10.5, and 7.8.9 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-8-0-1-7-10-5-7-8-9-… ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- BOSCH-SA-247054-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed. Customers are advised to isolate the switch from the Internet if upgrading is not possible. The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247054-bt.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/26/cisa-adds-one-known-expl… ∗∗∗ Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95727578/ ∗∗∗ AIX is vulnerable to denial of service due to zlib (CVE-2022-37434) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014483 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2023-29469 and CVE-2023-28484) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014485 ∗∗∗ IBM Security Directory Suite has multiple vulnerabilities [CVE-2022-33163 and CVE-2022-33168] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001885 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014649 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014651 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014659 ∗∗∗ CVE-2023-0465 may affect IBM CICS TX Advanced 10.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014675 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014693 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to TensorFlow denial of service vulnerabilitiy [CVE-2023-25661] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014695 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to YAML denial of service vulnerabilitiy [CVE-2023-2251] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2023
by Daily end-of-shift report 25 Jul '23

25 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 24-07-2023 18:00 − Dienstag 25-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique ∗∗∗ --------------------------------------------- The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. --------------------------------------------- https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html ∗∗∗ Rooting the Amazon Echo Dot ∗∗∗ --------------------------------------------- Thanks to a debug feature implemented by Lab126 (Amazons hardware development company) it is now possible to obtain a tethered root on the device. Thanks to strong security practices enforced by the company such as a chain of trust from the beginning of the boot process, this should not be a major issue. --------------------------------------------- https://dragon863.github.io/blog/echoroot.html ∗∗∗ Will the real Citrix CVE-2023-3519 please stand up? ∗∗∗ --------------------------------------------- While the most recent Citrix Security Advisory identifies CVE-2023-3519 as the only vulnerability resulting in unauthenticated remote code execution, there are at least two vulnerabilities that were patched during the most recent version upgrade. --------------------------------------------- https://www.greynoise.io/blog/will-the-real-citrix-cve-2023-3519-please-sta… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v. These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is Low --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html ∗∗∗ Phishing-Alarm: Unsere Liste mit aktuellen Phishing-Nachrichten ∗∗∗ --------------------------------------------- In Phishing-Nachrichten fordern Kriminelle per E-Mail oder SMS dazu auf, Links zu folgen oder Dateianhänge zu öffnen. So versuchen Kriminelle an Ihre Login-, Bank- oder Kreditkartendaten zu kommen. Jeden Tag werden uns zahlreiche Phishing-Nachrichten gemeldet. Sobald wir neue Phishing-Nachrichten entdecken, ergänzen wir sie in unserem Phishing-Alarm! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-unsere-liste-mit-aktu… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo ∗∗∗ --------------------------------------------- Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0) - CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0) - CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1) --------------------------------------------- https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.h… ∗∗∗ CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (CVSS: 10.0) ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. [..] Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-A… ∗∗∗ F5 Security Advisory K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757 ∗∗∗ --------------------------------------------- This vulnerability may allow an attacker with network access to compromise the affected component. Successful exploit can result in unauthorized ability to cause a partial denial-of-service (DoS) of the affected component. BIG-IP and BIG-IQ Versions known to be vulnerable: BIG-IP (all modules) 13.x-17.x, BIG-IQ Centralized Management 8.0.0-8.3.0 --------------------------------------------- https://my.f5.com/manage/s/article/K000135555 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-20593 ∗∗∗ --------------------------------------------- AMD has released updated microcode to address an issue with certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue. --------------------------------------------- https://support.citrix.com/article/CTX566835/citrix-hypervisor-security-upd… ∗∗∗ Xen Security Advisory XSA-433 x86/AMD: Zenbleed ∗∗∗ --------------------------------------------- This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. [..] In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-433.html ∗∗∗ VMWare VMSA-2023-0016 (CVE-2023-20891) ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 Synopsis: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability Known Attack Vectors: A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0016.html ∗∗∗ TYPO3 12.4.4 and 11.5.30 security releases published ∗∗∗ --------------------------------------------- All versions are security releases and contain important security fixes - read the corresponding security advisories: - TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer (CVE-2023-38500) - TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution (CVE-2023-38499) - TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin (CVE-2023-37905) --------------------------------------------- https://typo3.org/article/typo3-1244-and-11530-security-releases-published ∗∗∗ Lücken gestopft: Apple bringt iOS 16.6, macOS 13.5, watchOS 9.6 und tvOS 16.6 ∗∗∗ --------------------------------------------- Fehlerbehebungen und vor allem sicherheitsrelevante Fixes liefern frische Apple-Updates vom Montagabend. Es gab auch Zero-Day-Löcher. --------------------------------------------- https://heise.de/-9225677 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh). --------------------------------------------- https://lwn.net/Articles/939179/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13.1 ∗∗∗ --------------------------------------------- CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character ilenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/ ∗∗∗ Spring Security 5.6.12, 5.7.10, 5.8.5, 6.0.5, and 6.1.2 are available now, including fixes for CVE-2023-34034 and CVE-2023-34035 ∗∗∗ --------------------------------------------- Those versions fix the following CVEs: - CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern - CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets --------------------------------------------- https://spring.io/blog/2023/07/24/spring-security-5-6-12-5-7-10-5-8-5-6-0-5… ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released four Industrial Control Systems (ICS) advisories on July 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. - ICSA-23-206-01 AXIS A1001 - ICSA-23-206-02 Rockwell Automation ThinManager ThinServer - ICSA-23-206-03 Emerson ROC800 Series RTU and DL8000 Preset Controller - ICSA-23-206-04 Johnson Controls IQ Wifi 6 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/25/cisa-releases-four-indus… ∗∗∗ 2023-07-24: Cyber Security Advisory - ABB Ability Zenon directory permission and internal issues ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&Language… ∗∗∗ AMD Cross-Process Information Leak ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500571-AMD-CROSS-PROCESS-INFOR… ∗∗∗ [R1] Stand-alone Security Patch Available for Security Center versions 6.0.0, 6.1.0 and 6.1.1: SC-202307.1-6.x ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-26 ∗∗∗ [R1] Stand-alone Security Patch Available for Security Center version 5.23.1: SC-202307.1-5.23.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-25 ∗∗∗ OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014235 ∗∗∗ SnakeYaml is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014243 ∗∗∗ Node.js http-cache-semantics module is vulnerable to CVE-2022-25881 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014237 ∗∗∗ Wekzeug is vulnerable to CVE-2023-25577 and CVE-2023-23934 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014239 ∗∗∗ Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014241 ∗∗∗ Apache Commons FileUpload and Tomcat are vulnerable to CVE-2023-24998 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014245 ∗∗∗ Xml2js is vulnerable to CVE-2023-0842 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014247 ∗∗∗ Flask is vulnerable to CVE-2023-30861 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014251 ∗∗∗ Apache Commons Codec is vulnerable to PRISMA-2021-0055 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014255 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014253 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ json-20220320.jar is vulnerable to CVE-2022-45688 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014269 ∗∗∗ Apache Kafka is vulnerable to CVE-2022-34917 and CVE-2023-25194 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014273 ∗∗∗ Netplex json-smart-v2 is vulnerable to CVE-2023-1370 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014271 ∗∗∗ Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014281 ∗∗∗ VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014361 ∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20861 and CVE-2023-20863 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014353 ∗∗∗ Netty is vulnerable to CVE-2023-34462 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014357 ∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20860 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014363 ∗∗∗ Apache Commons FileUpload and Apache Tomcat are vulnerable to CVE-2023-24998, CVE-2022-45143, and CVE-2023-28708 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014365 ∗∗∗ VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014369 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014371 ∗∗∗ Google Guava is vulnerable to CVE-2023-2976 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014373 ∗∗∗ Snappy-java is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014375 ∗∗∗ The Bouncy Castle Crypto Package For Java is vulnerable to CVE-2023-33201 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014377 ∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014379 ∗∗∗ Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011697 ∗∗∗ Multiple vulnerabilities in Apache Log4j affects IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014395 ∗∗∗ IBM Event Streams is affected by multiple Golang Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014403 ∗∗∗ IBM WebSphere Application Server, used in IBM Security Verify Governance Identity Manager, could provide weaker than expected security (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014401 ∗∗∗ The IBM\u00ae Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for X-Force ID 220800 and CVE-2017-12626 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014413 ∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center(CVEs - Remediation\/Fixes) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014429 ∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014379 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to arbitrary code execution due to [CVE-2022-28805] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014459 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service due to [CVE-2021-27212] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014457 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands are vulnerable to denial of service due to [CVE-2022-21349] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014455 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014451 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014453 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014473 ∗∗∗ IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014475 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/876830 ∗∗∗ Watson Query potentially exposes adminstrators key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6569235 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6453431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2023
by Daily end-of-shift report 24 Jul '23

24 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-07-2023 18:00 − Montag 24-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Eine einfache Aktion beugt Telefonbetrug vor ∗∗∗ --------------------------------------------- Betrüger*innen nutzen gezielt Telefonbücher, um ihre Opfer zu identifizieren. In Visier rücken dabei vor allem ältere Menschen. --------------------------------------------- https://futurezone.at/digital-life/telefonbetrug-vorbeugen-spam-sperren-blo… ∗∗∗ Security baseline for Microsoft Edge version 115 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 115! We have reviewed the new settings in Microsoft Edge version 115 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks ∗∗∗ --------------------------------------------- Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, [...] --------------------------------------------- https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html ∗∗∗ TETRA Radio Code Encryption Has a Flaw: A Backdoor ∗∗∗ --------------------------------------------- A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty. --------------------------------------------- https://www.wired.com/story/tetra-radio-encryption-backdoor/ ∗∗∗ Microsofts gestohlener Schlüssel mächtiger als vermutet ∗∗∗ --------------------------------------------- Ein gestohlener Schlüssel funktionierte möglicherweise nicht nur bei Exchange Online, sondern war eine Art Masterkey für große Teile der Mircrosoft-Cloud. --------------------------------------------- https://heise.de/-9224640 ∗∗∗ Achtung Fake-Shop: vailia-parfuemerie.com ∗∗∗ --------------------------------------------- Bei Vailia Parfümerie finden Sie günstige Kosmetikprodukte und Parfüms. Der Online-Shop macht zwar einen professionellen Eindruck, liefert aber keine Ware. Wenn Sie Ihre Kreditkartendaten als Zahlungsmethode angegeben haben, kommt es entweder zu nicht genehmigten Abbuchungen oder Ihre Daten werden für einen Betrugsversuch zu einem späteren Zeitpunkt missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-vailia-parfuemerie… ∗∗∗ Palo Alto Networks warnt vor P2P-Wurm für Cloud-Container-Umgebungen ∗∗∗ --------------------------------------------- Die neue Malware ist mindestens seit rund zwei Wochen im Umlauf. Sie nimmt eine bekannte Schwachstelle in der Datenbankanwendung Redis ins Visier. --------------------------------------------- https://www.zdnet.de/88410715/palo-alto-networks-warnt-vor-p2p-wurm-fuer-cl… ∗∗∗ Sicherheit: Die AES 128/128 Cipher Suite sollte am IIS deaktiviert werden ∗∗∗ --------------------------------------------- Kurzer Informationssplitter aus dem Bereich der Sicherheit, der Administratoren eines Internet Information-Server (IIS) im Windows-Umfeld interessieren könnte. --------------------------------------------- https://www.borncity.com/blog/2023/07/22/sicherheit-die-aes-128-128-cipher-… ===================== = Vulnerabilities = ===================== ∗∗∗ Zenbleed (CVE-2023-20593) - If you remove the first word from the string "hello world", what should the result be? ∗∗∗ --------------------------------------------- This is the story of how we discovered that the answer could be your root password! [..] AMD have released an microcode update for affected processors. Your BIOS or Operating System vendor may already have an update available that includes it. Workaround: It is highly recommended to use the microcode update. If you can’t apply the update for some reason, there is a software workaround: you can set the chicken bit DE_CFG. This may have some performance cost. --------------------------------------------- https://lock.cmpxchg8b.com/zenbleed.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk). --------------------------------------------- https://lwn.net/Articles/939059/ ∗∗∗ Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo ∗∗∗ --------------------------------------------- Atlassian patches high-severity remote code execution vulnerabilities in Confluence and Bamboo products. --------------------------------------------- https://www.securityweek.com/atlassian-patches-remote-code-execution-vulner… ∗∗∗ AMI MegaRAC SP-X BMC Redfish Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500570-AMI-MEGARAC-SP-X-BMC-R… ∗∗∗ Multiple vulnerabilities affect the embedded Content Navigator in Business Automation Workflow - CVE-2023-24998, 254437 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013897 ∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014039 ∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014057 ∗∗∗ IBM App Connect for Manufacturing is vulnerable to a denial of service due to FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014181 ∗∗∗ IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to Node.js (CVE-2023-23920) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014193 ∗∗∗ IBM Sterling Connect:Direct File Agent is vulnerable to a buffer overflow and unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition (CVE-2023-21930, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009987 ∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server which is a component of IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013889 ∗∗∗ IBM Storage Protect Server is vulnerable to denial of service due to Golang Go ( CVE-2023-24534 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014223 ∗∗∗ IBM Storage Protect Server is vulnerable to sensitive information disclosure due to IBM GSKit ( CVE-2023-32342 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014225 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2023
by Daily end-of-shift report 21 Jul '23

21 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-07-2023 18:00 − Freitag 21-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ GitHub warns of Lazarus hackers targeting devs with malicious projects ∗∗∗ --------------------------------------------- GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hack… ∗∗∗ Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities ∗∗∗ --------------------------------------------- A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. --------------------------------------------- https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html ∗∗∗ Supply chain security for Go, Part 3: Shifting left ∗∗∗ --------------------------------------------- Previously in our Supply chain security for Go series, we covered dependency and vulnerability management tools and how Go ensures package integrity and availability as part of the commitment to countering the rise in supply chain attacks in recent years. In this final installment, we’ll discuss how “shift left” security can help make sure you have the security information you need, when you need it, to avoid unwelcome surprises. --------------------------------------------- http://security.googleblog.com/2023/07/supply-chain-security-for-go-part-3.… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities ∗∗∗ --------------------------------------------- At the time, the latest Perimeter81 MacOS application (10.0.0.19) suffers from local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows main application to setup things which require administrative privileges such as VPN connection, changing routing table, etc. --------------------------------------------- https://kb.cert.org/vuls/id/653767 ∗∗∗ Schwachstellen in AMI-Firmware: Gigabyte-Hack gefährdet unzählige Serversysteme ∗∗∗ --------------------------------------------- Nach einem Hackerangriff auf Gigabyte ist unter anderem eine AMI-Firmware geleakt, in der Forscher nun äußerst brisante Schwachstellen fanden. --------------------------------------------- https://www.golem.de/news/schwachstellen-in-ami-firmware-gigabyte-hack-gefa… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang, nodejs16, nodejs18, and R-jsonlite), Red Hat (java-1.8.0-openjdk and java-17-openjdk), SUSE (container-suseconnect, redis, and redis7), and Ubuntu (wkhtmltopdf). --------------------------------------------- https://lwn.net/Articles/938878/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0006 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-37450, CVE-2023-32393. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0006.html ∗∗∗ Foxit PDF Reader und PDF Editor 12.1.3 als Sicherheitsupdates ∗∗∗ --------------------------------------------- Kurze Information für Leute, die noch den Foxit PDF Reader und/oder den PDF Editor einsetzen sollten. In älteren Versionen gibt es Sicherheitslücken, die durch ein Sicherheitsupdate auf die Version 12.1.3.15356 beseitigt werden [...] --------------------------------------------- https://www.borncity.com/blog/2023/07/20/foxit-pdf-reader-und-pdf-editor-12… ∗∗∗ GBrowse vulnerable to unrestricted upload of files with dangerous types ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35897618/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.0.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/ ∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013595 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010095 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963962 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855661 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server ( CVE-2022-3509, CVE-2022-3171) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963956 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957392 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963958 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963960 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954401 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954403 ∗∗∗ IBM Global Mailbox is vulnerable to remote code execution due to Apache Cassandra (CVE-2021-44521) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852565 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954405 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011767 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013887 ∗∗∗ Vulnerability in Google gson 2.2.4 libraries (CVE-2022-25647) affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013881 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2023
by Daily end-of-shift report 20 Jul '23

20 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-07-2023 18:00 − Donnerstag 20-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Citrix-Zero-Days: Angriffsspuren auf Netscaler ADC und Gateway aufspüren ∗∗∗ --------------------------------------------- Vor der Verfügbarkeit von Updates wurden CItrix-Lücken bereits in freier Wildbahn angegriffen. Daher ist eine Überprüfung auf Angriffsspuren sinnvoll. --------------------------------------------- https://heise.de/-9221655 ∗∗∗ Microsoft Relents, Offers Free Critical Logging to All 365 Customers ∗∗∗ --------------------------------------------- Industry pushback prompts Microsoft to drop premium pricing for access to cloud logging data. --------------------------------------------- https://www.darkreading.com/application-security/microsoft-relents-offers-f… ∗∗∗ Docker Hub images found to expose secrets and private keys ∗∗∗ --------------------------------------------- Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/07/docker-hub-images-found-to-e… ∗∗∗ Vorab bezahlen, um arbeiten zu können? Finger weg von Jobs der Nice Tech GmbH ∗∗∗ --------------------------------------------- Auf nice102.com, nice02.com, unice688.com, nicetechmax.com und vermutlich zahlreichen weiteren Domains betreibt die Nice Tech GmbH ein undurchsichtiges Pyramidensystem, bei dem Sie angeblich Geld von zu Hause aus verdienen können. Die Aufgabenbeschreibungen sind aber äußerst vage, um loslegen zu können, sollen Sie vorab Geld bezahlen und das meiste Geld gibt es für die Anwerbung neuer Mitglieder. --------------------------------------------- https://www.watchlist-internet.at/news/vorab-bezahlen-um-arbeiten-zu-koenne… ∗∗∗ P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm ∗∗∗ --------------------------------------------- A novel peer-to-peer worm written in Rust is uniquely scalable. It targets open-source database Redis and can infect multiple platforms. --------------------------------------------- https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/ ∗∗∗ Announcing New DMARC Policy Handling Defaults for Enhanced Email Security ∗∗∗ --------------------------------------------- For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dm… ∗∗∗ The SOC Toolbox: Analyzing AutoHotKey compiled executables ∗∗∗ --------------------------------------------- A quick post on how to extract AutoHotKey scripts from an AutoHotKey script compiled executable. --------------------------------------------- https://blog.nviso.eu/2023/07/20/the-soc-toolbox-analyzing-autohotkey-compi… ∗∗∗ Escalating Privileges via Third-Party Windows Installers ∗∗∗ --------------------------------------------- In this blog post, we will share how Mandiant’s red team researches and exploits zero-day vulnerabilities in third-party Windows Installers, what software developers should do to reduce risk of exploitation, and introduce a new tool to simplify enumeration of cached Microsoft Software Installer (MSI). --------------------------------------------- https://www.mandiant.com/resources/blog/privileges-third-party-windows-inst… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Tanzu Spring: Update schließt kritische Lücke ∗∗∗ --------------------------------------------- Aktualisierte Versionen von VMware Tanzu Spring schließen Sicherheitslücken. Eine davon gilt als kritisch. --------------------------------------------- https://heise.de/-9221869 ∗∗∗ CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED] ∗∗∗ --------------------------------------------- Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023) ∗∗∗ --------------------------------------------- Last week, there were 69 vulnerabilities disclosed in 68 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. --------------------------------------------- https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (sysstat), Gentoo (openssh), Mageia (firefox/nss, kernel, kernel-linus, maven, mingw-nsis, mutt/neomutt, php, qt4/qtsvg5, and texlive), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and kpatch-patch), Slackware (curl and openssh), SUSE (curl, grafana, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python-Flask, python310, samba, SUSE Manager Client Tools, and texlive), and Ubuntu (curl, ecdsautils, and samba). --------------------------------------------- https://lwn.net/Articles/938711/ ∗∗∗ Apache OpenMeetings Wide Open to Account Takeover, Code Execution ∗∗∗ --------------------------------------------- Researcher discovers vulnerabilities in the open source Web application, which were fixed in the latest Apache OpenMeeting update. --------------------------------------------- https://www.darkreading.com/remote-workforce/apache-openmeetings-account-ta… ∗∗∗ CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent ∗∗∗ --------------------------------------------- In this advisory, we present our research, experiments, reproducible results, and further ideas to exploit this "dlopen() then dlclose()" primitive. We will also publish the source code of our crude fuzzer at https://www.qualys.com/research/security-advisories/. --------------------------------------------- https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-… ∗∗∗ Sicherheitsschwachstellen in Omnis Studio (SYSS-2023-005/-006) ∗∗∗ --------------------------------------------- Implementierungsfehler erlauben Angreifern, private Omnis-Bibliotheken und gesperrte Klassen im Omnis Studio Browser zu öffnen und zu bearbeiten. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-omnis-studio-… ∗∗∗ TP-LINK TL-WR840N: Schwachstelle ermöglicht Stack Buffer Overflow DOS ∗∗∗ --------------------------------------------- In der Firmware des TP-Link Routers TP-LINK TL-WR840N gibt es eine Schwachstelle, die es einem Remote-Angreifer ermöglicht, einen Stack Buffer Overflow DOS-Angriff durchzuführen. TP-Link will keinen Sicherheitshinweis dazu veröffentlichen, hat aber eine neue Firmware (TL-WR840N(KR)_V6.2_230702) auf dieser Webseite bereitgestellt. --------------------------------------------- https://www.borncity.com/blog/2023/07/20/tp-link-tl-wr84-schwachstelle-ermg… ∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Small Business SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to SnakeYaml [CVE-2022-1471] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013297 ∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2023-28530, XFID: 212233, CVE-2022-24999, CVE-2023-28530, CVE-2023-25929) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012621 ∗∗∗ IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003501 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to security restrictions bypass due to [CVE-2022-32221], [CVE-2023-27533], [CVE-2023-28322] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013517 ∗∗∗ Security Vulnerabilities in hazelcast client affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013527 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Framework (CVE-2023-20863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003899 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2023-20862) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003901 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerabilitiy [CVE-2023-20863] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012251 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2023
by Daily end-of-shift report 19 Jul '23

