[CERT-daily] Tageszusammenfassung - 19.01.2022

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 18-01-2022 18:00 − Mittwoch 19-01-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th) ∗∗∗
---------------------------------------------
[..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18.
---------------------------------------------
https://isc.sans.edu/diary/rss/28254


∗∗∗ Project Zero: Zooming in on Zero-click Exploits ∗∗∗
---------------------------------------------
In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.
---------------------------------------------
https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-exploits.html


∗∗∗ Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays ∗∗∗
---------------------------------------------
Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically,
---------------------------------------------
https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevorspray


∗∗∗ Betrügerische Geldversprechen auf Instagram ∗∗∗
---------------------------------------------
Kriminelle richten sich mit ihren betrügerischen Anfragen insbesondere an junge Frauen und Männer. Sie versprechen ihnen hohe Geldbeträge für anzügliche Fotos oder spielen vor, an der Finanzierung des Lifestyles der betroffenen Personen interessiert zu sein. Wer solche Angebote bekommt, sollte unbedingt Abstand nehmen. Denn es handelt sich um einen Vorschussbetrug, bei dem vorab Zahlungen verlangt werden.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-instagram/


∗∗∗ The Perfect Cyber Crime ∗∗∗
---------------------------------------------
[..] what if criminals were able to acquire large amounts of victims’ credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of “perfect crime” could be a new reality in cyber security. In this blog, we’ll explain how we were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums.
---------------------------------------------
https://safebreach.com/blog/2022/the-perfect-cyber-crime/


∗∗∗ CVE-2022-21661: Exposing Database Info via WordPress SQL Injection ∗∗∗
---------------------------------------------
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it.
---------------------------------------------
https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection



=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress Plugin WP Visitor Statistics 4.7 SQL Injection ∗∗∗
---------------------------------------------
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
CVE: CVE-2021-24750
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022010098


∗∗∗ Oracle Critical Patch Update Advisory - January 2022 ∗∗∗
---------------------------------------------
This Critical Patch Update contains 497 new security patches across the (Anm.: 165) product families listed below.
---------------------------------------------
https://www.oracle.com/security-alerts/cpujan2022.html


∗∗∗ The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975) ∗∗∗
---------------------------------------------
Acer ships most of the laptop it sells with a software suite called Care Center Service installed. In versions up to 4.00.3038 included, one of the suite’s programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in.
---------------------------------------------
https://aptw.tf/2022/01/20/acer-care-center-privesc.html


∗∗∗ Sicherheitsupdate: Mediaplayer Nvidia Shield TV für Schadcode-Attacke anfällig ∗∗∗
---------------------------------------------
Die Entwickler haben mehrere Lücken in der Android-Version für Nvidia Shield TV geschlossen. Insgesamt gilt das Risiko als hoch.
---------------------------------------------
https://heise.de/-6332144


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/881810/


∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rcm-vuls-7cS3Nuq


∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-FmbPu2pe


∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj


∗∗∗ Multiple Cisco Products CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB


∗∗∗ ConfD CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-confdcli-cmdinj-wybQDSSh


∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-01-invalid-en


∗∗∗ Security Advisory - Information Exposure Vulnerability on Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-01-infodis-en


∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-and-ibm-integration-bus-v10-cve-2021-44832-2/


∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-strategic-supply-management-platform-cve-2021-35619/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-45046-3/


∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-program-management-cve-2021-35619/


∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-may-affect-ibm-sterling-b2b-integrator-cve-2021-44228-5/


∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-contract-management-cve-2021-35619/


∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-b2b-integrator-cve-2021-45105-cve-2021-45046-7/


∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-cloud-pak-for-multicloud-management-cve-2021-44832/


∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-file-gateway-cve-2021-44228-6/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-45105-3/


∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-supplier-lifecycle-management-cve-2021-35619/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-44228-4/


∗∗∗ Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for-esri-arcgis-indoors-a-component-of-ibm-tririga-portfolio-data-manager-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j/


∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-cloud-pak-for-watson-ai-ops-is-vulnerable-to-arbitrary-code-execution-cve-2021-45046-and-denial-of-service-cve-2021-45105/


∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-an-information-disclosure-cve-2022-22310/


∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-file-gateway-cve-2021-45105-cve-2021-45046-7/


∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-sourcing-cve-2021-35619/


∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-cloud-pak-for-data-system-1-0-3/


∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


∗∗∗ K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61112120


∗∗∗ K96924184: F5 HTTP profile vulnerability CVE-2022-23022 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K96924184


∗∗∗ K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K82793463


∗∗∗ K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41503304


∗∗∗ K53442005: BIG-IP VE vulnerability CVE-2022-23030 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53442005


∗∗∗ K16101409: BIG-IP AFM vulnerability CVE-2022-23028 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16101409


∗∗∗ K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28042514


∗∗∗ K91013510: SSL Forward Proxy vulnerability CVE-2022-23016 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91013510


∗∗∗ K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08476614


∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K17514331


∗∗∗ K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K93526903


∗∗∗ K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30525503


∗∗∗ K54892865: BIG-IP AFM vulnerability CVE-2022-23024 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54892865


∗∗∗ K29500533: TMUI XSS vulnerability CVE-2022-23013 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K29500533


∗∗∗ K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K50343028


∗∗∗ K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68755210


∗∗∗ K26310765: HTTP/2 profile vulnerability CVE-2022-23012 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K26310765


∗∗∗ K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34360320


∗∗∗ K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30911244


∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K17514331


∗∗∗ K41415626: Transparent DNS Cache can consume excessive resources ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41415626


∗∗∗ K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44110411


∗∗∗ K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08402414


∗∗∗ K11742742: iControl REST vulnerability CVE-2022-23023 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11742742


∗∗∗ K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30573026


∗∗∗ K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24358905


∗∗∗ Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller) ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily