[CERT-daily] Tageszusammenfassung - 13.04.2021

Tue Apr 13 18:20:44 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 12-04-2021 18:00 − Dienstag 13-04-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ NAME:WRECK DNS vulnerabilities affect over 100 million devices ∗∗∗
---------------------------------------------
Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/name-wreck-dns-vulnerabilities-affect-over-100-million-devices/


∗∗∗ RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers ∗∗∗
---------------------------------------------
An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave.
---------------------------------------------
https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html


∗∗∗ CISA Details Malware Found on Hacked Exchange Servers ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week published details on additional malware identified on compromised Microsoft Exchange servers, namely China Chopper webshells and DearCry ransomware.
---------------------------------------------
https://www.securityweek.com/cisa-details-malware-found-hacked-exchange-servers


∗∗∗ Unseriöse Kreditkartenabbuchungen von screenacy.co ∗∗∗
---------------------------------------------
Wenn von Ihrer Kreditkarte monatlich ein Betrag von screenacy.co abgebucht wird, ohne dass Sie etwas bestellt oder abonniert haben, sind Sie höchstwahrscheinlich in eine Abo-Falle getappt. Viele Betroffene können nicht nachvollziehen, wo und warum es zu einem Vertragsabschluss gekommen ist - meist aber durch bewusste Täuschung.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-kreditkartenabbuchungen-von-screenacyco/


∗∗∗ Winter 2020 Network Attack Trends: Internet of Threats ∗∗∗
---------------------------------------------
Network attack trends in the Winter quarter of 2020 revealed some interesting trends, such as increased attacker preference for newly released vulnerabilities and a large uptick in attacks deemed Critical. In addition to details of the newly observed exploits, in this blog, we also dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
---------------------------------------------
https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/


∗∗∗ Threat Assessment: Clop Ransomware ∗∗∗
---------------------------------------------
In response to an uptick in Clop ransomware activity, we provide an overview and courses of action that can be used to mitigate it.
---------------------------------------------
https://unit42.paloaltonetworks.com/clop-ransomware/


∗∗∗ Threat Actor Type Inference and Characterization within Cyber Threat Intelligence. (arXiv:2103.02301v3 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
As the cyber threat landscape is constantly becoming increasingly complex and polymorphic, the more critical it becomes to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate with different sources to derive more contextual, accurate, and relevant intelligence.
---------------------------------------------
https://arxiv.org/abs/2103.02301


=====================
=  Vulnerabilities  =
=====================

∗∗∗ [20210402] - Core - Inadequate filters on module layout settings ∗∗∗
---------------------------------------------
Inadequate filters on module layout settings could lead to an LFI.
---------------------------------------------
https://developer.joomla.org:443/security-centre/851-20210402-core-inadequate-filters-on-module-layout-settings.html


∗∗∗ [20210401] - Core - Escape xss in logo parameter error pages ∗∗∗
---------------------------------------------
Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error pages.
---------------------------------------------
https://developer.joomla.org:443/security-centre/850-20210401-core-escape-xss-in-logo-parameter-error-pages.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libpano13), Fedora (mosquitto and perl-Net-CIDR-Lite), Mageia (curl, mongodb, pdfbox, python-jinja2, rygel, spamassassin, tor, velocity, webkit2, and wireshark), openSUSE (umoci), Oracle (389-ds:1.4, kernel, and virt:ol and virt-devel:rhel), Red Hat (kernel and kpatch-patch), Slackware (dnsmasq and irssi), and SUSE (cifs-utils, rubygem-actionpack-4_2, and spamassassin).
---------------------------------------------
https://lwn.net/Articles/852526/


∗∗∗ Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices ∗∗∗
---------------------------------------------
An exploit is now publicly available for a remote code execution vulnerability affecting QNAP network-attached storage (NAS) devices that run the Surveillance Station video management system.
---------------------------------------------
https://www.securityweek.com/exploit-released-critical-vulnerability-affecting-qnap-nas-devices


∗∗∗ SAP Patchday April ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-0370


∗∗∗ ZDI-21-406: (0Day) Microsoft 3D Builder PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-406/


∗∗∗ ZDI-21-405: (0Day) Microsoft Print 3D PLY File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-21-405/


∗∗∗ D-Bus vulnerability CVE-2020-12049 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16729408


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ SSA-163226 V1.0: CELL File Parsing Vulnerability in Tecnomatix RobotExpert ∗∗∗
---------------------------------------------
Siemens Tecnomatix RobotExpert version V16.1 fixes a vulnerability that could be triggered when the application reads CELL files. If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-163226.txt


∗∗∗ SSA-185699 V1.0: Out of Bounds Write Vulnerabilities (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗
---------------------------------------------
Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains two out of bounds write vulnerabilities in the handling of DNS responses that could allow an attacker to cause a denial-of-service condition or to remotely execute code. Siemens has released updates for several affected products [...]
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-185699.txt


∗∗∗ SSA-187092 V1.0: Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200 ∗∗∗
---------------------------------------------
Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-187092.txt


∗∗∗ SSA-201384 V1.0: Predictable UDP Port Number Vulnerability (NAME:WRECK) in the DNS Module of Nucleus Products ∗∗∗
---------------------------------------------
Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerability described in this advisories is from this set. The DNS client of affected products contains a vulnerability related to the handling of UDP port numbers in DNS requests that could allow an attacker to poison the DNS cache or spoof DNS resolving. Siemens has released updates for several affected products and recommends to update [...]
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-201384.txt


∗∗∗ SSA-248289 V1.0: Denial-of-Service Vulnerabilities in the IPv6 Stack of Nucleus Products ∗∗∗
---------------------------------------------
The IPv6 stack of affected products contains two vulnerabilities when processing IPv6 headers which could allow an attacker to cause a denial-of-service condition. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-248289.txt


∗∗∗ SSA-292794 V1.0: Multiple Denial-of-Service Vulnerabilities in SINEMA Remote Connect Server ∗∗∗
---------------------------------------------
The latest update for SINEMA Remote Connect Server fixes two Denial-of-Service vulnerabilities in the underlying third-party XML parser. Siemens has released updates for the affected product and recommends to update to the latest versions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-292794.txt


∗∗∗ SSA-497656 V1.0: Multiple NTP Vulnerabilities in TIM 4R-IE Devices ∗∗∗
---------------------------------------------
There are multiple vulnerabilities in the underlying NTP component of the affected TIM 4R-IE. Siemens recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-497656.txt


∗∗∗ SSA-574442 V1.0: Multiple PAR and DFT File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
Siemens has released a new version for Solid Edge to fix multiple vulnerabilities that could be triggered when the application reads files in different file formats (PAR, DFT extensions). If a user is tricked to open a malicious file with the affected application, this could lead to a crash, and potentially also to arbitrary code execution or data extraction on the target host system. Siemens recommends to update to the latest version and to avoid opening of untrusted files from unknown sources.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-574442.txt


∗∗∗ SSA-669158 V1.0: DNS Client Vulnerabilities in SIMOTICS CONNECT 400 ∗∗∗
---------------------------------------------
SIMOTICS CONNECT 400 is affected by DNS Client vulnerabilities as initially reported in Siemens Security Advisory SSA-705111 for the Mentor DNS Module. Siemens is preparing updates and recommends countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-669158.txt


∗∗∗ SSA-705111 V1.0: Vulnerabilities (NAME:WRECK) in DNS Module of Nucleus Products ∗∗∗
---------------------------------------------
Security researchers discovered and disclosed 9 vulnerabilities in several DNS implementations, also known as “NAME:WRECK” vulnerabilities. The vulnerabilities described in this advisories are from this set. The DNS client of affected products contains multiple vulnerabilities related to the handling of DNS responses and requests. The most severe could allow an attacker to manipulate the DNS responses and cause a denial-of-service condition. Siemens has released updates for several
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-705111.txt


∗∗∗ SSA-761844 V1.0: Multiple Vulnerabilities in Control Center Server (CCS) ∗∗∗
---------------------------------------------
The advisory informs about multiple vulnerabilities in the Central Control Server (CCS) application, as initially reported in SSA-761617 on 2019-12-10 and SSA-844761 on 2020-03-10. The vulnerabilities involve authentication bypass (CVE-2019-18337, CVE-2019-18341), path traversal (CVE-2019-18338, CVE-2019-19290), information disclosure (CVE-2019-13947, CVE-2019-18340, CVE-2019-19291), privilege escalation (CVE-2019-18342), SQL injection (CVE-2019-19292), cross-site scripting [...]
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-761844.txt


∗∗∗ SSA-788287 V1.0: Disclosure of Private Data ∗∗∗
---------------------------------------------
Due to SmartClient Installation technology (ClickOnce) a customer/integrator needs to create a customer specific Smartclient installer. The mentioned products delivered a trusted but yet expired codesigning certificate. An attacker could have exploited the vulnerability by spoofing the code-signing certificate and signing a malicious executable resulting in having a trusted digital signature from a trusted provider. The certificate was revoked immediately.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-788287.txt


∗∗∗ SSA-853866 V1.0: User Credentials Disclosure Vulnerability in Siveillance Video Open Network Bridge (ONVIF) ∗∗∗
---------------------------------------------
Siemens has released hotfixes for Siveillance Video Open Network Bridge (ONVIF) which fix a security vulnerability related to unsecure storage of ONVIF user credentials. The vulnerability could allow an authenticated remote attacker to retrieve and decrypt all user credentials stored on the ONVIF server. Siemens recommends to apply the hotfixes at the earliest opportunity. See also the chapter Additional Information, how to apply the hotfix.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-853866.txt


∗∗∗ SSA-983300 V1.0: Vulnerabilities in LOGO! Soft Comfort ∗∗∗
---------------------------------------------
Two vulnerabilities have been identified in the LOGO! Soft Comfort software. These could allow an attacker to take over a system with the affected software installed. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-983300.txt

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily