Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 04.08.2023
by Daily end-of-shift report 04 Aug '23

04 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-08-2023 18:00 − Freitag 04-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Call to Action: Bolster UEFI Cybersecurity Now ∗∗∗ --------------------------------------------- Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode. [...] Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice. CISA encourages the UEFI community to pursue all the options discussed in this blog with vigor. And the work must start today. --------------------------------------------- https://www.cisa.gov/news-events/news/call-action-bolster-uefi-cybersecurit… ∗∗∗ Fake VMware vConnector package on PyPI targets IT pros ∗∗∗ --------------------------------------------- A malicious package that mimics the VMware vSphere connector module vConnector was uploaded on the Python Package Index (PyPI) under the name VMConnect, targeting IT professionals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-vmware-vconnector-packa… ∗∗∗ Midnight Blizzard conducts targeted social engineering over Microsoft Teams ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-… ∗∗∗ From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd) ∗∗∗ --------------------------------------------- Last week, my spam trap caught an e-mail with LNK attachment, which turned out to be quite interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/30094 ∗∗∗ Malicious npm Packages Found Exfiltrating Sensitive Data from Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," [...] --------------------------------------------- https://thehackernews.com/2023/08/malicious-npm-packages-found.html ∗∗∗ Are Leaked Credentials Dumps Used by Attackers? ∗∗∗ --------------------------------------------- I’ve been watching dumps of leaked credentials for a long time. [...] But are these leaks used to try to get access to mailboxes (or other services)? [...] Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials! --------------------------------------------- https://isc.sans.edu/diary/rss/30098 ∗∗∗ Handwerker:innen aufgepasst: Hier sollten Sie keine Werkzeuge kaufen! ∗∗∗ --------------------------------------------- Aktuell stoßen wir auf zahlreiche Fake-Shops, die Werkzeuge aller Art verkaufen. Allein in den letzten zwei Wochen haben wir mehr als 70 Online-Shops gefunden, die Werkzeuge anbieten – diese aber trotz Bezahlung nicht liefern. --------------------------------------------- https://www.watchlist-internet.at/news/handwerkerinnen-aufgepasst-hier-soll… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware VMSA-2023-0017 - VMware Horizon Server updates address multiple security vulnerabilities ∗∗∗ --------------------------------------------- - Request smuggling vulnerability (CVE-2023-34037), CVSSv3 base score of 5.3 - Information disclosure vulnerability (CVE-2023-34038), CVSSv3 base score of 5.3 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0017.html ∗∗∗ Mozilla VPN: CVE-2023-4104: Privileged vpndaemon on Linux wrongly and incompletely implements Polkit authentication ∗∗∗ --------------------------------------------- [...] it contains a privileged D-Bus service running as root and a Polkit policy. In the course of this review we noticed a broken and otherwise lacking Polkit authorization logic in the privileged `mozillavpn linuxdaemon` process. We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below. --------------------------------------------- https://www.openwall.com/lists/oss-security/2023/08/03/1 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind and kernel), Debian (cjose, firefox-esr, ntpsec, and python-django), Fedora (chromium, firefox, librsvg2, and webkitgtk), Red Hat (firefox), Scientific Linux (firefox and openssh), SUSE (go1.20, ImageMagick, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, kernel, openssl-1_1, pipewire, python-pip, and xtrans), and Ubuntu (cargo, rust-cargo, cpio, poppler, and xmltooling). --------------------------------------------- https://lwn.net/Articles/940481/ ∗∗∗ Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN38847224/ ∗∗∗ Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020316 ∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010369 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Tensorflow vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020364 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2023
by Daily end-of-shift report 03 Aug '23

03 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-08-2023 18:00 − Donnerstag 03-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake FlipperZero sites promise free devices after completing offer ∗∗∗ --------------------------------------------- A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-flipperzero-sites-promi… ∗∗∗ Hackers can abuse Microsoft Office executables to download malware ∗∗∗ --------------------------------------------- The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes, will include the main executables for Microsofts Outlook email client and Access database management system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-… ∗∗∗ "Grob fahrlässig": Sicherheitsproblem gefährdet Microsoft-Kunden seit Monaten ∗∗∗ --------------------------------------------- Eine Microsoft seit März bekannte kritische Schwachstelle in Azure AD macht weitere zahllose Organisationen noch heute anfällig für Cyberangriffe. --------------------------------------------- https://www.golem.de/news/grob-fahrlaessig-sicherheitsproblem-gefaehrdet-mi… ∗∗∗ What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot ∗∗∗ --------------------------------------------- In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote. --------------------------------------------- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ ∗∗∗ New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 ∗∗∗ --------------------------------------------- Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-… ∗∗∗ Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers ∗∗∗ --------------------------------------------- In this guest blog from researcher Marcin Wiązowski, he details CVE-2023-21822 – a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, examines how it could be exploited, and a look at the patch Microsoft released to address the bug. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap… ∗∗∗ Hook, Line, and Phishlet: Conquering AD FS with Evilginx ∗∗∗ --------------------------------------------- Recently, I was assigned to a red team engagement, and the client specifically requested a phishing simulation targeting their employees. The organisation utilises AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. [..] Despite my efforts to find a detailed write-up on how to successfully phish a target where AD FS is being used, I couldn’t find a technical post covering this topic. So I saw this as an opportunity to learn --------------------------------------------- https://research.aurainfosec.io/pentest/hook-line-and-phishlet/ ∗∗∗ New Report: Medical Health Care Organizations Highly Vulnerable Due to Improper De-acquisition Processes ∗∗∗ --------------------------------------------- In Security Implications from Improper De-acquisition of Medical Infusion Pumps Heiland performs a physical and technical teardown of more than a dozen medical infusion pumps — devices used to deliver and control fluids directly into a patient’s body. Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organization’s networks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-… ∗∗∗ MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis ∗∗∗ --------------------------------------------- The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. --------------------------------------------- https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-t… ∗∗∗ Google Project Zero - Summary: MTE As Implemented ∗∗∗ --------------------------------------------- In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities. Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.h… ∗∗∗ Microsoft veröffentlicht TokenTheft-Playbook ∗∗∗ --------------------------------------------- Der Diebstahl von Tokens kann Angreifern den Zugriff auf entsprechende Dienste ermöglichen. Als Folge eines entsprechenden Vorfalls hat Microsoft daher das sogenannte TokenTheft-Playbook veröffentlicht. Es handelt sich um ein Online-Dokument mit zahlreichen Hinweisen für "Cloud-Verantwortliche", die sich um die Sicherheit und den Schutz vor dem Diebstahl von Zugangstokens kümmern müssen. --------------------------------------------- https://www.borncity.com/blog/2023/08/03/microsoft-verffentlicht-tokentheft… ∗∗∗ BSI Newsletter SICHER INFORMIERT vom 03.08.2023 ∗∗∗ --------------------------------------------- DSGVO – ein Segen für die IT-Sicherheit, Hersteller beklagen Patch-Müdigkeit, kritische Sicherheitslücke gefährdet Router & das BSI auf der Gamescom --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Newsletter/DE/BuergerCERT-Newsletter/16_… ∗∗∗ How Malicious Android Apps Slip Into Disguise ∗∗∗ --------------------------------------------- Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research. --------------------------------------------- https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-di… ∗∗∗ Watchlist Internet: Bestellen Sie unsere neue Broschüre „Betrug im Internet: So schützen Sie sich“ ∗∗∗ --------------------------------------------- Mit unserer neuen Broschüre „Betrug im Internet“ informieren wir Interessierte zu den Themen Einkaufen im Internet, betrügerische Nachrichten, Schadsoftware, Phishing, Vorschussbetrug und Finanzbetrug. Die kostenlose Broschüre können Sie herunterladen oder bei uns bestellen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-unsere-neue-broschuere… ∗∗∗ Reptile Malware Targeting Linux Systems ∗∗∗ --------------------------------------------- Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic. --------------------------------------------- https://asec.ahnlab.com/en/55785/ ∗∗∗ 2022 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a ===================== = Vulnerabilities = ===================== ∗∗∗ Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033 ∗∗∗ --------------------------------------------- Security risk: Less critical Description: This module enables you to add the Matomo web statistics tracking system to your website.The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-033 ∗∗∗ CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older ∗∗∗ --------------------------------------------- A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. [..] MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-A… ∗∗∗ CVE-2023-28130 – Command Injection in Check Point Gaia Portal ∗∗∗ --------------------------------------------- The parameter hostname in the web request /cgi-bin/hosts_dns.tcl is vulnerable for command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user ‘Admin’. --------------------------------------------- https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-… ∗∗∗ CVE-2023-31928 - XSS vulnerability in Brocade Webtools ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS version before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user’s session with the Brocade Webtools application. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31927 - An information disclosure in the web interface of Brocade Fabric OS ∗∗∗ --------------------------------------------- An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c, could allow a remote unauthenticated attacker to get technical details about the web interface. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31926 - Arbitrary File Overwrite using less command ∗∗∗ --------------------------------------------- System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31432 - Privilege issues in multiple commands ∗∗∗ --------------------------------------------- Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31431 - A buffer overflow vulnerability in “diagstatus” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “diagstatus” command in Brocade Fabric OS before Brocade Fabric v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31430 - buffer overflow vulnerability in “secpolicydelete” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “secpolicydelete” command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ VE-2023-31425 - Privilege escalation via the fosexec command ∗∗∗ --------------------------------------------- A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31429 - Vulnerability in multiple commands ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31427 - Knowledge of full path name ∗∗∗ --------------------------------------------- Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 Could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31428 - CLI allows upload or transfer files of dangerous types ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under users home directory using grep. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ Sicherheitsupdates: Angreifer können Aruba-Switches kompromittieren (CVE-2023-3718) ∗∗∗ --------------------------------------------- Bestimmte Switch-Modelle von Aruba sind verwundbar. Die Entwickler haben eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-9233677 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) ∗∗∗ --------------------------------------------- Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim). --------------------------------------------- https://lwn.net/Articles/940335/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE - ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products - ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface - ICSA-23-215-04 Sensormatic Electronics VideoEdge - ICSA-23-208-03 Mitsubishi Electric CNC Series --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-releases-five-indus… ∗∗∗ Sicherheitsschwachstelle in verschiedenen Canon Inkjet-Druckermodellen (SYSS-2023-011) ∗∗∗ --------------------------------------------- Bei dem Canon Inkjet-Drucker PIXMA TR4550 besteht eine Sicherheitsschwachstelle aufgrund eines unzureichenden Schutzes sensibler Daten. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-verschiedenen-… ∗∗∗ [R1] Nessus Version 10.5.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.5.4 updates OpenSSL to version 3.0.10 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-27 ∗∗∗ Mozilla Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/02/mozilla-releases-securit… ∗∗∗ Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ CODESYS: Missing Brute-Force protection in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-023/ ∗∗∗ CODESYS: Control runtime system memory and integrity check vulnerabilities (CVE-2022-4046, CVE-2023-28355)) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-025/ ∗∗∗ CODESYS: Vulnerability in CODESYS Development System allows execution of binaries ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-021/ ∗∗∗ CODESYS: Missing integrity check in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-022/ ∗∗∗ Shelly 4PM Pro four-channel smart switch: Authentication Bypass via an out-of-bounds read vulnerability (CVE-2023-033383) ∗∗∗ --------------------------------------------- https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-vi… ∗∗∗ CODESYS: Multiple Vulnerabilities in CmpApp CmpAppBP and CmpAppForce ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-019/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2023
by Daily end-of-shift report 02 Aug '23

02 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2023 18:00 − Mittwoch 02-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat actors abuse Google AMP for evasive phishing attacks ∗∗∗ --------------------------------------------- Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ Amazons AWS SSM agent can be used as post-exploitation RAT malware ∗∗∗ --------------------------------------------- Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platforms System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT). --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be… ∗∗∗ New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer thats equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Network Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. There is no evidence to suggest that the cyber offensive is currently active. --------------------------------------------- https://thehackernews.com/2023/08/new-nodestealer-targeting-facebook.html ∗∗∗ Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack ∗∗∗ --------------------------------------------- A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon. [..] Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned. --------------------------------------------- https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collid… ∗∗∗ New hVNC macOS Malware Advertised on Hacker Forum ∗∗∗ --------------------------------------------- A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum. --------------------------------------------- https://www.securityweek.com/new-hvnc-macos-malware-advertised-on-hacker-fo… ∗∗∗ SSH Remains Most Targeted Service in Cado’s Cloud Threat Report ∗∗∗ --------------------------------------------- Cado Security Labs 2023 Cloud Threat Findings Report dives deep into the world of cybercrime, cyberattacks, and vulnerabilities. --------------------------------------------- https://www.hackread.com/ssh-targeted-service-cado-cloud-threat-report/ ∗∗∗ The Most Important Part of the Internet You’ve Probably Never Heard Of ∗∗∗ --------------------------------------------- Few people realize how much they depend on the Border Gateway Protocol (BGP) every day—a set of technical rules responsible for routing data efficiently. --------------------------------------------- https://www.cisa.gov/news-events/news/most-important-part-internet-youve-pr… ∗∗∗ CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-p… ===================== = Vulnerabilities = ===================== ∗∗∗ K000135479: Overview of F5 vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- On August 2, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000135479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940103/ ∗∗∗ IBM TRIRIGA Application Platform discloses use of Apache Xerces (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017724 ∗∗∗ IBM TRIRIGA Application Platform suseptable to clickjacking (CBE-2017-4015) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017716 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2023
by Daily end-of-shift report 01 Aug '23

01 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2023 18:00 − Dienstag 01-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers steal Signal, WhatsApp user data with fake Android chat app ∗∗∗ --------------------------------------------- Hackers are using a fake Android app named SafeChat to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-signal-whatsap… ∗∗∗ European Bank Customers Targeted in SpyNote Android Trojan Campaign ∗∗∗ --------------------------------------------- Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023."The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," [..] --------------------------------------------- https://thehackernews.com/2023/08/european-bank-customers-targeted-in.html ∗∗∗ BSI-Magazin: Neue Ausgabe erschienen ∗∗∗ --------------------------------------------- In der neuen Ausgabe seines Magazins „Mit Sicherheit“ beleuchtet das Bundesamt für Sicherheit in der Informationstechnik (BSI) aktuelle Themen der Cybersicherheit. Im Fokus steht der digitale Verbraucherschutz. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Kaufen Sie nicht in diesen betrügerischen Online-Apotheken ein! ∗∗∗ --------------------------------------------- Ob Schlaftabletten, Schmerz- oder Potzenmittel: Betrügerische Online-Apotheken setzen auf eine breite Produktpalette und bieten verschreibungspflichtige Medikamente ohne Rezept an. Aktuell stoßen wir auf zahlreiche solcher betrügerischen Versandapotheken. Die bestellten Waren werden oftmals gar nicht geliefert und wenn doch, müssen Konsument:innen mit wirkungslosen oder sogar mit gesundheitsschädigenden Fälschungen rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-diesen-betrueger… ∗∗∗ Tuesday August 8th 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address: * 3 high severity issues. * 2 medium severity issues. * 2 low severity issues. --------------------------------------------- https://nodejs-9c1r4fxv8-openjs.vercel.app/en/blog/vulnerability/august-202… ===================== = Vulnerabilities = ===================== ∗∗∗ TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-029 ∗∗∗ Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-028 ∗∗∗ Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-027 ∗∗∗ OpenSSL version 3.1.2 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.1-notes.html ∗∗∗ OpenSSL version 3.0.10 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.0-notes.html ∗∗∗ OpenSSL version 1.1.1v released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] - Fix excessive time spent checking DH q parameter value (CVE-2023-3817) - Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) --------------------------------------------- https://www.openssl.org/news/openssl-1.1.1-notes.html ∗∗∗ Xen Security Advisory 436 v1 (CVE-2023-34320) - arm: Guests can trigger a deadlock on Cortex-A77 ∗∗∗ --------------------------------------------- Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. [..] A (malicious) guest that doesnt include the workaround for erratum 1508412 could deadlock the core. This will ultimately result to a deadlock of the system. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2023-08/msg00000.ht… ∗∗∗ SVD-2023-0702: Unauthenticated Log Injection In Splunk SOAR ∗∗∗ --------------------------------------------- Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-0702 ∗∗∗ WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin ∗∗∗ --------------------------------------------- Description: Stripe Payment Plugin for WooCommerce <= 3.7.7 – Authentication Bypass Affected Plugin: Stripe Payment Plugin for WooCommerce Plugin Slug: payment-gateway-stripe-and-woocommerce-integration Affected Versions: <= 3.7.7 Fully Patched Version: 3.7.8 CVE ID: CVE-2023-3162 CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/08/webtoffee-addresses-authentication-b… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/939917/ ∗∗∗ Security Vulnerabilities fixed in Firefox 116 ∗∗∗ --------------------------------------------- Impact high: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/ ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015865 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29402] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015871 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Google PubSub nodes are vulnerable to arbitrary code execution due to [CVE-2023-36665] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015873 ∗∗∗ IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-protocol attacks due to sendmail (CVE-2021-3618) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013521 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to multiple vulnerabilities due to use of IBM SDK Java Technology Edition, Version 8 (CVE-2023-21967, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015879 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016688 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM PowerVM Novalink is vulnerable because RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File. (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016690 ∗∗∗ IBM PowerVM Novalink is vulnerable because An unspecified vulnerability in Oracle Java SE. (CVE-2023-21930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016696 ∗∗∗ IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016698 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014913 ∗∗∗ Vulnerability in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014915 ∗∗∗ Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014917 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014919 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010669 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to an XML External Entity (XXE) Injection vulnerability - CVE-2023-27554 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016810 ∗∗∗ CVE-2022-40609 affects IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017032 ∗∗∗ The IBM Engineering Lifecycle Engineering products using IBM Java versions 8.0.7.0 - 8.0.7.11 are vulnerable to crypto attacks. (CVE-2023-30441) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015777 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-24998 , CVE-2022-31129) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015061 ∗∗∗ IBM Robotic Process Automation is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes (CVE-2023-23476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017490 ∗∗∗ Decision Optimization for Cloud Pak for Data is vulnerable to a server-side request forgery (CVE-2023-28155). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017586 ∗∗∗ IBM Event Streams is affected by a vulnerability in Node.js Request package (CVE-2023-28155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017628 ∗∗∗ IBM Event Streams is affected by a vulnerability in Golang Go (CVE-2023-29406) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017634 ∗∗∗ APSystems Altenergy Power Control ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2023
by Daily end-of-shift report 31 Jul '23

31 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-07-2023 18:00 − Montag 31-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Linux version of Abyss Locker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- The Abyss Locker operation is the latest to develop a Linux encryptor to target VMwares ESXi virtual machines platform in attacks on the enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locke… ∗∗∗ Hackers exploit BleedingPipe RCE to target Minecraft servers, players ∗∗∗ --------------------------------------------- Hackers are actively exploiting a BleedingPipe remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe… ∗∗∗ P2PInfect server botnet spreads using Redis replication feature ∗∗∗ --------------------------------------------- Threat actors are actively targeting exposed instances of the Redis open-source data store with a peer-to-peer self-replicating worm with versions for both Windows and Linux that the malware authors named P2Pinfect. --------------------------------------------- https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spre… ∗∗∗ Automatically Finding Prompt Injection Attacks ∗∗∗ --------------------------------------------- Researchers have just published a paper showing how to automate the discovery of prompt injection attacks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/07/automatically-finding-prompt… ∗∗∗ WordPress Vulnerability & Patch Roundup July 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service ∗∗∗ --------------------------------------------- More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. --------------------------------------------- https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html ∗∗∗ Apple iOS, Google Android Patch Zero-Days in July Security Updates ∗∗∗ --------------------------------------------- Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities. --------------------------------------------- https://www.wired.com/story/apple-google-microsoft-zero-day-fix-july-2023/ ∗∗∗ Exploiting the StackRot vulnerability ∗∗∗ --------------------------------------------- For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li hasposted a detailedwriteup of the bug and how it can be exploited. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. --------------------------------------------- https://lwn.net/Articles/939542/ ∗∗∗ Sie verkaufen Ihr Auto? Vorsicht bei Abwicklung über Kurierdiensten oder Speditionen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen gibt es sie: betrügerische Anfragen. Die Person will Ihr Auto ohne Besichtigung und Preisverhandlung kaufen, schickt ungefragt eine Ausweiskopie und wirkt unkompliziert. Da die Person aber im Ausland ist und das Auto nicht abholen kann, beauftragt sie einen Kurierdienst. Spätestens jetzt sollten die Alarmglocken schrillen, denn es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-ihr-auto-vorsicht-bei-… ∗∗∗ Windows UAC aushebeln ∗∗∗ --------------------------------------------- Gerade auf Twitter auf ein Projekt mit dem Namen Defeating Windows User Account Control gestoßen, wo jemand über Wege nachdenkt, die Benutzerkontensteuerung von Windows auszuhebeln. Er hat ein kleines Tool entwickelt, mit dem sich die Windows-Benutzerkontensteuerung durch Missbrauch der integrierten [...] --------------------------------------------- https://www.borncity.com/blog/2023/07/29/windows-uac-aushebeln/ ∗∗∗ CISA Releases Malware Analysis Reports on Barracuda Backdoors ∗∗∗ --------------------------------------------- CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-an… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-35081 - New Ivanti EPMM Vulnerability ∗∗∗ --------------------------------------------- During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability ∗∗∗ WAGO: Bluetooth LE vulnerability in WLAN-ETHERNET-Gateway ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-014/ ∗∗∗ WAGO: Multiple products prone to multiple vulnerabilities in e!Runtime / CODESYS V3 Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-026/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2023
by Daily end-of-shift report 28 Jul '23

28 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-07-2023 18:00 − Freitag 28-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Android malware uses OCR to steal credentials from images ∗∗∗ --------------------------------------------- Two new Android malware families named CherryBlos and FakeTrade were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr… ∗∗∗ Nutzerdaten in Gefahr: Hunderttausende von Wordpress-Seiten anfällig für Datenklau ∗∗∗ --------------------------------------------- Drei Schwachstellen im Wordpress-Plugin Ninja Forms können mitunter massive Datenlecks zur Folge haben. Admins sollten zeitnah updaten. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-hunderttausende-von-wordpre… ∗∗∗ ShellCode Hidden with Steganography, (Fri, Jul 28th) ∗∗∗ --------------------------------------------- When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs. --------------------------------------------- https://isc.sans.edu/diary/rss/30074 ∗∗∗ Hackers Abusing Windows Search Feature to Install Remote Access Trojans ∗∗∗ --------------------------------------------- A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows. --------------------------------------------- https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.ht… ∗∗∗ IcedID Malware Adapts and Expands Threat with Updated BackConnect Module ∗∗∗ --------------------------------------------- The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module thats used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. --------------------------------------------- https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html ∗∗∗ Hackers are infecting Call of Duty (Modern Warfare 2 (2009)) players with a self-spreading malware ∗∗∗ --------------------------------------------- Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. [..] Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware. “Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue,” the tweet read. --------------------------------------------- https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-player… ∗∗∗ Angreifer können NAS- und IP-Videoüberwachungssysteme von Qnap lahmlegen ∗∗∗ --------------------------------------------- Mehrere Netzwerkprodukte von Qnap sind für eine DoS-Attacken anfällig. Dagegen abgesicherte Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9229575 ∗∗∗ The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 ∗∗∗ --------------------------------------------- This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes. --------------------------------------------- https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in… ∗∗∗ Zimbra Patches Exploited Zero-Day Vulnerability ∗∗∗ --------------------------------------------- Zimbra has released patches for a cross-site scripting (XSS) vulnerability that has been exploited in malicious attacks. --------------------------------------------- https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerabilit… ∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse ∗∗∗ --------------------------------------------- The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required ∗∗∗ --------------------------------------------- Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html ∗∗∗ ZDI-23-1010: Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1010/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ACLs Not Installed upon Reload ∗∗∗ --------------------------------------------- An issue with the boot-time programming of access control lists (ACLs) for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow a device to boot without all of its ACLs being correctly installed. This issue is due to a logic error that occurs when ACLs are programmed at boot time. If object groups are not in sequential order in the startup configuration, some access control entries (ACEs) may not be installed. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/939445/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and libmail-dkim-perl), Fedora (openssh), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/939519/ ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-04 ∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) ∗∗∗ --------------------------------------------- An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-09 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2023
by Daily end-of-shift report 27 Jul '23

27 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-07-2023 18:00 − Donnerstag 27-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 KB5028244 update released with 19 fixes, improved security ∗∗∗ --------------------------------------------- Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5028244-update… ∗∗∗ APT trends report Q2 2023 ∗∗∗ --------------------------------------------- This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2023/110231/ ∗∗∗ Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining ∗∗∗ --------------------------------------------- Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners.The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. --------------------------------------------- https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html ∗∗∗ Android Güncelleme – dissecting a malicious update installer ∗∗∗ --------------------------------------------- Recently, during one of F-Secure Android’s routine tests, we came across one such fake Android update sample – Android Güncelleme, that proved to be evasive and exhibited interesting exfiltration characteristics. Although the sample is not novel (some features have already been covered in other articles on the Internet), it nevertheless combines several malicious actions together, such as anti-analysis and anti-uninstallation, making it a more potent threat. --------------------------------------------- https://blog.f-secure.com/android-guncelleme-dissecting-a-malicious-update-… ∗∗∗ Fruity trojan downloader performs multi-stage infection of Windows computers ∗∗∗ --------------------------------------------- For about a year, Doctor Web has been registering support requests from users complaining about Windows-based computers getting infected with the Remcos RAT (Trojan.Inject4.57973) spyware trojan. While investigating these incidents, our specialists uncovered an attack in which Trojan.Fruity.1, a multi-component trojan downloader, played a major role. To distribute it, threat actors create malicious websites and specifically crafted software installers. --------------------------------------------- https://news.drweb.com/show/?i=14728&lng=en&c=9 ∗∗∗ SySS Proof of Concept-Video: "Reversing the Irreversible, again: Unlocking locked Omnis Studio classes" (CVE-2023-38334) ∗∗∗ --------------------------------------------- Das Softwareentwicklungstool unterstützt eine nach eigenen Angaben irreversible Funktion, mit der sich Programmklassen in Omnis-Bibliotheken sperren lassen (locked classes).[..] Aufgrund von Implementierungsfehlern, die während eines Sicherheitstests entdeckt wurden, ist es jedoch möglich, gesperrte Omnis-Klassen zu entsperren, um diese im Omnis Studio-Browser weiter analysieren oder auch modifizieren zu können. Dieser Sachverhalt erfüllt nicht die Erwartungen an eine irreversible Funktion. --------------------------------------------- https://www.syss.de/pentest-blog/syss-proof-of-concept-video-reversing-the-… ∗∗∗ Vorsicht bei "fehlgeschlagenen Zahlungen" auf Booking ∗∗∗ --------------------------------------------- Sie haben eine Nachricht des Hotels bekommen, das Sie über Booking.com gebucht haben und werden zur Bestätigung Ihrer Kreditkarte aufgefordert? Achtung – hierbei handelt es sich um eine ausgeklügelte Phishing-Masche! Die Kriminellen stehlen Ihre Daten und Sie bezahlen Ihr Hotel doppelt! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-fehlgeschlagenen-zahlun… ∗∗∗ Online-Banking: Vorsicht vor Suchmaschinen-Phishing ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben ihre betrügerischen Bank-Webseiten auch bei populären Suchmaschinen wie Google, Yahoo oder Bing. --------------------------------------------- https://www.zdnet.de/88410826/online-banking-vorsicht-vor-suchmaschinen-phi… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation ∗∗∗ --------------------------------------------- The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains a unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation. --------------------------------------------- https://kb.cert.org/vuls/id/813349 ∗∗∗ Schwachstellen entdeckt: 40 Prozent aller Ubuntu-Systeme erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Zwei Schwachstellen im OverlayFS-Modul von Ubuntu gefährden zahllose Server-Systeme. Admins sollten die Kernel-Module zeitnah aktualisieren. (Sicherheitslücke, Ubuntu) --------------------------------------------- https://www.golem.de/news/schwachstellen-entdeckt-40-prozent-aller-ubuntu-s… ∗∗∗ ZDI-23-1002: SolarWinds Network Configuration Manager VulnDownloader Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Configuration Manager. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1002/ ∗∗∗ Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032 ∗∗∗ --------------------------------------------- Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-032 ∗∗∗ Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031 ∗∗∗ --------------------------------------------- The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: Originally the solution was listed as just updating the module, however, a cache rebuild will be necessary for the solution to take effect. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-031 ∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability, July 2023 ∗∗∗ --------------------------------------------- The Progress Sitefinity team recently discovered a potential security vulnerability in the Progress Sitefinity .NET Core Renderer Application. It has since been addressed. [..] For optimal security, we recommend an upgrade to the latest Sitefinity .NET Core Renderer version, which currently is 14.4.8127. A product update is also available for older supported Sitefinity versions --------------------------------------------- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A… ∗∗∗ SolarWinds Platform Security Advisories ∗∗∗ --------------------------------------------- - Access Control Bypass Vulnerability CVE-2023-3622 - Incorrect Behavior Order Vulnerability CVE-2023-33224 - Incorrect Input Neutralization Vulnerability CVE-2023-33229 - Deserialization of Untrusted Data Vulnerability CVE-2023-33225 - Incomplete List of Disallowed Inputs Vulnerability CVE-2023-23844 - Incorrect Comparison Vulnerability CVE-2023-23843 --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ SECURITY BULLETIN: July 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗ --------------------------------------------- CVE Identifier(s): CVE-2023-38624, CVE-2023-38625, CVE-2023-38626, CVE-2023-38627 CVSS 3.0 Score(s): 4.2 Post-authenticated server-side request forgery (SSRF) vulnerabilities in Trend Micro Apex Central 2019 could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000294176?language=en_US ∗∗∗ Security updates available in Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1 ∗∗∗ --------------------------------------------- Platform: macOS Summary: Foxit has released Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1, which address potential security and stability issues. CVE-2023-28744, CVE-2023-38111, CVE-2023-38107, CVE-2023-38109, CVE-2023-38113, CVE-2023-38112, CVE-2023-38110, CVE-2023-38117 --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ Sicherheitsupdates: Angreifer können Access Points von Aruba übernehmen ∗∗∗ --------------------------------------------- Wenn die Netzwerkbetriebssysteme ArubaOS 10 oder InstantOS zum Einsatz kommen, sind Access Points von Aruba verwundbar. --------------------------------------------- https://heise.de/-9227914 ∗∗∗ Jetzt patchen! Root-Sicherheitslücke gefährdet Mikrotik-Router ∗∗∗ --------------------------------------------- Stimmten die Voraussetzungen, können sich Angreifer in Routern von Mikrotik zum Super-Admin hochstufen. --------------------------------------------- https://heise.de/-9226696 ∗∗∗ Sicherheitsupdate: Angreifer können Sicherheitslösung Sophos UTM attackieren ∗∗∗ --------------------------------------------- Sophos Unified Threat Management ist verwundbar. Aktuelle Software schafft Abhilfe. --------------------------------------------- https://heise.de/-9228570 ∗∗∗ Synology-SA-23:10 SRM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraint, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_10 ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-208-01 ETIC Telecom RAS Authentication - ICSA-23-208-02 PTC KEPServerEX - ICSA-23-208-03 Mitsubishi Electric CNC Series - ICSA-22-307-01 ETIC RAS (Update A) - ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-releases-five-indus… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012005 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Angular ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012009 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012001 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012033 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014267 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Bouncy Castle ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012003 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012037 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014905 ∗∗∗ IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014929 ∗∗∗ IBM B2B Advanced Communications is vulnerable to denial of service (CVE-2023-24971) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014933 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOps ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014939 ∗∗∗ IBM\u00ae Db2\u00ae has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go denial of service vulnerability ( CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014981 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014991 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2020-24736] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014993 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to security restriction bypass due to [CVE-2023-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014995 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to privilege elevation due to [CVE-2023-26604] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014997 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities in libtiff ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014999 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015003 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015007 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to denial of service due to [CVE-2023-34453], [CVE-2023-34454], [CVE-2023-34455] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015009 ∗∗∗ IBM Event Streams is affected by multiple vulnerabilities in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014405 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2023
by Daily end-of-shift report 26 Jul '23

26 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-07-2023 18:00 − Mittwoch 26-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mysterious Decoy Dog malware toolkit still lurks in DNS shadows ∗∗∗ --------------------------------------------- New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware… ∗∗∗ New Nitrogen malware pushed via Google Ads for ransomware attacks ∗∗∗ --------------------------------------------- A new Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-… ∗∗∗ How to Scan A Website for Vulnerabilities ∗∗∗ --------------------------------------------- Even the most diligent site owners should consider when they had their last website security check. As our own research indicates, infections resulting from known website vulnerabilities continue to plague website owners. According to our 2022 Hacked Website Report, last year alone WordPress accounted for 96.2% of infected websites due to its market share and popularity. Statistics like these highlight why it’s so important that you regularly scan your website for vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2023/07/how-to-scan-website-for-vulnerabilities.html ∗∗∗ Sneaky Python package security fixes help no one – except miscreants ∗∗∗ --------------------------------------------- Good thing these eggheads have created a database of patches - Python security fixes often happen through "silent" code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, according to a group of computer security researchers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silen… ∗∗∗ Tool Release: Cartographer ∗∗∗ --------------------------------------------- Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, honing in on target functionality, or even discovering unused content in video games. --------------------------------------------- https://research.nccgroup.com/2023/07/20/tool-release-cartographer/ ∗∗∗ New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets ∗∗∗ --------------------------------------------- Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware. --------------------------------------------- https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-gam… ∗∗∗ Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability ∗∗∗ --------------------------------------------- GreyNoise researchers have identified active exploitation for a remote code execution (RCE) vulnerability in Citrix ShareFile (CVE-2023-24489) --------------------------------------------- https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-… ===================== = Vulnerabilities = ===================== ∗∗∗ ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285) ∗∗∗ --------------------------------------------- ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ B&R Automation Runtime SYN Flooding Vulnerability in Portmapper ∗∗∗ --------------------------------------------- CVE-2023-3242, CVSS v3.1 Base Score: 8.6 The Portmapper service used in Automation Runtime versions <G4.93 is vulnerable to SYN flooding attacks. An unauthenticated network-based attacker may use this vulnerability to cause several services running on B&R Automation Runtime to become permanently inaccessible. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16897876… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, iperf3, openjdk-17, and pandoc), Fedora (389-ds-base, kitty, and thunderbird), SUSE (libqt5-qtbase, libqt5-qtsvg, mysql-connector-java, netty, netty-tcnative, openssl, openssl-1_1, openssl1, php7, python-scipy, and xmltooling), and Ubuntu (amd64-microcode, avahi, libxpm, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, openstack-trove, and python-django). --------------------------------------------- https://lwn.net/Articles/939305/ ∗∗∗ Mattermost security updates 8.0.1 / 7.10.5 / 7.8.9 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.0.1, 7.10.5, and 7.8.9 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-8-0-1-7-10-5-7-8-9-… ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- BOSCH-SA-247054-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed. Customers are advised to isolate the switch from the Internet if upgrading is not possible. The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247054-bt.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/26/cisa-adds-one-known-expl… ∗∗∗ Fujitsu Real-time Video Transmission Gear "IP series" uses a hard-coded credentials ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95727578/ ∗∗∗ AIX is vulnerable to denial of service due to zlib (CVE-2022-37434) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014483 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2023-29469 and CVE-2023-28484) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014485 ∗∗∗ IBM Security Directory Suite has multiple vulnerabilities [CVE-2022-33163 and CVE-2022-33168] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001885 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014649 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014651 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014659 ∗∗∗ CVE-2023-0465 may affect IBM CICS TX Advanced 10.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014675 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014693 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to TensorFlow denial of service vulnerabilitiy [CVE-2023-25661] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014695 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to YAML denial of service vulnerabilitiy [CVE-2023-2251] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2023
by Daily end-of-shift report 25 Jul '23

25 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Montag 24-07-2023 18:00 − Dienstag 25-07-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique ∗∗∗ --------------------------------------------- The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. --------------------------------------------- https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html ∗∗∗ Rooting the Amazon Echo Dot ∗∗∗ --------------------------------------------- Thanks to a debug feature implemented by Lab126 (Amazons hardware development company) it is now possible to obtain a tethered root on the device. Thanks to strong security practices enforced by the company such as a chain of trust from the beginning of the boot process, this should not be a major issue. --------------------------------------------- https://dragon863.github.io/blog/echoroot.html ∗∗∗ Will the real Citrix CVE-2023-3519 please stand up? ∗∗∗ --------------------------------------------- While the most recent Citrix Security Advisory identifies CVE-2023-3519 as the only vulnerability resulting in unauthenticated remote code execution, there are at least two vulnerabilities that were patched during the most recent version upgrade. --------------------------------------------- https://www.greynoise.io/blog/will-the-real-citrix-cve-2023-3519-please-sta… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v. These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is Low --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html ∗∗∗ Phishing-Alarm: Unsere Liste mit aktuellen Phishing-Nachrichten ∗∗∗ --------------------------------------------- In Phishing-Nachrichten fordern Kriminelle per E-Mail oder SMS dazu auf, Links zu folgen oder Dateianhänge zu öffnen. So versuchen Kriminelle an Ihre Login-, Bank- oder Kreditkartendaten zu kommen. Jeden Tag werden uns zahlreiche Phishing-Nachrichten gemeldet. Sobald wir neue Phishing-Nachrichten entdecken, ergänzen wir sie in unserem Phishing-Alarm! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-unsere-liste-mit-aktu… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo ∗∗∗ --------------------------------------------- Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0) - CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0) - CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1) --------------------------------------------- https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.h… ∗∗∗ CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (CVSS: 10.0) ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. [..] Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-A… ∗∗∗ F5 Security Advisory K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757 ∗∗∗ --------------------------------------------- This vulnerability may allow an attacker with network access to compromise the affected component. Successful exploit can result in unauthorized ability to cause a partial denial-of-service (DoS) of the affected component. BIG-IP and BIG-IQ Versions known to be vulnerable: BIG-IP (all modules) 13.x-17.x, BIG-IQ Centralized Management 8.0.0-8.3.0 --------------------------------------------- https://my.f5.com/manage/s/article/K000135555 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-20593 ∗∗∗ --------------------------------------------- AMD has released updated microcode to address an issue with certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue. --------------------------------------------- https://support.citrix.com/article/CTX566835/citrix-hypervisor-security-upd… ∗∗∗ Xen Security Advisory XSA-433 x86/AMD: Zenbleed ∗∗∗ --------------------------------------------- This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. [..] In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-433.html ∗∗∗ VMWare VMSA-2023-0016 (CVE-2023-20891) ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 Synopsis: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability Known Attack Vectors: A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0016.html ∗∗∗ TYPO3 12.4.4 and 11.5.30 security releases published ∗∗∗ --------------------------------------------- All versions are security releases and contain important security fixes - read the corresponding security advisories: - TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer (CVE-2023-38500) - TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution (CVE-2023-38499) - TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin (CVE-2023-37905) --------------------------------------------- https://typo3.org/article/typo3-1244-and-11530-security-releases-published ∗∗∗ Lücken gestopft: Apple bringt iOS 16.6, macOS 13.5, watchOS 9.6 und tvOS 16.6 ∗∗∗ --------------------------------------------- Fehlerbehebungen und vor allem sicherheitsrelevante Fixes liefern frische Apple-Updates vom Montagabend. Es gab auch Zero-Day-Löcher. --------------------------------------------- https://heise.de/-9225677 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh). --------------------------------------------- https://lwn.net/Articles/939179/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13.1 ∗∗∗ --------------------------------------------- CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character ilenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/ ∗∗∗ Spring Security 5.6.12, 5.7.10, 5.8.5, 6.0.5, and 6.1.2 are available now, including fixes for CVE-2023-34034 and CVE-2023-34035 ∗∗∗ --------------------------------------------- Those versions fix the following CVEs: - CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern - CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets --------------------------------------------- https://spring.io/blog/2023/07/24/spring-security-5-6-12-5-7-10-5-8-5-6-0-5… ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released four Industrial Control Systems (ICS) advisories on July 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. - ICSA-23-206-01 AXIS A1001 - ICSA-23-206-02 Rockwell Automation ThinManager ThinServer - ICSA-23-206-03 Emerson ROC800 Series RTU and DL8000 Preset Controller - ICSA-23-206-04 Johnson Controls IQ Wifi 6 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/07/25/cisa-releases-four-indus… ∗∗∗ 2023-07-24: Cyber Security Advisory - ABB Ability Zenon directory permission and internal issues ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&Language… ∗∗∗ AMD Cross-Process Information Leak ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500571-AMD-CROSS-PROCESS-INFOR… ∗∗∗ [R1] Stand-alone Security Patch Available for Security Center versions 6.0.0, 6.1.0 and 6.1.1: SC-202307.1-6.x ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-26 ∗∗∗ [R1] Stand-alone Security Patch Available for Security Center version 5.23.1: SC-202307.1-5.23.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-25 ∗∗∗ OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014235 ∗∗∗ SnakeYaml is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014243 ∗∗∗ Node.js http-cache-semantics module is vulnerable to CVE-2022-25881 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014237 ∗∗∗ Wekzeug is vulnerable to CVE-2023-25577 and CVE-2023-23934 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014239 ∗∗∗ Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014241 ∗∗∗ Apache Commons FileUpload and Tomcat are vulnerable to CVE-2023-24998 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014245 ∗∗∗ Xml2js is vulnerable to CVE-2023-0842 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014247 ∗∗∗ Flask is vulnerable to CVE-2023-30861 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014251 ∗∗∗ Apache Commons Codec is vulnerable to PRISMA-2021-0055 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014255 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014253 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ json-20220320.jar is vulnerable to CVE-2022-45688 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014269 ∗∗∗ Apache Kafka is vulnerable to CVE-2022-34917 and CVE-2023-25194 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014273 ∗∗∗ Netplex json-smart-v2 is vulnerable to CVE-2023-1370 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014271 ∗∗∗ Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014281 ∗∗∗ VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014361 ∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20861 and CVE-2023-20863 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014353 ∗∗∗ Netty is vulnerable to CVE-2023-34462 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014357 ∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20860 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014363 ∗∗∗ Apache Commons FileUpload and Apache Tomcat are vulnerable to CVE-2023-24998, CVE-2022-45143, and CVE-2023-28708 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014365 ∗∗∗ VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014369 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014371 ∗∗∗ Google Guava is vulnerable to CVE-2023-2976 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014373 ∗∗∗ Snappy-java is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014375 ∗∗∗ The Bouncy Castle Crypto Package For Java is vulnerable to CVE-2023-33201 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014377 ∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014379 ∗∗∗ Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7011697 ∗∗∗ Multiple vulnerabilities in Apache Log4j affects IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014395 ∗∗∗ IBM Event Streams is affected by multiple Golang Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014403 ∗∗∗ IBM WebSphere Application Server, used in IBM Security Verify Governance Identity Manager, could provide weaker than expected security (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014401 ∗∗∗ The IBM\u00ae Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for X-Force ID 220800 and CVE-2017-12626 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014413 ∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center(CVEs - Remediation\/Fixes) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014429 ∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014379 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to arbitrary code execution due to [CVE-2022-28805] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014459 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service due to [CVE-2021-27212] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014457 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands are vulnerable to denial of service due to [CVE-2022-21349] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014455 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014451 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014453 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014473 ∗∗∗ IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014475 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/876830 ∗∗∗ Watson Query potentially exposes adminstrators key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6569235 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6453431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2023
by Daily end-of-shift report 24 Jul '23

24 Jul '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-07-2023 18:00 − Montag 24-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Eine einfache Aktion beugt Telefonbetrug vor ∗∗∗ --------------------------------------------- Betrüger*innen nutzen gezielt Telefonbücher, um ihre Opfer zu identifizieren. In Visier rücken dabei vor allem ältere Menschen. --------------------------------------------- https://futurezone.at/digital-life/telefonbetrug-vorbeugen-spam-sperren-blo… ∗∗∗ Security baseline for Microsoft Edge version 115 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 115! We have reviewed the new settings in Microsoft Edge version 115 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks ∗∗∗ --------------------------------------------- Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, [...] --------------------------------------------- https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html ∗∗∗ TETRA Radio Code Encryption Has a Flaw: A Backdoor ∗∗∗ --------------------------------------------- A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty. --------------------------------------------- https://www.wired.com/story/tetra-radio-encryption-backdoor/ ∗∗∗ Microsofts gestohlener Schlüssel mächtiger als vermutet ∗∗∗ --------------------------------------------- Ein gestohlener Schlüssel funktionierte möglicherweise nicht nur bei Exchange Online, sondern war eine Art Masterkey für große Teile der Mircrosoft-Cloud. --------------------------------------------- https://heise.de/-9224640 ∗∗∗ Achtung Fake-Shop: vailia-parfuemerie.com ∗∗∗ --------------------------------------------- Bei Vailia Parfümerie finden Sie günstige Kosmetikprodukte und Parfüms. Der Online-Shop macht zwar einen professionellen Eindruck, liefert aber keine Ware. Wenn Sie Ihre Kreditkartendaten als Zahlungsmethode angegeben haben, kommt es entweder zu nicht genehmigten Abbuchungen oder Ihre Daten werden für einen Betrugsversuch zu einem späteren Zeitpunkt missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-vailia-parfuemerie… ∗∗∗ Palo Alto Networks warnt vor P2P-Wurm für Cloud-Container-Umgebungen ∗∗∗ --------------------------------------------- Die neue Malware ist mindestens seit rund zwei Wochen im Umlauf. Sie nimmt eine bekannte Schwachstelle in der Datenbankanwendung Redis ins Visier. --------------------------------------------- https://www.zdnet.de/88410715/palo-alto-networks-warnt-vor-p2p-wurm-fuer-cl… ∗∗∗ Sicherheit: Die AES 128/128 Cipher Suite sollte am IIS deaktiviert werden ∗∗∗ --------------------------------------------- Kurzer Informationssplitter aus dem Bereich der Sicherheit, der Administratoren eines Internet Information-Server (IIS) im Windows-Umfeld interessieren könnte. --------------------------------------------- https://www.borncity.com/blog/2023/07/22/sicherheit-die-aes-128-128-cipher-… ===================== = Vulnerabilities = ===================== ∗∗∗ Zenbleed (CVE-2023-20593) - If you remove the first word from the string "hello world", what should the result be? ∗∗∗ --------------------------------------------- This is the story of how we discovered that the answer could be your root password! [..] AMD have released an microcode update for affected processors. Your BIOS or Operating System vendor may already have an update available that includes it. Workaround: It is highly recommended to use the microcode update. If you can’t apply the update for some reason, there is a software workaround: you can set the chicken bit DE_CFG. This may have some performance cost. --------------------------------------------- https://lock.cmpxchg8b.com/zenbleed.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk). --------------------------------------------- https://lwn.net/Articles/939059/ ∗∗∗ Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo ∗∗∗ --------------------------------------------- Atlassian patches high-severity remote code execution vulnerabilities in Confluence and Bamboo products. --------------------------------------------- https://www.securityweek.com/atlassian-patches-remote-code-execution-vulner… ∗∗∗ AMI MegaRAC SP-X BMC Redfish Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500570-AMI-MEGARAC-SP-X-BMC-R… ∗∗∗ Multiple vulnerabilities affect the embedded Content Navigator in Business Automation Workflow - CVE-2023-24998, 254437 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013897 ∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014039 ∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014057 ∗∗∗ IBM App Connect for Manufacturing is vulnerable to a denial of service due to FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014181 ∗∗∗ IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to Node.js (CVE-2023-23920) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014193 ∗∗∗ IBM Sterling Connect:Direct File Agent is vulnerable to a buffer overflow and unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition (CVE-2023-21930, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009987 ∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server which is a component of IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013889 ∗∗∗ IBM Storage Protect Server is vulnerable to denial of service due to Golang Go ( CVE-2023-24534 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014223 ∗∗∗ IBM Storage Protect Server is vulnerable to sensitive information disclosure due to IBM GSKit ( CVE-2023-32342 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014225 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily