=====================
= End-of-Day report =
=====================
Timeframe: Thursday 19-12-2024 18:00 − Friday 20-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
=       News        =
=====================
∗∗∗ From our own organisation: CERT.at is hiring a Junior IT Security Analyst (m/f/d - full-time - Vienna) ∗∗∗
---------------------------------------------
For our ongoing routine operations we are currently looking for someone entering or switching careers who has an interest in IT security.
---------------------------------------------
https://www.cert.at/de/ueber-uns/jobs/
∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗
---------------------------------------------
The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects...

∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗
---------------------------------------------
This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventur...

∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗
---------------------------------------------
While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP".
---------------------------------------------
https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
∗∗∗ NTLM on its way out: partially removed from Windows 11 24H2 and Server 2025 ∗∗∗
---------------------------------------------
Largely unnoticed, NTLMv1 has also been removed from Windows 11 24H2 and Server 2025.
---------------------------------------------
https://heise.de/-10217239
=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1718/

∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1724/

∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗
---------------------------------------------
Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084.
---------------------------------------------
https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot).
---------------------------------------------
https://lwn.net/Articles/1003019/

∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027

∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-21