19 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-07-2023 18:00 − Mittwoch 19-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Neue Ransomware: Kriminelle verschlüsseln Systeme im Namen von Sophos ∗∗∗ --------------------------------------------- Eine vermeintliche Verschlüsselungssoftware von Sophos entpuppt sich als Bitcoin einspielender Ransomware-Dienst für kriminelle Akteure. --------------------------------------------- https://www.golem.de/news/neue-ransomware-kriminelle-verschluesseln-systeme… ∗∗∗ Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability ∗∗∗ --------------------------------------------- On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public. --------------------------------------------- https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397… ∗∗∗ Massive Google Colaboratory Abuse: Gambling and Subscription Scam ∗∗∗ --------------------------------------------- While Google’s free and open tools are undeniably valuable for collaboration (and innovation), it’s evident that complications arise when they become a haven for bad actors. Millions of documents with spam content on the Google Colab platform reveal that spammers have found yet another method to host doorways that they actively promote via spam link injections on compromised websites. --------------------------------------------- https://blog.sucuri.net/2023/07/massive-google-colaboratory-abuse-gambling-… ∗∗∗ LKA Niedersachsen warnt vor Phishing und Abofallen mit iCloud- und Google-Mails ∗∗∗ --------------------------------------------- Derzeit versenden Betrüger Mails, laut denen Apple iCloud- oder Google-Speicherplatz volllaufe. Davor warnt das LKA Niedersachsen. --------------------------------------------- https://heise.de/-9220688 ∗∗∗ Network and Information Systems Security (NIS2): recommendations for NRENs ∗∗∗ --------------------------------------------- GÉANT worked with Stratix, an independent consultancy firm specialised in communication infrastructures and services, to go through the steps that NRENs need to follow and the questions that need to be answered during the NIS2 implementation phase. --------------------------------------------- https://connect.geant.org/2023/07/19/network-and-information-systems-securi… ∗∗∗ HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within ∗∗∗ --------------------------------------------- Despite risks to their own data and devices, some users continue to be lured into downloading illegal versions of popular paid-for software, disregarding the potentially more severe repercussions than legitimate alternatives. We have analyzed how cybercriminals deploy HotRat, a remote access trojan (RAT), through an AutoHotkey script attached to cracked software. --------------------------------------------- https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-softwa… ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSSL Security Advisory: Excessive time spent checking DH keys and parameters (CVE-2023-3446) ∗∗∗ --------------------------------------------- Severity: Low Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. --------------------------------------------- https://www.openssl.org/news/secadv/20230714.txt ∗∗∗ Webbrowser: Google stopft 20 Sicherheitslecks in Chrome 115 ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in Version 115 vorgelegt. Darin bessern die Entwickler 20 Schwachstellen aus. --------------------------------------------- https://heise.de/-9220438 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl). --------------------------------------------- https://lwn.net/Articles/938596/ ∗∗∗ Session Token Enumeration in RWS WorldServer ∗∗∗ --------------------------------------------- Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/ ∗∗∗ Oracle Releases Security Updates ∗∗∗ --------------------------------------------- Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for July 2023 to address vulnerabilities affecting multiple products. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/18/oracle-releases-security… ∗∗∗ Vulnerability with guava (CVE-2023-2976) affect IBM Cloud Object Storage Systems (July 2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012815 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010311 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010313 ∗∗∗ Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012979 ∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989451 ∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013037 ∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013035 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855613 ∗∗∗ WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a server-side request forgery vulnerability(CVE-2022-35282). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6827807 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953111 ∗∗∗ IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964530 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983186 ∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983188 ∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013135 ∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013139 ∗∗∗ IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013143 ∗∗∗ Weintek Weincloud ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2023
by Daily end-of-shift report 18 Jul '23

18 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 17-07-2023 18:00 − Dienstag 18-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks ∗∗∗ --------------------------------------------- The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. --------------------------------------------- https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html ∗∗∗ Uncovering drIBAN fraud operations. Chapter 3: Exploring the drIBAN web inject kit ∗∗∗ --------------------------------------------- So far, we have discussed the malspam campaign that started spreading sLoad. Then, we discovered that sLoad is a dropper for Ramnit [..] After that, we also described Ramnit’s capabilities, focusing mainly on its injection and persistence techniques. As a final step, we will discuss drIBAN, a sophisticated and modular web-inject kit that can hide resources, masquerade its presence, and perform large-scale ATS attacks. --------------------------------------------- https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapt… ∗∗∗ Wordpress: Angriffswelle auf Woocommerce Payments läuft derzeit ∗∗∗ --------------------------------------------- Die IT-Forscher von Wordfence beobachten eine Angriffswelle auf das Woocommerce Payments-Plug-in. Es ist auf mehr als 600.000 Websites installiert. --------------------------------------------- https://heise.de/-9219114 ∗∗∗ JavaScript-Sandbox vm2: Neue kritische Schwachstelle, kein Update mehr ∗∗∗ --------------------------------------------- Für die jüngste kritische Sicherheitslücke im Open-Source-Projekt vm2 gibt es keinen Bugfix, sondern der Betreiber rät zum Umstieg auf isolated-vm. --------------------------------------------- https://heise.de/-9219087 ∗∗∗ Verkaufen auf Shpock: Vorsicht, wenn Sie den Kaufbetrag in Ihrer Banking-App "bestätigen" müssen ∗∗∗ --------------------------------------------- Sie verkaufen etwas auf Shpock. Sofort meldet sich jemand und möchte es kaufen. Zeitgleich erhalten Sie ein E-Mail von „TeamShpock“ mit der Information, dass die Ware bezahlt wurde und Sie das Geld anfordern können. Sie werden auf eine "Auszahlungsseite" verlinkt. Vorsicht, diese Vorgehensweise ist Betrug. Wir zeigen Ihnen, wie die Betrugsmasche abläuft und wie Sie sicher auf Shpock verkaufen! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-shpock-vorsicht-wenn-s… ∗∗∗ NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing ∗∗∗ --------------------------------------------- This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for the design, deployment, operation, and maintenance of a hardened 5G standalone network slice(s). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/17/nsa-cisa-release-guidanc… ===================== = Vulnerabilities = ===================== ∗∗∗ Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) (CVE-2023-34203) ∗∗∗ --------------------------------------------- Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user. --------------------------------------------- https://community.progress.com/s/article/Role-based-Access-Control-and-Priv… ∗∗∗ Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack ∗∗∗ --------------------------------------------- The flaw presents a significant supply chain risk since it allows attackers to maliciously tamper with application images, which can then infect users and customers when they install the application. [..] Orca Security immediately reported the findings to the Google Security Team, who investigated the issue and deployed a partial fix. However, Google’s fix doesn’t revoke the discovered Privilege Escalation (PE) vector. It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk. --------------------------------------------- https://orca.security/resources/blog/bad-build-google-cloud-build-potential… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/938488/ ∗∗∗ Sicherheitslücken, teils kritisch, in Citrix/Netscaler ADC und Gateway - aktiv ausgenützt - Updates verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentisierten Angreifenden, beliebigen Code auszuführen. Diese Schwachstelle wird auch bereits aktiv ausgenützt. Weitere mit diesen Updates geschlossene Sicherheitslücken betreffen Reflected Cross Site Scripting (XSS) sowie Privilege Escalation. --------------------------------------------- https://cert.at/de/warnungen/2023/7/sicherheitslucken-teil-kritisch-in-citr… ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers ∗∗∗ --------------------------------------------- Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012387 ∗∗∗ IBM Security Verify Governance has multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012649 ∗∗∗ IBM Security Verify Governance has multiple vulnerabilities (CVE-2022-41946, CVE-2022-46364, CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012647 ∗∗∗ Vulnerabilities in httpclient library affects IBM Engineering Test Management (ETM) (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012659 ∗∗∗ Vulnerabilities in Commons Codec library affects IBM Engineering Test Management (ETM) (IBM X-Force ID:177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012657 ∗∗∗ Vulberability in Apache commons io library affects IBM Engineering Test Management (ETM) (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012661 ∗∗∗ Vulnerability in Junit library affects IBM Engineering Test Management (ETM) ( CVE-2020-15250) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012663 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011767 ∗∗∗ Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012675 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012711 ∗∗∗ Daeja ViewONE may be affected by Bouncy Castle Vulnerability (CVE-2023-33201) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012809 ∗∗∗ Rockwell Automation Kinetix 5700 DC Bus Power Supply ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-01 ∗∗∗ Weintek Weincloud ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04 ∗∗∗ Keysight N6845A Geolocation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02 ∗∗∗ GeoVision GV-ADR2701 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05 ∗∗∗ WellinTech KingHistorian ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-07 ∗∗∗ Iagona ScrutisWeb ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03 ∗∗∗ GE Digital CIMPLICITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2023
by Daily end-of-shift report 17 Jul '23

17 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-07-2023 18:00 − Montag 17-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Meet NoEscape: Avaddon ransomware gangs likely successor ∗∗∗ --------------------------------------------- The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransom… ∗∗∗ Analysis of Storm-0558 techniques for unauthorized email access ∗∗∗ --------------------------------------------- Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-… ∗∗∗ Xen Security Notice 1: winpvdrvbuild.xenproject.org potentially compromised ∗∗∗ --------------------------------------------- Software running on the Xen Project hosted subdomain winpvdrvbuild.xenproject.org is outdated and vulnerable to several CVEs. Some of the reported issues include remote code execution. [..] Since the list of CVEs reported include remote code execution we no longer have confidence that binaries previously available at https://xenbits.xen.org/pvdrivers/win/ are trustworthy. [..] A new set of drivers based on the current master branch and built on a trusted environment have been uploaded --------------------------------------------- https://seclists.org/oss-sec/2023/q3/37 ∗∗∗ Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw ∗∗∗ --------------------------------------------- Adobe patches critical code execution vulnerability in ColdFusion for which a proof-of-concept (PoC) blog exists. --------------------------------------------- https://www.securityweek.com/exploitation-of-coldfusion-vulnerability-repor… ∗∗∗ Last Minute Bikini-Shopping: Nicht in diesen Shops ∗∗∗ --------------------------------------------- Sind Sie auf der Suche nach Bademode? Dann werden Ihnen möglicherweise auch auf Facebook und Instagram Werbeanzeigen angezeigt. Wir sehen aktuell viele Werbeanzeigen von unseriösen Shops, die auf der Webseite zwar schöne Bademode präsentieren, aber minderwertige Ware versenden. Wir zeigen Ihnen, wo Sie lieber nicht bestellen sollen. --------------------------------------------- https://www.watchlist-internet.at/news/last-minute-bikini-shopping-nicht-in… ===================== = Vulnerabilities = ===================== ∗∗∗ AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext ∗∗∗ --------------------------------------------- All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users passwords being added to the database in plaintext format."A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," --------------------------------------------- https://thehackernews.com/2023/07/aios-wordpress-plugin-faces-backlash.html ∗∗∗ Wireshark 4.0.7 Released, (Sat, Jul 15th) ∗∗∗ --------------------------------------------- Wireshark version 4.0.7 was released with 2 vulnerabilities and 22 bugs fixed. --------------------------------------------- https://isc.sans.edu/diary/rss/30030 ∗∗∗ PoC-Exploit verfügbar: Adobe legt Patch für Coldfusion nach ∗∗∗ --------------------------------------------- Kurz nach dem Juli-Patchday legt Adobe weitere Updates nach, um eine kritische Schwachstelle in Coldfusion abzudichten. PoC-Exploitcode wurde entdeckt. --------------------------------------------- https://heise.de/-9217427 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gpac, iperf3, kanboard, kernel, and pypdf2), Fedora (ghostscript), SUSE (bind, bouncycastle, ghostscript, go1.19, go1.20, installation-images, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, php74, poppler, and python-Django), and Ubuntu (cups, linux-oem-6.1, and ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.1). --------------------------------------------- https://lwn.net/Articles/938375/ ∗∗∗ IBM InfoSphere Information Server is affected but not vulnerable to multiple vulnerabilities in Undertow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007051 ∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in snakeYAML ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988677 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Framework [CVE-2023-2861, CVE-2023-20860] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988683 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to RubyGems commonmarker gem denial of service vulnerabilitiy [IBM X-Force ID: 252809] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012231 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerabilitiy [CVE-2023-20863] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012235 ∗∗∗ IBM InfoSphere Information Server is affected by a denial of service vulnerability in netplex json-smart-v2 (CVE-2023-1370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988679 ∗∗∗ IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons FileUpload and Tomcat (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008447 ∗∗∗ Watson CP4D Data Stores is vulnerable to SAP NetWeaver AS Java for Deploy Service information disclosure vulnerability ( CVE-2023-24527) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012297 ∗∗∗ IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture (CVE-2023-30990) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008573 ∗∗∗ IBM InfoSphere Information Server is affected but not vulnerable to a vulnerability in jose.4j ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007055 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Boot ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008437 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Apache Cassandra (CVE-2023-30601) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003915 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Tomcat (CVE-2023-28708, CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007057 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-33857) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007059 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Google Guava (CVE-2023-2976) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012025 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in snappy-java ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011483 ∗∗∗ IBM Robotic Process Automation is vulnerable to client side validation bypass (CVE-2023-35901) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012317 ∗∗∗ IBM Performance Tools for i is vulnerable to local privilege escalation (CVE-2023-30989) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012353 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-30988) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012355 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-35898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009205 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26048) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7008445 ∗∗∗ Multiple vulnerabilities of Apache common collections (commons-collections-3.2.jar) have affected APM WebSphere Application Server Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012397 ∗∗∗ Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface due to Java and Eclipse ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012395 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012409 ∗∗∗ A vulnerability in OpenStack Swift affects IBM Storage Scale environments with the S3 capability of Object protocol enabled (CVE-2022-47950) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012419 ∗∗∗ Mulitple vulnerabilities in Dojo dojox repo may affect IBM Storage Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012427 ∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012387 ∗∗∗ Vulnerability in paramiko-2.4.2-py2.py3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-24302] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012433 ∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to execution of arbitrary code on the system (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012437 ∗∗∗ IBM Performance Tools for i is vulnerable to local privilege escalation (CVE-2023-30989) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012353 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-30988) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012355 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2023
by Daily end-of-shift report 14 Jul '23

14 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-07-2023 18:00 − Freitag 14-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ AVrecon malware infects 70,000 Linux routers to build botnet ∗∗∗ --------------------------------------------- Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avrecon-malware-infects-70-0… ∗∗∗ WormGPT Cybercrime Tool Heralds an Era of AI Malware vs. AI Defenses ∗∗∗ --------------------------------------------- A black-hat alternative to GPT models specifically designed for malicious activities like BEC, malware, and phishing attacks is here, and will push organizations to level up with generative AI themselves. --------------------------------------------- https://www.darkreading.com/attacks-breaches/wormgpt-heralds-an-era-of-usin… ∗∗∗ Security: Schwachstellen-Scanner für Google Go geht an den Start ∗∗∗ --------------------------------------------- Das Tool Govulncheck untersucht Go-Projekte auf bekannte Schwachstellen in den Dependencies. Eine Extension integriert die Überprüfung in Visual Studio Code. --------------------------------------------- https://heise.de/-9216187 ∗∗∗ Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability ∗∗∗ --------------------------------------------- Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had exploited a zero-day vulnerability. --------------------------------------------- https://www.securityweek.com/hackers-target-reddit-alternative-lemmy-via-ze… ∗∗∗ Meta-Werbekonto gehackt? So handeln Sie richtig! ∗∗∗ --------------------------------------------- Ob Fake-Shop, betrügerische Trading-Plattform oder unseriöse Coaching-Angebote: Kriminelle nutzen Social Media, um unterschiedliche Betrugsmaschen zu bewerben. Häufig werden solche Anzeigen von Unternehmensseiten geschaltet, die mit dem beworbenen Produkt nichts zu tun haben. Manchmal sind es auch private Profile, von denen aus betrügerische Anzeigen verbreitet werden. --------------------------------------------- https://www.watchlist-internet.at/news/meta-werbekonto-gehackt-so-handeln-s… ∗∗∗ The danger within: 5 steps you can take to combat insider threats ∗∗∗ --------------------------------------------- Some threats may be closer than you think. Are security risks that originate from your own trusted employees on your radar? --------------------------------------------- https://www.welivesecurity.com/2023/07/13/danger-within-5-steps-combat-insi… ∗∗∗ What is session hijacking and how do you prevent it? ∗∗∗ --------------------------------------------- Attackers use session hijacking to take control of your sessions and impersonate you online. Discover how session hijacking works and how to protect yourself. --------------------------------------------- https://www.emsisoft.com/en/blog/44071/what-is-session-hijacking-and-how-do… ∗∗∗ Attack Surface Management (ASM) – What You Need to Know ∗∗∗ --------------------------------------------- This is the third post in our series on technologies to test your organization’s resilience to cyberattacks. In this installment, we dive into attack surface management (ASM). --------------------------------------------- https://www.safebreach.com/blog/attack-surface-management-asm-what-you-need… ∗∗∗ Old Blackmoon Trojan, NEW Monetization Approach ∗∗∗ --------------------------------------------- Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-moneti… ∗∗∗ PenTales: Old Vulns, New Tricks ∗∗∗ --------------------------------------------- At Rapid7 we love a good pentest story. So often they show the cleverness, skill, resilience, and dedication to our customer’s security that can only come from actively trying to break it! In this series, we’re going to share some of our favorite tales from the pen test desk and hopefully highlight some ways you can improve your own organization’s security. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/13/pentales-old-vulns-new-tricks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Groupware Zimbra: Zero-Day-Lücke macht manuelles Patchen nötig ∗∗∗ --------------------------------------------- Zimbra hat einen manuell anzuwendenden Patch veröffentlicht, der eine Zero-Day-Sicherheitslücke in der Groupware schließt. --------------------------------------------- https://heise.de/-9216179 ∗∗∗ ZDI-23-970: (0Day) Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-970/ ∗∗∗ Security Advisory for Multiple Vulnerabilities on the ProSAFE® Network Management System, PSV-2023-0024 & PSV-2023-0025 ∗∗∗ --------------------------------------------- NETGEAR is aware of multiple security vulnerabilities on the NMS300. NETGEAR strongly recommends that you download the latest version as soon as possible. --------------------------------------------- https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabili… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lemonldap-ng and php-dompdf), Red Hat (.NET 6.0, .NET 7.0, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (ghostscript, installation-images, kernel, php7, python, and python-Django), and Ubuntu (linux-azure, linux-gcp, linux-ibm, linux-oracle, mozjs102, postgresql-9.5, and tiff). --------------------------------------------- https://lwn.net/Articles/938233/ ∗∗∗ CVE-2023-24936 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability ∗∗∗ --------------------------------------------- In the Security Updates table, added all supported versions of all supported versions of .NET Framework, Visual Studio 2022 version 17.0, Visual Studio 2022 version 17.2, and Visual Studio 2022 version 17.4 because these products are also affected by this vulnerability. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24936 ∗∗∗ CVE-2023-36883 Microsoft Edge for iOS Spoofing Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36883 ∗∗∗ CVE-2023-36887 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36887 ∗∗∗ CVE-2023-36888 Microsoft Edge for Android (Chromium-based) Tampering Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36888 ∗∗∗ There is a vulnerability in Apache Commons Net used by IBM Maximo Asset Management (CVE-2021-37533) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009539 ∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in Progress DataDirect Connect for ODBC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010743 ∗∗∗ Multiple vulnerabilities in IBM Java SDK (April 2023) affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007675 ∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Oracle Java SE ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011963 ∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011965 ∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011975 ∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011979 ∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010369 ∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011977 ∗∗∗ Vulnerability of Apache Thrift (libthrift-0.12.0.jar ) have affected APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003479 ∗∗∗ Vulnerability of Google Gson (gson-2.8.2.jar ) have affected APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003477 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009499 ∗∗∗ InfoSphere Identity Insight is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012011 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2023
by Daily end-of-shift report 13 Jul '23

13 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-07-2023 18:00 − Donnerstag 13-07-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Update fürs Update: Apple überholt letzte "Rapid Security Response" ∗∗∗ --------------------------------------------- Eigentlich sollte ein schneller Fix für den Safari-Browser für mehr Sicherheit sorgen. Aufgrund eines Fehlers musste Apple diesen nun neu auflegen. --------------------------------------------- https://heise.de/-9214819 ∗∗∗ Source code for BlackLotus Windows UEFI malware leaked on GitHub ∗∗∗ --------------------------------------------- The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community. --------------------------------------------- https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-w… ∗∗∗ Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware ∗∗∗ --------------------------------------------- In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method. --------------------------------------------- https://thehackernews.com/2023/07/blog-post.html ∗∗∗ An introduction to the benefits and risks of Packet Sniffing ∗∗∗ --------------------------------------------- Packet sniffing is both a very beneficial and, sadly, a malicious technique used to capture and analyze data packets. It serves as a useful tool for network administrators to identify network issues and fix them. Meanwhile, threat actors use it for malicious purposes such as data theft and to distribute malware. Organizations need to be aware of the benefits and uses of packet sniffing while also implementing security controls to prevent malicious sniffing activity. --------------------------------------------- https://www.tripwire.com/state-of-security/introduction-benefits-and-risks-… ∗∗∗ Popular WordPress Security Plugin Caught Logging Plaintext Passwords ∗∗∗ --------------------------------------------- The All-In-One Security (AIOS) WordPress plugin was found to be writing plaintext passwords to log files. --------------------------------------------- https://www.securityweek.com/popular-wordpress-security-plugin-caught-loggi… ∗∗∗ CISA warns of dangerous Rockwell industrial bug being exploited by gov’t group ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday of a vulnerability affecting industrial technology from Rockwell Automation that is being exploited by government hackers. --------------------------------------------- https://therecord.media/cisa-warns-of-bug-affecting-rockwell ∗∗∗ Detecting BPFDoor Backdoor Variants Abusing BPF Filters ∗∗∗ --------------------------------------------- An analysis of advanced persistent threat (APT) group Red Menshen’s different variants of backdoor BPFDoor as it evolves since it was first documented in 2021. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-v… ∗∗∗ A Deep Dive into Penetration Testing of macOS Applications (Part 1) ∗∗∗ --------------------------------------------- We created this blog to share our experience and provide a valuable resource for other security researchers and penetration testers facing similar challenges when testing macOS applications. This blog is the first part of an “A Deep Dive into Penetration Testing of macOS Applications” series. Part 1 is intended for penetration testers who may not have prior experience working with macOS. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/a-deep-dive-into-pe… ∗∗∗ TeamTNT Reemerged with New Aggressive Cloud Campaign ∗∗∗ --------------------------------------------- In part one of this two-part blog series, titled "The Anatomy of Silentbobs Cloud Attack," we provided an overview of the preliminary stages of an aggressive botnet campaign that aimed at cloud native environments. This post will dive into the full extent of the campaign and provide a more comprehensive exploration of an extensive botnet infestation campaign. --------------------------------------------- https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campai… ===================== = Vulnerabilities = ===================== ∗∗∗ Ghostscript: Sicherheitslücke plagt Libreoffice, Gimp, Inkscape und Linux ∗∗∗ --------------------------------------------- Durch eine kritische Sicherheitslücke in Ghostscript können Angreifer auf unzähligen Rechnern schadhaften Code ausführen. --------------------------------------------- https://www.golem.de/news/ghostscript-sicherheitsluecke-plagt-libreoffice-g… ∗∗∗ Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Urgent Security Notice: SonicWall GMS/Analytics Impacted by suite of vulnerabilities ∗∗∗ --------------------------------------------- GMS/Analytics is remediating a suite of 15 security vulnerabilities, disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCCGroup. This suite of vulnerabililtes, which was responsibility disclosed, includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allows an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor. SonicWall PSIRT is not aware of active exploitation [...] --------------------------------------------- https://www.sonicwall.com/support/knowledge-base/urgent-security-notice-son… ∗∗∗ Webkonferenzen: Zoom schließt mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Vor allem in Zoom Rooms und im Zoom Desktop-Client für Windows schlummern hochriskante Sicherheitslücken. Updates stehen bereit. --------------------------------------------- https://heise.de/-9214929 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-doorkeeper), Fedora (mingw-nsis and thunderbird), Red Hat (bind9.16, nodejs, nodejs:16, nodejs:18, python38:3.8 and python38-devel:3.8, and rh-nodejs14-nodejs), Slackware (krb5), SUSE (geoipupdate, installation-images, libqt5-qtbase, python-Django1, and skopeo), and Ubuntu (knot-resolver, lib3mf, linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-gcp, linux-ibm, linux-oracle, linux-azure-fde, linux-xilinx-zynqmp, and scipy). --------------------------------------------- https://lwn.net/Articles/938108/ ∗∗∗ Juniper Networks Patches High-Severity Vulnerabilities in Junos OS ∗∗∗ --------------------------------------------- Juniper Networks has patched multiple high-severity vulnerabilities in Junos OS, Junos OS Evolved, and Junos Space. --------------------------------------------- https://www.securityweek.com/juniper-networks-patches-high-severity-vulnera… ∗∗∗ Microsoft Office Updates (11. Juli 2023) ∗∗∗ --------------------------------------------- Am 11. Juli 2023 (zweiter Dienstag im Monat, Microsoft Patchday) hat Microsoft mehrere sicherheitsrelevante Updates für noch unterstützte Microsoft Office Versionen und andere Produkte veröffentlicht. Mit dem April 2023-Patchday endete der Support für Office 2013 – aber es wurden auch im Juli noch Schwachstellen geschlossen. Nachfolgend finden Sie eine Übersicht über die verfügbaren Updates. --------------------------------------------- https://www.borncity.com/blog/2023/07/13/microsoft-office-updates-11-juli-2… *** IBM Security Bulletins *** --------------------------------------------- IBM SDK, IBM Db2, IBM Match 360, IBM Wattson, IBM Jazz Technology, IBM, Storage Protect, IBM WebSphere, IBM Storage Protect, IBM App Connect Enterprise, IBM Integration Bus, IBM i, IBM Event Streams and IBM Security Directory Integrator. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ *** ZDI: Dassault Systèmes SolidWorks (CVE-2023-2763) *** --------------------------------------------- ZDI-23-908 bis ZDI-23911 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Drupal: Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-030 ∗∗∗ Rockwell Automation PowerMonitor 1000 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-194-05 ∗∗∗ Honeywell Experion PKS, LX and PlantCruise ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-194-06 ∗∗∗ Case update: DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2021-00020/ ∗∗∗ CVE-2023-38046 PAN-OS: Read System Files and Resources During Configuration Commit (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-38046 ∗∗∗ CISA Adds Two Known Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/13/cisa-adds-two-known-vuln… ∗∗∗ BD Alaris System with Guardrails Suite MX ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-194-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2023
by Daily end-of-shift report 12 Jul '23

12 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-07-2023 18:00 − Mittwoch 12-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Microsoft meldet fünf Zero-Days, teils ohne Update ∗∗∗ --------------------------------------------- Der Juli-Patchday von Microsoft liefert viele Updates: 130 Lücken behandelt das Unternehmen. Darunter fünf Zero-Days. Eine Sicherheitslücke bleibt aber offen. --------------------------------------------- https://heise.de/-9213685 ∗∗∗ Teils kritische Sicherheitslücken in Citrix Secure Access Clients ∗∗∗ --------------------------------------------- Citrix hat Aktualisierungen für die Secure Access Clients veröffentlicht, die teils kritische Schwachstellen ausbessern. --------------------------------------------- https://heise.de/-9214076 ∗∗∗ Update gegen kritische Lücke in FortiOS/FortiProxy ∗∗∗ --------------------------------------------- Fortinet verteilt Sicherheitsupdates für FortiOS/FortiProxy. Sie schließen eine kritische Sicherheitslücke. --------------------------------------------- https://heise.de/-9214207 ∗∗∗ Patchday: Kritische Schwachstellen in Adobe Indesign und Coldfusion abgedichtet ∗∗∗ --------------------------------------------- Der Juli-Patchday von Adobe bringt Sicherheitsupdates für Indesign und Coldfusion. Sie schließen Lücken, die der Hersteller als kritisches Risiko einstuft. --------------------------------------------- https://heise.de/-9213920 ∗∗∗ Kernel-Treiber: Hacker überlisten Windows-Richtlinie durch alte Zertifikate ∗∗∗ --------------------------------------------- Indem sie ihre böswilligen Kerneltreiber mit alten Zertifikaten signierten, konnten Angreifer auf Windows-Systemen Vollzugriff erlangen. --------------------------------------------- https://www.golem.de/news/kernel-treiber-hacker-ueberlisten-windows-richtli… ∗∗∗ vm2 Project Discontinued ∗∗∗ --------------------------------------------- TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm. --------------------------------------------- https://github.com/patriksimek/vm2/blob/master/README.md ∗∗∗ How to Harden WordPress With WP-Config & Avoid Data Exposure ∗∗∗ --------------------------------------------- What is wp-config.php?The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains important configuration settings for WordPress, including details on where to find the database, login credentials, name and host. This config file is also used to define advanced options for database elements, security keys, and developer options. In this post, we’ll outline some important website hardening recommendations for your wp-config file [...] --------------------------------------------- https://blog.sucuri.net/2023/07/tips-for-wp-config-how-to-avoid-sensitive-d… ∗∗∗ Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining ∗∗∗ --------------------------------------------- A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. --------------------------------------------- https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.html ∗∗∗ Dissecting a Clever Malware Sample for Optimized Detection and Protection ∗∗∗ --------------------------------------------- As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In case of a security incident, our incident response team will investigate the root cause, find and remove malware from your site, and help with other complications that may arise as a result of [...] --------------------------------------------- https://www.wordfence.com/blog/2023/07/dissecting-a-clever-malware-sample-f… ∗∗∗ Qbot, Guloader und SpinOk führen Mobile Malware-Ranking an ∗∗∗ --------------------------------------------- Bedrohungsindex von Checkpoint für Juni 2023 zeigt: Qbot ist noch immer die am meisten verbreitete Malware in Deutschland. --------------------------------------------- https://www.zdnet.de/88410517/qbot-guloader-und-spinok-fuehren-mobile-malwa… ∗∗∗ Security Flaws unraveled in Popular QuickBlox Chat and Video Framework could exposed sensitive data of millions ∗∗∗ --------------------------------------------- Check Point Research (CPR) in collaboration with Claroty Team82 uncovered major security vulnerabilities in the popular QuickBlox platform, used for telemedicine, finance and smart IoT devices If exploited, the vulnerabilities could allow threat actors to access applications’ user databases and expose sensitive data of millions. QuickBlox worked closely with Team82 and CPR to address our disclosure and has fixed the vulnerabilities via a new secure architecture design [...] --------------------------------------------- https://blog.checkpoint.com/security/security-flaws-unraveled-in-popular-qu… ∗∗∗ The Spies Who Loved You: Infected USB Drives to Steal Secrets ∗∗∗ --------------------------------------------- In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally. --------------------------------------------- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets ∗∗∗ CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/12/cisa-and-fbi-release-cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS/FortiProxy - Proxy mode with deep inspection - Stack-based buffer overflow ∗∗∗ --------------------------------------------- A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Workaround: Disable deep inspection on proxy policies or firewall policies with proxy mode. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-183 ∗∗∗ FortiAnalyzer & FortiManager - Path traversal in history downloadzip ∗∗∗ --------------------------------------------- An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-471 ∗∗∗ FortiExtender - Path Traversal vulnerability ∗∗∗ --------------------------------------------- An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-22] in FortiExtender management interface may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-039 ∗∗∗ FortiOS - Existing websocket connection persists after deleting API admin ∗∗∗ --------------------------------------------- An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-028 ∗∗∗ Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin ∗∗∗ --------------------------------------------- On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload [...] --------------------------------------------- https://www.wordfence.com/blog/2023/07/interesting-arbitrary-file-upload-vu… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (erlang, symfony, thunderbird, and yajl), Fedora (cutter-re, kernel, rizin, and yt-dlp), Red Hat (grafana), SUSE (kernel and python-Django), and Ubuntu (dotnet6, dotnet7 and firefox). --------------------------------------------- https://lwn.net/Articles/937972/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities ∗∗∗ --------------------------------------------- ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-f… ∗∗∗ Mattermost security updates 7.10.4 / 7.9.6 / 7.8.8 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.10.4, 7.9.6 and 7.8.8 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-10-4-7-9-6-7-8-8-… ∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. Juli 2023) ∗∗∗ --------------------------------------------- Zum 11. Juli 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1 installieren). Hier ein Überblick über diese Updates --------------------------------------------- https://www.borncity.com/blog/2023/07/12/windows-7-server-2008-r2-server-20… ∗∗∗ Sandbox Escape ∗∗∗ --------------------------------------------- In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. --------------------------------------------- https://github.com//patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4 ∗∗∗ Sandbox Escape ∗∗∗ --------------------------------------------- In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. --------------------------------------------- https://github.com//patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 ∗∗∗ Citrix Secure Access client for Ubuntu Security Bulletin for CVE-2023-24492 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX564169/citrix-secure-access-client-fo… ∗∗∗ Citrix Secure Access client for Windows Security Bulletin for CVE-2023-24491 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX561480/citrix-secure-access-client-fo… ∗∗∗ Lenovo UDC Vulnerability ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500567-LENOVO-UDC-VULNERABILI… ∗∗∗ AMD SEV VM Power Side Channel Security Notice ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500569-AMD-SEV-VM-POWER-SIDE-… ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500568-AMI-MEGARAC-SP-X-BMC-V… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rockwell Automation Select Communication Modules ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2023
by Daily end-of-shift report 11 Jul '23

11 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 10-07-2023 18:00 − Dienstag 11-07-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploit für Root-Lücke in VMware Aria Operations for Logs aufgetaucht ∗∗∗ --------------------------------------------- Teils kritische Sicherheitslücken in VMware Aria Operations for Logs stopfen Updates aus dem April. Jetzt ist Exploit-Code aufgetaucht, der eine Lücke angreift. --------------------------------------------- https://heise.de/-9212276 ∗∗∗ Fake-E-Mail einer EU-Förderung über 850.000 Euro im Umlauf ∗∗∗ --------------------------------------------- Aktuell kursiert ein gefälschtes E-Mail über eine EU-Förderung von 850.000 Euro. Der Zuschuss wurde angeblich für Unternehmen, Start-ups und Einzelpersonen mit innovativen Ideen entwickelt. Wer das Geld beantragen will, muss persönliche Daten an eine E-Mail-Adresse senden. Das Angebot ist aber Fake, antworten Sie nicht und verschieben Sie das E-Mail in Ihren Spam-Ordner. --------------------------------------------- https://www.watchlist-internet.at/news/fake-e-mail-einer-eu-foerderung-uebe… ∗∗∗ Roots of Trust are difficult ∗∗∗ --------------------------------------------- The phrase "Root of Trust" turns up at various points in discussions about verified boot and measured boot, and to a first approximation nobody is able to give you a coherent explanation of what it means[1]. The Trusted Computing Group has a fairly wordy definition, but (a) its a lot of words and (b) I dont like it, so instead Im going to start by defining a root of trust as "A thing that has to be trustworthy for anything else on your computer to be trustworthy". --------------------------------------------- https://mjg59.dreamwidth.org/66907.html ∗∗∗ It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused ∗∗∗ --------------------------------------------- As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at workers.dev and pages.dev domains. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/its-raining… ∗∗∗ Critical Foswiki Vulnerablities: A Logic Error Turned Remote Code Execution ∗∗∗ --------------------------------------------- We love open-source software. In context of our mission #moresecurity, Christian Pöschl, security consultant and penetration tester at usd HeroLab had a look at Foswiki as a research project. In this blog post, we summarize the journey to discover the functionality of Foswiki and identify multiple vulnerabilities, which ultimately allowed us to elevate privileges from a freshly registered user to full remote code execution on the server. All vulnerabilities were reported to the developers according to our Responsible Disclosure Policy. --------------------------------------------- https://herolab.usd.de/en/critical-foswiki-vulnerablities-a-logic-error-tur… ∗∗∗ Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud ∗∗∗ --------------------------------------------- Cybercriminals continue to evolve their tactics, techniques, and procedures (TTPs) to defraud the customers of online banking, payment systems, advertising networks, and online marketplaces worldwide. Resecurity has observed a rising trend involving threat actors increased use of specialized mobile Android OS device spoofing tools. These tools enable fraudsters to impersonate compromised account holders and bypass anti-fraud controls effectively. --------------------------------------------- https://www.resecurity.com/blog/article/cybercriminals-evolve-antidetect-to… ∗∗∗ Lowering the Bar(d)? Check Point Research’s security analysis spurs concerns over Google Bard’s limitations ∗∗∗ --------------------------------------------- Check Point Research (CPR) releases an analysis of Google’s generative AI platform ‘Bard’, surfacing several scenarios where the platform permits cybercriminals’ malicious efforts. Check Point Researchers were able to generate phishing emails, malware keyloggers and basic ransomware code. --------------------------------------------- https://blog.checkpoint.com/security/lowering-the-bard-check-point-research… ∗∗∗ MISP 2.4.173 released with various bugfixes and improvements ∗∗∗ --------------------------------------------- We have added a new functionality allowing administrators to enable user self-service for forgotten passwords. When enabled, users will have an additional link below the login screen, allowing them to enter their e-mails and receive a token that can be used to reset their passwords. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.173 ∗∗∗ Unveiling the secrets: Exploring whitespace steganography for secure communication ∗∗∗ --------------------------------------------- In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/unveiling-the-secre… ∗∗∗ Defend Against the Latest Active Directory Certificate Services Threats ∗∗∗ --------------------------------------------- To help security professionals understand the complexities of AD CS and how to mitigate its abuse, Mandiant has published a hardening guide that focuses on the most impactful AD CS attack techniques and abuse scenarios we are seeing on the frontlines of the latest breaches and attacks. --------------------------------------------- https://www.mandiant.com/blog/resources/defend-ad-cs-threats ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day für Safari geschlossen - Update: Zurückgezogen ∗∗∗ --------------------------------------------- Apple hat Montagabend eine schnelle Aktualisierung für seinen Browser ausgespielt. Betroffen von der offenbar bereits ausgenutzten Lücke: Macs und Mobilgeräte. [...] Apple hat die RSR-Updates für Mac, iPhone und iPad mittlerweile zurückgezogen. Grund ist offenbar, dass es verschiedene Websites gab, die nach dem Update Warnmeldungen ausspucken, dass der aktualisierte Safari-Browser "nicht mehr" unterstützt werde. Apple hat im User-Agent-String ein --------------------------------------------- https://heise.de/-9212228 ∗∗∗ Patchday: SAP warnt vor 16 Sicherheitslücken in der Business-Software ∗∗∗ --------------------------------------------- Am Juli-Patchday hat SAP 16 Sicherheitsmeldungen zur Geschäfts-Software aus dem Unternehmen veröffentlicht. Updates dichten auch eine kritische Lücke ab. --------------------------------------------- https://heise.de/-9213319 ∗∗∗ ABB: 2023-02-10 (**Updated 2023-07-10**) - Cyber Security Advisory - Drive Composer multiple vulnerabilities ∗∗∗ --------------------------------------------- Updated to reflect the latest version 2.8.2 of Drive Composer (both Entry and pro) where vulnerability CVE-2022-35737 has been resolved. Originally this vulnerability had not been resolved when this advisory was published alongside Drive Composer 2.8.1. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A7957 ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens has released 5 new and 12 updated Security Advisories. (CVSS Scores ranging from 5.3 to 10) --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-07 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and node-tough-cookie), Red Hat (bind, kernel, kpatch-patch, and python38:3.8, python38-devel:3.8), SUSE (kernel, nextcloud-desktop, and python-tornado), and Ubuntu (dwarves-dfsg and thunderbird). --------------------------------------------- https://lwn.net/Articles/937879/ ∗∗∗ CVE-2023-29298: Adobe ColdFusion Access Control Bypass ∗∗∗ --------------------------------------------- Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion that allows an attacker to access the administration endpoints. --------------------------------------------- https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion… ∗∗∗ Technicolor: VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/913565 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/ ∗∗∗ Lenovo: NVIDIA Display Driver Advisory - June 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500566-NVIDIA-DISPLAY-DRIVER-A… ∗∗∗ Panasonic Control FPWin Pro7 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-03 ∗∗∗ Rockwell Automation Enhanced HIM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-01 ∗∗∗ Sensormatic Electronics iSTAR ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-02 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009499 ∗∗∗ IBM Db2 with Federated configuration is vulnerable to arbitrary code execution. (CVE-2023-35012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010747 ∗∗∗ IBM Robotic Process Automation is vulnerable to disclosure of server version information (CVE-2023-35900) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010895 ∗∗∗ IBM Sterling Connect:Express for UNIX browser UI is vulnerable to attacks that rely on the use of cookies without the SameSite attribute ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010921 ∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to server-side request forgery (SSRF) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010923 ∗∗∗ IBM Sterling Connect:Express uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010925 ∗∗∗ Vulnerability of System.Text.Encodings.Web.4.5.0 .dll has afftected to .NET Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010945 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011035 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Perl ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011033 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to GNU Libtasn1 information disclosure vulnerability [CVE-2021-46848] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011037 ∗∗∗ Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7006449 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2023
by Daily end-of-shift report 10 Jul '23

10 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-07-2023 18:00 − Montag 10-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 1,5 Millionen Installationen: Android-Malware im Google-Play-Store entdeckt ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben zwei vermeintliche Dateimanager mit mehr als 1,5 Millionen Downloads im Google Play Store entdeckt. Es handelt sich um Spyware. --------------------------------------------- https://heise.de/-9211287 ∗∗∗ ARM-Grafikeinheit: Warnung vor Angriffen auf Sicherheitslücle in Treibern ∗∗∗ --------------------------------------------- Cyberkriminelle missbrauchen eine Sicherheitslücke in Treibern für ARMs Mali-Grafikeinheiten, um ihre Rechte auszuweiten oder Informationen abzugreifen. --------------------------------------------- https://heise.de/-9211310 ∗∗∗ BSI veröffentlicht Positionspapier zu Secured Applications for Mobile ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) veröffentlicht ein aktuelles Positionspapier zum Thema „Secured Applications for Mobile“ (SAM). --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability ∗∗∗ --------------------------------------------- PoC exploit has been published for a recently patched Ubiquiti EdgeRouter vulnerability leading to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/poc-exploit-published-for-recent-ubiquiti-edge… ∗∗∗ Was tun, wenn Sie bei einem problematischen Online-Shop bestellt haben? ∗∗∗ --------------------------------------------- Ihre Bestellung entspricht nicht Ihren Erwartungen? Die Qualität ist minderwertig, das Produkt etwas vollkommen anderes oder einfach Schrott? Eine Rücksendung ist teuer und nur nach China möglich? Dann haben Sie in einem problematischen bzw. unseriösen Online-Shop bestellt. Wir zeigen Ihnen, was Sie tun können. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-bei-einem-problemat… ∗∗∗ Vorsicht: ‘Big Head’ Ransomware zeigt "Windows Update"-Benachrichtigung an ∗∗∗ --------------------------------------------- Ich nehme das Thema mal hier zur Vorsicht im Blog mit auf, vielleicht bewahrt es Einzelne aus der Leserschaft vor einem fatalen Fehler. Eine Big Head genannte Ransomware-Familie nutzt einen neuen Trick, um potentielle Opfer zu übertölpeln. --------------------------------------------- https://www.borncity.com/blog/2023/07/10/vorsicht-big-head-ransomware-zeigt… ∗∗∗ Advanced Vishing Attack Campaign “LetsCall” Targets Andriod Users ∗∗∗ --------------------------------------------- In a newly detected muli-stage vishing campaign attackers are using an advanced toolset dubbed LetsCall, featuring strong evasion tactics. --------------------------------------------- https://www.hackread.com/advanced-vishing-attack-letscall-andriod-users/ ===================== = Vulnerabilities = ===================== ∗∗∗ Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration ∗∗∗ --------------------------------------------- Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php ∗∗∗ SSD Advisory – EdgeRouters and AirCube miniupnpd Heap Overflow ∗∗∗ --------------------------------------------- A vulnerability in EdgeRouters’s and AirCube’s miniupnpd allows LAN attackers to cause the service to overflow an internal heap and potentially execute arbitrary code. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-edgerouters-and-aircube-miniupnpd-h… ∗∗∗ Codeschmuggel möglich: Hochriskante Sicherheitslücken in ArubaOS-Firmware ∗∗∗ --------------------------------------------- Die HPE-Tochter Aruba hat Aktualisierungen für die ArubaOS-Firmware veröffentlicht. Sie schließen hochriskante Sicherheitslücken, die Codeschmuggel erlauben. --------------------------------------------- https://heise.de/-9211464 ∗∗∗ Minecraft: Virtuelle Computer reißen Sicherheitslücken auf ∗∗∗ --------------------------------------------- In zwei Minecraft-Mods, die tatsächlich programmierbare Computer oder Roboter für das Spiel bereitstellen, klaffen kritische Sicherheitslücken. --------------------------------------------- https://heise.de/-9211864 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, fusiondirectory, ocsinventory-server, php-cas, and thunderbird), Fedora (dav1d, perl-CPAN, and yt-dlp), Red Hat (python39:3.9 and python39-devel:3.9), Slackware (mozilla), SUSE (prometheus-ha_cluster_exporter and prometheus-sap_host_exporter), and Ubuntu (ghostscript, linux-azure, linux-intel-iotg, linux-intel-iotg-5.15, and ruby-doorkeeper). --------------------------------------------- https://lwn.net/Articles/937803/ ∗∗∗ Limited disclosure of 6 vulnerabilities in OSNexus Quantastor ∗∗∗ --------------------------------------------- The story of DIVD case DIVD-2021-00020 is a story that started more then 1.5 years ago, when DIVD researcher Wietse Boondsta discovered six vulnerabilities ( CVE-2021-42079, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, and CVE-2021-4066 ) in OSNexus Quantastor. As per our CNA policy we tried to contact the vendor and this was not a smooth ride. We started the process in November 2021 and it took us a lot of effort, and help from NCSC-NL and its US partners [...] --------------------------------------------- https://csirt.divd.nl/2023/07/10/Limited-disclosure-OSNexus-vulnerabilities/ ∗∗∗ Festo: Several vulnerabilities in FactoryViews ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-013/ ∗∗∗ IBM Db2 JDBC driver is vulnerable to remote code execution. (CVE-2023-27869, CVE-2023-27867, CVE-2023-27868) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010029 ∗∗∗ IBM Db2 has multiple denial of service vulnerablities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Db2 federated server is vulnerable to a denial of service when using a specially crafted wrapper using certain options. (CVE-2023-30442) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010561 ∗∗∗ IBM Db2 db2set is vulnerable to arbitrary code execution. (CVE-2023-30431) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010565 ∗∗∗ IBM Db2 is vulnerable to insufficient audit logging. (CVE-2023-23487) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010567 ∗∗∗ IBM Db2 on Windows is vulnerable to privilege escalation. (CVE-2023-27558) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010571 ∗∗∗ IBM Db2 is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010573 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010577 ∗∗∗ Multiple Vulnerabilities in IBM Runtime Environment Java Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010585 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to GraphQL - CVE-2023-28867 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010655 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010659 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010665 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service due to [CVE-2023-25399] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010711 ∗∗∗ A vulnerability in Apache Commons Code affects IBM Robotic Process Automation and may result in a disclosure of sensitive information. (IBM X-Force ID: 177834) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010725 ∗∗∗ IBM Db2 JDBC driver is vulnerable to remote code execution. (CVE-2023-27869, CVE-2023-27867, CVE-2023-27868) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2023
by Daily end-of-shift report 07 Jul '23

07 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-07-2023 18:00 − Freitag 07-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Play apps with 1.5 million installs send your data to China ∗∗∗ --------------------------------------------- Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond whats needed to offer the promised functionality. [..] File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as "com.file.box.master.gkd." --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-play-apps-with-15-mil… ∗∗∗ Iranian Hackers Sophisticated Malware Targets Windows and macOS Users ∗∗∗ --------------------------------------------- The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware."TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report. --------------------------------------------- https://thehackernews.com/2023/07/iranian-hackers-sophisticated-malware.html ∗∗∗ BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days ∗∗∗ --------------------------------------------- Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it. --------------------------------------------- https://thehackernews.com/2023/07/blackbyte-20-ransomware-infiltrate.html ∗∗∗ StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability ∗∗∗ --------------------------------------------- A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. --------------------------------------------- https://github.com/lrh2000/StackRot ∗∗∗ Sie sollen eine „Erstattung aus dem Sozialfonds erhalten“? Ignorieren Sie diese SMS! ∗∗∗ --------------------------------------------- Unsere Leser:innen melden uns aktuell SMS, die im Namen des „Staates“ verschickt werden. Angeblich sollen Sie eine „Erstattung aus dem Sozialfonds“ erhalten. Achtung, Phishing-Alarm! Löschen Sie die SMS und geben Sie auf keinen Fall Ihre Kontodaten an. --------------------------------------------- https://www.watchlist-internet.at/news/sie-sollen-eine-erstattung-aus-dem-s… ∗∗∗ A Network of SOCs? ∗∗∗ --------------------------------------------- I wrote most of this text quickly in January 2021 when the European Commission asked me to apply my lessons learned from the CSIRTs Network to a potential European Network of SOCs. During 2022, the plans for SOC collaboration have been toned down a bit, the DIGITAL Europe funding scheme proposes multiple platforms where SOCs can work together. In 2023, the newly proposed “Cyber Solidarity Act” builds upon this and codifies the concept of a “national SOC” and “cross-border SOC platforms” into an EU regulation. --------------------------------------------- https://cert.at/en/blog/2023/7/a-network-of-socs ∗∗∗ Cybererpresser: Ransomware-Gruppe BianLian verzichtet auf Verschlüsselung ∗∗∗ --------------------------------------------- Die Hintermänner konzentrieren sich auf die Exfiltration von Daten. Sie reagieren auf die Veröffentlichung eines kostenlosen Entschlüsselungstools für die Ransomware BianLian. --------------------------------------------- https://www.zdnet.de/88410380/cybererpresser-ransomware-gruppe-bianlian-ver… ∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants ∗∗∗ --------------------------------------------- Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities ∗∗∗ --------------------------------------------- Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks. --------------------------------------------- https://thehackernews.com/2023/07/google-releases-android-patch-update.html ∗∗∗ Mastodon Social Network Patches Critical Flaws Allowing Server Takeover ∗∗∗ --------------------------------------------- Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460, [..] --------------------------------------------- https://thehackernews.com/2023/07/mastodon-social-network-patches.html ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-187-01 PiiGAB M-Bus * ICSA-23-187-02 ABUS TVIP * ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-releases-three-indu… ∗∗∗ VMSA-2023-0015 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3 CVE(s): CVE-2023-20899 VMware SD-WAN contains a bypass authentication vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3. Known Attack Vectors: An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0015.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-archive-keyring, libusrsctp, nsis, ruby-redcloth, and webkit2gtk), Fedora (firefox), Mageia (apache-ivy, cups, curaengine, glances, golang, keepass, libreoffice, minidlna, nodejs, opensc, perl-DBD-SQLite, python-setuptools, python-wheel, skopeo/buildah/podman, systemd, testng, and webkit2), SUSE (bind), and Ubuntu (Gerbv, golang-websocket, linux-gke, linux-intel-iotg, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/937616/ ∗∗∗ [R1] Nessus Agent Version 10.4.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Agent leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider.Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. --------------------------------------------- https://www.tenable.com/security/tns-2023-24 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2023
by Daily end-of-shift report 06 Jul '23

06 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-07-2023 18:00 − Donnerstag 06-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Silentbob Campaign: Cloud-Native Environments Under Attack ∗∗∗ --------------------------------------------- The activity, dubbed Silentbob in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an "advanced copycat." --------------------------------------------- https://thehackernews.com/2023/07/silentbob-campaign-cloud-native.html ∗∗∗ Flutter Restrictions Bypass ∗∗∗ --------------------------------------------- This article investigates the Flutter framework (Google, n.d.) and the methods for bypassing its detections on iOS. CyberCX have also published the scripts used for this bypass for other mobile application security researchers to use in their workflow on our GitHub. --------------------------------------------- https://blog.cybercx.co.nz/flutter-restrictions-bypass ∗∗∗ TeamsPhisher: Tool automatisiert Angriffe auf Teams-Schwachstelle ∗∗∗ --------------------------------------------- Über eine Schwachstelle in Teams können Angreifer Malware unterjubeln. Ein jetzt veröffentlichtes Tool macht diese Attacken noch einfacher. --------------------------------------------- https://heise.de/-9208677 ∗∗∗ Wie steht’s eigentlich um Emotet? ∗∗∗ --------------------------------------------- Eine kurze Zusammenfassung zur aktuellen Situation um Emotet seit dessen "Comeback". --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/07/06/wie-stehts-eigentlich-um-… ∗∗∗ How to delete saved addresses and credit cards in Firefox for improved security and privacy ∗∗∗ --------------------------------------------- If youre looking to get the most out of Firefox security and privacy, you might consider not only deleting all saved addresses and credit cards but also disabling the autofill option. --------------------------------------------- https://www.zdnet.com/article/how-to-delete-saved-addresses-and-credit-card… ===================== = Vulnerabilities = ===================== ∗∗∗ MOVEit Transfer: Service Pack schließt weitere kritische Lücke ∗∗∗ --------------------------------------------- Mit dem Service Pack für MOVEit Transfer im Juli schließt Progress weitere Sicherheitslücken. Eine davon stuft der Hersteller als kritisch ein. (CVE-2023-36932, CVE-2023-36933, CVE-2023-36934) --------------------------------------------- https://heise.de/-9208451 ∗∗∗ MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) ∗∗∗ --------------------------------------------- CVE-2023-36934 (CRITICAL): SQL Injection CVE-2023-36932 (HIGH): multiple SQL injections CVE-2023-36933 (HIGH): unhandled exception --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pac… ∗∗∗ Stackrot: Kernel-Schwachstelle ermöglicht Rechteausweitung unter Linux ∗∗∗ --------------------------------------------- Durch eine Sicherheitslücke im Speichermanagement-Subsystem des Linux-Kernels können Angreifer potenziell erweiterte Rechte erlangen. --------------------------------------------- https://www.golem.de/news/stackrot-kernel-schwachstelle-erlaubt-rechteauswe… ∗∗∗ Patchday: Vielfältige Attacken auf Android 11, 12 und 13 möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Android-Versionen. Im schlimmsten Fall könnte Schadcode auf Geräte gelangen. --------------------------------------------- https://heise.de/-9208524 ∗∗∗ Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain ∗∗∗ --------------------------------------------- In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. --------------------------------------------- https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-mi… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-yaml.v2, kernel, and mediawiki), Fedora (kernel and picocli), SUSE (bind and python-sqlparse), and Ubuntu (cpdb-libs). --------------------------------------------- https://lwn.net/Articles/937481/ *** IBM Security Bulletins *** --------------------------------------------- IBM i, IBM Rational Functional Tester, IBM Security Verify Access, IBM Cloud Pak, IBM Match 360, IBM Watson, IBM Integration Designer, IBM Sterling Connect:Direct File Agent, IBM Operations Analytics and TADDM. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Vulnerability in Cisco Enterprise Switches Allows Attackers to Modify Encrypted Traffic ∗∗∗ --------------------------------------------- Cisco says a high-severity vulnerability in Nexus 9000 series switches could allow attackers to intercept and modify encrypted traffic. Tracked as CVE-2023-20185, the issue impacts the ACI multi-site CloudSec encryption feature of the Nexus 9000 switches that are configured in application centric infrastructure (ACI) mode – typically used in data centers for controlling physical and virtual networks. --------------------------------------------- https://www.securityweek.com/vulnerability-in-cisco-enterprise-switches-all… ∗∗∗ Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex Meetings Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Duo Authentication Proxy Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ZDI-23-896: D-Link DAP-2622 DDP Change ID Password Auth Password Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-896/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2023
by Daily end-of-shift report 05 Jul '23

05 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-07-2023 18:00 − Mittwoch 05-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Email crypto phishing scams: stealing from hot and cold crypto wallets ∗∗∗ --------------------------------------------- Here is how email phishing scams targeting hot and cold crypto wallets, such as Trezor and Ledger, work. --------------------------------------------- https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/ ∗∗∗ Jetzt patchen! Über 335.000 SSL-VPN-Interfaces von Fortinet attackierbar ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor weiteren Attacken auf eine kritische Lücke in FortiOS. Patches zum Schließen der Schwachstelle sind seit Wochen verfügbar. --------------------------------------------- https://heise.de/-9206478 ∗∗∗ Verbaucherzentralen warnen vor personalisiertem Phishing ∗∗∗ --------------------------------------------- Seit Anfang der Woche landen viele Phishingmails mit persönlicher Anrede betreffend der ING in Postfächern von Internetnutzern, warnen die Verbraucherzentralen. --------------------------------------------- https://heise.de/-9207386 ∗∗∗ TEMU Shopping App und temu.com: Problematische Angebote aus China ∗∗∗ --------------------------------------------- Wer sich aktuell durch Social Media bewegt, kommt kaum an Werbeschaltungen für die Shopping App TEMU vorbei. Die Plattform mit Sitz in Dublin und ihrem Ursprung in China startet aktuell eine Offensive auf den österreichischen und deutschen Markt. Die Produkte bei TEMU sind teils unfassbar günstig und für viele verlockend. Möglich ist das aber vor allem durch fragwürdige Geschäftspraktiken, teils mangelhafte Produkte und Nicht-Einhaltung rechtlicher Vorgaben. --------------------------------------------- https://www.watchlist-internet.at/news/temu-shopping-app-und-temucom-proble… ===================== = Vulnerabilities = ===================== ∗∗∗ Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer ∗∗∗ --------------------------------------------- CVE Number: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261 Kyocera TASKalfa 4053ci printers are vulnerable to multiple vulnerabilities. The path traversal vulnerability can be used to access arbitrary files on the filesystem, even files that require root privileges. Also, the path traversal vulnerability can be used to conduct a denial-of-service (DoS). Due the username enumeration vulnerability, it is possible to identify valid user accounts. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/path-traversal-bypass-de… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox and python-reportlab), Slackware (mozilla), SUSE (dnsdist, grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python- cryptography-vectors, python-google-api-core, pyt, kernel, kubernetes1.18, libdwarf, python311, qt6-base, rmt-server, and virtualbox), and Ubuntu (containerd, firefox, and python-django). --------------------------------------------- https://lwn.net/Articles/937368/ ∗∗∗ The "StackRot" kernel vulnerability ∗∗∗ --------------------------------------------- Ruihan Li has discloseda significant vulnerability introduced into the 6.1 kernel: A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. --------------------------------------------- https://lwn.net/Articles/937377/ ∗∗∗ Frauscher: Diagnostic System FDS001 for FAdC/FAdCi Path Traversal vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-011/ ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker and denial of service due to Guava (CVE-2020-8908, CVE-2018-10237). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009535 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009537 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to xml2js abitrary code execution vulnerability(CVE-2023-0842) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009049 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009625 ∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - April 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009627 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center(CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009635 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker and denial of service due to Guava (CVE-2020-8908, CVE-2018-10237). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009535 ∗∗∗ IBM WebSphere Application Server could provide weaker than expected security (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007857 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2023
by Daily end-of-shift report 04 Jul '23

04 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 03-07-2023 18:00 − Dienstag 04-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors ∗∗∗ --------------------------------------------- The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down.The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up. --------------------------------------------- https://thehackernews.com/2023/07/ddosia-attack-tool-evolves-with.html ∗∗∗ Hunting for Bitwarden master passwords stored in memory ∗∗∗ --------------------------------------------- A blog post on how I was able to identify unknown master passwords stored in the memory of the Bitwarden web extension and desktop client, after a vault has been locked. I also cover the decisions made for developing a proof of concept to automate the process of extracting potential passwords. --------------------------------------------- https://redmaple.tech/blogs/2023/extract-bitwarden-vault-passwords/ ∗∗∗ Achtung Fake-Shop: sharkos.de ∗∗∗ --------------------------------------------- Sharkos – „Ihr Experte für Garten, Pools und Haushalt“. Das sehen wir anders. Der Online-Shop sieht zwar vielversprechend aus, wenn Sie dort bestellen, bekommen Sie aber trotz Zahlung keine Ware. Wir zeigen Ihnen, wie Sie Fake-Shops erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-sharkosde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Geräteverwaltung: hochriskante Schwachstelle in Ivanti Endpoint Manager ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Geräte- und Softwareverwaltung von Ivanti für ChromeOS, Linux, macOS und Windows ermöglicht Angreifern aus dem Netz Codeschmuggel. --------------------------------------------- https://heise.de/-9206574 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript), Fedora (apache-ivy, chromium, golang-github-schollz-croc, golang-github-schollz-mnemonicode, and webkitgtk), SUSE (amazon-ecs-init, dnsdist, libcap, python-tornado, terraform, and xmltooling), and Ubuntu (imagemagick, openldap, php7.4, php8.1, and screen). --------------------------------------------- https://lwn.net/Articles/937292/ ∗∗∗ CISA issues warning for cardiac device system vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) warned of a severe vulnerability in a cardiac device from medical device company Medtronic. The issue – tracked as CVE-2023-31222 – carries a “critical” CVSS score of 9.8 out of 10 and affects the company’s Paceart Optima software that runs on a healthcare organization’s Windows server. --------------------------------------------- https://therecord.media/cisa-warning-for-cardiac-device-system-vulnerability ∗∗∗ Zyxel security advisory for buffer overflow vulnerability in 4G LTE and 5G NR outdoor routers ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the CGI program of some Zyxel 4G LTE and 5G NR outdoor routers could allow a remote authenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device. (CVE: CVE-2023-27989) --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.13 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/ ∗∗∗ Security Vulnerabilities fixed in Firefox 115 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/ ∗∗∗ Vulnerability in the interface module SLC-0-GPNT00300 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-894143.html ∗∗∗ Security Advisory for the FL MGUARD family of devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-833074.html ∗∗∗ IBM Integration Bus is vulnerable to a remote attack due to Apache Jena (CVE-2021-39239, CVE-2022-28890, CVE-2023-22665). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009371 ∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2016-1000027] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009383 ∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002807 ∗∗∗ Vulnerability in IBM SDK Java Technology affects IBM Cloud Pak System (CVE-2021-35561) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009441 ∗∗∗ Vulnerabilities in OpenSSL affect Cloud Pak System (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005857 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009457 ∗∗∗ Vulnerability of Newtonsoft.Json-12.0.1.22727.dll has afftected to .NET Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009459 ∗∗∗ Multiple CVEs may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009483 ∗∗∗ Multiple CVEs may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009485 ∗∗∗ Multiple CVEs may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009487 ∗∗∗ Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. (CVE-2023-34396, CVE-2023-34149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009497 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009499 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2023
by Daily end-of-shift report 03 Jul '23

03 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-06-2023 18:00 − Montag 03-07-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Beware: New RustBucket Malware Variant Targeting macOS Users ∗∗∗ --------------------------------------------- "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control." --------------------------------------------- https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html ∗∗∗ Entschlüsselungstool: Sicherheitsforscher knacken Akira-Ransomware ∗∗∗ --------------------------------------------- Stimmten die Voraussetzungen, können Opfer des Erpressungstrojaner Akira ohne Lösegeld zu zahlen auf ihre Daten zugreifen. --------------------------------------------- https://heise.de/-9204932 ∗∗∗ Vorsicht vor Malvertising: Fake-WinSCP-Tool verbreitet BackCat-Ransomware ∗∗∗ --------------------------------------------- Die Hintermänner des Verschlüsselungstrojaners BlackCat (aka ALPHV) setzen auf einen weiteren Verbreitungsweg. --------------------------------------------- https://heise.de/-9204958 ∗∗∗ Vorsicht vor gefälschten Polizei-Mails ∗∗∗ --------------------------------------------- Aktuell geben sich Kriminelle per E-Mail als Polizei aus. Im Mail steht, dass Sie in der Anlage Ihre Einberufung finden und innerhalb von 48 Stunden antworten müssen. Ansonsten droht Ihnen eine Festnahme. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-polizei-ma… ∗∗∗ CVE-2023-20864: Remote Code Execution in VMware Aria Operations for Logs ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Jonathan Lein and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in VMware Aria Operations for Logs (formerly vRealize). --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/6/29/cve-2023-20864-remote-code… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf HP-LaserJet-Pro-Drucker möglich ∗∗∗ --------------------------------------------- Mehrere LaserJet-Pro-Modelle von HP sind verwundbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-9205846 ∗∗∗ WP AutoComplete 1.0.4 - Unauthenticated SQLi ∗∗∗ --------------------------------------------- The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection. --------------------------------------------- https://www.exploit-db.com/exploits/51560 ∗∗∗ Sicherheitsupdate: Attacken auf WordPress-Plug-in Ultimate Member ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine kritische Lücke im WordPress-Plug-in Ultimate Member aus. Der Anbieter rät zu einem zügigen Update. --------------------------------------------- https://heise.de/-9204916 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, python3.7, and yajl), Fedora (chromium, kubernetes, pcs, and webkitgtk), Scientific Linux (open-vm-tools), SUSE (iniparser, keepass, libvirt, prometheus-ha_cluster_exporter, prometheus-sap_host_exporter, rekor, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (python-reportlab and vim). --------------------------------------------- https://lwn.net/Articles/937189/ ∗∗∗ Root-Zugang zu Smarthome-Server Loxone Miniserver Go Gen. 2 (SySS-2023-004/-012/-013) ∗∗∗ --------------------------------------------- Durch verschiedene Schwachstellen kann ein Administrator Betriebssystemzugriff auf dem Loxone Miniserver Go im Kontext des root-Benutzers erreichen. --------------------------------------------- https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-min… ∗∗∗ Multiple Vulnerabilities including Unauthenticated Remote Code Execution in Siemens A8000 ∗∗∗ --------------------------------------------- The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version (https://support.industry.siemens.com/cs/ww/en/view/109804985/). - Unauthenticated Remote Code Execution (CVE-2023-28489) - Authenticated Command Injection (CVE-2023-33919) - Hard-coded Root Password (CVE-2023-33920) - Console Login via UART (CVE-2023-33921) --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Multiple vulnerabilities in SoftEther VPN and PacketiX VPN ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN64316789/ ∗∗∗ ZDI-23-894: NETGEAR RAX30 UPnP Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-894/ ∗∗∗ ZDI-23-893: NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-893/ ∗∗∗ WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023070002 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go to a denial of service (CVE-2022-1962) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009053 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go is vulnerable to HTTP request smuggling(CVE-2022-1705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009055 ∗∗∗ Watson AI Gateway for Cloud Pak for Data is vulnerable to an Ajv (aka Another JSON Schema Validator) could allow a remote attacker to execute arbitrary code on the system (CVE-2020-15366) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009061 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to xml2js abitrary code execution vulnerability(CVE-2023-0842) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009049 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js http-cache-semantics module denial of service ( CVE-2022-25881) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009051 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Envoy security bypass ( CVE-2023-27488) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009057 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable ConfigObj denial of service ( CVE-2023-26112) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009059 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2455) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009293 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2022-41862) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009295 ∗∗∗ IBM Security Key Lifecycle Manager is vulnerable to Incorrect Permission Assignment for Critical Resource (CVE-2018-1750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/733311 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007837 ∗∗∗ Multiple vulnerabilities of Apache Groovy (groovy-all-2.3.11.jar) have affected APM JBoss and APM WebLogic Agent [CVE-202-17521, CVE-2016-6814, CVE-2015-3253] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009323 ∗∗∗ Multiple vulnerabilities of Apache Ant (ant-1.7.0.jar, ant-1.8.4.jar) have affected APM JBoss, APM WebLogic and APM SAP NetWeaver Java Stack Agents. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009321 ∗∗∗ Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects APM Agents for Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009327 ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operand is vulnerable to DOS/loss of integrity/confidentiality [CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009333 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go to a denial of service (CVE-2022-1962) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009053 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2023 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009353 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2023
by Daily end-of-shift report 30 Jun '23

30 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-06-2023 18:00 − Freitag 30-06-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Torrent of image-based phishing emails are harder to detect and more convincing ∗∗∗ --------------------------------------------- The arms race between scammers and defenders continues. --------------------------------------------- https://arstechnica.com/?p=1951208 ∗∗∗ Spamdexing: What is SEO Spam & How to Remove It ∗∗∗ --------------------------------------------- Ever had an uninvited guest crash your party, resulting in chaos, confusion, and some unhappy visitors? Well, SEO spam is that party crasher - just for websites. Why should you care, you ask? Well, just imagine your meticulously crafted website content being replaced with unsolicited ads for services and products that would make your grandma blush. Or even worse, your loyal site visitors being redirected to shady third party websites. Not the picture of ideal user experience, --------------------------------------------- https://blog.sucuri.net/2023/06/spamdexing-what-is-seo-spam.html ∗∗∗ Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign ∗∗∗ --------------------------------------------- An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said [...] --------------------------------------------- https://thehackernews.com/2023/06/cybercriminals-hijacking-vulnerable-ssh.h… ∗∗∗ Its 2023 and memory overwrite bugs are not just a thing, theyre still number one ∗∗∗ --------------------------------------------- Cough, cough, use Rust. Plus: Eight more exploited bugs added to CISAs must-patch list The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US governments list of known vulnerabilities that are under active attack and need to be patched, we note. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/06/29/cwe_top_25_2… ∗∗∗ Router-Malware: Aktuelle Kampagne des Mirai-Botnet greift viele Lücken an ∗∗∗ --------------------------------------------- Das Mirari-Botnet ist weiter aktiv. Die Drahtzieher nutzen in einer aktuellen Kampagne zahlreiche Sicherheitslücken, um diverse Internetrouter zu infizieren. --------------------------------------------- https://heise.de/-9203406 ∗∗∗ 200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin ∗∗∗ --------------------------------------------- Attackers exploit critical vulnerability in the Ultimate Member plugin to create administrative accounts on WordPress websites. --------------------------------------------- https://www.securityweek.com/200000-wordpress-sites-exposed-to-attacks-expl… ∗∗∗ Neue browserbasierte Social-Engineering-Trends ∗∗∗ --------------------------------------------- Report von WatchGuard Threat Lab: Angreifer nutzen neue Wege, um im Internet surfende Anwender auszutricksen. --------------------------------------------- https://www.zdnet.de/88410262/neue-browserbasierte-social-engineering-trend… ∗∗∗ Malware Execution Method Using DNS TXT Record ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware. --------------------------------------------- https://asec.ahnlab.com/en/54916/ ∗∗∗ Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator ∗∗∗ --------------------------------------------- We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-v… ∗∗∗ Decrypted: Akira Ransomware ∗∗∗ --------------------------------------------- Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others. --------------------------------------------- https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker-registry, flask, systemd, and trafficserver), Fedora (moodle, python-reportlab, suricata, and vim), Red Hat (go-toolset and golang, go-toolset-1.19 and go-toolset-1.19-golang, go-toolset:rhel8, open-vm-tools, python27:2.7, and python3), SUSE (buildah, chromium, gifsicle, libjxl, sqlite3, and xonotic), and Ubuntu (linux, linux-allwinner, linux-allwinner-5.19, linux-aws, linux-aws-5.19, linux-azure, linux-gcp, linux-gcp-5.19, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux-starfive-5.19, linux, linux-aws, linux-aws-5.15, linux-aws-5.4, linux-azure, linux-azure-5.15, linux-azure-5.4, linux-azure-fde-5.15, linux-bluefield, linux-gcp, linux-gcp-5.15, linux-gcp-5.4, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux-oem-6.1). --------------------------------------------- https://lwn.net/Articles/936949/ ∗∗∗ Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-23 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2023
by Daily end-of-shift report 29 Jun '23

29 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-06-2023 18:00 − Donnerstag 29-06-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Linux version of Akira ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ranso… ∗∗∗ Exploit released for new Arcserve UDP auth bypass vulnerability ∗∗∗ --------------------------------------------- Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-new-arc… ∗∗∗ Security Baseline for M365 Apps for enterprise v2306 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2306. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT, (Thu, Jun 29th) ∗∗∗ --------------------------------------------- On Monday 2023-06-26, I received an email in one of my honeypot accounts, and the email led to a loader-based infection for Remcos RAT. The loader seems to be a GuLoader- or ModiLoader (DBatLoader)-style malware, but it's not like the GuLoader or ModiLoader samples I've run across so far. --------------------------------------------- https://isc.sans.edu/diary/rss/29990 ∗∗∗ Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes ∗∗∗ --------------------------------------------- Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week. --------------------------------------------- https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.ht… ∗∗∗ Finding Gadgets for CPU Side-Channels with Static Analysis Tools ∗∗∗ --------------------------------------------- We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them. --------------------------------------------- https://github.com/google/security-research/blob/master/pocs/cpus/spectre-g… ∗∗∗ Verantwortungsvolle Veröffentlichung einer Exploit-Kette, die auf die Implementierung der RFC-Schnittstelle im SAP Application Server für ABAP abzielt ∗∗∗ --------------------------------------------- In einer unabhängigen Analyse der serverseitigen Implementierung der proprietären Remote Function Call (RFC)-Schnittstelle in SAP NetWeaver Application Server ABAP und ABAP Platform (beide im Folgenden als AS ABAP bezeichnet) wurden von Fabian Hagg, Sicherheitsforscher im SEC Consult Vulnerability Lab und SAP Security Experte, eine Reihe von schwerwiegenden Implementierungs- und Designfehlern identifiziert. --------------------------------------------- https://sec-consult.com/de/blog/detail/verantwortungsvolle-veroeffentlichun… ∗∗∗ Das können Sie tun, wenn Kriminelle Ihren Online-Shop kopieren ∗∗∗ --------------------------------------------- Fake-Shops bieten im Internet Markenprodukte zu Spottpreisen an. Kriminelle bauen dabei die echten Webseiten einfach nach, sodass die Fälschung auf den ersten Blick oft gar nicht ersichtlich ist. Wir zeigen Ihnen, was Sie tun können, wenn Ihr Online-Shop betroffen ist und wie Sie Ihre Kund:innen schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/das-koennen-sie-tun-wenn-kriminelle-… ∗∗∗ CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments ∗∗∗ --------------------------------------------- Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical in securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joi… ∗∗∗ Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts ∗∗∗ --------------------------------------------- In Mandiant’s initial publication of this vulnerability, we covered the attackers’ exploitation of CVE-2023-20867, the harvesting of ESXi service account credentials on vCenter machines, and the implications of backdoor communications over VMCI socket. In this blog post, we will focus on the artifacts, logging options, and hardening steps to detect and prevent the following tactics and techniques seen being used by UNC3886. --------------------------------------------- https://www.mandiant.com/resources/blog/vmware-detection-containment-harden… ∗∗∗ Introducing KBOM – Kubernetes Bill of Materials ∗∗∗ --------------------------------------------- SBOM (Software Bill of Materials) is an accepted best practice to map the components and dependencies of your applications in order to better understand your applications’ risks. SBOMs are used as a basis for vulnerability assessment, licensing compliance, and more. There are plenty of available tools, such as Aqua Trivy, that help you easily generate SBOM for your applications. --------------------------------------------- https://blog.aquasec.com/introducing-kbom-kubernetes-bill-of-materials ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Security advisories 2023-06-28 ∗∗∗ --------------------------------------------- Drupal released 7 new security advisories. (1x Critical, 5x Moderatly Critical, 1x Less Critical) --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and maradns), SUSE (iniparser, kubernetes1.23, python-reportlab, and python-sqlparse), and Ubuntu (accountsservice and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/936752/ *** IBM Security Bulletins *** --------------------------------------------- AIX, IBM QRadar SIEM, WebSphere Application Server, IBM Security SOAR, IBM Cloud Pak, CICS, IBM SDK, IBM Tivoli, FileNet Content Manager, Db2 Graph, IBM OpenPages and IBM Semeru Runtime. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0005 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0005.html ∗∗∗ F5: K000135262 : Apache Tomcat vulnerability CVE-2023-28709 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135262 ∗∗∗ Stable Channel Update for ChromeOS/ChromeOS Flex ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2023/06/stable-channel-update-for_28.h… ∗∗∗ [R1] Nessus Version 10.5.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-22 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01 ∗∗∗ Ovarro TBox RTUs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04 ∗∗∗ Medtronic Paceart Optima System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-180-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2023
by Daily end-of-shift report 28 Jun '23

28 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-06-2023 18:00 − Mittwoch 28-06-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Andariel’s silly mistakes and a new malware family ∗∗∗ --------------------------------------------- In this crimeware report, Kaspersky researchers provide insights into Andariel’s activity targeting organizations: clumsy commands executed manually, off-the-shelf tools and EasyRat malware. --------------------------------------------- https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/ ∗∗∗ Warning: JavaScript registry npm vulnerable to manifest confusion abuse ∗∗∗ --------------------------------------------- Failure to match metadata with packaged files is perfect for supply chain attacks. The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/06/27/javascript_r… ∗∗∗ Black Basta Ransomware ∗∗∗ --------------------------------------------- What is Black Basta Ransomware? Black Basta is a threat group that provides ransomware-as-a-service (RaaS). The service is maintained by dedicated developers and is a highly efficient and professionally run operation; there’s a TOR website that provides a victim login portal, a chat room, and a wall of company’s names who’s data has been leaked. --------------------------------------------- https://www.pentestpartners.com/security-blog/black-basta-ransomware/ ∗∗∗ Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor ∗∗∗ --------------------------------------------- Manic Menagerie 2.0 is a campaign deploying coin miners and web shells, among other tactics. Hijacked machines could be used as C2 for further operations. --------------------------------------------- https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and… ∗∗∗ Charming Kitten Updates POWERSTAR with an InterPlanetary Twist ∗∗∗ --------------------------------------------- Volexity works with many individuals and organizations often subjected to sophisticated and highly targeted spear-phishing campaigns from a variety of nation-state-level threat actors. In the last few years, Volexity has observed threat actors dramatically increase the level of effort they put into compromising credentials or systems of individual targets. --------------------------------------------- https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-… ∗∗∗ Hackers Hiding DcRAT Malware in Fake OnlyFans Content ∗∗∗ --------------------------------------------- A malicious campaign targeting smartphone users has been uncovered, utilizing fake OnlyFans content to distribute a dangerous Remote Access Trojan (RAT) known as DcRAT malware. --------------------------------------------- https://www.hackread.com/hackers-dcrat-malware-fake-onlyfans-content/ ∗∗∗ Newly Surfaced ThirdEye Infostealer Targeting Windows Devices ∗∗∗ --------------------------------------------- FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer. --------------------------------------------- https://www.hackread.com/thirdeye-infostealer-windows-devices/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution ∗∗∗ --------------------------------------------- Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. --------------------------------------------- https://thehackernews.com/2023/06/critical-sql-injection-flaws-expose.html ∗∗∗ App Bypass und andere Schwachstellen in Boomerang Parental Control App ∗∗∗ --------------------------------------------- Die Kinderüberwachungs-App "Boomerang" von National Education Technologies ist von Schwachstellen mit hohem Risiko betroffen. Angreifer können ein lokales ADB Backup erzeugen, über welches Zugang zu API Token erlangt werden kann. Dadurch kann ein Angreifer Privilege Escalation durchführen oder auch Cross-Site Scripting im Web Dashboard der Eltern. Des weiteren können Kinder die Beschränkungen der Eltern auf einfache Weise umgehen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/app-bypass-und-andere… ∗∗∗ Nvidia: Treiber-Update schließt Codeschmuggel-Schwachstellen ∗∗∗ --------------------------------------------- Nvidias Grafikkartentreiber für Linux und Windows haben hochriskante Sicherheitslücken. Der Hersteller liefert jetzt Aktualisierungen zum Abdichten der Lecks. --------------------------------------------- https://heise.de/-9200904 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (docker-docker-registry, libcap, libx11, mediawiki, python-requests, python-tornado, sofia-sip, sqlite, and xonotic), Red Hat (kernel, kernel-rt, kpatch-patch, libssh, libtiff, python27:2.7, python39:3.9, python39-devel:3.9, ruby:2.7, sqlite, systemd, and virt:rhel, virt-devel:rhel), SUSE (bind, cosign, guile1, lilypond, keepass, kubernetes1.24, nodejs16, nodejs18, phpMyAdmin, and sqlite3), and Ubuntu (etcd). --------------------------------------------- https://lwn.net/Articles/936671/ *** IBM Security Bulletins *** --------------------------------------------- IBM App Connect Enterprise, IBM Security Guardium, CloudPak for Watson, IBM MQ, IBM Maximo Manage application, IBM TXSeries, IBM CICS TX, IBM Cloud Object Storage Systems, IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manager, IBM Informix JDBC Driver, IBM i, IBM Tivoli Netcool Impact, IBM Robotic Process Automation, IBM WebSphere Application Server and FileNet Content Manager. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Path Traversal / Cross-Site Scripting im Gira KNX IP-Router (SYSS-2023-015/-016) ∗∗∗ --------------------------------------------- Das Webinterface des Gira KNX IP-Routers ermöglicht ein Path Traversal (Zugriff auf Systemdateien) und ist anfällig für Cross-Site Scripting-Angriffe. --------------------------------------------- https://www.syss.de/pentest-blog/path-traversal-/-cross-site-scripting-im-g… ∗∗∗ Information Disclosure Vulnerability in Bosch IP cameras ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-839739-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2023
by Daily end-of-shift report 27 Jun '23

27 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Montag 26-06-2023 18:00 − Dienstag 27-06-2023 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Prominent cryptocurrency exchange infected with previously unseen Mac malware ∗∗∗ --------------------------------------------- Its not yet clear how the full-featured JokerSpy backdoor gets installed. --------------------------------------------- https://arstechnica.com/?p=1950160 ∗∗∗ New Mockingjay process injection technique evades EDR detection ∗∗∗ --------------------------------------------- A new process injection technique named Mockingjay could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injec… ∗∗∗ The Importance of Malware Triage, (Tue, Jun 27th) ∗∗∗ --------------------------------------------- When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, its essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you dont need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you dont have time to analyze all samples! --------------------------------------------- https://isc.sans.edu/diary/rss/29984 ∗∗∗ Smartwatches Are Being Used To Distribute Malware ∗∗∗ --------------------------------------------- "Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and report the incident to their local security office." --------------------------------------------- https://it.slashdot.org/story/23/06/27/0641253/smartwatches-are-being-used-… ∗∗∗ SNAPPY: Detecting Rogue and Fake 802.11 Wireless Access Points Through Fingerprinting Beacon Management Frames ∗∗∗ --------------------------------------------- I’ve found a novel technique to detect both rogue and fake 802.11 wireless access points through fingerprinting Beacon Management Frames, and created a tool to do so, called snap.py (Snappy) – the blog post title doesn’t lie! --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/snappy-dete… ∗∗∗ New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems."The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," [..] --------------------------------------------- https://thehackernews.com/2023/06/new-ongoing-campaign-targets-npm.html ∗∗∗ Anatsa banking Trojan hits UK, US and DACH with new campaign ∗∗∗ --------------------------------------------- As of March 2023, ThreatFabric’s cyber fraud analysts have been monitoring multiple ongoing Google Play Store dropper campaigns delivering the Android banking Trojan Anatsa, with over 30.000 installations. The threat actors behind this new wave of Anatsa showed interest in new institutions from the US, UK, and DACH region. Our fraud intelligence platform was able to confirm this dangerous malware family adding multiple Android banking apps from these regions as new targets. --------------------------------------------- https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign ∗∗∗ Rowpress: DRAM-Angriff Rowhammer hat einen jüngeren Bruder ∗∗∗ --------------------------------------------- Ein neuer Seitenkanalangriff manipuliert vermeintlich geschützte Bereiche des Arbeitsspeichers und funktioniert unabhängig von der eingesetzten CPU. --------------------------------------------- https://heise.de/-9199330 ∗∗∗ Malvertising: A stealthy precursor to infostealers and ransomware attacks ∗∗∗ --------------------------------------------- Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing. --------------------------------------------- https://www.malwarebytes.com/blog/business/2023/06/malvertising-a-stealthy-… ∗∗∗ „Hallo Mama, mein Handy ist kaputt“ ∗∗∗ --------------------------------------------- Eine unbekannte Nummer schreibt Ihnen. Angeblich ist es Ihr Kind. In der Nachricht steht, dass das Handy kaputt ist und das jetzt die neue Nummer sei. Antworten Sie nicht, dahinter steckt Betrug. Wenn Sie zurückschreiben, bitten Kriminelle Sie um eine dringende Überweisung und Sie verlieren Geld. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-mein-handy-ist-kaputt/ ∗∗∗ Breaking GPT-4 Bad: Check Point Research Exposes How Security Boundaries Can Be Breached as Machines Wrestle with Inner Conflicts ∗∗∗ --------------------------------------------- Highlights Check Point Research examines security and safety aspects of GPT-4 and reveals how limitations can be bypassed Researchers present a new mechanism dubbed “double bind bypass”, colliding GPT-4s internal motivations against itself --------------------------------------------- https://blog.checkpoint.com/artificial-intelligence/breaking-gpt-4-bad-chec… ∗∗∗ A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation ∗∗∗ --------------------------------------------- SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and [..] --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-saltwater-backdoor-used… ∗∗∗ CISA Releases SCuBA TRA and eVRF Guidance Documents ∗∗∗ --------------------------------------------- CISA has released several documents as part of the Secure Cloud Business Applications (SCuBA) project: - The Technical Reference Architecture (TRA) document [..] is [..] a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks. - The extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/27/cisa-releases-scuba-tra-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX), and Jetson Nano (including Jetson Nano 2GB) - June 2023 ∗∗∗ --------------------------------------------- NVIDIA has released a software update for NVIDIA Jetson AGX Xavier series, Jetson Xavier NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX), and Jetson Nano devices (including Jetson Nano 2GB) in the NVIDIA JetPack software development kit (SDK). The update addresses security issues that may lead to code execution, denial of service, information disclosure, and loss of integrity. --------------------------------------------- https://nvidia.custhelp.com/app/answers/detail/a_id/5466 ∗∗∗ Security Bulletin: NVIDIA GPU Display Driver - June 2023 ∗∗∗ --------------------------------------------- NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses issues that may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure. --------------------------------------------- https://nvidia.custhelp.com/app/answers/detail/a_id/5468 ∗∗∗ Webbrowser: Update für Google Chrome dichtet hochriskante Sicherheitslücken ab ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in aktualisierter Fassung veröffentlicht. In der neuen Version dichten die Entwickler hochriskante Sicherheitslecks ab. --------------------------------------------- https://heise.de/-9199157 ∗∗∗ Sicherheitsupdates: Dell-BIOS gegen verschiedene Attacken gerüstet ∗∗∗ --------------------------------------------- Wer einen Computer von Dell besitzt, sollte das BIOS aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-9199274 ∗∗∗ Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin ∗∗∗ --------------------------------------------- On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates. --------------------------------------------- https://www.wordfence.com/blog/2023/06/arbitrary-user-password-change-vulne… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (c-ares and libx11), Fedora (chromium and kubernetes), Red Hat (python3 and python38:3.8, python38-devel:3.8), and SUSE (amazon-ssm-agent, kernel, kubernetes1.24, libvirt, nodejs16, openssl-1_1, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/936549/ ∗∗∗ Synology-SA-23:09 Mail Station ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to potentially inject SQL commands and inject arbitrary web scripts or HTML via a susceptible version of Mail Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_09 ∗∗∗ Zahlreiche Schwachstellen mit hohem Risiko in ILIAS eLearning platform ∗∗∗ --------------------------------------------- Es wurden Sicherheitslücken mit hohem Risiko in der ILIAS eLearning Plattform identifiziert, welche es einem Angreifer über mehrere Angriffspfade ermöglichen, beliebigen Code auszuführen. Zum einen werden Eingaben in einer "unserialize" Funktion nicht ausreichend gefiltert, zum anderen können beliebige PHP Dateien durch Umgehen eines Filters hochgeladen werden. Des weiteren können Cross-Site Scripting Angriffe durchgeführt werden. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ [R1] Tenable Plugin Feed ID #202306261202 Fixes Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- As a part of Tenable’s vulnerability disclosure program, a vulnerability in a Nessus plugin was identified and reported. This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges. --------------------------------------------- https://www.tenable.com/security/tns-2023-21 ∗∗∗ A vulnerability in the IBM Spectrum Protect Backup-Archive Client on Microsoft Windows Workstation operating systems can lead to local user escalated privileges (CVE-2023-28956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005519 ∗∗∗ Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007069 ∗∗∗ A vulnerabbility exists in the IBM\u00ae SDK, Java\u2122 Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2022-21426). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007317 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007313 ∗∗∗ A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007315 ∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007351 ∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . CVE-2022-22978 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007363 ∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . CVE-2021-22119 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007359 ∗∗∗ Vulnerability in Pallets Flask affects IBM Process Mining . CVE-2023-30861 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007345 ∗∗∗ Vulnerability in Spring Boot affects IBM Process Mining . CVE-2023-20883 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007349 ∗∗∗ Vulnerability in netplex json-smart affects IBM Process Mining . CVE-2023-1370 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007357 ∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining . CVE-2023-20863 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007365 ∗∗∗ A vulnerability exists in the IBM\u00ae SDK, Java\u2122 Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2023-21830, CVE-2023-21843). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007353 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007355 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-32695] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007367 ∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . CVE-2023-20862 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007371 ∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining . CVE-2023-20873 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007373 ∗∗∗ Vulnerability in Apache Tomcat affects IBM Process Mining . Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007375 ∗∗∗ CVE-2022-21426 may affect JAXP component in Java SE used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007387 ∗∗∗ A vulnerability has been identified in IBM Storage Scale System which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007405 ∗∗∗ Hitachi Energy FOXMAN-UN and UNEM Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-178-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2023
by Daily end-of-shift report 26 Jun '23

26 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-06-2023 18:00 − Montag 26-06-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FortiNAC: Kritische Sicherheitslücke erlaubt Codeschmuggel, Update vergfügbar ∗∗∗ --------------------------------------------- Fortinet stellt Softwareupdates bereit, die unter anderem eine kritische Sicherheitslücke in FortiNAC schließen. Angreifer können Schadcode einschleusen. --------------------------------------------- https://heise.de/-9197438 ∗∗∗ Teams-Lücke vereinfacht Unterjubeln von Malware ∗∗∗ --------------------------------------------- In Microsoft Teams können Angreifer potenziellen Opfern einfach Malware zukommen lassen. Herkömmlicher Phishing-Schutz hilft nicht dagegen. --------------------------------------------- https://heise.de/-9197620 ∗∗∗ DNS Analyzer - Finden von DNS-Schwachstellen mit Burp Suite ∗∗∗ --------------------------------------------- Ein brandneues Plugin für Burp Suite zum Aufspüren von DNS-Schwachstellen in Webanwendungen! --------------------------------------------- https://sec-consult.com/de/blog/detail/dns-analyzer-finden-von-dns-schwachs… ∗∗∗ Betrug bei der Wohnungssuche: Kriminelle führen in gemieteten Airbnb-Wohnungen Besichtigungen durch ∗∗∗ --------------------------------------------- Es ist kaum zu glauben: Sie haben gerade Ihre Traumwohnung besichtigt, noch dazu ist sie sehr günstig! In diesem Fall raten wir aber, Verträge nicht voreilig zu unterschreiben und auch keine Kaution zu überweisen, denn aktuell mieten Kriminelle Airbnb-Wohnungen und stellen diese dann zur Vermietung ins Internet. Sie besichtigen eine nicht verfügbare Wohnung, unterschreiben einen ungültigen Vertrag und überweisen Kriminellen die Kaution! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-bei-der-wohnungssuche-krimine… ∗∗∗ Grafana warns of critical auth bypass due to Azure AD integration ∗∗∗ --------------------------------------------- Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/grafana-warns-of-critical-au… ∗∗∗ 5 facts to know about the Royal ransomware gang ∗∗∗ --------------------------------------------- A quick look the cybercriminal group known as Royal—one of the fastest growing ransomware gangs today. --------------------------------------------- https://www.malwarebytes.com/blog/business/2023/06/5-facts-to-know-about-th… ∗∗∗ Exploiting Noisy Oracles with Bayesian Inference ∗∗∗ --------------------------------------------- In cryptographic attacks, we often rely on abstracted information sources which we call “oracles”. [...] In practice, however, not all oracles are created equal: an oracle that comes from error messages may well be perfectly reliable, whereas one which relies on (say) timing side channels may have to deal with a non-negligible amount of noise. In this post, we’ll look at how to deal with noisy oracles, and how to mount attacks using them. --------------------------------------------- https://research.nccgroup.com/2023/06/23/exploiting-noisy-oracles-with-baye… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and owslib), Fedora (dav1d, dotnet6.0, dotnet7.0, mingw-dbus, vim, and wabt), and SUSE (cloud-init and golang-github-vpenso-prometheus_slurm_exporter). --------------------------------------------- https://lwn.net/Articles/936332/ ∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks software ∗∗∗ --------------------------------------------- Autodesk InfraWorks has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0012 ∗∗∗ WAGO: Controller with CODESYS 2.3 Runtime Denial-of-Service ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-006/ ∗∗∗ WAGO: Series 750-3x/-8x prone to MODBUS server DoS ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-005/ ∗∗∗ A vulnerability in containerd affects IBM Robotic Process Automation for Cloud Pak and may result in a denial of service (CVE-2022-23471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7006699 ∗∗∗ IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which can allow an attacker to execute arbitrary code ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7006819 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6998727 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2023
by Daily end-of-shift report 23 Jun '23

23 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-06-2023 18:00 − Freitag 23-06-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft: Hackers hijack Linux systems using trojanized OpenSSH version ∗∗∗ --------------------------------------------- Microsoft says Internet-exposed Linux and Internet of Things (IoT) devices are being hijacked in brute-force attacks as part of a recently observed cryptojacking campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-hackers-hijack-lin… ∗∗∗ NSA shares tips on blocking BlackLotus UEFI malware attacks ∗∗∗ --------------------------------------------- The U.S. National Security Agency (NSA) released today guidance on how to defend against BlackLotus UEFI bootkit malware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-blocking-… ∗∗∗ Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware ∗∗∗ --------------------------------------------- A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware. --------------------------------------------- https://thehackernews.com/2023/06/powerful-javascript-dropper-pindos.html ∗∗∗ Security: RepoJacking auf GitHub betrifft auch große Firmen wie Google ∗∗∗ --------------------------------------------- Durch die Übernahme von Repositories hinter umbenannten Organisationen auf GitHub können Angreifer Schadcode verbreiten. --------------------------------------------- https://heise.de/-9195575 ∗∗∗ Fake-Umfrage im Namen der ÖBB im Umlauf! ∗∗∗ --------------------------------------------- Sie gehören zu den „500 glücklichen Kunden“, die von der ÖBB kontaktiert wurden, um an einer Umfrage teilzunehmen? Für das Ausfüllen der Umfrage erhalten Sie 55 Euro? Das klingt zwar verlockend, es handelt sich aber um Betrug. Nachdem Sie die Umfrage ausgefüllt haben, sollen Sie Ihre Kreditkartendaten angeben und eine Zahlung freigeben! Ignorieren Sie diese E-Mail daher. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-fake-umfrage-im-namen-der-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Teams: Sicherheitslücke lässt Malware von externen Konten durch ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in Microsoft Teams erlaubt es Angreifern, Malware direkt in den internen Posteingang zu senden. --------------------------------------------- https://www.golem.de/news/microsoft-teams-sicherheitsluecke-laesst-malware-… ∗∗∗ Fortinet fixes critical FortiNAC RCE, install updates asap ∗∗∗ --------------------------------------------- Fortinet addressed a critical remote command execution vulnerability, tracked as CVE-2023-33299, affecting FortiNAC solution. FortiNAC is a network access control (NAC) solution designed by Fortinet that is used by organizations to secure and control access to networks by enforcing security policies, monitoring devices, and managing their access privileges. --------------------------------------------- https://securityaffairs.com/147770/security/fortinet-fortinac-critical-flaw… ∗∗∗ Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) ∗∗∗ --------------------------------------------- Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. [..] We have addressed the issue and updated the product for customers to remediate it. --------------------------------------------- https://community.progress.com/s/article/Role-based-Access-Control-and-Priv… ∗∗∗ Junos OS and Junos OS Evolved: A BGP session will flap upon receipt of a specific, optional transitive attribute (CVE-2023-0026) ∗∗∗ --------------------------------------------- An Improper Input Validation vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When a BGP update message is received over an established BGP session, and that message contains a specific, optional transitive attribute, this session will be torn down with an update message error. --------------------------------------------- https://supportportal.juniper.net/s/article/2023-06-Out-of-Cycle-Security-B… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, lua5.3, and trafficserver), Fedora (tang and trafficserver), Oracle (.NET 7.0, c-ares, firefox, openssl, postgresql, python3, texlive, and thunderbird), Red Hat (python27:2.7 and python39:3.9 and python39-devel:3.9), Scientific Linux (c-ares), Slackware (cups), SUSE (cups, dav1d, google-cloud-sap-agent, java-1_8_0-openjdk, libX11, openssl-1_0_0, openssl-1_1, openssl-3, openvswitch, and python-sqlparse), and Ubuntu (cups, dotnet6, dotnet7, and openssl). --------------------------------------------- https://lwn.net/Articles/936040/ ∗∗∗ High-severity vulnerabilities patched in popular domain name software BIND ∗∗∗ --------------------------------------------- With the recently discovered vulnerabilities remote attackers could launch denial-of-service attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released Friday. BIND stands for Berkeley Internet Name Domain. --------------------------------------------- https://therecord.media/bind-9-patches-internet-dns-vulnerabilities ∗∗∗ VMware schließt Schwachstellen in vCenter Server (22. Juni 2023) ∗∗∗ --------------------------------------------- Der Anbieter VMware hat Updates seiner vCenter-Server veröffentlicht, um gravierende (Einstufung als important) Schwachstellen (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895 und CVE-2023-20896) zu schließen. --------------------------------------------- https://www.borncity.com/blog/2023/06/23/vmware-schliet-schwachstellen-in-v… ∗∗∗ Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED] ∗∗∗ --------------------------------------------- Rapid7 has uncovered four issues in Fortra Globalscape EFT, the worst of which can lead to remote code execution. --------------------------------------------- https://www.rapid7.com/blog/post/2023/06/22/multiple-vulnerabilities-in-for… ∗∗∗ FortiNAC - argument injection in XML interface on port tcp/5555 ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-096 ∗∗∗ FortiNAC - java untrusted object deserialization RCE ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-074 ∗∗∗ F5: K000135178 : OpenSSL vulnerability CVE-2023-2650 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135178 ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/23/cisa-adds-five-known-exp… ∗∗∗ Enphase Envoy ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-01 ∗∗∗ Enphase Installer Toolkit Android App ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2023
by Daily end-of-shift report 22 Jun '23

22 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-06-2023 18:00 − Donnerstag 22-06-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits ∗∗∗ --------------------------------------------- Mirai is a still-active botnet with new variants. We highlight observed exploitation of IoT vulnerabilities — due to low complexity and high impact. --------------------------------------------- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/ ∗∗∗ Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack ∗∗∗ --------------------------------------------- Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report. --------------------------------------------- https://thehackernews.com/2023/06/alert-million-of-github-repositories.html ∗∗∗ LibreOffice Arbitrary File Write (CVE-2023-1883) ∗∗∗ --------------------------------------------- While performing a cursory inspection of the LibreOffice Base desktop database, we stumbled across an (arbitrary) file write issue. The fine folks at LibreOffice immediately addressed the vulnerability. --------------------------------------------- https://secfault-security.com/blog/libreoffice.html ∗∗∗ Virenschutz: Avast dreht alten Scannern Signaturnachschub ab ∗∗∗ --------------------------------------------- Avast beendet die Unterstützung älterer Virenscanner. Die Versionen Avast 9, 10 und 11 erhalten ab Sommerende keine Updates mehr, auch keine neuen Signaturen. --------------------------------------------- https://heise.de/-9194464 ∗∗∗ PoC-Exploit für Cisco AnyConnect-Schwachstelle CVE-2023-20178 ermöglicht SYSTEM-Privilegien ∗∗∗ --------------------------------------------- In der Cisco AnyConnect Secure Mobility Client Software gibt es eine Schwachstelle, über die Angreifer sich SYSTEM-Privilegien unter Windows verschaffen können. Nun ist ein Proof of Concept für einen Exploit zum Ausnutzen dieser Schwachstelle (CVE-2023-20178) verfügbar. --------------------------------------------- https://www.borncity.com/blog/2023/06/22/poc-exploit-fr-cisco-anyconnect-sc… ===================== = Vulnerabilities = ===================== ∗∗∗ iOS 16.5.1 & Co: Apple beseitigt Zero-Day-Lücken in allen Systemen ∗∗∗ --------------------------------------------- Die gravierenden Schwachstellen wurden offenbar ausgenutzt, um Überwachungs-Tools auf Apple-Hardware einzuschleusen. Patches gibt es auch für ältere Hardware. --------------------------------------------- https://heise.de/-9194404 ∗∗∗ VMSA-2023-0014 ∗∗∗ --------------------------------------------- The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0014.html ∗∗∗ Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin thats installed on more than 30,000 websites. --------------------------------------------- https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.h… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (avahi, hsqldb, hsqldb1.8.0, minidlna, trafficserver, and xmltooling), Oracle (.NET 6.0, .NET 7.0, 18, c-ares, firefox, kernel, less, libtiff, libvirt, python, python3.11, texlive, and thunderbird), Red Hat (c-ares, kernel, kernel-rt, kpatch-patch, less, libtiff, libvirt, openssl, and postgresql), Slackware (bind and kernel), SUSE (bluez, curl, geoipupdate, kernel, netty, netty-tcnative, ntp, open-vm-tools, php8, python-reportlab, rustup, Salt, salt, terraform-provider-aws, terraform-provider-null, and webkit2gtk3), and Ubuntu (bind9, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-oracle, and linux-ibm). --------------------------------------------- https://lwn.net/Articles/935872/ ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2023-20887 VMware Aria Operations for Networks Command Injection Vulnerability CVE-2020-35730 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability CVE-2020-12641 Roundcube Webmail Remote Code Execution Vulnerability CVE-2021-44026 Roundcube Webmail SQL Injection Vulnerability CVE-2016-9079 Mozilla Firefox, Firefox ESR, and Thunderbird Use-After-Free Vulnerability CVE-2016-0165 Microsoft Win32k Privilege Escalation Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/22/cisa-adds-six-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Security Directory Integrator, IBM Security QRadar SIEM, CICS TX, IBM InfoSphere Information Server, IBM MQ, IBM Integration Bus for z/OS, IBM Spectrum Protect, IBM Robotic Process Automation. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ZDI-23-891: (0Day) ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-891/ ∗∗∗ Drupal: Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-022 ∗∗∗ Drupal: Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-021 ∗∗∗ Cisco Duo Two-Factor Authentication for macOS Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ BIND 9: CVE-2023-2828: nameds configured cache size limit can be significantly exceeded ∗∗∗ --------------------------------------------- https://kb.isc.org/docs/cve-2023-2828 ∗∗∗ BIND 9: CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled ∗∗∗ --------------------------------------------- https://kb.isc.org/docs/cve-2023-2829 ∗∗∗ BIND 9: CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 ∗∗∗ --------------------------------------------- https://kb.isc.org/docs/cve-2023-2911 ∗∗∗ F5: K000134942 : Intel CPU vulnerability CVE-2022-33972 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000134942 ∗∗∗ SpiderControl SCADAWebServer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-03 ∗∗∗ Advantech R-SeeNet ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-02 ∗∗∗ Nextcloud: End-to-End encrypted file-drops can be made inaccessible ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x… ∗∗∗ Nextcloud: Password reset endpoint is not brute force protected ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m… ∗∗∗ Nextcloud: Open redirect on "Unsupported browser" warning ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h… ∗∗∗ Nextcloud: Brute force protection allows to send more requests than intended ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q… ∗∗∗ Nextcloud: User scoped external storage can be used to gather credentials of other users ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6… ∗∗∗ Nextcloud: System addressbooks can be modified by malicious trusted server ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2023
by Daily end-of-shift report 21 Jun '23

21 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-06-2023 18:00 − Mittwoch 21-06-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: Angreifer können Zyxel NAS ins Visier nehmen ∗∗∗ --------------------------------------------- Aktualisierte Firmware-Versionen für verschiedene NAS-Modelle von Zyxel schließen eine kritische Schwachstelle. --------------------------------------------- https://heise.de/-9193271 ∗∗∗ Zielgerichtete Angriffe auf iPhones: Neue Details zu Spyware ∗∗∗ --------------------------------------------- iPhone-Spyware kommt per iMessage und kann laut einer Analyse etwa Dateien manipulieren und den Standort tracken. Möglicherweise zählen auch Macs zu den Zielen. --------------------------------------------- https://heise.de/-9193906 ∗∗∗ VMware Aria: Angriffe auf kritische Sicherheitslücke – Update installieren! ∗∗∗ --------------------------------------------- VMware hat seine Sicherheitsmeldung zu einer kritischen Schwachstelle in der Monitoring-Software Aria Operations aktualisiert. Demnach wird sie angegriffen. --------------------------------------------- https://heise.de/-9193354 ∗∗∗ Hilfe, Kriminelle imitieren meine Telefonnummer für betrügerische Anrufe! ∗∗∗ --------------------------------------------- Dass Kriminelle auch gerne zum Telefon greifen, um Menschen zu betrügen, ist wohl allseits bekannt. Häufig setzen sie dabei allerdings auf „Spoofing“, wodurch bei den Angerufenen nicht die tatsächliche Nummer angezeigt wird, die hinter dem Scam-Anruf steckt. Immer häufiger wenden sich Personen an uns, deren Nummer simuliert und für Spam-Anrufe genutzt wird, weil sie ständig Rückrufe verärgerter Personen erhalten, [...] --------------------------------------------- https://www.watchlist-internet.at/news/hilfe-kriminelle-imitieren-meine-tel… ∗∗∗ Microsoft fixes Azure AD auth flaw enabling account takeover ∗∗∗ --------------------------------------------- Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the targets account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-fixes-azure-ad-aut… ∗∗∗ New Condi malware builds DDoS botnet out of TP-Link AX21 routers ∗∗∗ --------------------------------------------- A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddo… ∗∗∗ Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites ∗∗∗ --------------------------------------------- Two critical-severity authentication bypass vulnerabilities in WordPress plugins with tens of thousands of installations. --------------------------------------------- https://www.securityweek.com/critical-wordpress-plugin-vulnerabilities-impa… ∗∗∗ Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws ∗∗∗ --------------------------------------------- Enphase Energy has ignored CISA requests to fix remotely exploitable vulnerabilities in Enphase products. --------------------------------------------- https://www.securityweek.com/enphase-ignores-cisa-request-to-fix-remotely-e… ∗∗∗ Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries ∗∗∗ --------------------------------------------- Backdoor leverages Microsoft Graph API for C&C communication. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/flea-bac… ∗∗∗ Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox) ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox. The distributions include cases that use PowerShell and sqlps. --------------------------------------------- https://asec.ahnlab.com/en/54704/ ∗∗∗ AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice ∗∗∗ --------------------------------------------- While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass. --------------------------------------------- https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to… ∗∗∗ MOVEIt Vulnerability: A Painful Reminder That Threat Actors Aren’t the Only Ones Responsible for a Data Breach ∗∗∗ --------------------------------------------- The MOVEIt data breach continues to impact a number of both private and government groups across the US and Europe by exposing confidential data. With breaches like this becoming increasingly common, it can be easy to blame advanced persistent threat (APT) groups and other malicious actors; however, there is a valuable lesson to learn from the MOVEit breach: it is essential to be proactive about these threats, Not doing so may lead to a breach. I’ve put together this blog post as a reminder that security organizations—and quite frankly, boards and executive leadership—should view internal security threats just as seriously as external ones when it comes time to protecting their organization’s sensitive information. --------------------------------------------- https://www.safebreach.com/moveit-vulnerability-a-painful-reminder-that-thr… ∗∗∗ Gaps in Azure Service Fabric’s Security Call for User Vigilance ∗∗∗ --------------------------------------------- In this blog post, we discuss different configuration scenarios that may lead to security issues with Azure Service Fabric, a distributed platform for deploying, managing, and scaling microservices and container applications. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/f/gaps-in-azure-service-fabric… ∗∗∗ GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking ∗∗∗ --------------------------------------------- Millions of GitHub repositories are potentially vulnerable to RepoJacking. New research by Aqua Nautilus sheds light on the extent of RepoJacking, which if exploited may lead to code execution on organizations’ internal environments or on their customers’ environments. As part of our research, we found an enormous source of data that allowed us to sample a dataset and find some highly popular targets. --------------------------------------------- https://blog.aquasec.com/github-dataset-research-reveals-millions-potential… ===================== = Vulnerabilities = ===================== ∗∗∗ Heap-based buffer over-read in Autodesk® Desktop Licensing Service ∗∗∗ --------------------------------------------- Autodesk® Desktop Licensing Installer has been affected by privilege escalation vulnerabilities. Exploitation of these vulnerabilities could lead to code execution due to weak permissions. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0011 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libfastjson, libx11, opensc, python-mechanize, and wordpress), SUSE (salt and terraform-provider-helm), and Ubuntu (firefox, libx11, pngcheck, python-werkzeug, ruby3.1, and vlc). --------------------------------------------- https://lwn.net/Articles/935552/ ∗∗∗ K000135122 : Linux kernel vulnerability CVE-2023-0461 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135122 ∗∗∗ Multiple vulnerabilities in Open JDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005601 ∗∗∗ IBM Storage Protect is vulnerable to a denial of service attack due to Google Gson (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005605 ∗∗∗ Multiple vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server January 2023 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005623 ∗∗∗ Python Cryptographic Authority cryptography is vulnerable to IBM X-Force ID: 239927 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005639 ∗∗∗ There is a vulnerability in Apache Commons BCEL used by IBM Maximo Asset Management (CVE-2022-42920) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6991671 ∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964694 ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect Cloud Pak System (CVE-2023-21830, 2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005573 ∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005499 ∗∗∗ IBM Operational Decision Manager June 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005851 ∗∗∗ Operations Dashboard is vulnerable to multiple vulnerabilities in Golang ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005869 ∗∗∗ SnakeYaml is vulnerable to CVE-2022-1471 used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005873 ∗∗∗ A security vulnerability has been identified in FasterXML jackson-databind shipped with IBM Tivoli Netcool Impact (CVE-2021-46877) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005907 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2023
by Daily end-of-shift report 20 Jun '23

20 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Montag 19-06-2023 18:00 − Dienstag 20-06-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SeroXen Mechanisms: Exploring Distribution, Risks, and Impact ∗∗∗ --------------------------------------------- This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/f/seroxen-mechanisms-exploring… ∗∗∗ New RDStealer malware steals from drives shared over Remote Desktop ∗∗∗ --------------------------------------------- A cyberespionage and hacking campaign tracked as RedClouds uses the custom RDStealer malware to automatically steal data from drives shared through Remote Desktop connections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals… ∗∗∗ Honeypot Recon: MSSQL Server – Database Threat Overview 22’/23’ ∗∗∗ --------------------------------------------- In this article, well reveal botnet behavior before and after a successful attack. These bots have one job: to install malicious software that can mine digital coins or create backdoors into systems. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-re… ∗∗∗ Wie wir ein Bahnticket buchen wollten und am Ende 245.000 Datensätze hatten ∗∗∗ --------------------------------------------- Um die deutsch-französische Freundschaft zu feiern, haben sich Bundesverkehrsminister Wissing und sein französischer Kollege Beaune etwas Besonderes ausgedacht: Je Land 30.000 kostenlose Interrail-Tickets für Reisen in Deutschland und Frankreich für junge Erwachsene zwischen 18 und 27. Allerdings lief beim Verteilen der Interrail-Pässe einiges schief. --------------------------------------------- https://zerforschung.org/posts/freundschaftspass-de/ ∗∗∗ "iCloud-Speicher ist voll": Phishing-Kampagne zielt auf Apple-Nutzer ∗∗∗ --------------------------------------------- iCloud-Gratisspeicherplatz ist schnell gefüllt, Mails mit Upgrade-Hinweisen sind für viele Nutzer ein vertrauter Anblick. Darauf setzen erneut auch Kriminelle. --------------------------------------------- https://heise.de/-9192454 ∗∗∗ OT:Icefall: Vulnerabilities Identified in Wago Controllers ∗∗∗ --------------------------------------------- Forescout Technologies has disclosed the details of vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric. --------------------------------------------- https://www.securityweek.com/oticefall-vulnerabilities-identified-in-wago-c… ∗∗∗ Vorsicht vor gefälschten Gymshark-Shops ∗∗∗ --------------------------------------------- Sie suchen nach günstigen Angeboten der Marke Gymshark? Fündig werden Sie bei den Fake-Shops gymsharkwien.com, gym-shark-osterreich.com oder gymsharkosterreichsale.com. Die Shops vermitteln durch den Zusatz „Wien“ oder „Österreich“ in der Internetadresse den Eindruck, dass es sich um österreichische Shops handelt. Tatsächlich sind Sie aber in einem Fake-Shop gelandet. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gymshark-s… ∗∗∗ RecordBreaker Infostealer Disguised as a .NET Installer ∗∗∗ --------------------------------------------- Malware that are being distributed disguised as cracks are evolving. In the past, malware was simply distributed as the executable itself. However, there was a gradual shift towards also including normal files within a compressed file. More recently, there was a sample where a normal installer was downloaded and executed. If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed. --------------------------------------------- https://asec.ahnlab.com/en/54658/ ∗∗∗ Tsunami DDoS Malware Distributed to Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner. When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS bots or CoinMiners. --------------------------------------------- https://asec.ahnlab.com/en/54647/ ===================== = Vulnerabilities = ===================== ∗∗∗ Router-Firmware: Asus rät aufgrund kritischer Lücken dringend zum Update ∗∗∗ --------------------------------------------- Asus hat in der Firmware für mehrere Router-Modelle kritische Schwachstellen geschlossen, die Angreifer potenziell bösartigen Code ausführen lassen. --------------------------------------------- https://www.golem.de/news/router-firmware-asus-raet-aufgrund-kritischer-lue… ∗∗∗ Zyxel security advisory for pre-authentication command injection vulnerability in NAS products ∗∗∗ --------------------------------------------- The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Storage Protect Server, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect Plus, ICP - IBM Answer Retrieval for Watson Discovery, IBM Watson Speech Services, IBM Robotic Process Automation, IBM dashDB Local, HMC, IBM Operations Analytics Predictive Insights, IBM Cloud Pak for Network Automation, IBM Spectrum Discover, IBM Copy Services Manager, IBM SDK and IBM Maximo. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxpm and php7.3), Fedora (chromium), Mageia (kernel, kernel-linus, and sysstat), Red Hat (c-ares), SUSE (libwebp), and Ubuntu (cups-filters, libjettison-java, and libsvgpp-dev). --------------------------------------------- https://lwn.net/Articles/935353/ ∗∗∗ Enphase Envoy ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-01 ∗∗∗ Enphase Installer Toolkit Android App ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-02 ∗∗∗ 2023-06-20: OXAS-ADV-2023-0002 ∗∗∗ --------------------------------------------- https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-202… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.06.2023
by Daily end-of-shift report 19 Jun '23

19 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-06-2023 18:00 − Montag 19-06-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Android spyware camouflaged as VPN, chat apps on Google Play ∗∗∗ --------------------------------------------- Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-spyware-camouflaged-… ∗∗∗ Security Expert Defeats Lenovo Laptop BIOS Password With a Screwdriver ∗∗∗ --------------------------------------------- Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password. --------------------------------------------- https://it.slashdot.org/story/23/06/16/2322255/security-expert-defeats-leno… ∗∗∗ From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as its also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. --------------------------------------------- https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html ∗∗∗ New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions ∗∗∗ --------------------------------------------- A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. --------------------------------------------- https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html ∗∗∗ [SANS ISC] Malware Delivered Through .inf File ∗∗∗ --------------------------------------------- Today, I published the following diary on isc.sans.edu: “Malware Delivered Through .inf File“: Microsoft has used “.inf” files for a while. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you read them, the syntax is straightforward to understand. The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection]. --------------------------------------------- https://blog.rootshell.be/2023/06/19/sans-isc-malware-delivered-through-inf… ∗∗∗ The Phantom Menace: Exposing hidden risks through ACLs in Active Directory (Part 1) ∗∗∗ --------------------------------------------- The abuse of misconfigured Access Control Lists is nothing new. However, it is still one of the main ways of lateral movement and privilege escalation within an active directory domain. [..] In this post, we will discuss, in a general overview, some concepts that will help us understand how Windows handles access relationships and privileges between objects and how to enumerate these relationships. --------------------------------------------- https://labs.lares.com/securing-active-directory-via-acls/ ∗∗∗ Speculative Denial-of-Service Attacks in Ethereum ∗∗∗ --------------------------------------------- Block proposers speculatively execute transactions when creating blocks to maximize their profits. How can this go wrong? In “Speculative Denial-of-Service Attacks in Ethereum”, we show how speculative execution allows attackers to cheaply DoS the network. --------------------------------------------- https://medium.com/@aviv.yaish/speculative-denial-of-service-attacks-in-eth… ∗∗∗ Warning: Malware Disguised as a Security Update Installer Being Distributed ∗∗∗ --------------------------------------------- AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software. --------------------------------------------- https://asec.ahnlab.com/en/54375/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-889: Schneider Electric IGSS DashFiles Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-889/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-go.crypto, maradns, requests, sofia-sip, and xmltooling), Fedora (chromium, iaito, iniparser, libX11, matrix-synapse, radare2, and thunderbird), Red Hat (c-ares, jenkins and jenkins-2-plugins, and texlive), SUSE (bluez, chromium, go1.19, go1.20, jetty-minimal, kernel, kubernetes1.18, kubernetes1.23, kubernetes1.24, libX11, open-vm-tools, openvswitch3, opera, syncthing, and xen), and Ubuntu (libcap2, libpod, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-lowlatency, linux-raspi, linux-oem-5.17, linux-oem-6.1, pypdf2, and qemu). --------------------------------------------- https://lwn.net/Articles/935184/ ∗∗∗ Vulnerability in Apache Commons FileUpload may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6998653 ∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004699 ∗∗∗ Vulnerability in Eclipse OpenJ9 affects Rational Performance Tester (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004703 ∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004701 ∗∗∗ Vulnerability in Eclipse OpenJ9 affects Rational Service Tester (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004705 ∗∗∗ Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6995589 ∗∗∗ Vulnerabilities with OpenSSL, Apache HTTP Server, Python affect IBM Cloud Object Storage Systems (June 2023v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004661 ∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Performance Tester. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004709 ∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Service Tester. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004711 ∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-1280, CVE-2023-0386, CVE-2022-4269, CVE-2022-2873, CVE-2022-4378) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6995585 ∗∗∗ Vulnerabilities with Linux Kernel, OpenJDK affect IBM Cloud Object Storage Systems (June 2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002711 ∗∗∗ Vulnerabilities in Golang Go might affect IBM Spectrum Copy Data Management ( CVE-2023-24536, CVE-2023-24537, CVE-2023-24538) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6998399 ∗∗∗ IBM Sterling Control Center is vulnerable to denial of service attack due to Java SE (CVE-2022-21426) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004723 ∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Java SE (CVE-2023-21830, CVE-2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004721 ∗∗∗ Vulnerabilities in OpenSSL might affect IBM Spectrum Copy Data Management (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6995593 ∗∗∗ IBM Aspera Shares is vulnerable to cross-site scripting due to JQuery-UI (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004731 ∗∗∗ Vulnerabilities in Oracle Java SE might affect IBM Spectrum Copy Data Management (CVE-2023-21968, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21937, CVE-2023-21930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6995595 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004197 ∗∗∗ Vulnerabilities in Flask and Pallets Werkzeug may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2023-30861, CVE-2023-25577, CVE-2023-23934) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999973 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986323 ∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001663 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.06.2023
by Daily end-of-shift report 16 Jun '23

