[CERT-daily] Tageszusammenfassung - 09.07.2021

Fri Jul 9 18:11:54 CEST 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 08-07-2021 18:00 − Freitag 09-07-2021 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Kaseya warns of phishing campaign pushing fake security updates ∗∗∗
---------------------------------------------
Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kaseya-warns-of-phishing-campaign-pushing-fake-security-updates/


∗∗∗ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability ∗∗∗
---------------------------------------------
On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/


∗∗∗ Hancitor tries XLL as initial malware file, (Fri, Jul 9th) ∗∗∗
---------------------------------------------
On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc.  I tried one of the email links in my lab and received the malicious XLL file.  After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.
---------------------------------------------
https://isc.sans.edu/diary/rss/27618


∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Business Process Automation ∗∗∗
---------------------------------------------
Der Netzwerkausrüster Cisco hat für verschiedene Produkte Patches veröffentlicht, die mehrere Sicherheitslücken schließen.
---------------------------------------------
https://heise.de/-6133522


∗∗∗ ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks ∗∗∗
---------------------------------------------
The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports.
---------------------------------------------
https://www.securityweek.com/zloader-adopts-new-macro-related-delivery-technique-recent-attacks


∗∗∗ CVE-2021-28474: SharePoint Remote Code Execution via Server-Side Control Interpretation Conflict ∗∗∗
---------------------------------------------
In May of 2021, Microsoft released a patch to correct CVE-2021-28474, a remote code execution bug in supported versions of Microsoft SharePoint Server. This bug was reported to ZDI by an anonymous researcher and is also known as ZDI-21-574. This blog takes a deeper look at the root cause of this vulnerability.
---------------------------------------------
https://www.thezdi.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict


∗∗∗ Ransomwhere project wants to create a database of past ransomware payments ∗∗∗
---------------------------------------------
A new website launched this week wants to create a crowdfunded, free, and open database of past ransomware payments in the hopes of expanding visibility into the broader picture of the ransomware ecosystem.
---------------------------------------------
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd).
---------------------------------------------
https://lwn.net/Articles/862299/


∗∗∗ Rockwell Automation MicroLogix 1100 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Rockwell Automation MicroLogix 1100.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-189-01


∗∗∗ MDT AutoSave ∗∗∗
---------------------------------------------
This advisory contains mitigations for Inadequate Encryption Strength, SQL Injection, Relative Path Traversal, Command Injection, Uncontrolled Search Path Element, Generation of Error Message Containing Sensitive Information, and Unrestricted Upload of File with Dangerous Type in MDT Software in MDT Autosave Products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-189-02


∗∗∗ Vulnerabilities in CODESYS V2 runtime systems ∗∗∗
---------------------------------------------
BOSCH-SA-475180: The control systems SYNAX, Visual Motion, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contain PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH published a security bulletin (1) about a weakness in the protocol for the communication between the PLC runtime and clients. By exploiting the vulnerability, attackers can send crafted communication packets which may result in a denial of service condition or allow in worst case remote code execution.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-475180.html


∗∗∗ voidtools "Everything" vulnerable to HTTP header injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN68971465/


∗∗∗ Apache Pulsar vulnerability CVE-2021-22160 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68146245


∗∗∗ Apache vulnerability CVE-2021-30641 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13815051


∗∗∗ Advisory: Denial of service vulnerability on Automation Runtime webserver ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1625405588264-en-original-1.0.pdf


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-4590-2/


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2019-17006-cve-2019-17023-cve-2020-12403-2/


∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL injection ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-sql-injection/


∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to a denial of service vulnerability in Angular.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-a-denial-of-service-vulnerability-in-angular-js/


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-11868-cve-2020-13817-2/


∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Solr ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-multiple-vulnerabilities-in-apache-solr/


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-14579-cve-2020-14578-cve-2020-14577-2/


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-14782-2/


∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-a-security-vulnerability-cve-2020-10531-2/


∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is vulnerable to cross-site scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-analyzer-is-vulnerable-to-cross-site-scripting/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily