[CERT-daily] Daily summary - 25.04.2023
Daily end-of-shift report
team at cert.at
Tue Apr 25 18:23:47 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-04-2023 18:00 − Tuesday 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Intel CPUs vulnerable to new transient execution side-channel attack ∗∗∗
---------------------------------------------
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new-transient-execution-side-channel-attack/
∗∗∗ New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication ∗∗∗
---------------------------------------------
The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]
---------------------------------------------
https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c2-communication/
∗∗∗ Release of a Technical Report into Intel Trust Domain Extensions ∗∗∗
---------------------------------------------
Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intel's Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the feature's architecture. 5 additional areas were identified for defense-in-depth changes [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-tdx.html
∗∗∗ New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) ∗∗∗
---------------------------------------------
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.
---------------------------------------------
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp
∗∗∗ PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published ∗∗∗
---------------------------------------------
The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.
---------------------------------------------
https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cve-2023-1671-published/
∗∗∗ Attackers are logging in instead of breaking in ∗∗∗
---------------------------------------------
Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.
---------------------------------------------
https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/
∗∗∗ Fake Facebook page of Tiergarten Schönbrunn spreads fake prize draw ∗∗∗
---------------------------------------------
The fake Facebook page „ZooPark Wien“ is spreading a fraudulent prize draw. In the post, 4 admission tickets are raffled off. Participants only have to comment on the post with „Alles Gute zum Geburtstag“ (Happy Birthday). With this prize draw, however, criminals are trying to get hold of your credit card data and lure you into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tiergarten-schoenbrunn-verbreitet-fake-gewinnspiel/
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution ∗∗∗
---------------------------------------------
Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
---------------------------------------------
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
∗∗∗ Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference ∗∗∗
---------------------------------------------
Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems; escalation of privilege cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-430.html
∗∗∗ Zyxel closes partly critical security vulnerabilities in firewalls and access points ∗∗∗
---------------------------------------------
Zyxel has issued warnings about security vulnerabilities in firewalls and access points. Firmware updates to close the holes are available.
---------------------------------------------
https://heise.de/-8977831
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, ovmf, and protobuf-c).
---------------------------------------------
https://lwn.net/Articles/930128/
∗∗∗ WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00971105/
∗∗∗ ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-458/
∗∗∗ ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-457/
∗∗∗ F5: K000133630 : Intel processor vulnerability CVE-2022-26343 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133630
∗∗∗ F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133633
∗∗∗ Multiple Vulnerabilities Patched in Shield Security ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security/
∗∗∗ Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge ∗∗∗
---------------------------------------------
https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf
∗∗∗ Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache ∗∗∗
---------------------------------------------
https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulletin_BSECV-2022-29_A01.pdf
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-18
∗∗∗ Nextcloud: Missing brute force protection for passwords of password protected share links ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985649
∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985651
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985667
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985669
∗∗∗ IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985677
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985681
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985683
∗∗∗ IBM® Db2® is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985687
∗∗∗ IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985691
∗∗∗ IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985679
∗∗∗ Multiple vulnerabilities affect IBM Db2® Graph ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985689
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985851
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ IBM Safer Payments is vulnerable to OpenSSL Denial of Service Attack (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985865
∗∗∗ TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985905
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily