[CERT-daily] Daily summary - 03.08.2023

Daily end-of-shift report team at cert.at
Thu Aug 3 18:17:11 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 02-08-2023 18:00 − Thursday 03-08-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Fake FlipperZero sites promise free devices after completing offer ∗∗∗
---------------------------------------------
A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-flipperzero-sites-promise-free-devices-after-completing-offer/


∗∗∗ Hackers can abuse Microsoft Office executables to download malware ∗∗∗
---------------------------------------------
The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes - will include the main executables for Microsoft's Outlook email client and Access database management system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-office-executables-to-download-malware/


∗∗∗ "Grob fahrlässig": Sicherheitsproblem gefährdet Microsoft-Kunden seit Monaten ∗∗∗
---------------------------------------------
A critical vulnerability in Azure AD that has been known to Microsoft since March still leaves countless further organisations susceptible to cyberattacks today.
---------------------------------------------
https://www.golem.de/news/grob-fahrlaessig-sicherheitsproblem-gefaehrdet-microsoft-kunden-seit-monaten-2308-176417.html


∗∗∗ What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot ∗∗∗
---------------------------------------------
In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote.
---------------------------------------------
https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/


∗∗∗ New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 ∗∗∗
---------------------------------------------
Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/


∗∗∗ Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers ∗∗∗
---------------------------------------------
In this guest blog from researcher Marcin Wiązowski, he details CVE-2023-21822 – a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, an examination of how it could be exploited, and a look at the patch Microsoft released to address the bug.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap-handling-in-windows-user-mode-printer-drivers


∗∗∗ Hook, Line, and Phishlet: Conquering AD FS with Evilginx ∗∗∗
---------------------------------------------
Recently, I was assigned to a red team engagement, and the client specifically requested a phishing simulation targeting their employees. The organisation utilises AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. [..] Despite my efforts to find a detailed write-up on how to successfully phish a target where AD FS is being used, I couldn’t find a technical post covering this topic. So I saw this as an opportunity to learn
---------------------------------------------
https://research.aurainfosec.io/pentest/hook-line-and-phishlet/


∗∗∗ New Report: Medical Health Care Organizations Highly Vulnerable Due to Improper De-acquisition Processes ∗∗∗
---------------------------------------------
In "Security Implications from Improper De-acquisition of Medical Infusion Pumps", Heiland performs a physical and technical teardown of more than a dozen medical infusion pumps — devices used to deliver and control fluids directly into a patient’s body. Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organization’s networks.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-deacquisition-medical-infusion-pumps/


∗∗∗ MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis ∗∗∗
---------------------------------------------
The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely.
---------------------------------------------
https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/


∗∗∗ Google Project Zero - Summary: MTE As Implemented ∗∗∗
---------------------------------------------
In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities. Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023.
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.html


∗∗∗ Microsoft publishes TokenTheft playbook ∗∗∗
---------------------------------------------
The theft of tokens can give attackers access to the corresponding services. Following such an incident, Microsoft has therefore published the so-called TokenTheft playbook. It is an online document with numerous pointers for "cloud administrators" who are responsible for security and for protection against the theft of access tokens.
---------------------------------------------
https://www.borncity.com/blog/2023/08/03/microsoft-verffentlicht-tokentheft-playbook/


∗∗∗ BSI newsletter SICHER INFORMIERT of 03.08.2023 ∗∗∗
---------------------------------------------
GDPR – a blessing for IT security; vendors complain about patch fatigue; critical vulnerability endangers routers; and the BSI at Gamescom
---------------------------------------------
https://www.bsi.bund.de/SharedDocs/Newsletter/DE/BuergerCERT-Newsletter/16_Sicher-Informiert_03-08-2023.html


∗∗∗ How Malicious Android Apps Slip Into Disguise ∗∗∗
---------------------------------------------
Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.
---------------------------------------------
https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-disguise/


∗∗∗ Watchlist Internet: Order our new brochure „Betrug im Internet: So schützen Sie sich“ („Online fraud: how to protect yourself“) ∗∗∗
---------------------------------------------
With our new brochure „Betrug im Internet“ we inform interested readers about the topics of online shopping, fraudulent messages, malware, phishing, advance-fee fraud and financial fraud. The free brochure can be downloaded or ordered from us.
---------------------------------------------
https://www.watchlist-internet.at/news/bestellen-sie-unsere-neue-broschuere-betrug-im-internet-so-schuetzen-sie-sich/


∗∗∗ Reptile Malware Targeting Linux Systems ∗∗∗
---------------------------------------------
Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic.
---------------------------------------------
https://asec.ahnlab.com/en/55785/


∗∗∗ 2022 Top Routinely Exploited Vulnerabilities ∗∗∗
---------------------------------------------
This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033 ∗∗∗
---------------------------------------------
Security risk: Less critical
Description: This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-033


∗∗∗ CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older ∗∗∗
---------------------------------------------
A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. [..] MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats.
---------------------------------------------
https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US


∗∗∗ CVE-2023-28130 – Command Injection in Check Point Gaia Portal ∗∗∗
---------------------------------------------
The parameter hostname in the web request /cgi-bin/hosts_dns.tcl is vulnerable for command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user ‘Admin’.
---------------------------------------------
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal//


∗∗∗ CVE-2023-31928 - XSS vulnerability in Brocade Webtools ∗∗∗
---------------------------------------------
A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS version before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user’s session with the Brocade Webtools application.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22390


∗∗∗ CVE-2023-31927 - An information disclosure in the web interface of Brocade Fabric OS ∗∗∗
---------------------------------------------
An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c, could allow a remote unauthenticated attacker to get technical details about the web interface.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22389


∗∗∗ CVE-2023-31926 - Arbitrary File Overwrite using less command ∗∗∗
---------------------------------------------
System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22388


∗∗∗ CVE-2023-31432 - Privilege issues in multiple commands ∗∗∗
---------------------------------------------
Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22385


∗∗∗ CVE-2023-31431 - A buffer overflow vulnerability in “diagstatus” command ∗∗∗
---------------------------------------------
A buffer overflow vulnerability in “diagstatus” command in Brocade Fabric OS before Brocade Fabric v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch leading to a denial of service.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22384


∗∗∗ CVE-2023-31430 - buffer overflow vulnerability in “secpolicydelete” command ∗∗∗
---------------------------------------------
A buffer overflow vulnerability in “secpolicydelete” command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch leading to a denial of service.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22381


∗∗∗ CVE-2023-31425 - Privilege escalation via the fosexec command ∗∗∗
---------------------------------------------
A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, “root” account access is disabled.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22407


∗∗∗ CVE-2023-31429 - Vulnerability in multiple commands ∗∗∗
---------------------------------------------
Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22408


∗∗∗ CVE-2023-31427 - Knowledge of full path name ∗∗∗
---------------------------------------------
Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22379


∗∗∗ CVE-2023-31428 - CLI allows upload or transfer files of dangerous types ∗∗∗
---------------------------------------------
Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under users home directory using grep.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22380


∗∗∗ Security updates: Attackers can compromise Aruba switches (CVE-2023-3718) ∗∗∗
---------------------------------------------
Certain Aruba switch models are vulnerable. The developers have closed a security hole.
---------------------------------------------
https://heise.de/-9233677


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) ∗∗∗
---------------------------------------------
Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database.
---------------------------------------------
https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-july-24-2023-to-july-30-2023/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim).
---------------------------------------------
https://lwn.net/Articles/940335/


∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
- ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE
- ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products
- ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface
- ICSA-23-215-04 Sensormatic Electronics VideoEdge
- ICSA-23-208-03 Mitsubishi Electric CNC Series
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-releases-five-industrial-control-systems-advisories


∗∗∗ Security vulnerability in various Canon inkjet printer models (SYSS-2023-011) ∗∗∗
---------------------------------------------
The Canon inkjet printer PIXMA TR4550 has a security vulnerability due to insufficient protection of sensitive data.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-verschiedenen-canon-inkjet-druckermodellen-syss-2023-011


∗∗∗ [R1] Nessus Version 10.5.4 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider.
Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.5.4 updates OpenSSL to version 3.0.10 to address the identified vulnerabilities.
---------------------------------------------
https://www.tenable.com/security/tns-2023-27


∗∗∗ Mozilla Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/02/mozilla-releases-security-updates-multiple-products


∗∗∗ Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-commpilot-xss-jC46sezF


∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-bypass-vXvqwzsj


∗∗∗ Cisco Unified Communications Products Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-file-read-h8h4HEJ3


∗∗∗ CODESYS: Missing Brute-Force protection in CODESYS Development System ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-023/


∗∗∗ CODESYS: Control runtime system memory and integrity check vulnerabilities (CVE-2022-4046, CVE-2023-28355) ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-025/


∗∗∗ CODESYS: Vulnerability in CODESYS Development System allows execution of binaries ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-021/


∗∗∗ CODESYS: Missing integrity check in CODESYS Development System ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-022/


∗∗∗ Shelly 4PM Pro four-channel smart switch: Authentication Bypass via an out-of-bounds read vulnerability (CVE-2023-33383) ∗∗∗
---------------------------------------------
https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability


∗∗∗ CODESYS: Multiple Vulnerabilities in CmpApp CmpAppBP and CmpAppForce ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-019/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily