[CERT-daily] Tageszusammenfassung - 19.12.2022
Daily end-of-shift report
team at cert.at
Mon Dec 19 18:28:19 CET 2022
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-12-2022 18:00 − Montag 19-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗
---------------------------------------------
Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines.
---------------------------------------------
https://isc.sans.edu/diary/rss/29354
∗∗∗ Day 3 — Next Level Font Obfuscation ∗∗∗
---------------------------------------------
Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.
---------------------------------------------
https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5
∗∗∗ Venom ∗∗∗
---------------------------------------------
Venom is a C++ library that is meant to give an alternative way to communicate, instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and wont raise suspicious) and stealing one of its sockets to perform the network operations.
---------------------------------------------
https://github.com/Idov31/Venom
∗∗∗ Exploiting API Framework Flexibility ∗∗∗
---------------------------------------------
The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches.
---------------------------------------------
https://attackshipsonfi.re/p/exploiting-api-framework-flexibility
∗∗∗ Fake Shops und Phishing-SMS: Die Betrugsmaschen im Online-Weihnachtsgeschäft ∗∗∗
---------------------------------------------
Weihnachten bedeutet auch wieder Hochsaison für Betrüger, die mit gefälschten Shops und irreführenden SMS auf das Geld ihrer Opfer aus sind.
---------------------------------------------
https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-die-betrugsmaschen-im-online-weihnachtsgeschaeft
∗∗∗ BSI legt 19 IT-Grundschutz-Bausteine als Final Draft vor ∗∗∗
---------------------------------------------
Kurzer Hinweis für Administratoren und IT-Dienstleister, die im Unternehmensumfeld aktiv sind. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat diese Woche 19 sogenannte IT-Grundschutz-Bausteine als sogenannte Final Drafts vorgelegt. Das reicht von .NET über Active Directory Domain Services bis hin zu Windows Server.
---------------------------------------------
https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-bausteine-als-final-draft-vor/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗
---------------------------------------------
Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastPublishedStartDate=2022%2F12%2F15&lastPublishedEndDate=2022%2F12%2F17
∗∗∗ HP kümmert sich mit BIOS-Updates um Schadcode-Lücken ∗∗∗
---------------------------------------------
Sicherheitsupdates schließen mehrere Schwachstellen in HP-Computern. Einige Lücken betreffen ausschließlich AMD-Systeme.
---------------------------------------------
https://heise.de/-7398783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/918203/
∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_24
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗
---------------------------------------------
Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.
---------------------------------------------
https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bulletin-for-cve20223643-cve202242328-cve202242329
∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN06093462/
∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13075438/
∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1681/
∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024
∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6845928
∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6841801
∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848587
∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848585
∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848583
∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848577
∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848581
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848847
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848879
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list