[CERT-daily] Tageszusammenfassung - 21.04.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 20-04-2023 18:00 − Freitag 21-04-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victims Google account.
---------------------------------------------
https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html


∗∗∗ Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining ∗∗∗
---------------------------------------------
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html


∗∗∗ VoIP-Anbieter 3CX: Die doppelte Supply-Chain-Attacke ∗∗∗
---------------------------------------------
Eine Analyse zeigt, dass die Verteilung des kompromittierten VoIP-Clients von 3CX auf einen vorausgehenden Lieferketten-Angriff zurückgeht.
---------------------------------------------
https://heise.de/-8974948


∗∗∗ CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100 ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-buffer-overflow-on-the-western-digital-my-cloud-pro-series-pr4100


∗∗∗ GitHub Announces New Security Improvements ∗∗∗
---------------------------------------------
GitHub this week introduced NPM package provenance and deployment protection rules and announced general availability of private vulnerability reporting.
---------------------------------------------
https://www.securityweek.com/github-announces-new-security-improvements/


∗∗∗ Abandoned WordPress Plugin Abused for Backdoor Deployment ∗∗∗
---------------------------------------------
Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.
---------------------------------------------
https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor-deployment/


∗∗∗ Online-Händler:innen aufgepasst: Kriminelle machen Fake-Bestellungen und holen sich per SEPA-Lastschrift das Geld zurück ∗∗∗
---------------------------------------------
Mit vermeintlichen Bestellungen versuchen Kriminelle derzeit an das Geld von Online-Händler:innen zu kommen: Kriminellen bestellen „unabsichtlich“ zu viel, verlangen anschließend den bereits bezahlten Betrag von den Händler:innen zurück. Gleichzeitig nutzen die Betrüger:innen die Funktion der SEPA-Lastschrift, bei der Zahlungsanfechtungen in einem bestimmten Zeitraum automatisch anerkannt werden.
---------------------------------------------
https://www.watchlist-internet.at/news/online-haendlerinnen-aufgepasst-kriminelle-machen-fake-bestellungen-und-holen-sich-per-sepa-lastschrift-das-geld-zurueck/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. 
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0003.html


∗∗∗ VMSA-2023-0007 ∗∗∗
---------------------------------------------
VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0007.html


∗∗∗ OpenSSL: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) ∗∗∗
---------------------------------------------
Severity: Low Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
---------------------------------------------
https://www.openssl.org/news/secadv/20230420.txt


∗∗∗ Kritische Lücken bedrohen Cisco Industrial Network Director und Modeling Labs ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für mehrere Cisco-Produkte. Zwei Schwachstellen gelten als kritisch.
---------------------------------------------
https://heise.de/-8975027


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).
---------------------------------------------
https://lwn.net/Articles/929828/


∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-exploited-vulnerabilities-catalog


∗∗∗ IBM InfoSphere DataStage Flow Designer is vulnerable to Server-Side Request Forgery ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6509084


∗∗∗ Python is vulnerable to CVE-2022-26488 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985049


∗∗∗ iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985225

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily