[CERT-daily] Daily summary - 11.08.2023
Daily end-of-shift report
team at cert.at
Fri Aug 11 18:41:34 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-08-2023 18:00 − Friday 11-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Gafgyt malware exploits five-years-old flaw in EoL Zyxel router ∗∗∗
---------------------------------------------
Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five-years-old-flaw-in-eol-zyxel-router/
∗∗∗ User data at risk: Microsoft OneDrive as a tool for ransomware attacks ∗∗∗
---------------------------------------------
OneDrive is actually supposed to protect the data of Windows users against ransomware attacks. Apparently, however, it is not always effective.
---------------------------------------------
https://www.golem.de/news/nutzerdaten-in-gefahr-microsoft-onedrive-als-werkzeug-fuer-ransomware-angriffe-2308-176674.html
∗∗∗ 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks ∗∗∗
---------------------------------------------
A set of 16 high-severity security flaws has been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities.
---------------------------------------------
https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html
∗∗∗ When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability ∗∗∗
---------------------------------------------
While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. [..] This article maps out various attacks against AWS environments following the MITRE ATT&CK Matrix framework, wrapping up with multiple prevention mechanisms an organization can put in place to protect themselves. Some of these protections include taking advantage of controls and services provided by AWS, cloud best practices, and ensuring sufficient data retention to catch the full attack.
---------------------------------------------
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
∗∗∗ Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022 ∗∗∗
---------------------------------------------
In December 2022, we competed at our first pwn2own. We were able to successfully exploit the Lexmark MC3224i using a command injection 0-day. This post will detail the process we used to discover, weaponize, and have some fun with this vulnerability.
---------------------------------------------
https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/
∗∗∗ There's a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack ∗∗∗
---------------------------------------------
A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims' network traffic to go outside their encrypted VPNs, it was demonstrated this week. [..] Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be the most secure of the bunch.
---------------------------------------------
https://www.theregister.com/2023/08/10/tunnelcrack_vpn/
∗∗∗ Site Takeover via SCCM’s AdminService API ∗∗∗
---------------------------------------------
tl;dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover.
---------------------------------------------
https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e22b2bf
∗∗∗ A-Z: OPNsense - Penetration Test ∗∗∗
---------------------------------------------
We reported the vulnerabilities we found to the OPNsense maintainers, and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. They also provided us with the reasoning behind the decision not to patch some of them right now.
---------------------------------------------
https://logicaltrust.net/blog/2023/08/opnsense.html
∗∗∗ Reading tip: When Microsoft Defender becomes the attacker ∗∗∗
---------------------------------------------
Researchers have published interesting details on a vulnerability in the Defender signature update process that was fixed in April. They see potential for future attacks.
---------------------------------------------
https://heise.de/-9241230
∗∗∗ Samsonite giveaway on Facebook leads to an expensive subscription trap! ∗∗∗
---------------------------------------------
The fraudulent Facebook page „Koffer-Paradies“ is currently spreading a giveaway that leads into an expensive subscription trap. A suitcase of the Samsonite brand is promised. Warning! Those who take part receive no prize, but are instead expected to pay 70 euros a month to criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/samsonite-gewinnspiel-auf-facebook-fuehrt-in-teure-abo-falle/
∗∗∗ Phishing via Amazon Web Services ∗∗∗
---------------------------------------------
Security researchers at Check Point discovered some time ago yet another service that is being abused by hackers for advanced phishing campaigns. This time the abuse for phishing campaigns takes place via Amazon Web Services (AWS). The service is used to send phishing e-mails in order to give them a deceptively genuine appearance.
---------------------------------------------
https://www.borncity.com/blog/2023/08/11/phishing-ber-amazon-web-services/
=====================
= Vulnerabilities =
=====================
∗∗∗ AMD and Intel CPU security bugs bring Linux patches ∗∗∗
---------------------------------------------
It's not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers' latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches. Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes.
---------------------------------------------
https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-patches/
∗∗∗ Static key in Dell Compellent leaks credentials for VMware vCenter ∗∗∗
---------------------------------------------
Due to a vulnerability in Dell's Compellent Integration Tools for VMware (CITV), attackers can decrypt login credentials.
---------------------------------------------
https://heise.de/-9241495
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools).
---------------------------------------------
https://lwn.net/Articles/941271/
∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014699
∗∗∗ IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025193
∗∗∗ App Connect Professional is affected by Bouncy Castle vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025330
∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025344
∗∗∗ Vulnerability in the Flask repo may affect IBM Elastic Storage System (CVE-2023-30861) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025351
∗∗∗ Multiple vulnerabilities in the werkzeug repo affect IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025349
∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage Server (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025354
∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025446
∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025170
∗∗∗ IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7025476
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7024675
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily