[CERT-daily] Tageszusammenfassung - 18.12.2020

Daily end-of-shift report team at cert.at
Fri Dec 18 18:13:09 CET 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 17-12-2020 18:00 − Freitag 18-12-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Security baseline (FINAL) for Windows 10 and Windows Server, version 20H2 ∗∗∗
---------------------------------------------
We are pleased to announce the final release of the for Windows 10 and Windows Server, version 20H2 (a.k.a. October 2020 Update) security baseline package! 
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393


∗∗∗ A slightly optimistic tale of how patching went for CVE-2019-19781, (Fri, Dec 18th) ∗∗∗
---------------------------------------------
Since we could all probably use a little distraction from the current Solarigate/SUNBURST news, I thought it might be good to look at something a little bit more positive today. Specifically, at how patching of CVE-2019-19781 AKA "Shitrix" AKA "one of the more famous named vulnerabilities from the end of 2019" went.
---------------------------------------------
https://isc.sans.edu/diary/rss/26900


∗∗∗ E-Mails mit gefälschten Domain-Rechnungen im Umlauf ∗∗∗
---------------------------------------------
Derzeit erhalten Unternehmen E-Mails, in denen vorgegeben wird, dass sie für eine Domainregistrierung die Rechnung bezahlen müssten. Tatsächlich haben die EmpfängerInnen jedoch keinen derartigen Auftrag erteilt. Daher sollten Sie nichts bezahlten und die E-Mail ignorieren.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mails-mit-gefaelschten-domain-rechnungen-im-umlauf/


∗∗∗ SUPERNOVA: SolarStorm’s Novel .NET Webshell ∗∗∗
---------------------------------------------
The SolarStorm actors behind the supply chain attack on SolarWinds' Orion software have demonstrated a high degree of technical sophistication and attention to operational security, as well as a novel combination of techniques in the potential compromise of approximately 18,000 SolarWinds customers. As published in the original disclosure, the attackers were observed removing their initial backdoor once a more legitimate method of persistence was obtained.
---------------------------------------------
https://unit42.paloaltonetworks.com/solarstorm-supernova/


∗∗∗ Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia ∗∗∗
---------------------------------------------
ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.
---------------------------------------------
https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/


∗∗∗ Updates zu SolarWinds Orion ∗∗∗
---------------------------------------------
Die Situation um den Supply-Chain Angriff auf SolarWinds Orion Produkt ist um einige Facetten reichter geworden:
---------------------------------------------
https://cert.at/de/aktuelles/2020/12/updates-zu-solarwinds-orion



=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-20-1452: NETGEAR Multiple Routers mini_httpd Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1452/


∗∗∗ ZDI-20-1451: NETGEAR Multiple Routers mini_httpd Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1451/


∗∗∗ VMSA-2020-0029 VMware ESXi, Workstation, Fusion and Cloud Foundation updates address a denial of service vulnerability (CVE-2020-3999) ∗∗∗
---------------------------------------------
A denial of service vulnerability in VMware ESXi, Workstation and Fusion was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0029.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (blueman, chromium, gdk-pixbuf2, hostapd, lib32-gdk-pixbuf2, minidlna, nsd, pam, and unbound), CentOS (gd, openssl, pacemaker, python-rtslib, samba, and targetcli), Debian (kernel, lxml, and mediawiki), Fedora (mbedtls), openSUSE (clamav and openssl-1_0_0), Oracle (firefox and openssl), Red Hat (openssl, postgresql:12, postgresql:9.6, and thunderbird), Scientific Linux (openssl and thunderbird), and SUSE (cyrus-sasl, openssh, slurm_18_08, and webkit2gtk3). 
---------------------------------------------
https://lwn.net/Articles/840731/


∗∗∗ D-LINK Router DSL-2888A: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um die Authentisierung zu umgehen, seine Rechte zu erweitern, Code auszuführen oder Informationen offenzulegen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1246


∗∗∗ Security Bulletin: z/TPF is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-openssl-vulnerability/


∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a security vulnerability (CVE-2020-4764) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-has-addressed-a-security-vulnerability-cve-2020-4764/


∗∗∗ Security Bulletin: Version 12.18.0 of Node.js included in IBM Netcool Operations Insight 1.6.2.x has several security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-12-18-0-of-node-js-included-in-ibm-netcool-operations-insight-1-6-2-x-has-several-security-vulnerabilities/


∗∗∗ Emerson Rosemount X-STREAM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-352-01


∗∗∗ PTC Kepware KEPServerEX ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02


∗∗∗ PTC Kepware LinkMaster ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-352-03


∗∗∗ ctrlX Products affected by OpenSSL Vulnerability CVE-2020-1971 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-274557.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list