[CERT-daily] Tageszusammenfassung - 19.02.2021

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 18-02-2021 18:00 − Freitag 19-02-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Dimitri Robl

=====================
=       News        =
=====================

∗∗∗ RIPE NCC Internet Registry discloses SSO credential stuffing attack ∗∗∗
---------------------------------------------
RIPE NCC is warning members that they suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ripe-ncc-internet-registry-discloses-sso-credential-stuffing-attack/


∗∗∗ Microsoft: Solarwinds-Angriffe gingen nach Auffliegen weiter ∗∗∗
---------------------------------------------
Microsoft bestätigt Angriffe der Solarwinds-Hacker bis in den Januar. Die Angreifer konnten zudem Quellcode herunterladen.
---------------------------------------------
https://www.golem.de/news/microsoft-solarwinds-angriffe-gingen-nach-auffliegen-weiter-2102-154339-rss.html


∗∗∗ Router Security ∗∗∗
---------------------------------------------
This report is six months old, and I don’t know anything about the organization that produced it, but it has some alarming data about router security.Conclusion: Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years.
---------------------------------------------
https://www.schneier.com/blog/archives/2021/02/router-security.html


∗∗∗ myMail Manages Your Mailbox… in a Strange Way! ∗∗∗
---------------------------------------------
myMail is a popular (10M+ downloads!) alternative email client for mobile devices. Available for iOS and Android, it is a powerful email client compatible with most of the mail providers (POP3/IMAP, Gmail, Yahoo!, Outlook, and even ActiveSync).
---------------------------------------------
https://blog.rootshell.be/2021/02/19/mymail-manages-your-mailbox-in-a-strange-way/


∗∗∗ Dynamic Data Exchange (DDE) is Back in the Wild?, (Fri, Feb 19th) ∗∗∗
---------------------------------------------
DDE or "Dynamic Data Exchange" is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects.
---------------------------------------------
https://isc.sans.edu/diary/rss/27116


∗∗∗ Kriminelle versuchen an Ihre Microsoft-Zugangsdaten zu kommen ∗∗∗
---------------------------------------------
Gerade durch das vermehrte Arbeiten im Home-Office werden Absprachen und Planungen immer stärker in die digitale Welt verlagert. Der „Microsoft Planner“ ist ein oft genutztes Werkzeug, um den Überblick zu behalten – das wissen auch BetrügerInnen. Denn im Namen des „Microsoft Planner“ verschicken Kriminelle derzeit E-Mails in der Hoffnung, dass die EmpfängerInnen Ihre Microsoft-Zugangsdaten preisgeben.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versuchen-an-ihre-microsoft-zugangsdaten-zu-kommen/


∗∗∗ IronNetInjector: Turla’s New Malware Loading Tool ∗∗∗
---------------------------------------------
IronPython has been used for malicious purposes before, but in its new malware loading tool IronNetInjector, threat group Turla uses it in a new way.
---------------------------------------------
https://unit42.paloaltonetworks.com/ironnetinjector/


∗∗∗ SectopRAT Adds Encrypted Communication ∗∗∗
---------------------------------------------
SectopRAT first appeared in 2019, but a recent version discovered by G DATA shows it has evolved since original analysis.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/1c75b182cb0446128ac95b0e49cc5a26



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security Advisory: Privilege Management for Unix & Linux (PMUL) Basic and Privilege Management for Mac (PMM) Affected by Sudo Vulnerability ∗∗∗
---------------------------------------------
​On January 26, 2021, the Qualys research team disclosed a heap overflow vulnerability (CVE-2021-3156) within sudo that allows any unprivileged user to gain root privileges on Linux without requiring a password. BeyondTrust PBsudo/Privilege Management for Unix & Linux Basic is affected by this CVE. Apple also acknowledged and released updates to macOS for this CVE on Feb 10, 2021. Based on macOS releases, we confirmed that Privilege Management for Mac (PMM) is also impacted by this
---------------------------------------------
https://www.beyondtrust.com/blog/entry/security-advisory-privilege-management-for-unix-linux-pmul-basic-and-privilege-management-for-mac-pmm-affected-by-sudo-vulnerability


∗∗∗ VU#240785: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs ∗∗∗
---------------------------------------------
OverviewAtlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.DescriptionThe Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.ImpactBy placing a specially-crafted DLL
---------------------------------------------
https://kb.cert.org/vuls/id/240785


∗∗∗ Ceritude Securiy Advisory - CSA-2021-001: CSRF in Apache MyFaces (CVE-2021-26296) ∗∗∗
---------------------------------------------
Apache MyFaces is an open-source implementation of JSF. During a quick evaluation, Certitude found that the default CSRF protection of Apache MyFaces was insufficient as the CSRF tokens the framework generates can be guessed by an attacker.
---------------------------------------------
https://certitude.consulting/advisories/CSA_2021_001_Cross_Site_Request_Forgery_in_Apache_MyFaces.md.txt


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, libbsd, openssl1.0, php-horde-text-filter, qemu, and unrar-free), Fedora (kiwix-desktop and libntlm), Mageia (coturn, mediawiki, privoxy, and veracrypt), openSUSE (buildah, libcontainers-common, podman), Oracle (kernel, nss, and perl), Red Hat (xterm), SUSE (java-1_7_1-ibm, php74, python-urllib3, and qemu), and Ubuntu (libjackson-json-java and shiro).
---------------------------------------------
https://lwn.net/Articles/846787/


∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a directory traversal vulnerability (CVE-2021-20354) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-cve-2021-20354/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-5/


∗∗∗ Security Bulletin: Vulnerabilities in XStream, Apache HTTP, Jackson Databind, OpenSSL, and Node.js affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-xstream-apache-http-jackson-databind-openssl-and-node-js-affect-ibm-spectrum-control/


∗∗∗ OpenSSL vulnerability CVE-2021-23840 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24624116


∗∗∗ OpenSSL vulnerability CVE-2021-23839 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61903372


∗∗∗ OpenSSL vulnerability CVE-2021-23841 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52833764


∗∗∗ cURL vulnerability CVE-2020-8284 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K63525058


∗∗∗ cURL vulnerability CVE-2020-8285 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61186963


∗∗∗ cURL vulnerability CVE-2020-8286 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15402727


∗∗∗ Johnson Controls Metasys Reporting Engine (MRE) Web Services ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-049-01


∗∗∗ Mitsubishi Electric FA engineering software products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily