[CERT-daily] Tageszusammenfassung - 17.08.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 16-08-2023 18:00 − Donnerstag 17-08-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Triple Extortion Ransomware and the Cybercrime Supply Chain ∗∗∗
---------------------------------------------
Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue.
This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-and-the-cybercrime-supply-chain/


∗∗∗ New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode ∗∗∗
---------------------------------------------
The method "tricks the victim into thinking their devices Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," [..]
---------------------------------------------
https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html


∗∗∗ CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan ∗∗∗
---------------------------------------------
This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remote-monitoring-and-management-rmm-cyber-defense-plan


∗∗∗ Angreifer attackieren Citrix ShareFile ∗∗∗
---------------------------------------------
Die US-Behörde [CISA] hat die "kritische" Sicherheitslücke (CVE-2023-24489) in ihren Katalog bekannter ausgenutzter Sicherheitslücken eingetragen. In welchem Umfang die Attacken ablaufen, ist derzeit nicht bekannt. [..] Die Lücke ist seit Juni 2023 bekannt. Seitdem gibt es auch die gepatchte Version 5.11.24.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Citrix-ShareFile-9247830.html


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023) ∗∗∗
---------------------------------------------
Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..]
Patch Status :
- Unpatched 25
- Patched 61
---------------------------------------------
https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-7-2023-to-august-13-2023/


∗∗∗ Phishing-Kampagne zielt auf Zimbra-Nutzer ab ∗∗∗
---------------------------------------------
Die Kampagne ist seit mindestens April 2023 aktiv und dauert laut Security-Forschern von ESET an.
---------------------------------------------
https://www.zdnet.de/88411237/phishing-kampagne-zielt-auf-zimbra-nutzer-ab/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673) ∗∗∗
---------------------------------------------
LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network setting in the Split Tunnel tab on the firewall configuration. ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in Network > GlobalProtect > Gateways from the web interface.
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2023-0004


∗∗∗ ClamAV 1.1.1, 1.0.2, 0.103.9 patch versions published ∗∗∗
---------------------------------------------
- CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser.
- CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0.
ClamAV 0.105 and 0.104 have reached end-of-life according to the ClamAV’s End of Life (EOL) policy and will not be patched.
---------------------------------------------
https://blog.clamav.net/2023/07/2023-08-16-releases.html


∗∗∗ Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process ∗∗∗
---------------------------------------------
By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. The vulnerability applies to a "Per User" installation as opposed to a "Shared User". There is an update that has been made available.
---------------------------------------------
https://kb.cert.org/vuls/id/287122


∗∗∗ TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha) ∗∗∗
---------------------------------------------
The extension fails to check the requirement of the captcha field in submitted form data allowing a remote user to bypass the captcha check. [..] An updated version 2.1.2 is available
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2023-007


∗∗∗ Varnish Enterprise/Cache: Base64 decoding vulnerability in vmod-digest ∗∗∗
---------------------------------------------
The potential outcome of the vulnerability can be both authentication bypass and information disclosure, however the exact attack surface will depend on the particular VCL configuration in use. [..]
Affected software versions:
- vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4.
- vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17.
- vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17.
---------------------------------------------
https://docs.varnish-software.com/security/VSV00012/


∗∗∗ IP-Telefonie: Schwachstellen in der Provisionierung von Zoom und Audiocodes​ ∗∗∗
---------------------------------------------
Der Security-Experte Moritz Abrell von SySS hat Schwachstellen bei der IP-Telefonie mithilfe des Zoom Zero Touch Provisioning-Prozesses in Kombination mit Audiocodes 400HD Telefonen entdeckt. [..] Angreifer könnten gemäß den Darstellungen Gesprächsinhalte mithören, ein Botnetz aus infizierten Geräten bilden oder auf Basis der Kompromittierung der Endgeräte die Netzwerke attackieren, in denen diese betrieben werden.
---------------------------------------------
https://www.heise.de/news/IP-Telefonie-Schwachstellen-in-der-Provisionierung-von-Zoom-und-Audiocodes-9247685.html


∗∗∗ Synology-SA-23:11 Synology Camera ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware.
Solution: Upgrade to 1.0.5-0185 or above.
Workaround: Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation.
---------------------------------------------
https://www.synology.com/en-global/security/advisory/Synology_SA_23_11


∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
- ICSA-23-229-01 ICONICS and Mitsubishi Electric Products: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401
- ICSA-23-229-03 Schnieder Electric PowerLogic ION7400 PM8000 ION9000 Power Meters: CVE-2022-46680
- ICSA-23-229-04 Walchem Intuition 9: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/17/cisa-releases-three-industrial-control-systems-advisories


∗∗∗ Privilege Escalation in IBM Spectrum Virtualize ∗∗∗
---------------------------------------------
Im Rahmen einer oberflächlichen Sicherheitsprüfung stellte Certitude zwei Schwachstellen in der Firmware der IBM Spectrum Virtualize Storage-Lösung fest. Eine der Schwachstellen erlaubt es einem Benutzer der Administrationsschnittstelle, der nur über eingeschränkte Berechtigungen verfügt, beliebigen Code auszuführen.
---------------------------------------------
https://certitude.consulting/blog/de/privilege-escalation-in-ibm-spectrum-virtualize-de/


∗∗∗ Atlassian Releases Security Update for Confluence Server and Data Center ∗∗∗
---------------------------------------------
Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition.CISA encourages users and administrators to review Atlassian’s August 2003 Security Bulletin and apply the necessary update.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/17/atlassian-releases-security-update-confluence-server-and-data-center


∗∗∗ Cisco Integrated Management Controller Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-xss-UMYtYEtr


∗∗∗ Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-tunnel-gJw5thgE


∗∗∗ Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-wcp-JJeqDT3S


∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thoueye-privesc-NVhHGwb3


∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-va-priv-esc-PUdgrx8E


∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-storedxss-tTjO62r


∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-BFjSRJP5


∗∗∗ Cisco Intersight Private Virtual Appliance Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ivpa-cmdinj-C5XRbbOy


∗∗∗ Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-credentials-tkTO3h3


∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-csrf-HOCmXW2c


∗∗∗ Cisco Intersight Virtual Appliance Unauthenticated Port Forwarding Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-intersight-forward-C45ncgqb


∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-injection-X475EbTQ


∗∗∗ Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-dha-filewrite-xPMBMZAK


∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-injection-g6MbwH2


∗∗∗ Cisco Unified Communications Products Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-imp-xss-QtT4VdsK


∗∗∗ ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee


∗∗∗ ClamAV AutoIt Module Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-dos-FTkhqMWZ


∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005499


∗∗∗ IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027854


∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027853


∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007815


∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027855


∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000021


∗∗∗ IBM Security Guardium is affected by multiple Oracle\u00ae MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981105


∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981101


∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6380954


∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6380968


∗∗∗ Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6381220


∗∗∗ Vulnerability in IBM JDK (CVE-2022-40609 ) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027898


∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027921


∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027919

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily