=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-05-2023 18:00 − Tuesday 09-05-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ A new, stealthier type of Typosquatting attack spotted targeting NPM ∗∗∗
---------------------------------------------
Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attack method -- "Typosquatting."
---------------------------------------------
https://checkmarx.com/blog/a-new-stealthier-type-of-typosquatting-attack-sp…
∗∗∗ AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability ∗∗∗
---------------------------------------------
Owners of Ruckus access points (APs) have been warned that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices. The vulnerability in question is tracked as CVE-2023-25717 and it was patched by Ruckus in February in many of its wireless APs.
---------------------------------------------
https://www.securityweek.com/andoryubot-ddos-botnet-exploiting-ruckus-ap-vu…
∗∗∗ Building Automation System Exploit Brings KNX Security Back in Spotlight ∗∗∗
---------------------------------------------
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.
---------------------------------------------
https://www.securityweek.com/building-automation-system-exploit-brings-knx-…
∗∗∗ Do not book your accommodation via booked.net or hotel-mix.de ∗∗∗
---------------------------------------------
Looking for accommodation? Better not book on booked.net or hotel-mix.de, because both booking platforms list accommodations that have no contract with the platform. On arrival at the booked accommodation, you may find that the operators know nothing about your booking and you have to find a new place to sleep at short notice.
---------------------------------------------
https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-ueb…
∗∗∗ New phishing-as-a-service tool “Greatness” already seen in the wild ∗∗∗
---------------------------------------------
A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
---------------------------------------------
https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). An arbitrary script may be executed in the web browser of a user who is logging in to WordPress while using the plugin.
---------------------------------------------
https://jvn.jp/en/jp/JVN59341308/
∗∗∗ WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
* An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
* An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926
---------------------------------------------
https://jvn.jp/en/jp/JVN95792402/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7).
---------------------------------------------
https://lwn.net/Articles/931384/
∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin ∗∗∗
---------------------------------------------
* CVE-2023-24488, Cross site scripting, CVSS 6.1
* CVE-2023-24487, Arbitrary file read, CVSS 6.3
---------------------------------------------
https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-…
∗∗∗ SSA-932528 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-932528.html
∗∗∗ SSA-892048 V1.0: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-892048.html
∗∗∗ SSA-789345 V1.0: Code Execution Vulnerabilities in Siveillance Video Event and Management Servers ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-789345.html
∗∗∗ SSA-555292 V1.0: Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-555292.html
∗∗∗ SSA-516174 V1.0: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-516174.html
∗∗∗ SSA-325383 V1.0: Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-325383.html
∗∗∗ F5: K000133759 : Python vulnerability CVE-2020-26116 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133759
∗∗∗ F5: K000134496 : Jettison vulnerability CVE-2022-45685 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134496
∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988953
∗∗∗ Tensorflow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988959
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986333
∗∗∗ TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988979
∗∗∗ Ansi-html is vulnerable to CVE-2021-23424 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988981
∗∗∗ Node-forge is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988969
∗∗∗ Apache Log4j is vulnerable to CVE-2021-45105 and CVE-2021-45046 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988975
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989099
∗∗∗ CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989115
∗∗∗ CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989117
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989119
∗∗∗ WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989133
∗∗∗ IBM WebSphere Application Server Liberty and Open Liberty is vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989131
∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to CVE-2022-22393 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989127
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989145
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-05-2023 18:00 − Monday 08-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Meet Akira — A new ransomware operation targeting the enterprise ∗∗∗
---------------------------------------------
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-…
∗∗∗ Data leak: MSI firmware and Boot Guard keys published ∗∗∗
---------------------------------------------
After a hack, a ransomware group has published a large amount of internal MSI data, including private signing keys.
---------------------------------------------
https://www.golem.de/news/datenleck-firmware-und-bootguard-schluessel-von-m…
∗∗∗ New Cactus ransomware encrypts itself to evade antivirus ∗∗∗
---------------------------------------------
While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection. [..] Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encryp…
∗∗∗ Breaking down Reverse shell commands ∗∗∗
---------------------------------------------
In pentesting assessments and CTFs we always need reverse shells to execute commands on the target machine once we have exploited a system and have a command injection at some point in our engagement. For that we have an awesome project: revshells.com or reverse-shell-generator, which lists a ton of reverse shell payloads. This blog post tries to explain how they work.
---------------------------------------------
https://adityatelange.in/blog/revshells/
∗∗∗ Quickly Finding Encoded Payloads in Office Documents ∗∗∗
---------------------------------------------
Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py. Some shortcuts can be used [..] But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output.
---------------------------------------------
https://isc.sans.edu/diary/rss/29818
∗∗∗ Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot ∗∗∗
---------------------------------------------
Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. By using it, users take on the risk that any vulnerabilities in Dependabot itself may lead to the compromise of the very supply chain they are trying to secure. This article is about a vulnerability in Dependabot that allowed an arbitrary user to gain access to a subset of GitHub repositories that have Dependabot enabled.
---------------------------------------------
https://giraffesecurity.dev/posts/dependabot-confusion/
∗∗∗ Microsoft web browser: Edge 113 closes security holes ∗∗∗
---------------------------------------------
Microsoft has released version 113 of its Edge web browser. The developers have improved some features and patched vulnerabilities.
---------------------------------------------
https://heise.de/-8990437
∗∗∗ Warning! These cosmetics are harmful to health! ∗∗∗
---------------------------------------------
The Austrian Agency for Health and Food Safety (AGES) and the Federal Office for Consumer Health (BAVG) are currently warning about cosmetic products that contain banned and harmful fragrances. The products are mainly sold online. We show you which products you should keep your hands off.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-diese-kosmetika-sind-gesundh…
∗∗∗ Webinar: Buying and selling safely on Willhaben, Shpock & Co. ∗∗∗
---------------------------------------------
What do I need to consider when buying or selling something as a private individual on classifieds platforms such as Willhaben, Shpock, Vinted & Co.? Our legal expert from the Internet Ombudsstelle gives tips for handling such online transactions safely. Take part free of charge: Tuesday 16 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-verkaufen-ueber-willh…
∗∗∗ PRFs, PRPs and other fantastic things ∗∗∗
---------------------------------------------
A few weeks ago I ran into a conversation on Twitter about the weaknesses of applied cryptography textbooks, and how they tend to spend way too much time lecturing people about Feistel networks and the boring details of AES. Some of the folks in this conversation suggested that instead of these things, we should be into more fundamental topics like “what is a pseudorandom function.”
---------------------------------------------
https://blog.cryptographyengineering.com/2023/05/08/prfs-prps-and-other-fan…
∗∗∗ WordPress plugin vulnerability puts two million websites at risk ∗∗∗
---------------------------------------------
Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.
---------------------------------------------
https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-we…
∗∗∗ Cisco SPA112 2-port phone adapter insecure, the only option left is to dispose of it ∗∗∗
---------------------------------------------
US vendor Cisco warns in an advisory of a critical vulnerability in one of its phone adapters. This vulnerability allows an attacker to take control of the device. Unfortunately, affected users have no option but to dispose of this phone adapter [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/cisco-spa112-2-port-telefonadapter…
=====================
= Vulnerabilities =
=====================
∗∗∗ ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 ∗∗∗
---------------------------------------------
Vendor: ads-tec Industrial IT GmbH
Product name: IRF1000, IRF2000, IRF3000
CVE Numbers: CVE-2014-3669, CVE-2014-8142, CVE-2014-9425, CVE-2015-0231, CVE-2015-2348, CVE-2015-2787, CVE-2015-3414, CVE-2015-3415, CVE-2015-4602, CVE-2015-6835, CVE-2015-8876, CVE-2016-10161, CVE-2016-7124, CVE-2016-7411, CVE-2016-9138, CVE-2017-11142, CVE-2017-12933, CVE-2017-8923
CVSS Score: up to 9.8
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-009/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/931259/
∗∗∗ 3 vulnerabilities discovered in MS Azure API Management ∗∗∗
---------------------------------------------
Security researchers at the Israeli security vendor Ermetic have discovered three vulnerabilities in Microsoft's Azure API Management. Two SSRF (Server-Side Request Forgery) vulnerabilities and an unrestricted file upload issue create risks for the Microsoft cloud environment. The vulnerabilities can be abused by malicious actors [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/3-schwachstellen-in-ms-azure-api-m…
∗∗∗ Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988347
∗∗∗ Security Vulnerabilities in IBM WebSphere Liberty and xml2js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988603
∗∗∗ Vulnerability in Jettison affects IBM Process Mining (CVE-2023-1436) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988673
∗∗∗ Vulnerabilities have been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24966, CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988885
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988889
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988899
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988895
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988893
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xmlbeans-2.3.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988897
∗∗∗ Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-24302] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988909
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-05-2023 18:00 − Friday 05-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ What is XML-RPC? Security Risks & How to Disable ∗∗∗
---------------------------------------------
In this article, we will discuss what xmlrpc.php is, why disabling it can improve your website’s security, and how to determine if it’s currently active on your WordPress site.
---------------------------------------------
https://blog.sucuri.net/2023/05/what-is-xml-rpc-security-risks-how-to-disab…
∗∗∗ Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads ∗∗∗
---------------------------------------------
The list of the offending apps is as follows:
* Beauty Camera Plus
* Beauty Photo Camera
* Beauty Slimming Photo Editor
* Fingertip Graffiti
* GIF Camera Editor
* HD 4K Wallpaper
* Impressionism Pro Camera
* Microclip Video Editor
* Night Mode Camera Pro
* Photo Camera Editor
* Photo Effect Editor
---------------------------------------------
https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html
∗∗∗ Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Compromised ∗∗∗
---------------------------------------------
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," [..]
---------------------------------------------
https://thehackernews.com/2023/05/packagist-repository-hacked-over-dozen.ht…
∗∗∗ An overview of the OSI model and its security threats ∗∗∗
---------------------------------------------
The OSI model is a representation of how communications between devices occur. The conceptual model makes it easier to understand how data is transmitted. Within this complex process, threat actors have found ways to exploit and compromise systems. It is very important to identify the kinds of attacks and vulnerabilities that exist at each layer and to implement proper defense strategies to protect a network.
---------------------------------------------
https://www.tripwire.com/state-of-security/overview-osi-model-and-its-secur…
∗∗∗ "Login from a new device": criminals send personalised e-mails in the name of BAWAG ∗∗∗
---------------------------------------------
Criminals are currently sending fraudulent messages in the name of BAWAG. The e-mails are personalised and therefore particularly credible. You are addressed not by your name, but by your e-mail address. In the message, the criminals claim that your account was accessed from a new device.
---------------------------------------------
https://www.watchlist-internet.at/news/login-mit-neuem-geraet-kriminelle-ve…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-547: (0Day) Linux Kernel IPv6 RPL Protocol Reachable Assertion Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-547/
∗∗∗ Sante DICOM Viewer Vulnerabilities ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-523/
https://www.zerodayinitiative.com/advisories/ZDI-23-524/
https://www.zerodayinitiative.com/advisories/ZDI-23-525/
https://www.zerodayinitiative.com/advisories/ZDI-23-526/
https://www.zerodayinitiative.com/advisories/ZDI-23-527/
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Synology-SA-23:04 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject SQL commands via a susceptible version of Synology VPN Plus Server. Affected Products: VPN Plus Server for SRM 1.3, VPN Plus Server for SRM 1.2
---------------------------------------------
https://www.synology.com/en-global/security/advisory/Synology_SA_23_04
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Elastic Storage System, IBM Spectrum Scale, IBM Maximo Application Suite, IBM Cognos Command Center, AIX, IBMid, IBM SAN Volume Controller, IBM CICS TX, IBM PowerVM Novalink, IBM Process Mining, IBM Cognos Analytics, IBM Planning Analytics.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1).
---------------------------------------------
https://lwn.net/Articles/931050/
∗∗∗ K000134469 : MySQL vulnerability CVE-2023-21963 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134469
∗∗∗ Spring Cloud Data Flow 2.10.3 Released ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/05/05/spring-cloud-data-flow-2-10-3-released
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-05-2023 18:00 − Thursday 04-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows admins can now sign up for ‘known issue’ email alerts ∗∗∗
---------------------------------------------
Microsoft announced today that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-admins-can-now-sign…
∗∗∗ Infostealer Embedded in a Word Document, (Thu, May 4th) ∗∗∗
---------------------------------------------
When attackers design malicious documents, one of their challenges is to make the potential victim confident enough to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident enough to enable them by clicking on the "yellow ribbon" on top of the document. Yesterday I found a malicious document that implements another approach.
---------------------------------------------
https://isc.sans.edu/diary/rss/29810
∗∗∗ How to Analyze Java Malware – A Case Study of STRRAT ∗∗∗
---------------------------------------------
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. It establishes persistence on the host by copying to the Startup folder and creating a scheduled task and a Run registry entry. The functionalities of the implemented commands include: reboot the machine, uninstall the malware and delete all its traces, download and execute files [..]
---------------------------------------------
https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014 ∗∗∗
---------------------------------------------
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-014
∗∗∗ Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Fortinet patch day: attackers could execute their own commands ∗∗∗
---------------------------------------------
Important security updates are available for various Fortinet products. None of the holes is rated critical.
---------------------------------------------
https://heise.de/-8986618
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/930903/
∗∗∗ Malicious IKEv1 packet by unauthenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
---------------------------------------------
https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
∗∗∗ Apple: Beats Firmware Update 5B66 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ Apple: AirPods Firmware Update 5E133 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression security vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988109
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988115
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) woodstox/XStream security vulnerability CVE-2022-40152 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988117
∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to a denial of service vulnerability in NumPy (CVE-2021-34141) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988125
∗∗∗ A vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988293
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988295
∗∗∗ IBM Virtualization Engine TS7700 is vulnerable to a privilege escalation threat (CVE-2023-24958) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980845
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression/spring-core security vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988341
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988351
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-05-2023 18:00 − Wednesday 03-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firmware TPM: faulTPM cracks AMD CPUs after three hours of local access ∗∗∗
---------------------------------------------
TPMs are meant to protect secrets such as cryptographic keys. Security researchers have now used "faulTPM" to gain unauthorized access to AMD's firmware TPM.
---------------------------------------------
https://heise.de/-8985704
∗∗∗ OpenCore: Apple's first security response causes problems for patched Macs ∗∗∗
---------------------------------------------
Macs upgraded to macOS Ventura with OpenCore may no longer boot after installing Apple's latest update. A workaround exists.
---------------------------------------------
https://heise.de/-8986252
∗∗∗ Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions ∗∗∗
---------------------------------------------
Open source BGP implementation FRRouting is affected by three vulnerabilities that can be exploited to cause disruption via DoS attacks.
---------------------------------------------
https://www.securityweek.com/exploitation-of-bgp-implementation-vulnerabili…
∗∗∗ Fraudulent advertising on the Microsoft Edge start page! ∗∗∗
---------------------------------------------
Anyone who uses Microsoft Windows automatically gets the Edge browser for surfing the internet. Besides Bing search, the start page offers a list of numerous news articles, with advertisements mixed in among them. A closer look at the ads shows that almost all of them lead to trading scams or other dubious sites. Be careful!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-werbung-auf-microsoft…
∗∗∗ CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows DHCPv6 Service. This bug was originally discovered by YanZiShuang@BigCJTeam of cyberkl. The vulnerability results from the improper processing of DHCPv6 Relay-forward messages. A network-adjacent attacker can leverage this vulnerability to execute code [...]
---------------------------------------------
https://www.thezdi.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-wi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome 113: security update for the web browser ∗∗∗
---------------------------------------------
The developers have fixed a total of 15 vulnerabilities in Google Chrome 113. They also announced that the padlock icon will be replaced in the future.
---------------------------------------------
https://heise.de/-8985368
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (avahi, kernel, linux-5.10, nodejs, webkit2gtk, and wpewebkit), Gentoo (chromium, google-chrome, microsoft-edge, dbus, dbus-broker, dhcp, firefox, firejail-lts, libapreq2, libsdl, libsdl2, lua, proftpd, python, PyPy3, sudo, syslog-ng, systemd, tor, uptimed, vim, and xfce4-settings), Oracle (emacs and libwebp), Red Hat (libwebp), Scientific Linux (libwebp), and SUSE (ceph, ffmpeg-4, git, pdns-recursor, and shim).
---------------------------------------------
https://lwn.net/Articles/930775/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000132719 : BIG-IQ iControl REST vulnerability CVE-2023-29240 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132719
∗∗∗ K000133417 : NGINX Management Suite vulnerability CVE-2023-28656 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133417
∗∗∗ K000132522 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132522
∗∗∗ K000133132 : BIG-IP TMM SSL vulnerability CVE-2023-24594 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133132
∗∗∗ K000132768 : BIG-IP Configuration utility vulnerability CVE-2023-28406 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132768
∗∗∗ K000132972 : BIG-IP iQuery mesh vulnerability CVE-2023-28742 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132972
∗∗∗ K000132726 : BIG-IP Configuration utility XSS vulnerability CVE-2023-27378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132726
∗∗∗ K000133233 : NGINX Management Suite vulnerability CVE-2023-28724 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133233
∗∗∗ K000132539 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132539
∗∗∗ K20145107 : BIG-IP UDP profile vulnerability CVE-2023-29163 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K20145107?
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-04-2023 18:00 − Tuesday 02-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target vulnerable Veeam backup servers exposed online ∗∗∗
---------------------------------------------
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-ve…
∗∗∗ New LOBSHOT malware gives hackers hidden VNC access to Windows devices ∗∗∗
---------------------------------------------
A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-ha…
∗∗∗ Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
---------------------------------------------
https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html
∗∗∗ trawler: Dredging Windows for Persistence ∗∗∗
---------------------------------------------
Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.
---------------------------------------------
https://github.com/joeavanzato/Trawler
∗∗∗ Attacks on vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle Weblogic ∗∗∗
---------------------------------------------
Attackers are exploiting security vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle Weblogic to gain access to victims' networks.
---------------------------------------------
https://heise.de/-8984237
∗∗∗ Medical devices: warning of critical security vulnerability in Illumina software ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA warns of critical security vulnerabilities in Illumina's medical devices. Attackers could take control.
---------------------------------------------
https://heise.de/-8983960
∗∗∗ Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes ∗∗∗
---------------------------------------------
Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
---------------------------------------------
https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerabili…
∗∗∗ Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment ∗∗∗
---------------------------------------------
CISA urges organizations to review FCC’s Covered List of risky communications equipment and incorporate it in their supply chain risk management efforts.
---------------------------------------------
https://www.securityweek.com/critical-infrastructure-organizations-urged-to…
∗∗∗ Webinar: using online research tools correctly ∗∗∗
---------------------------------------------
How can I use Google, but also other search engines, correctly? What other research tools and search methods are there? In this webinar we show you what good and efficient online research can look like. Take part free of charge: Tuesday, 9 May 2023, 18:30 - 20:00 via Zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-recherchetools-im-internet-r…
∗∗∗ Online shopping: do not pay with the PayPal function "Send money to a friend" ∗∗∗
---------------------------------------------
Fake shops have recently begun abusing the PayPal function "Send money to friends and family". The criminals behind the fake shops create PayPal.Me payment links. Through small adjustments by the criminals, the purchase amount is pre-filled there and the payment type "Send money to a friend" is preselected. If you pay with this payment type, buyer protection does not apply. Your money is then gone and cannot be recovered.
---------------------------------------------
https://www.watchlist-internet.at/news/online-shopping-bezahlen-sie-nicht-m…
∗∗∗ Apple releases "Rapid Security Response" for iOS, iPadOS and macOS ∗∗∗
---------------------------------------------
The new update method shortens the installation process considerably. With Rapid Security Responses, Apple intends in future to eliminate threats such as zero-day vulnerabilities more quickly.
---------------------------------------------
https://www.zdnet.de/88408872/apple-veroeffentlicht-schnelle-sicherheitsmas…
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 1: Setting the basics ∗∗∗
---------------------------------------------
This first blog post is part of a series of blog posts related to the implementation of a Zero Trust approach in Microsoft 365. This series will first cover the basics and then deep dive into the different features such as Azure Active Directory (Azure AD) Conditional Access policies, Microsoft Defender for Cloud Apps policies, Information Protection and Microsoft Endpoint Manager, to name only a few.
---------------------------------------------
https://blog.nviso.eu/2023/05/02/enforce-zero-trust-in-microsoft-365-part-1…
∗∗∗ CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers.
---------------------------------------------
https://asec.ahnlab.com/en/51908/
∗∗∗ A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors ∗∗∗
---------------------------------------------
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverage these two pillars to achieve persistence.
---------------------------------------------
https://www.mandiant.com/resources/blog/lnk-between-browsers
=====================
= Vulnerabilities =
=====================
∗∗∗ Wireshark 4.0.5 Released, (Sat, Apr 29th) ∗∗∗
---------------------------------------------
Wireshark version 4.0.5 was released with 11 bugs and 3 vulnerabilities fixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29790
∗∗∗ Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking ∗∗∗
---------------------------------------------
This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials.
---------------------------------------------
https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib).
---------------------------------------------
https://lwn.net/Articles/930588/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).
---------------------------------------------
https://lwn.net/Articles/930649/
∗∗∗ IBM Security Bulletins 2023-04-28 - 2023-05-02 ∗∗∗
---------------------------------------------
IBM Engineering Test Management, IBM Spectrum Scale, IBM DataPower Gateway, IBM i, Rational ClearQuest, IBM Business Automation Workflow, IBM Business Automation Workflow Enterprise Service Bus, IBM Case Manager, BladeCenter, PureFlex System and Flex System, System x, IBM Maximo, IBM Control Desk, Db2 for Linux, UNIX and Windows, IBM Robotic Process Automation, Tivoli Business Service Manager, Content Manager Client, IBM Sterling Secure Proxy, IBM App Connect Enterprise, IBM Security Key Lifecycle Manager, IBM MQ, IBM MQ Appliance, Tivoli Application Dependency Discovery Manager, IBM Cloud Pak, IBM InfoSphere Information, WebSphere Remote Server, IBM Workload Scheduler.
---------------------------------------------
∗∗∗ ZDI-23-503: (Pwn2Own) NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-503/
∗∗∗ ZDI-23-502: (Pwn2Own) NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-502/
∗∗∗ ZDI-23-501: (Pwn2Own) NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-501/
∗∗∗ ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-496/
∗∗∗ ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-495/
∗∗∗ Android Security Bulletin – May 2023 ∗∗∗
---------------------------------------------
https://source.android.com/docs/security/bulletin/2023-05-01?hl=de
∗∗∗ F5: K000133706 : OpenSSL vulnerability CVE-2023-0464 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133706
∗∗∗ F5: K000133615 : device-mapper-multipath vulnerability CVE-2022-41974 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133615
∗∗∗ F5: K000133753 : PHP vulnerability CVE-2023-0662 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133753
∗∗∗ Securing Databricks cluster init scripts ∗∗∗
---------------------------------------------
https://sec-consult.com/blog/detail/securing-databricks-cluster-init-script…
∗∗∗ Vulnerabilities in the Autodesk® 3ds Max® USD plugin ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0008
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-122-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for multiple vulnerabilities in NBG-418N v2 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-04-2023 18:00 − Friday 28-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CISA warns of critical bugs in Illumina DNA sequencing systems ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illumina's Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-…
∗∗∗ Quick IOC Scan With Docker, (Fri, Apr 28th) ∗∗∗
---------------------------------------------
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan a computer (processes & files) or a specific directory (only files) for suspicious content.
---------------------------------------------
https://isc.sans.edu/diary/rss/29788
∗∗∗ WordPress Vulnerability & Patch Roundup April 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april…
∗∗∗ Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks — It's Magecart! ∗∗∗
---------------------------------------------
An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
---------------------------------------------
https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html
∗∗∗ New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets ∗∗∗
---------------------------------------------
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and [...]
---------------------------------------------
https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.h…
∗∗∗ Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707) ∗∗∗
---------------------------------------------
While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.
---------------------------------------------
https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-des…
∗∗∗ Many Public Salesforce Sites are Leaking Private Data ∗∗∗
---------------------------------------------
A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
---------------------------------------------
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leakin…
∗∗∗ Rapture, a Ransomware Family With Similarities to Paradise ∗∗∗
---------------------------------------------
In March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Grafana: update closes high-risk vulnerability in the data visualization tool ∗∗∗
---------------------------------------------
Grafana has released updates for numerous version branches. Among other things, they close a denial-of-service vulnerability that is rated high-risk.
---------------------------------------------
https://heise.de/-8981605
∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗
---------------------------------------------
LTS-108 is being updated in the LTS channel to 108.0.5359.230 (Platform Version: 15183.93.0) for most ChromeOS devices. [...] This update contains multiple Security fixes [...]
---------------------------------------------
https://chromereleases.googleblog.com/2023/04/long-term-support-channel-upd…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca).
---------------------------------------------
https://lwn.net/Articles/930462/
∗∗∗ Use of Telnet in the interface module SLC-0-GPNT00300 ∗∗∗
---------------------------------------------
BOSCH-SA-387640: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin [1] regarding the availability of a Telnet interface for debugging. The SLC-0-GPNT00300 provides a Telnet interface for debugging, which is enabled by factory default. No password is set in the default configuration. If the password is not set by the customer, a remote unauthorized adversary could connect via Telnet.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-387640.html
∗∗∗ SonicOS SSLVPN: vulnerability CVE-2023-1101 in MFA – new firmware for Gen6 firewalls (6.5.4.12-101n) ∗∗∗
---------------------------------------------
A small reminder for administrators who use SonicWall products. SonicOS SSLVPN contains a critical vulnerability that allows an authenticated attacker to use excessive MFA codes. The vulnerability CVE-2023-1101 has received from SonicWall [...]
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/sonicos-sslvpn-schwachstelle-cve-2…
∗∗∗ Illumina Universal Copy Service ∗∗∗
---------------------------------------------
[...] Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; [...]
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-04-2023 18:00 − Thursday 27-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google disrupts the CryptBot info-stealing malware operation ∗∗∗
---------------------------------------------
Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot…
∗∗∗ Cisco discloses XSS zero-day flaw in server management tool ∗∗∗
---------------------------------------------
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day…
∗∗∗ LimeRAT Malware Analysis: Extracting the Config ∗∗∗
---------------------------------------------
ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.
---------------------------------------------
https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html
∗∗∗ Healthy security habits to fight credential breaches: Cyberattack Series ∗∗∗
---------------------------------------------
This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-h…
∗∗∗ Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware ∗∗∗
---------------------------------------------
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
∗∗∗ RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts ∗∗∗
---------------------------------------------
The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html
∗∗∗ LUKS: are old encrypted containers insecure? A guide to updates ∗∗∗
---------------------------------------------
French police have reportedly managed to crack a LUKS container. No reason to panic, but a reason to review passwords and LUKS parameters.
---------------------------------------------
https://heise.de/-8981054
∗∗∗ State of DNS Rebinding in 2023 ∗∗∗
---------------------------------------------
This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.
---------------------------------------------
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
∗∗∗ Bringing IT & OT Security Together: Part 1 ∗∗∗
---------------------------------------------
Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.
---------------------------------------------
https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-toget…
=====================
= Vulnerabilities =
=====================
∗∗∗ Online shop system PrestaShop: attackers could manipulate the database ∗∗∗
---------------------------------------------
A critical security vulnerability threatens online shops built with PrestaShop. Patched versions are available.
---------------------------------------------
https://heise.de/-8980645
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/930367/
∗∗∗ Apache Superset: vulnerability CVE-2023-27524 enables Remote Code Execution (RCE) ∗∗∗
---------------------------------------------
A short note for users who deploy Apache Superset in their environment. In the default configuration the software can be attacked via a remote code execution vulnerability. This becomes a problem when the server is reachable from the Internet.
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-…
∗∗∗ F5: K000133673 : Bootstrap vulnerability CVE-2016-10735 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133673
∗∗∗ F5: K000133652 : Python vulnerability CVE-2018-18074 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133652
∗∗∗ F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133448
∗∗∗ F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133668
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986343
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986341
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986361
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986365
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985675
∗∗∗ IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986509
∗∗∗ Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986543
∗∗∗ Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986547
∗∗∗ Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986573
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986575
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986577
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323
∗∗∗ Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986585
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986619
∗∗∗ Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986617
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986625
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986629
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986627
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-04-2023 18:00 − Mittwoch 26-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Never Connect to RDP Servers Over Untrusted Networks ∗∗∗
---------------------------------------------
In this article, we will demonstrate why connecting using the Remote Desktop Protocol (RDP) must be avoided on untrusted networks like in hotels, conferences, or public Wi-Fi. Protecting the connection with a VPN or a Remote Desktop Gateway is the only safe alternative.
---------------------------------------------
https://www.gosecure.net/blog/2023/04/26/never-connect-to-rdp-servers-over-…
∗∗∗ So you think you can block Macros? ∗∗∗
---------------------------------------------
For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses.
---------------------------------------------
https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
∗∗∗ Google Authenticator: warning - backup of the secret "seed" in plaintext ∗∗∗
---------------------------------------------
Google has given the Authenticator a backup of the secrets needed to generate the one-time passwords. However, Google receives this data in plaintext.
---------------------------------------------
https://heise.de/-8979932
∗∗∗ VMware Workstation and Fusion: vendor patches critical zero-day vulnerability ∗∗∗
---------------------------------------------
VMware patches security vulnerabilities, some of them critical, in Workstation and Fusion. Since they were demonstrated at the Pwn2Own contest, they are zero-days.
---------------------------------------------
https://heise.de/-8979106
∗∗∗ GuLoader returns with a rotten shipment ∗∗∗
---------------------------------------------
We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rott…
∗∗∗ How to stay up to date with Watchlist Internet! ∗∗∗
---------------------------------------------
The offering of Watchlist Internet keeps growing: we give you an overview of how to stay up to date on Internet fraud with us, which offerings you can find where, and which channels we are present on.
---------------------------------------------
https://www.watchlist-internet.at/news/so-bleiben-sie-mit-der-watchlist-int…
∗∗∗ Hackers attack critical security vulnerability in PaperCut printer software ∗∗∗
---------------------------------------------
They can take control of a PaperCut server. In addition, sample exploit code is now publicly available.
---------------------------------------------
https://www.zdnet.de/88408703/hacker-greifen-kritische-sicherheitsluecke-in…
∗∗∗ Attackers Use Containers for Profit via TrafficStealer ∗∗∗
---------------------------------------------
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0008 ∗∗∗
---------------------------------------------
VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/930258/
∗∗∗ Insecure authentication in B420 legacy communication module ∗∗∗
---------------------------------------------
BOSCH-SA-341298-BT: An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End of Life (EoL) in 2013. The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-341298-bt.html
∗∗∗ Scada-LTS Third Party Component ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
∗∗∗ Keysight N8844A Data Analytics Web Service ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could lead to remote code execution.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in Huawei HiLink AI Life Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvihha…
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahp…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-04-2023 18:00 − Dienstag 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Intel CPUs vulnerable to new transient execution side-channel attack ∗∗∗
---------------------------------------------
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new…
∗∗∗ New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication ∗∗∗
---------------------------------------------
The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]
---------------------------------------------
https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c…
∗∗∗ Release of a Technical Report into Intel Trust Domain Extensions ∗∗∗
---------------------------------------------
Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intels Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the features architecture. 5 additional areas were identified for defense-in-depth changes [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-…
∗∗∗ New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) ∗∗∗
---------------------------------------------
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.
---------------------------------------------
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-2955…
∗∗∗ PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published ∗∗∗
---------------------------------------------
The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.
---------------------------------------------
https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cv…
∗∗∗ Attackers are logging in instead of breaking in ∗∗∗
---------------------------------------------
Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.
---------------------------------------------
https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/
∗∗∗ Fake Facebook page of Tiergarten Schönbrunn spreads fake prize draw ∗∗∗
---------------------------------------------
The fake Facebook page "ZooPark Wien" is spreading a fraudulent prize draw. The post raffles off 4 admission tickets. Participants only have to comment on the post with "Alles Gute zum Geburtstag" (Happy Birthday). With this prize draw, however, criminals are trying to get hold of your credit card data and lure you into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tierg…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution ∗∗∗
---------------------------------------------
Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) – are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
---------------------------------------------
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-ap…
∗∗∗ Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference ∗∗∗
---------------------------------------------
Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems, escalation of privilege cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-430.html
∗∗∗ Zyxel closes security vulnerabilities, some critical, in firewalls and access points ∗∗∗
---------------------------------------------
Zyxel has issued warnings about security vulnerabilities in firewalls and access points. Firmware updates to close the holes are available.
---------------------------------------------
https://heise.de/-8977831
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, ovmf, and protobuf-c).
---------------------------------------------
https://lwn.net/Articles/930128/
∗∗∗ WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00971105/
∗∗∗ ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-458/
∗∗∗ ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-457/
∗∗∗ F5: K000133630 : Intel processor vulnerability CVE-2022-26343 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133630
∗∗∗ F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133633
∗∗∗ Multiple Vulnerabilities Patched in Shield Security ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-…
∗∗∗ Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge ∗∗∗
---------------------------------------------
https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf
∗∗∗ Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache ∗∗∗
---------------------------------------------
https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulle…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-18
∗∗∗ Nextcloud: Missing brute force protection for passwords of password protected share links ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r…
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985649
∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985651
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985667
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985669
∗∗∗ IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985677
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985681
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985683
∗∗∗ IBM® Db2® is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985687
∗∗∗ IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985691
∗∗∗ IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985679
∗∗∗ Multiple vulnerabilities affect IBM Db2® Graph ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985689
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985851
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ IBM Safer Payments is vulnerable to OpenSSL Denial of Service Attack (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985865
∗∗∗ TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985905