16 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-06-2023 18:00 − Freitag 16-06-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Another RAT Delivered Through VBS, (Fri, Jun 16th) ∗∗∗ --------------------------------------------- VBS looks popular these days. After the last Didier's diary, I found another interesting script. It started with an email that referenced a fake due invoice. The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time. --------------------------------------------- https://isc.sans.edu/diary/rss/29956 ∗∗∗ Demystifying Website Hacktools: Types, Threats, and Detection ∗∗∗ --------------------------------------------- When we think about website malware, visible infection symptoms most often come to mind: unwanted ads or pop-ups, redirects to third party sites, or spam keywords in search results. However, in some cases these very symptoms are the results of hacktools, a diverse and often insidious category of software designed to exploit vulnerabilities and compromise website security. --------------------------------------------- https://blog.sucuri.net/2023/06/demystifying-website-hacktools-types-threat… ∗∗∗ ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC ∗∗∗ --------------------------------------------- The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actors capabilities.The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling. --------------------------------------------- https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS & FortiProxy: authenticated user null pointer dereference in SSL-VPN ∗∗∗ --------------------------------------------- A NULL pointer dereference vulnerability in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests. CVE: CVE-2023-33306 --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-015 ∗∗∗ Microsoft ODBC and OLE DB Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable). --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349 ∗∗∗ Microsoft OLE DB Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, openjdk-17, and wireshark), Fedora (iniparser, mariadb, mingw-glib2, perl-HTML-StripScripts, php, python3.7, and syncthing), Oracle (.NET 6.0, c-ares, kernel, nodejs, and python3.9), Slackware (libX11), SUSE (amazon-ssm-agent and chromium), and Ubuntu (gsasl, libx11, and sssd). --------------------------------------------- https://lwn.net/Articles/934939/ ∗∗∗ Mattermost security updates 7.10.3 / 7.9.5 / 7.8.7 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-10-3-7-9-5-7-8-7-… ∗∗∗ Weitere kritische Sicherheitslücke in MOVEit Transfer - Workaround und Patches verfügbar ∗∗∗ --------------------------------------------- In MOVEit Transfer wurde eine weitere kritische Sicherheitslücke entdeckt. Auswirkungen Da es sich um eine SQL-Injection - Schwachstelle handelt, ist davon auszugehen dass alle auf betroffenen Systemen hinterlegten Daten gefährdet sind. --------------------------------------------- https://cert.at/de/warnungen/2023/6/weitere-kritische-sicherheitslucke-in-m… ∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * SUBNET PowerSYSTEM Center * Advantech WebAccessSCADA * Siemens SICAM Q200 Devices * Siemens SIMOTION * Siemens SIMATIC WinCC * Siemens TIA Portal * Siemens SIMATIC WinCC V7 * Siemens SIMATIC STEP 7 and Derived Products * Siemens Solid Edge * Siemens SIMATIC S7-1500 TM MFP BIOS * Siemens SIMATIC S7-1500 TM MFP Linux Kernel * Siemens SINAMICS Medium Voltage Products * Siemens SICAM A8000 Devices * Siemens Teamcenter Visualization and JT2Go --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/15/cisa-releases-fourteen-i… ∗∗∗ Multiple vulnerabilities in Panasonic AiSEG2 ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN19748237/ ∗∗∗ ZDI-23-879: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-879/ ∗∗∗ ZDI-23-878: (0Day) Ashlar-Vellum Cobalt AR File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-878/ ∗∗∗ ZDI-23-877: (0Day) Ashlar-Vellum Cobalt IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-877/ ∗∗∗ ZDI-23-876: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-876/ ∗∗∗ ZDI-23-875: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-875/ ∗∗∗ ZDI-23-874: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-874/ ∗∗∗ ZDI-23-873: (0Day) Ashlar-Vellum Cobalt Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-873/ ∗∗∗ ZDI-23-872: (0Day) Ashlar-Vellum Cobalt Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-872/ ∗∗∗ ZDI-23-871: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-871/ ∗∗∗ ZDI-23-870: (0Day) Ashlar-Vellum Cobalt Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-870/ ∗∗∗ ZDI-23-869: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-869/ ∗∗∗ ZDI-23-868: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-868/ ∗∗∗ ZDI-23-867: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-867/ ∗∗∗ ZDI-23-866: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-866/ ∗∗∗ ZDI-23-865: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-865/ ∗∗∗ ZDI-23-864: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Access Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-864/ ∗∗∗ ZDI-23-863: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-863/ ∗∗∗ ZDI-23-862: (0Day) Ashlar-Vellum Cobalt CO File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-862/ ∗∗∗ ZDI-23-861: (0Day) Ashlar-Vellum Cobalt CO File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-861/ ∗∗∗ ZDI-23-860: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-860/ ∗∗∗ ZDI-23-859: (0Day) Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-859/ ∗∗∗ CVE-2023-32027 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027 ∗∗∗ CVE-2023-29356 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356 ∗∗∗ CVE-2023-32025 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025 ∗∗∗ CVE-2023-32026 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026 ∗∗∗ Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004263 ∗∗∗ There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002345 ∗∗∗ IBM SPSS Modeler is vulnerabile to SSL private key exposure (CVE-2023-33842) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004299 ∗∗∗ Vulnerability of xmlbeans-2.6.0.jar has affected APM DataPower agent. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004599 ∗∗∗ Vulnerabilities of Apache commons codec (commons-codec-1.6.jar) have affected APM NetApp Storage and APM File Gateway Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004597 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004655 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004653 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2023
by Daily end-of-shift report 15 Jun '23

15 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-06-2023 18:00 − Donnerstag 15-06-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft: Windows Kernel CVE-2023-32019 fix is disabled by default ∗∗∗ --------------------------------------------- Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-windows-kernel-cve… ∗∗∗ Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway ∗∗∗ --------------------------------------------- A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022."UNC4841 is an espionage actor behind this wide-ranging campaign in support of the Peoples Republic of China," Google-owned Mandiant said in a new report published today, [...] --------------------------------------------- https://thehackernews.com/2023/06/chinese-unc4841-group-exploits-zero-day.h… ∗∗∗ Hardware Hacking to Bypass BIOS Passwords ∗∗∗ --------------------------------------------- This article serves as a beginner’s hardware hacking journey, performing a BIOS password bypass on Lenovo laptops. We identify what the problem is, how to identify a vulnerable chip, how to bypass a vulnerable chip, and finally, analyse why this attack works and ways that it can be prevented. --------------------------------------------- https://blog.cybercx.co.nz/bypassing-bios-password ∗∗∗ Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver ∗∗∗ --------------------------------------------- Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. [..] While I’ve seen a lot of material from the defensive community (they were fast on this one) about the detection mechanism, IOCs, prevention policies and intelligence, I feel some other, perhaps more interesting vulnerable code paths in this driver were not explored nor discussed. --------------------------------------------- https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-a… ∗∗∗ Sicherheitsupdates: Attacken auf Pixel-Smartphones von Google gesichtet ∗∗∗ --------------------------------------------- Google hat etliche Sicherheitslücken in Pixel-Smartphones mit Android 13 geschlossen. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-9188302 ∗∗∗ Eset schließt Sicherheitslücken in Virenscannern für Linux und Mac ∗∗∗ --------------------------------------------- Aufgrund einer hochriskanten Sicherheitslücke in Esets Virenschutz für Linux und Mac können Angreifer ihre Rechte ausweiten. Updates stehen bereit. --------------------------------------------- https://heise.de/-9188823 ∗∗∗ Kritisches Leck: Codeschmuggel auf mehr als 50 HP Laserjet MFP-Modelle möglich ∗∗∗ --------------------------------------------- HP warnt vor einer kritischen Sicherheitslücke in mehr als 50 HP (Enterprise) Laserjet MFP-Modellen. Angreifer aus dem Netz können Schadcode einschleusen. --------------------------------------------- https://heise.de/-9188162 ∗∗∗ WhatsApp Backups im Visier von Android GravityRAT ∗∗∗ --------------------------------------------- ESET-Forscher analysierten eine aktualisierte Version der Android-Spyware GravityRAT, die WhatsApp-Backup-Dateien stiehlt und Befehle zum Löschen von Dateien empfangen kann. --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/06/15/whatsapp-backups-im-visie… ∗∗∗ Android Malware Impersonates ChatGPT-Themed Applications ∗∗∗ --------------------------------------------- Android malware posing as ChatGPT-themed apps targets mobile users. We report on instances of this attack vector, identifying two distinct types. --------------------------------------------- https://unit42.paloaltonetworks.com/android-malware-poses-as-chatgpt/ ∗∗∗ Unternehmen von LinkedIn-Betrugsfällen betroffen ∗∗∗ --------------------------------------------- Beliebteste Betrugsform sind Kontaktanfragen von einer unbekannten Person mit einem verdächtigen Link in der Nachricht. --------------------------------------------- https://www.zdnet.de/88409942/unternehmen-von-linkedin-betrugsfaellen-betro… ∗∗∗ CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs) ∗∗∗ --------------------------------------------- Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them. BMCs are trusted components designed into a computers hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joi… ∗∗∗ Gut gemachter Phishing-Versuch mit Malware im Namen Microsofts ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich auf einen gut gemachten Phishing-Versuch per E-Mail aufmerksam gemacht, der das Thema Multifactor-Authentifizierung (MFA) aufgreift. Dabei wird suggeriert, dass die Mail von Microsoft selbst stammt (es wird eine Sub-Domain von Microsoft benutzt) und die Leute agieren [...] --------------------------------------------- https://www.borncity.com/blog/2023/06/15/gut-gemachter-phishing-versuch-mit… ∗∗∗ Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers ∗∗∗ --------------------------------------------- Without altering a single line of code, attackers poisoned the NPM package “bignum” by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones. --------------------------------------------- https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploi… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-858: (0Day) Pulse Secure Client SetupService Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Pulse Secure Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-858/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (python-django-filter and qt), Mageia (cups, firefox/nss, httpie, thunderbird, and webkit2), Red Hat (.NET 6.0, .NET 7.0, c-ares, firefox, jenkins and jenkins-2-plugins, nodejs, nodejs:18, python3, python3.11, python3.9, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (frr, opensc, python3, and rekor), and Ubuntu (c-ares, glib2.0, libcap2, linux-intel-iotg-5.15, pano13, and requests). --------------------------------------------- https://lwn.net/Articles/934802/ ∗∗∗ Vulnerabilities in Samba ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-05 ∗∗∗ Windows PowerShell PS1 Trojan File RCE ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023060031 ∗∗∗ Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-020 ∗∗∗ CVE-2023-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0010 ∗∗∗ CVE-2023-0009 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0009 ∗∗∗ IBM Sterling Partner Engagement Manager is vulnerable to CSS injection due to Swagger UI (CVE-2019-17495) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004151 ∗∗∗ IBM Sterling Partner Engagement Manager vulnerable to buffer overflow due to OpenJDK (CVE-2023-2597) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004153 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004175 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2022-39161] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004183 ∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase ( CVE-2023-24966, CVE-2022-39161, CVE-2023-27554, CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004187 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004199 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7004197 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999605 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2023
by Daily end-of-shift report 14 Jun '23

14 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-06-2023 18:00 − Mittwoch 14-06-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft: Windows 10 21H2 has reached end of servicing ∗∗∗ --------------------------------------------- Multiple editions of Windows 10 21H2 have reached their end of service (EOS) in this months Patch Tuesday, as Microsoft reminded customers today. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-21h2-h… ∗∗∗ Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits ∗∗∗ --------------------------------------------- At least half of dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service.All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server, --------------------------------------------- https://thehackernews.com/2023/06/fake-researcher-profiles-spread-malware.h… ∗∗∗ Shampoo: A New ChromeLoader Campaign ∗∗∗ --------------------------------------------- Recently HP Wolf Security detected a new malware campaign built around a new malicious ChromeLoader extension called Shampoo. [..] Its goal is to install a malicious extension in Google Chrome that is used for advertising. Older versions of ChromeLoader have a particularly complex infection chain, starting with the victim downloading malicious ISO files from websites hosting illegal content. --------------------------------------------- https://www.bromium.com/shampoo-a-new-chromeloader-campaign/ ∗∗∗ VMware ESXi Zero-Day Used [..] to Perform Privileged Guest Operations on Compromised Hypervisors ∗∗∗ --------------------------------------------- This blog post describes an expanded understanding of the attack path seen in Figure 1 and highlights the implications of both the zero-day vulnerability (CVE-2023-20867) and VMCI communication sockets the attacker leveraged to complete their goal. [Note: Patch verfügbar, siehe VMSA-2023-0013: "VMware Tools update addresses Authentication Bypass vulnerability"] --------------------------------------------- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass ∗∗∗ Pre-announcement of BIND 9 security issues scheduled for disclosure 21 June 2023 ∗∗∗ --------------------------------------------- As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the June 2023 BIND 9 maintenance releases that will be published on Wednesday, 21 June will contain patches for security vulnerabilities affecting stable BIND 9 release branches. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2023-June/001234.html ∗∗∗ Booking.com-Betrug: Unterkünfte stornieren Buchungen und verlangen externe Zahlungen! ∗∗∗ --------------------------------------------- Auf booking.com scheinen Kriminelle eine neue Betrugsmethode für sich entdeckt zu haben. Sie bieten eine Unterkunft mit Zahlung vor Ort und kostenloser Stornierung an. Bucht jemand die Unterkunft, wird diese kurz darauf storniert. Außerhalb der booking.com-Kommunikationskanäle verspricht man nach „Verifikation des Zahlungsmittels“ einen neuerlichen Buchungsabschluss. --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-betrug-unterkuenfte-storn… ∗∗∗ U.S. and International Partners Release Comprehensive Cyber Advisory on LockBit Ransomware ∗∗∗ --------------------------------------------- This joint advisory is a comprehensive resource with common tools; exploitations; and tactics, techniques, and procedures (TTPs) used by LockBit affiliates, along with recommended mitigations for organizations to reduce the likelihood and impact of future ransomware incidents. --------------------------------------------- https://www.cisa.gov/news-events/news/us-and-international-partners-release… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Stripe payment plugin bug leaks customer order details ∗∗∗ --------------------------------------------- The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-stripe-payment-plu… ∗∗∗ Webbrowser: Neue Chrome-Version schließt kritische Schwachstelle ∗∗∗ --------------------------------------------- Im Webbrowser Chrome von Google klafft eine kritische Sicherheitslücke. Updates zum Schließen stehen bereit. Chrome-Nutzer sollten sie zügig installieren. --------------------------------------------- https://heise.de/-9186834 ∗∗∗ Webkonferenz-Software: Mehrere hochriskante Lücken in Zoom gestopft ∗∗∗ --------------------------------------------- Die Entwickler der Webkonferenz-Software Zoom haben zwölf Sicherheitsmeldungen veröffentlicht. Zum Abdichten der Schwachstellen liefern sie Aktualisierungen. --------------------------------------------- https://heise.de/-9186898 ∗∗∗ WordPress-Shops mit WooCommerce-Plug-in: Angreifer könnten Kundendaten einsehen ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle sind persönliche Kundendaten in WordPress-Shopwebsites nicht optimal geschützt. Admins sollten zügig handeln. --------------------------------------------- https://heise.de/-9187447 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, owslib, php7.4, and php8.2), Fedora (ntp-refclock, php, and python3.7), Red Hat (c-ares, firefox, and thunderbird), SUSE (kernel, openldap2, and tomcat), and Ubuntu (binutils, dotnet6, dotnet7, node-fetch, and python-tornado). --------------------------------------------- https://lwn.net/Articles/934619/ ∗∗∗ SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates ∗∗∗ --------------------------------------------- SAP has released eight new security notes on June 2023 Security Patch Day, including two that address high-severity vulnerabilities.The post SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/sap-patches-high-severity-vulnerabilities-with… ∗∗∗ ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities ∗∗∗ --------------------------------------------- ICS Patch Tuesday: Siemens and Schneider Electric have published more than a dozen advisories addressing over 200 vulnerabilities.The post ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-over-180-t… ∗∗∗ Windows and Linux Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2023-24490 ∗∗∗ --------------------------------------------- CTX559370 NewWindows and Linux Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2023-24490Applicable Products : Citrix Virtual Apps and Desktops --------------------------------------------- https://support.citrix.com/article/CTX559370/windows-and-linux-virtual-deli… ∗∗∗ Fortinet Releases June 2023 Vulnerability Advisories ∗∗∗ --------------------------------------------- Fortinet has released its June 2023 Vulnerability Advisories to address vulnerabilities affecting multiple products. An attacker could exploit one of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the Fortinet June 2023 Vulnerability Advisories page for more information and apply the necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/13/fortinet-releases-june-2… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.Experience Manager APSB23-31Commerce APSB23-35Animate APSB23-36Substance 3D Designer APSB23-39 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/13/adobe-releases-security-… ∗∗∗ Tuesday June 20 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday June 20 2023 in order to address: 7 medium severity issues, 3 high severity issues, OpenSSL security updates, c-ares 22th May security updates --------------------------------------------- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases ∗∗∗ Microsoft Releases June 2023 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review Microsoft’s June 2023 Security Update Guide and Deployment Information and apply the necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/13/microsoft-releases-june-… ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999317 ∗∗∗ IBM Security Guardium is affected by multiple Oracle\u00ae MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981105 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981101 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000021 ∗∗∗ IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6573001 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to HTTP request smuggling in Apache Tomcat (CVE-2022-42252). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003581 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-0286, CVE-2023-23931) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003815 ∗∗∗ A vulnerability in Certifi package may affect IBM Storage Scale (CVE-2022-23491) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003817 ∗∗∗ IBM App Connect for Healthcare is affected by multiple Apache vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999671 ∗∗∗ Apache Commons FileUpload vulnerability affects IBM Financial Transaction Manager (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003827 ∗∗∗ TADDM is vulnerable to a denial of service due to vulnerability in Castor Library ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003861 ∗∗∗ Multiple Vulnerabilities of Apache HttpClient have affected APM Linux KVM Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003887 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2023
by Daily end-of-shift report 13 Jun '23

13 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Montag 12-06-2023 18:00 − Dienstag 13-06-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away ∗∗∗ --------------------------------------------- Key-leaking side channels are a fact of life. Now they can be done by video-recording power LEDs. --------------------------------------------- https://arstechnica.com/?p=1947319 ∗∗∗ Passwort-Manager Bitwarden: Master-Schlüssel war für alle lesbar ∗∗∗ --------------------------------------------- Der Passwort-Manager Bitwarden unterstützt die Authentifizierung mit Windows Hello. Bis vor Kurzem war darüber der Master-Schlüssel für alle auslesbar. --------------------------------------------- https://heise.de/-9184586 ∗∗∗ BSI veröffentlicht Version 1.0.1 des TLS-Testtools TaSK ∗∗∗ --------------------------------------------- Nach der Veröffentlichung einer Beta-Version im Januar hat das BSI in der neuen Version weitere Funktionalitäten eingefügt. Die Version ist funktionsfähig für TLS-Server, TLS-Clients sowie für weitere Fachanwendungen wie beispielsweise eID-Clients, eID-Server oder auch E-Mail-Server. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Vorsicht vor zu günstigen „La Sportiva“-Produkten ∗∗∗ --------------------------------------------- Der Berg und die Fake-Angebote im Internet rufen. Aktuell werden uns vermehrt Fake-Shops der Outdoor-Marke „La Sportiva“ gemeldet. Aufmerksam auf die Schnäppchen werden Kund:innen vor allem durch Werbung auf Facebook, Instagram und Co. Ist der Preis zu schön, um wahr zu sein, handelt es sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-zu-guenstigen-la-sporti… ∗∗∗ Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies ∗∗∗ --------------------------------------------- This is part one of a series that will cover Win32k internals and exploitation in general using these two vulnerabilities (CVE-2022-21882, CVE-2021-1732) and their related proof-of-concept (PoC) exploits as examples. --------------------------------------------- https://unit42.paloaltonetworks.com/win32k-analysis-part-1/ ∗∗∗ Are smartphone thermal cameras sensitive enough to uncover PIN codes? ∗∗∗ --------------------------------------------- I started out thinking that these cameras were gimmicks, but theyve become an important tool in the toolbox. Heres why - and a little test. --------------------------------------------- https://www.zdnet.com/home-and-office/are-smartphone-thermal-cameras-sensit… ===================== = Vulnerabilities = ===================== ∗∗∗ Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571) ∗∗∗ --------------------------------------------- Product Name: System.Linq.Dynamic.Core Affected versions 1.0.7.10 to 1.2.25 CVE: CVE-2023-32571 CVSSv3.1 base score 9.1 Users can execute arbitrary code and commands where user input is passed to Dynmic Linq methods such as .Where(...), .All(...), .Any(...) and .OrderBy(...). --------------------------------------------- https://research.nccgroup.com/2023/06/13/dynamic-linq-injection-remote-code… ∗∗∗ TYPO3 Security Advisories ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: "Faceted Search" (ke_search) "ipandlanguageredirect" (ipandlanguageredirect) "Canto Extension" (canto_extension) For further information on the issues, please read the related advisories TYPO3-EXT-SA-2023-004, TYPO3-EXT-SA-2023-005 and TYPO3-EXT-SA-2023-006 --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ New Siemens Security Advisories ∗∗∗ --------------------------------------------- TIA Portal, SIMOTION, SIMATIC WinCC, Teamcenter Visualization and JT2Go, CPCI85 Firmware of SICAM A8000 Devices, SIMATIC S7-1500 TM MFP V1.0, SICAM Q200 Devices, SIMATIC WinCC V7, Integrated SCALANCE S615 of SINAMICS Medium Voltage Products, in SIMATIC STEP 7 V5.x and Derived Products, Solid Edge --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (vim), Fedora (kernel), Oracle (emacs, firefox, python3, and qemu), SUSE (firefox, java-1_8_0-ibm, and libwebp), and Ubuntu (firefox, glusterfs, and sniproxy). --------------------------------------------- https://lwn.net/Articles/934492/ ∗∗∗ Synology-SA-23:08 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain user credential via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_08 ∗∗∗ Synology-SA-23:07 DSM ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain user credential via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_07 ∗∗∗ Synology-SA-23:06 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_06 ∗∗∗ Synology-SA-23:05 DSM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_05 ∗∗∗ ShareFile StorageZones Controller Security Update for CVE-2023-24489 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. [..] All customer-managed ShareFile storage zones controllers versions prior to the latest version 5.11.24 have been blocked to protect our customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied. --------------------------------------------- https://support.citrix.com/article/CTX559517/sharefile-storagezones-control… ∗∗∗ Kritische Sicherheitslücke in Fortinet FortiOS und FortiProxy SSL-VPN Produkten - aktiv ausgenutzt, Updates verfügbar ∗∗∗ --------------------------------------------- 13. Juni 2023 Beschreibung Fortinet hat eine Warnung herausgegeben, dass in den SSL-VPN - Komponenten der Produkte FortiOS und FortiProxy eine kritische Sicherheitslücke besteht, die auch bereits aktiv ausgenutzt wird, und stellt erste entsprechende Updates bereit. CVE-Nummer(n): CVE-2023-27997 CVSSv3 Score: 9.2 Auswirkungen Unauthentisierte Angreifer:innen können durch Ausnutzen der Lücke beliebigen Code auf betroffenen Geräten ausführen. Da diese Geräte --------------------------------------------- https://cert.at/de/warnungen/2023/6/kritische-sicherheitslucke-in-fortinet-… ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-164-01 Datalogics Library Third-Party - ICSA-23-164-02 Rockwell Automation FactoryTalk Services Platform - ICSA-23-164-03 Rockwell Automation FactoryTalk Edge Gateway - ICSA-23-164-04 Rockwell Automation FactoryTalk Transaction Manager --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/13/cisa-releases-four-indus… ∗∗∗ Chatwork Desktop Application (Mac) vulnerable to code injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN96828492/ ∗∗∗ PHOENIX CONTACT: FL MGUARD affected by two vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-010/ ∗∗∗ 2023-06-12: Cyber Security Advisory - ABB Relion REX640 Cyber Security Improvements ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001423&Language… ∗∗∗ VMSA-2023-0013 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0013.html ∗∗∗ System Management Module (SMM) v1 and v2 / Fan Power Controller (FPC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500565-SYSTEM-MANAGEMENT-MODUL… ∗∗∗ Lenovo XClarity Administrator (LXCA) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500564-LENOVO-XCLARITY-ADMINIS… ∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002807 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z\/Transaction Processing Facility ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003337 ∗∗∗ Vulnerability of Apache Thrift (libthrift-0.12.0.jar ) have affected APM WebSphere Application Server Agent and APM SAP NetWeaver Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003479 ∗∗∗ Vulnerability of Google Gson (gson-2.8.2.jar ) have affected APM WebSphere Application Server Agent and APM SAP NetWeaver Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003477 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003495 ∗∗∗ Multiple Vulnerabilities of Jackson-Mapper-asl have affected APM Linux KVM Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003497 ∗∗∗ IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003501 ∗∗∗ IBM Workload Scheduler is potentially affected by a vulnerability in OpenSSL causing system crash (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003511 ∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability in SnakeYaml (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003513 ∗∗∗ OpenPages with Watson has addressed Node.js vulnerability (CVE-2022-32213) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003313 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2023
by Daily end-of-shift report 12 Jun '23

12 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-06-2023 18:00 − Montag 12-06-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortinet: SSL-VPN-Lücke ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Fortinet hat Updates für das FortiOS-Betriebssystem veröffentlicht. Sie schließen eine Sicherheitslücke im SSL-VPN, die das Einschleusen von Schadcode erlaubt. --------------------------------------------- https://heise.de/-9184284 ∗∗∗ Passwort-Manager Bitwarden: Biometrischer Schlüssel war für alle lesbar ∗∗∗ --------------------------------------------- Der Passwort-Manager Bitwarden unterstützt die Authentifizierung mit Windows Hello. Bis vor kurzem war der biometrische Schlüssel in Windows für alle auslesbar. --------------------------------------------- https://heise.de/-9184586 ∗∗∗ New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward ∗∗∗ --------------------------------------------- Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward. --------------------------------------------- https://www.securityweek.com/new-moveit-vulnerabilities-found-as-more-zero-… ∗∗∗ Exploit released for MOVEit RCE bug used in data theft attacks ∗∗∗ --------------------------------------------- Horizon3 security researchers have released proof-of-concept (PoC) exploit code for a remote code execution (RCE) bug in the MOVEit Transfer managed file transfer (MFT) solution abused by the Clop ransomware gang in data theft attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-… ∗∗∗ Strava heatmap feature can be abused to find home addresses ∗∗∗ --------------------------------------------- Researchers at the North Carolina State University Raleigh have discovered a privacy risk in the Strava apps heatmap feature that could lead to identifying users home addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/strava-heatmap-feature-can-b… ∗∗∗ Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency ∗∗∗ --------------------------------------------- Kaspersky researchers share insight into multistage DoubleFinger loader attack delivering GreetingGhoul cryptocurrency stealer and Remcos RAT. --------------------------------------------- https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptoc… ∗∗∗ Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer ∗∗∗ --------------------------------------------- Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions."A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said. --------------------------------------------- https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.ht… ∗∗∗ Bypassing Android Biometric Authentication ∗∗∗ --------------------------------------------- Cryptography and authentication issues are not only present in apps with a low number of downloads, but also in very popular apps. Furthermore, this affects also apps that aim to provide a high level of data protection, since they handle sensitive data that should be kept safe. [..] However, it is important to stress that to be able to perform a bypass, an attacker needs root permissions on the device of the victim or is able to talk the victim into installing a modified version of an app [..] --------------------------------------------- https://sec-consult.com/blog/detail/bypassing-android-biometric-authenticat… ∗∗∗ Circumventing inotify Watchdogs ∗∗∗ --------------------------------------------- Recently I’ve been building rudimentary file monitoring tools to get better at Golang, and build faux-watchdog programs for research at Arch Cloud Labs. Through this experimentation, I’ve identified some interesting gaps in the inotify subsystem that are new to me, but are well documented in the Linux man pages. This blog post will explore how to circumvent read detections implemented by inotify. --------------------------------------------- https://www.archcloudlabs.com/projects/inotify/ ∗∗∗ Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures ∗∗∗ --------------------------------------------- We are the first to provide an in-depth analysis of Office Open XML (OOXML) Signatures, the Ecma/ISO standard that all Microsoft Office applications use. Our analysis reveals major discrepancies between the structure of office documents and the way digital signatures are verified. These discrepancies lead to serious security flaws in the specification and in the implementation. As a result, we discovered five new attack classes. --------------------------------------------- https://www.usenix.org/system/files/sec23summer_235-rohlmann-prepub.pdf ∗∗∗ Defeating Windows DEP With A Custom ROP Chain ∗∗∗ --------------------------------------------- This article explains how to write a custom ROP (Return Oriented Programming) chain to bypass Data Execution Prevention (DEP) on a Windows 10 system. DEP makes certain parts of memory (e.g., the stack) used by an application non-executable. This means that overwriting EIP with a “JMP ESP” (or similar) instruction and then freely executing [...] --------------------------------------------- https://research.nccgroup.com/2023/06/12/defeating-windows-dep-with-a-custo… ∗∗∗ Instagram: Vorsicht vor gefälschter „Meta“-Nachricht ∗∗∗ --------------------------------------------- Ein Fake-Profil von Meta schreibt Ihnen auf Instagram. Angeblich haben Sie gegen das Urheberrecht verstoßen. Sie werden aufgefordert, ein Widerrufsformular auszufüllen, sonst wird das Konto gesperrt. Der Link zum Formular befindet sich gleich in der Nachricht. Vorsicht: Diese Nachricht ist Fake. Kriminelle stehlen Ihre Zugangsdaten und erpressen Sie im Anschluss. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-vorsicht-vor-gefaelschter-… ∗∗∗ Varonis warnt vor nicht mehr genutzten Salesforce-Sites ∗∗∗ --------------------------------------------- Sicherheitsforscher von Varonis sind auf ein Problem in Verbindung mit Salesforce-Sites gestoßen, die verwaist sind und nicht mehr genutzt werden. Die Sicherheitsforscher der Varonis Threat Labs haben entdeckt, dass unsachgemäß deaktivierte Salesforce-Sites, sogenannte Ghost Sites, weiterhin aktuelle Daten abrufen und für Angreifer zugänglich sind: Durch Manipulation des Host-Headers können Cyberkriminelle Zugang zu sensiblen personenbezogenen Daten und Geschäftsinformationen erhalten. --------------------------------------------- https://www.borncity.com/blog/2023/06/10/varonis-warnt-vor-nicht-mehr-genut… ∗∗∗ OAuth2 Security Best Current Practices ∗∗∗ --------------------------------------------- Die IETF hat zum 6. Juni 2023 ein Dokument "OAuth2 Security Best Current Practices" aktualisiert. Das Dokument beschreibt die derzeit beste Sicherheitspraxis für OAuth 2.0. Es aktualisiert und erweitert das OAuth 2.0-Sicherheitsbedrohungsmodell. --------------------------------------------- https://www.borncity.com/blog/2023/06/11/oauth2-security-best-current-pract… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pypdf2 and thunderbird), Fedora (chromium, dbus, mariadb, matrix-synapse, sympa, and thunderbird), Scientific Linux (python and python3), SUSE (chromium, gdb, and openldap2), and Ubuntu (jupyter-core, requests, sssd, and vim). --------------------------------------------- https://lwn.net/Articles/934456/ ∗∗∗ WordPress Theme Workreap 2.2.2 Unauthenticated Upload Leading to Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023060012 ∗∗∗ ASUS Router RT-AX3000 vulnerable to using sensitive cookies without Secure attribute ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN34232595/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.12 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-21/ ∗∗∗ This Power System update is being released to address CVE-2023-25683 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002721 ∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7002807 ∗∗∗ IBMid credentials may be exposed when directly downloading code onto IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Spectrum Virtualize products [CVE-2023-27870] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985697 ∗∗∗ Vulnerability in requests-2.27.1.tar.gz affects IBM Integrated Analytics System [CVE-2023-32681] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003185 ∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2020-28473] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003195 ∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2022-31799] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003201 ∗∗∗ Vulnerability in certifi-2018.4.16 affects IBM Integrated Analytics System [ CVE-2022-23491] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003205 ∗∗∗ IBM Cloud Kubernetes Service is affected by two containerd security vulnerabilities (CVE-2023-28642) (CVE-2023-27561) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001317 ∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000903 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003247 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003245 ∗∗∗ IBM App Connect Enterprise Certified Container operands that use the Snowflake connector are vulnerable to arbitrary code execution due to [CVE-2023-34232] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003259 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to arbitrary code execution due to PostgreSQL (CVE-2023-2454) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7003279 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2023
by Daily end-of-shift report 09 Jun '23

09 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-06-2023 18:00 − Freitag 09-06-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Barracuda Email Security Gateway Appliance (ESG) sofort austauschen! ∗∗∗ --------------------------------------------- Noch ein kurzes Thema, welche wegen Feiertag etwas liegen geblieben ist. Der Hersteller Barracuda fordert Administratoren seiner Email Security Gateway Appliance (ESG) auf, die Geräte sofort auszutauschen. Hintergrund ist eine Schwachstelle in den ESG-Modellen, die zwar Ende Mai 2025 gepatcht werden sollte. Das scheint aber nicht zu wirken und der Hersteller ruft zum Austausch auf. --------------------------------------------- https://www.borncity.com/blog/2023/06/08/barracuda-email-security-gateway-a… ∗∗∗ CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances ∗∗∗ --------------------------------------------- Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances. --------------------------------------------- https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-comprom… ∗∗∗ Royal ransomware gang adds BlackSuit encryptor to their arsenal ∗∗∗ --------------------------------------------- The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operations usual encryptor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-b… ∗∗∗ Detecting and mitigating a multi-stage AiTM phishing and BEC campaign ∗∗∗ --------------------------------------------- Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-miti… ∗∗∗ Undetected PowerShell Backdoor Disguised as a Profile File, (Fri, Jun 9th) ∗∗∗ --------------------------------------------- PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are usually obfuscated. Most of the time, this helps to have the script detected by fewer antivirus vendors. Yesterday, I found a script that scored 0/59 on VT! Lets have a look at it. --------------------------------------------- https://isc.sans.edu/diary/rss/29930 ∗∗∗ Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 ∗∗∗ --------------------------------------------- On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). [...] Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021. --------------------------------------------- https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit… ∗∗∗ MSSQL linked servers: abusing ADSI for password retrieval ∗∗∗ --------------------------------------------- When we talk about Microsoft SQL Server linked servers, we usually think of links to another SQL Server instances. However, this is only one of the multiple available options, so today we are going to delve into the Active Directory Service Interfaces (ADSI) provider, which allows querying the AD using the LDAP protocol. --------------------------------------------- https://www.tarlogic.com/blog/linked-servers-adsi-passwords/ ∗∗∗ Sicherheitsupdates Cisco: Angreifer könnten Passwörter beliebiger Nutzer ändern ∗∗∗ --------------------------------------------- Unter anderem Cisco Expressway Series und Adaptive Security Appliance sind verwundbar. Admins sollten die Software aktualisieren. --------------------------------------------- https://heise.de/-9180829 ∗∗∗ Minecraft-Modifikationspakete mit Fractureiser-Malware verseucht ∗∗∗ --------------------------------------------- Minecraftspieler aufgepasst: Auf den legitimen Portalen Bukkit und CurseForge sind infizierte Modifikationen aufgetaucht. --------------------------------------------- https://heise.de/-9182068 ∗∗∗ Schadcode-Attacken auf Netzwerk-Monitoringlösung von VMware möglich ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für VMware Aria Operations for Networks. Admins sollten zeitnah handeln. --------------------------------------------- https://heise.de/-9181036 ∗∗∗ Android-Viren: Trickreich vor Nutzern versteckt ∗∗∗ --------------------------------------------- Die Virenanalysten von Bitdefender sind beim Test einer Schutzkomponente auf Android-Malware gestoßen, die sich trickreich auf dem Smartphone versteckt. --------------------------------------------- https://heise.de/-9182008 ∗∗∗ Asylum Ambuscade: Crimeware oder Cyberspionage? ∗∗∗ --------------------------------------------- Ein seltsamer Fall eines Bedrohungsakteurs an der Grenze zwischen Crimeware und Cyberspionage. --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/06/08/asylum-ambuscade-crimewar… ∗∗∗ SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint ∗∗∗ --------------------------------------------- A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint. --------------------------------------------- https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-w… ∗∗∗ Shodan Verified Vulns 2023-06-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-06-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] Auch diesen Monat ist ein Abfall bei fast allen Einträgen zu verzeichnen. Die einzige verhältnismäßig größere Ausnahme ist die Sicherheitslücke CVE-2015-2080 (Jetleak). --------------------------------------------- https://cert.at/de/aktuelles/2023/6/shodan-verified-vulns-2023-06-01 ∗∗∗ Adventures in Disclosure: When Reporting Bugs Goes Wrong ∗∗∗ --------------------------------------------- The Zero Day Initiative (ZDI) is the world’s largest vendor-agnostic bug bounty program. That means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don’t buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. Why Disclose at All? This is a fine place to start. --------------------------------------------- https://www.thezdi.com/blog/2023/6/7/adventures-in-disclosure-when-reportin… ∗∗∗ May 2023’s Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud-Based Payloads ∗∗∗ --------------------------------------------- Check Point Research reported on a new version of shellcode-based downloader GuLoader featuring fully encrypted payloads for cloud-based delivery. Our latest Global Threat Index for May 2023 saw researchers report on a new version of shellcode-based downloader GuLoader, which was the fourth most prevalent malware. With fully encrypted payloads and anti-analysis techniques, the latest form can be stored undetected in well-known public cloud services, including Google Drive. --------------------------------------------- https://blog.checkpoint.com/security/may-2023s-most-wanted-malware-new-vers… ∗∗∗ Analyzing the FUD Malware Obfuscation Engine BatCloak ∗∗∗ --------------------------------------------- We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-ob… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-818: (0Day) ZTE MF286R goahead Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ZTE MF286R routers. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-818/ ∗∗∗ ZDI: Sante DICOM Viewer Pro Vulnerabilities ∗∗∗ --------------------------------------------- * ZDI-23-853: Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-853/ * ZDI-23-854: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-854/ * ZDI-23-855: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-855/ * ZDI-23-856: Sante DICOM Viewer Pro JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-856/ --------------------------------------------- https://www.santesoft.com/win/sante-dicom-viewer-pro/download.html ∗∗∗ Virenschutz: Hochriskante Sicherheitslücken in Trend Micros Apex One ∗∗∗ --------------------------------------------- In der Schutzsoftware Trend Micro Apex One können Angreifer Schwachstellen missbrauchen, um ihre Rechte am System auszuweiten. Aktualisierungen stehen bereit. --------------------------------------------- https://heise.de/-9180965 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, and ruby2.5), Fedora (curl, dbus, pypy, pypy3.8, pypy3.9, python3.10, and python3.8), Red Hat (python and python-flask), Scientific Linux (emacs), SUSE (firefox, google-cloud-sap-agent, libwebp, opensc, openssl, openssl-3, openssl1, python-sqlparse, python310, and supportutils), and Ubuntu (libxml2, netatalk, and sysstat). --------------------------------------------- https://lwn.net/Articles/934245/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jupyter-core, openssl, and ruby2.5), Fedora (firefox), Mageia (libreoffice, openssl, and python-flask), Red Hat (python and python3), Slackware (mozilla, php8, and python3), SUSE (java-1_8_0-ibm, libcares2, mariadb, and python36), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-intel-iotg, linux-raspi, linux-xilinx-zynqmp, and mozjs102). --------------------------------------------- https://lwn.net/Articles/934316/ ∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗ --------------------------------------------- Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-01 ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on June 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-159-01 Atlas Copco Power Focus 6000 ICSA-23-159-02 Sensormatic Electronics Illustra Pro Gen 4 CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/06/08/cisa-releases-two-indust… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2023
by Daily end-of-shift report 07 Jun '23

07 Jun '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-06-2023 18:00 − Mittwoch 07-06-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Schadcode könnte via Bluetooth-Lücke auf Android-Geräten landen ∗∗∗ --------------------------------------------- Google und weitere Hersteller haben wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Eine GPU-Lücke nutzen Angreifer bereits aus. --------------------------------------------- https://heise.de/-9179937 ∗∗∗ MOVEit: Ransomware-Gang "Clop" erpresst Unternehmen nach Sicherheitslücke ∗∗∗ --------------------------------------------- Ransomware-Gang erpresst Unternehmen wegen Sicherheitslücke in der Datenübertragungssoftware MOVEit. Unter den potenziellen Opfern sind auch prominente Firmen. --------------------------------------------- https://heise.de/-9179875 ∗∗∗ SpinOk: Weitere infizierte Android-Apps mit 30 Millionen Installationen entdeckt ∗∗∗ --------------------------------------------- Die Android-Malware SpinOk schlägt immer größere Wellen und Sicherheitsforscher sind auf fast 200 weitere damit infizierte Apps in Google Play gestoßen. --------------------------------------------- https://heise.de/-9180094 ∗∗∗ Wieso mich Cybersecurity-Awareness auch als KMU interessieren sollte… ∗∗∗ --------------------------------------------- „Wieso sollte ausgerechnet uns jemand angreifen?“ Geht es um Cyberkriminalität glauben nach wie vor viele kleine und mittlere Unternehmen, dass sie kein interessantes Ziel für Kriminelle sind. Doch Zahlen zeigen etwas anderes: Cybercrime nimmt zu und wird zur wachsenden Bedrohung für Unternehmen – und zwar auch für kleine und mittlere Unternehmen. Wir geben einen Überblick über die Cybercrime-Lage in österreichischen Unternehmen und KMU und [...] --------------------------------------------- https://www.watchlist-internet.at/news/wieso-mich-cybersecurity-awareness-a… ∗∗∗ Aufgebrochene Postkästen wegen Bestellbetrug ∗∗∗ --------------------------------------------- Ein aufgebrochener Postkasten lässt im ersten Moment nicht auf einen tiefergreifenden Betrug schließen. Man könnte vermuten, dass es jemand lediglich auf den Postkasteninhalt abgesehen hatte. Tatsächlich handelt es sich häufig um den letzten Schritt eines Bestellbetrugs, bei dem Kriminelle den gelben Zettel der Post aus dem Postkasten stehlen, um die dazugehörige Postempfangsbox öffnen und ein zuvor an die Adresse ihrer Opfer bestelltes Paket stehlen zu können. Opfer müssen spätere Rechnungen und Mahnungen nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/aufgebrochene-postkaesten-wegen-best… ∗∗∗ 2023 Vulnerabilities and Threat Trends ∗∗∗ --------------------------------------------- Understanding and monitoring vulnerability trends is crucial in maintaining robust cybersecurity practices. The evolving threat landscape demands constant vigilance and proactive measures from organizations and individuals alike. --------------------------------------------- https://www.prio-n.com/2023-vulnerabilities-and-threat-trends/ ∗∗∗ Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology ∗∗∗ --------------------------------------------- Here are some of the types of apps mimicked by the malware: Game cracks, Games with unlocked features, Free VPN, Fake videos, Netflix, Fake tutorials, YouTube/TikTok without ads, Cracked utility programs: weather, pdf viewers, etc, Fake security programs --------------------------------------------- https://www.bitdefender.com/blog/labs/tens-of-thousands-of-compromised-andr… ∗∗∗ High-risk vulnerabilities patched in ABB Aspect building management system ∗∗∗ --------------------------------------------- Prism Infosec has identified two high-risk vulnerabilities within the Aspect Control Engine building management system (BMS) developed by ABB. ABB’s Aspect BMS enables users to monitor a building’s performance and combines real-time integrated control, supervision, data logging, alarming, scheduling and network management functions with internet connectivity and web serving capabilities. Consequently, users can view system status, override setpoints and schedules, and more over [...] --------------------------------------------- https://www.helpnetsecurity.com/2023/06/07/cve-2023-0635-cve-2023-0636/ ===================== = Vulnerabilities = ===================== ∗∗∗ B&R APROL Abuse SLP based traffic for amplification attack CVE ID: CVE-2023-29552 ∗∗∗ --------------------------------------------- An attacker who successfully exploited this vulnerability could use affected products to cause 3rd party components to become temporarily inaccessible --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16834661… ∗∗∗ Sicherheitsupdates: Firefox und Firefox ESR gegen mögliche Attacken gerüstet ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle in Firefox könnten Angreifer Opfer noch effektiver auf unverschlüsselte Fake-Websites locken. --------------------------------------------- https://heise.de/-9180185 ∗∗∗ VMSA-2023-0012 ∗∗∗ --------------------------------------------- VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0012.html ∗∗∗ Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities ∗∗∗ --------------------------------------------- On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier. --------------------------------------------- https://www.wordfence.com/blog/2023/06/critical-security-update-directorist… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (c-ares), Fedora (curl and firefox), Oracle (cups-filters, kernel, and webkit2gtk3), Red Hat (emacs and kpatch-patch), Slackware (mozilla), SUSE (kernel and openssl-1_0_0), and Ubuntu (firefox and libreoffice). --------------------------------------------- https://lwn.net/Articles/934132/ ∗∗∗ Edge 114.0.1823.41 ∗∗∗ --------------------------------------------- Microsoft hat (nach dem Chrome-Sicherheitsupdate) den Edge-Browser am 6. Juni 2023 im Stable Channel auf die Version 114.0.1823.41 aktualisiert (Sicherheits- und Bug-Fixes). Laut Release Notes wird die Schwachstelle CVE-2023-3079 aus dem Chromium-Projekt geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/06/07/edge-114-0-1823-41/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Small Business 200, 300, and 500 Series Switches Web-Based Management Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Workload Authenticated OpenAPI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0