[CERT-daily] Tageszusammenfassung - 13.12.2022

Daily end-of-shift report team at cert.at
Tue Dec 13 18:56:49 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 12-12-2022 18:00 − Dienstag 13-12-2022 18:00
Handler:     Stephan Richter
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Amazon ECR Public Gallery flaw could have wiped or poisoned any image ∗∗∗
---------------------------------------------
The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours.
While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ecr-public-gallery-flaw-could-have-wiped-or-poisoned-any-image/


∗∗∗ IIS modules: The evolution of web shells and how to detect them ∗∗∗
---------------------------------------------
This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations. 
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/


∗∗∗ A Deep Dive into BianLian Ransomware ∗∗∗
---------------------------------------------
BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.
---------------------------------------------
https://resources.securityscorecard.com/research/bian-lian-deep-dive


∗∗∗ New Python-Based Backdoor Targeting VMware ESXi Servers ∗∗∗
---------------------------------------------
Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers’ attention was the simplicity, persistence, and capabilities of the deployed backdoor.
---------------------------------------------
https://www.securityweek.com/new-python-based-backdoor-targeting-vmware-esxi-servers


∗∗∗ What’s My Name Again? Reolink camera command injection ∗∗∗
---------------------------------------------
TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless.
---------------------------------------------
https://www.pentestpartners.com/security-blog/whats-my-name-again-reolink-camera-command-injection/


∗∗∗ Aktuelle Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗
---------------------------------------------
Seit ca. zwei Wochen sehen sich vermehrt österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur mit DDoS Angriffen konfrontiert. Die genauen Hintergründe und Motive der Attacken sind uns zurzeit nicht bekannt. Die Täter:innen greifen hierbei zu verschiedenen Methoden und versuchen auch, sich an getroffene Gegenmaßnahmen anzupassen.
---------------------------------------------
https://cert.at/de/aktuelles/2022/12/aktuelle-welle-an-ddos-angriffen-auf-staatsnahe-und-kritische-infrastruktur-in-osterreich


∗∗∗ REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns ∗∗∗
---------------------------------------------
A new wave of scams utilizes Facebook’s tagging feature to trick Page owners into believing they’ve violated Facebook’s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owner’s credentials.
---------------------------------------------
https://blog.f-secure.com/f-alert-report-a-new-trick-from-facebook-scammers-and-sharkbot-android-malware-returns/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Redmine vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
Redmine contains a cross-site scripting vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN60211811/


∗∗∗ Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases ∗∗∗
---------------------------------------------
today weve released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes [unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.]
---------------------------------------------
https://lists.typo3.org/pipermail/typo3-announce/2022/000523.html


∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗
---------------------------------------------
several vulnerabilities have been found in the following third party TYPO3 extensions:
 * "Change password for frontend users" (fe_change_pwd)
 * "Newsletter subscriber management" (fp_newsletter)
 * "Master-Quiz" (fp_masterquiz)
For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018 which were published today
---------------------------------------------
https://lists.typo3.org/pipermail/typo3-announce/2022/000524.html


∗∗∗ OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996) ∗∗∗
---------------------------------------------
Severity: Low
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.
---------------------------------------------
https://www.openssl.org/news/secadv/20221213.txt


∗∗∗ Patchday SAP: 14 neue Sicherheitsmeldungen im Dezember ∗∗∗
---------------------------------------------
Zum Jahresende behandelt SAP in 14 Sicherheitsnotizen Schwachstellen in der Software des Unternehmens. IT-Verantwortliche sollten die Updates rasch anwenden.
---------------------------------------------
https://heise.de/-7392718


∗∗∗ Jetzt patchen! Kritische Zero-Day-Lücke in FortiOS wird angegriffen ∗∗∗
---------------------------------------------
Fortinet meldet eine kritische Sicherheitslücke in FortiOS. Cyberkriminelle missbrauchen diese bereits für Angriffe. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7392455


∗∗∗ VMSA-2022-0031 ∗∗∗
---------------------------------------------
Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703)    
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0031.html


∗∗∗ VMSA-2022-0033 ∗∗∗
---------------------------------------------
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)    
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0033.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).
---------------------------------------------
https://lwn.net/Articles/917749/


∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6 ∗∗∗
---------------------------------------------
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/


∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.6 ∗∗∗
---------------------------------------------
CVE-2022-46880: Use-after-free in WebGL
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46881: Memory corruption in WebGL
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
CVE-2022-46882: Use-after-free in WebGL
CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/


∗∗∗ Security Vulnerabilities fixed in Firefox 108 ∗∗∗
---------------------------------------------
CVE-2022-46871: libusrsctp library out of date
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
CVE-2022-46877: Fullscreen notification bypass
CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
CVE-2022-46879: Memory safety bugs fixed in Firefox 108
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/


∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 ∗∗∗
---------------------------------------------
A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.
CVE-ID: CVE-2022-27518
---------------------------------------------
https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518


∗∗∗ Privilege Escalation Schwachstellen (UNIX Insecure File Handling) in SAP® Host Agent (saposcol) ∗∗∗
---------------------------------------------
Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/privilege-escalation-schwachstelle-unix-insecure-file-handling-sap-saposcol/


∗∗∗ ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS) ∗∗∗
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03


∗∗∗ ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online ∗∗∗
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-02


∗∗∗ ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01


∗∗∗ Wiesemann & Theis multiple products prone to web interface vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-057/


∗∗∗ Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-038/


∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847315


∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6619729


∗∗∗ IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/571419


∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847341


∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847351


∗∗∗ Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847349


∗∗∗ Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847337


∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847563


∗∗∗ WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847593


∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847591


∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847587


∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847595


∗∗∗ Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6842215


∗∗∗ Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6842235

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list