[CERT-daily] Daily summary - 19.04.2023

Daily end-of-shift report team at cert.at
Wed Apr 19 18:30:44 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 18-04-2023 18:00 − Wednesday 19-04-2023 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Critical Patch Update: Oracle addresses 433 security vulnerabilities ∗∗∗
---------------------------------------------
Software vendor Oracle has released numerous security updates for its applications. Some of the vulnerabilities are rated critical.
---------------------------------------------
https://heise.de/-8971485


∗∗∗ Security updates: Dell only now secures laptops vulnerable since 2022 ∗∗∗
---------------------------------------------
BIOS updates for Dell models including the Alienware and Inspiron series close two security vulnerabilities.
---------------------------------------------
https://heise.de/-8971821


∗∗∗ When old routers give away company secrets ∗∗∗
---------------------------------------------
When decommissioning their old hardware, many companies throw the baby out with the bathwater.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmengeheimnisse-preisgeben/


∗∗∗ Hackers actively exploit critical RCE bug in PaperCut servers ∗∗∗
---------------------------------------------
Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/


∗∗∗ Zaraza Bot Targets Google Chrome to Extract Login Credentials ∗∗∗
---------------------------------------------
The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.
---------------------------------------------
https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chrome-extract-login-credentials


∗∗∗ SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication (CVE-2023-22620) ∗∗∗
---------------------------------------------
While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint’s UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall’s administrative panel. [...] The second one, aka CVE-2023-22897 is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post.
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/


∗∗∗ SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897) ∗∗∗
---------------------------------------------
While my last finding affecting SecurePoint’s UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I’ve responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done!
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/


∗∗∗ Threat Actors Rapidly Adopt Web3 IPFS Technology ∗∗∗
---------------------------------------------
Web3 technologies are seeing widespread adoption — including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.
---------------------------------------------
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/


∗∗∗ Play Ransomware Group Using New Custom Data-Gathering Tools ∗∗∗
---------------------------------------------
Tools allow attackers to harvest data typically locked by the operating system.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ransomware-volume-shadow-copy


∗∗∗ Raspberry Robin: Anti-Evasion How-To & Exploit Analysis ∗∗∗
---------------------------------------------
During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more.
---------------------------------------------
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/


∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...]
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2


∗∗∗ DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks ∗∗∗
---------------------------------------------
NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project.
---------------------------------------------
https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Web browser: New zero-day vulnerability in Google Chrome ∗∗∗
---------------------------------------------
Cybercriminals are exploiting a new zero-day vulnerability in the Chrome web browser in the wild. Google is distributing software updates to close the hole.
---------------------------------------------
https://heise.de/-8971427


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).
---------------------------------------------
https://lwn.net/Articles/929533/


∗∗∗ Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system ∗∗∗
---------------------------------------------
Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software.
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologies-helps-to-fix-vulnerabilities-in-nokia-netact-network-management-system


∗∗∗ WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN99657911/


∗∗∗ Oracle Critical Patch Update Advisory - April 2023 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2023.html


∗∗∗ K000133390 : Apache Tomcat vulnerability CVE-2022-45143 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133390


∗∗∗ K000133547 : Python urllib3 vulnerability CVE-2020-26137 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133547


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily