[CERT-daily] Tageszusammenfassung - 10.03.2021

Wed Mar 10 18:16:37 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 09-03-2021 18:30 − Mittwoch 10-03-2021 18:30
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Exchange-Hack: Microsoft-365-Migrationstool durch Textdatei ausgetauscht ∗∗∗
---------------------------------------------
Ein Golem.de-Leser wollte Exchange-Konten des Arbeitgebers auf Microsoft 365 migrieren. Statt des Hilfstools gab es eine Textdatei mit Nachricht.
---------------------------------------------
https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-textdatei-ausgetauscht-2103-154797-rss.html


∗∗∗ Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS ∗∗∗
---------------------------------------------
(Edit: this is CVE-2021-1000002)Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands.
---------------------------------------------
https://mjg59.dreamwidth.org/56106.html


∗∗∗ Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021 ∗∗∗
---------------------------------------------
Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs.
These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/


∗∗∗ SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th) ∗∗∗
---------------------------------------------
With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold?
---------------------------------------------
https://isc.sans.edu/diary/rss/27188


∗∗∗ Researchers Unveil New Linux Malware Linked to Chinese Hackers ∗∗∗
---------------------------------------------
Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog.
---------------------------------------------
https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html


∗∗∗ Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks ∗∗∗
---------------------------------------------
Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.
---------------------------------------------
https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expose-organizations-attacks


∗∗∗ Targeted HelloKitty Ransomware Attack ∗∗∗
---------------------------------------------
SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac705950f


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Microsoft Patch Tuesday - March 2021 ∗∗∗
---------------------------------------------
In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3ecc742


∗∗∗ Patchday Adobe: Schadcode-Lücken in Connect, Creative Cloud und Framemaker ∗∗∗
---------------------------------------------
Der Software-Hersteller Adobe hat in verschiedenen Anwendungen mehrere kritische Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-5076338


∗∗∗ Versionsverwaltung Git 2.30.2. behebt Sicherheitslücke beim Klonen ∗∗∗
---------------------------------------------
Die Schwachstelle ermöglicht unter bestimmten Umständen das Ausführen von Skripten beim Klonen von Repositories.
---------------------------------------------
https://heise.de/-5076502


∗∗∗ SAP-Patchday: Kritische Lücken aus SAP MII und NetWeaver AS für Java beseitigt ∗∗∗
---------------------------------------------
SAP hat unter anderem zwei Sicherheitslücken in Manufacturing Integration and Intelligence (MII) & NetWeaver AS JAVA mit CVSS-Scores nahe der 10 geschlossen.
---------------------------------------------
https://heise.de/-5076543


∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf ∗∗∗
---------------------------------------------
3MF Consortium’s lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition. 
---------------------------------------------
https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).
---------------------------------------------
https://lwn.net/Articles/848973/


∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
CB-K21/0250: QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-0250


∗∗∗ SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt


∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-a-denial-of-service-vulnerability-cve-2020-2781/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-for-multiplatforms-jan-2021-cpu-cve-2020-27221/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-go-denial-of-service-vulnerability-cve-2020-7919/


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2020 and Jan 2021 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-and-jan-2021/


∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-a-code-execution-vulnerability-cve-2020-4464/


∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-vulnerabilities-in-docker-cve-2021-21285-cve-2021-21284/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-planning-q12021/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-application-manager-oct-2020-cpu-cve-2020-14782/


∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-cve-2020-5016/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-application-manager-jan-2021-cpu-cve-2020-27221/


∗∗∗ BIG-IQ DCD vulnerability CVE-2021-22996 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IQ HA vulnerability CVE-2021-22995 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IQ HA vulnerability CVE-2021-22997 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_medium=RSS


∗∗∗ F5 TMUI XSS vulnerability CVE-2021-22994 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23003 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP ASM iControl REST vulnerability CVE-2021-23001 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP TMM vulnerability CVE-2021-23000 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP SNAT vulnerability CVE-2021-22998 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IQ HA vulnerability CVE-2021-23005 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP MPTCP vulnerability CVE-2021-23004 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IQ XSS vulnerability CVE-2021-23006 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP APM VPN vulnerability CVE-2021-23002 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_medium=RSS


∗∗∗ TMM buffer-overflow vulnerability CVE-2021-22991 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_medium=RSS


∗∗∗ TMUI authenticated remote command execution vulnerability CVE-2021-22988 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_medium=RSS


∗∗∗ Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_medium=RSS


∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2021-22999 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_medium=RSS


∗∗∗ Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_medium=RSS


∗∗∗ iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_medium=RSS


∗∗∗ Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_medium=RSS


∗∗∗ Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_medium=RSS


∗∗∗ glibc vulnerability CVE-2021-3326 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_medium=RSS

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily