[CERT-daily] Tageszusammenfassung - 13.04.2023
Daily end-of-shift report
team at cert.at
Thu Apr 13 18:52:22 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-04-2023 18:00 − Donnerstag 13-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ (Gepatchte aber dennoch) üble Sicherheitslücke in (einer optionalen Komponente von) Microsoft Windows ∗∗∗
---------------------------------------------
Es entbehrt nicht einer gewissen Ironie, dass die meisten Blogeinträge, welche sich in den letzten Monaten mit Sicherheitslücken in Produkten von Microsoft beschäftigt haben, von dem Mitarbeiter des CERT stammen, dessen Kenntnisse rund um Windows, Office und den ganzen Rest wohl mit Abstand am schwächsten sind - und damit herzlich willkommen zu einem weiteren Beitrag, welcher diese Kriterien vollständig erfüllt.
---------------------------------------------
https://cert.at/de/blog/2023/4/gepatchte-aber-dennoch-uble-sicherheitslucke-in-einer-optionalen-komponente-von-microsoft-windows
∗∗∗ NTP-Schwachstelle: Offenbar weniger bedrohlich als zunächst vermutet ∗∗∗
---------------------------------------------
Entwarnung: Nach der BSI-Warnung vor einer kritischen Lücke in NTP kommen IT-Experten bei der Analyse auf eine geringere Bedrohung. NTP will Patches liefern.
---------------------------------------------
https://heise.de/-8949340
∗∗∗ Uncommon infection methods—part 2 ∗∗∗
---------------------------------------------
Kaspersky researchers discuss infection methods used by Mirai-based RapperBot, Rhadamantys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive.
---------------------------------------------
https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/
∗∗∗ New Python-Based "Legion" Hacking Tool Emerges on Telegram ∗∗∗
---------------------------------------------
An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
---------------------------------------------
https://thehackernews.com/2023/04/new-python-based-legion-hacking-tool.html
∗∗∗ Indirect Prompt Injection Threats ∗∗∗
---------------------------------------------
If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information. The user doesnt have to ask about the website or do anything except interact with Bing Chat while the website is opened in the browser.
---------------------------------------------
https://greshake.github.io/
∗∗∗ Malware Disguised as Document from Ukraines Energoatom Delivers Havoc Demon Backdoor ∗∗∗
---------------------------------------------
[...] FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants. [...] Aside from highlighting the technical details of this latest multi-staged attack [...] this article also discusses some strange artifacts that make us think this could be a work-in-progress or part of a red-team exercise.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/malware-disguised-as-document-ukraine-energoatom-delivers-havoc-demon-backdoor
∗∗∗ BSI-Studie: Gängige Mikrocontroller sind für Hardware-Angriffe anfällig ∗∗∗
---------------------------------------------
Bei Hardware-Sicherheitstoken und Krypto-Wallets, smarten Schlössern und Kassensystemen haben Hacker leichtes Spiel, warnen Fraunhofer-Forscher im BSI-Auftrag.
---------------------------------------------
https://heise.de/-8949244
∗∗∗ Vorsicht vor Fake Urlaubsangeboten! ∗∗∗
---------------------------------------------
Die Urlaubszeit rückt langsam aber sicher näher, das treibt auch Kriminelle auf den Plan. Betrügerische Anbieter wie Kofi Vermittlung (kofireisen.com) versuchen Sie mit angeblich günstigen Angeboten abzuzocken! Achten Sie bei der Urlaubsbuchung auf folgende Warnsignale für entspannte Ferien statt einer Kostenfalle!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-urlaubsangeboten/
∗∗∗ Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land ∗∗∗
---------------------------------------------
The Vice Society ransomware gang exfiltrated victim network data using a custom Microsoft PowerShell script. We dissect how each function of it works.
---------------------------------------------
https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Softwareentwicklung: Jenkins-Plug-ins verwundbar, viele Updates stehen noch aus ∗∗∗
---------------------------------------------
Software-Entwicklungsumgebungen mit Jenkins sind attackierbar. Bislang sind nur wenige betroffene Plug-ins abgesichert.
---------------------------------------------
https://heise.de/-8949204
∗∗∗ Sicherheitsupdates: Netzwerkanalysetool Wireshark anfällig für DoS-Attacken ∗∗∗
---------------------------------------------
Die Wireshark-Entwickler haben zwei neue Versionen des Tools veröffentlicht. Darin haben sie unter anderem drei Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-8949661
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/928976/
∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. April 2023) ∗∗∗
---------------------------------------------
Zum 11. April 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1).
---------------------------------------------
https://www.borncity.com/blog/2023/04/13/windows-7-server-2008-r2-server-2012-r2-updates-11-april-2023/
∗∗∗ Patchday: Microsoft Office Updates (11. April 2023) ∗∗∗
---------------------------------------------
Am 11. April 2023 (zweiter Dienstag im Monat, Microsoft Patchday) hat Microsoft mehrere sicherheitsrelevante Updates für noch unterstützte Microsoft Office Versionen und andere Produkte veröffentlicht. Mit dem April 2023-Patchday endet der Support für Office 2013.
---------------------------------------------
https://www.borncity.com/blog/2023/04/13/patchday-microsoft-office-updates-11-april-2023/
∗∗∗ Drupal: Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-013
∗∗∗ Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-solutions-exposes-video-security-data/
∗∗∗ Mattermost security updates 7.9.2 / 7.8.3 (ESR) / 7.7.4 / 7.1.8 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7-4-7-1-8-esr-released/
∗∗∗ Multiple Vulnerabilities in the Autodesk® AutoCAD® Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0005
∗∗∗ MISP 2.4.170 released with new features, workflow improvements and bugs fixed ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.170
∗∗∗ CVE-2023-0004 PAN-OS: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0004
∗∗∗ CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0005
∗∗∗ CVE-2023-0006 GlobalProtect App: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0006
∗∗∗ Spring Framework 6.0.8, 5.3.27 and 5.2.24.RELEASE fix cve-2023-20863 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/13/spring-framework-6-0-8-5-3-27-and-5-2-24-release-fix-cve-2023-20863
∗∗∗ B. Braun Battery Pack SP with Wi-Fi ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-103-01
∗∗∗ DataPower Operations Dashboard vulnerable to multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983234
∗∗∗ AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-28528) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983232
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983270
∗∗∗ A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983272
∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983454
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983456
∗∗∗ IBM Maximo Asset Management is vulnerable to HTML injection (CVE-2023-27864) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983460
∗∗∗ IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983480
∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983482
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to denial of service due to [CVE-2022-37603] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983484
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983486
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983490
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983492
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list