[CERT-daily] Tageszusammenfassung - 02.09.2020
Daily end-of-shift report
team at cert.at
Wed Sep 2 18:30:14 CEST 2020
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 01-09-2020 18:00 − Mittwoch 02-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attackers abuse Google DNS over HTTPS to download malware ∗∗∗
---------------------------------------------
More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/
∗∗∗ Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks, (Tue, Sep 1st) ∗∗∗
---------------------------------------------
LDAP, like many UDP based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS and we have talked about this in the past. But LDAP is another protocol that is often abused.
---------------------------------------------
https://isc.sans.edu/diary/rss/26526
∗∗∗ Using assert() to Execute Malware in PHP 7 Environments ∗∗∗
---------------------------------------------
Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language — which is likely why attackers are creating malware to target environments which leverage it. During a recent investigation, our team stumbled across some malicious code which is used to inject a .user.ini file into a PHP 7 environment and add zend.assertions = 1.
---------------------------------------------
https://blog.sucuri.net/2020/09/using-assert-to-execute-malware-php-7.html
∗∗∗ Cloud firewall management API SNAFU put 500k SonicWall customers at risk ∗∗∗
---------------------------------------------
TL;DR I found an IDOR in SonicWall’s cloud management platform API Any user could add themselves to any account at any organisation using it Anyone could create a user account [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cloud-firewall-management-api-snafu-put-500k-sonicwall-customers-at-risk/
∗∗∗ Erpressungs-Mail mit Bombendrohung massenhaft versendet ∗∗∗
---------------------------------------------
Vorsicht vor einer betrügerischen Erpressungs-E-Mail: Kriminelle versenden Nachrichten, in denen sie behaupten, dass eine Bombe im Geschäftsgebäude der EmpfängerInnen platziert wurde. Sollten die Unternehmen, die die Nachrichten erhalten haben, nicht binnen 80 Stunden 20.000 Dollar in Bitcoin bezahlen, soll diese explodieren. Die E-Mail ist frei erfunden und es muss nichts bezahlt werden!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungs-mail-mit-bombendrohung-massenhaft-versendet/
=====================
= Vulnerabilities =
=====================
∗∗∗ New Intel microcode updates for Windows 10 fix CPU hardware bugs ∗∗∗
---------------------------------------------
Microsoft has released a new batch of Intel microcode updates for Windows 10 2004, 1909, 1903, and older versions to fix hardware bugs in Intel CPUs.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/new-intel-microcode-updates-for-windows-10-fix-cpu-hardware-bugs/
∗∗∗ Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws ∗∗∗
---------------------------------------------
Two flaws - one of them yet to be fixed - are afflicting a third-party plugin used by Magento e-commerce websites.
---------------------------------------------
https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-plugin-flaws/158864/
∗∗∗ Verschlüsselung: TLS-1.3-Fauxpas gefährdet Embedded-Systeme mit wolfSSL ∗∗∗
---------------------------------------------
Aus Sicherheitsgründen sollten Admins die TLS-Programmbibliothek wolfSSL auf den aktuellen Stand bringen.
---------------------------------------------
https://heise.de/-4883741
∗∗∗ TYPO3-EXT-SA-2020-017: Multiple vulnerabilities in extension "Event management and registration" (sf_event_mgt) ∗∗∗
---------------------------------------------
It has been discovered that the extension "Event management and registration" (sf_event_mgt) is susceptible to Information Disclosure and Broken Access Control.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2020-017
∗∗∗ TYPO3-EXT-SA-2020-016: Information Disclosure in extension "Localization Manager" (l10nmgr) ∗∗∗
---------------------------------------------
It has been discovered that the extension "Localization Manager" (l10nmgr) is susceptible to Information Disclosure.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2020-016
∗∗∗ 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin ∗∗∗
---------------------------------------------
This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released this morning [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox), Mageia (mutt and putty), openSUSE (ldb, samba, libqt5-qtbase, opera, and postgresql10), Red Hat (bash, kernel, and libvncserver), SUSE (apache2, curl, and squid), and Ubuntu (ark, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, [...]
---------------------------------------------
https://lwn.net/Articles/830392/
∗∗∗ Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-red-lion-n-tron-702-w-red-lion-n-tron-702m12-w/
∗∗∗ Security Advisory - Command Injection Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-01-command-en
∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-03-smartphone-en
∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-07-smartphone-en
∗∗∗ Security Advisory - Remote Code Execution vulnerability in Apache Struts 2 ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-01-struts2-en
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.9.0 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-68-9-0-esr-hava-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-2-0/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-cross-site-scripting-vulnerability-4/
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Spectrum Scale Transparent Cloud Tiering (177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-codec-affects-ibm-spectrum-scale-transparent-cloud-tiering-177835/
∗∗∗ Security Bulletin: Code injection vulnerability in IBM Spectrum Protect Operations Center (CVE-2020-4693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-code-injection-vulnerability-in-ibm-spectrum-protect-operations-center-cve-2020-4693/
∗∗∗ Security Bulletin: Information Disclosure vulnerability in IBM Spectrum Protect Server (CVE-2020-4591) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-ibm-spectrum-protect-server-cve-2020-4591-2/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-use-of-hard-coded-credentials-vulnerabilities-3/
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a Java vulnerability (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transparent-cloud-tiering-is-affected-by-a-java-vulnerability-cve-2020-2654/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-os-command-injection-vulnerabilities-8/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-guardium-6/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-os-command-injection-vulnerabilities-7/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list