[CERT-daily] Tageszusammenfassung - 28.08.2023

Daily end-of-shift report team at cert.at
Mon Aug 28 18:48:34 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 25-08-2023 18:00 − Montag 28-08-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Update korrigiert Verschlüsselung von Qnap-Betriebssystemen ∗∗∗
---------------------------------------------
Qnap hat aktualisierte Versionen der QTS- und QuTS hero-Betriebssysteme veröffentlicht. Sie korrigieren unter anderem zu schwache Verschlüsselung.
---------------------------------------------
https://heise.de/-9286394


∗∗∗ Stalker-Malware: Whiffy Recon schnüffelt Standort alle 60 Sekunden aus ∗∗∗
---------------------------------------------
Eine Malware namens Whiffy Recon überprüft alle 60 Sekunden den Standort des infizierten Geräts. Es bleibt unklar, wozu.
---------------------------------------------
https://heise.de/-9286754


∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft womöglich weitere Programme ∗∗∗
---------------------------------------------
Nachtrag vom 28. August 2023, 17:28 Uhr: Herr Marx wies die Redaktion im Nachhinein darauf hin, dass eine mögliche Ausnutzung von CVE-2023-40477 für die einzelnen Anwendungen individuell beurteilt werden muss. Nicht jedes Programm, das die gefährdete DLL verwendet, macht automatisch Gebrauch von dem problematischen Code.
---------------------------------------------
https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betrifft-hunderte-weitere-programme-2308-177086.html


∗∗∗ Duolingo: Leck mit 2,6 Millionen Nutzerdatensätze, Prüfung auf Have I been Pwned möglich ∗∗∗
---------------------------------------------
Bei der Sprachlern-App Duolingo bzw. bei deren Anbieter ermöglichten Schwachstellen Benutzerdaten abzuziehen. Jetzt hat Troy Hunt einen Datensatz mit den Informationen zu 2,6 Millionen Duolingo Nutzern in seine Plattform Have I been Pwned integriert.
---------------------------------------------
https://www.borncity.com/blog/2023/08/24/duolingo-leck-mit-26-millionen-nutzerdatenstze-prfung-auf-have-i-been-pawned-mglich/


∗∗∗ Antworten von Microsoft zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 1 ∗∗∗
---------------------------------------------
Ich hatte nach dem Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 bei Microsoft Irland konkret nachgefragt, ob persönliche Daten eines meiner Microsoft Konten betroffen seien. Und ich hatte an den Bundesdatenschutzbeauftragten (BfDI), Ulrich Kelber, [...]
---------------------------------------------
https://www.borncity.com/blog/2023/08/26/antworten-von-microsoft-zum-hack-der-microsoft-azure-cloud-durch-storm-0588-teil-1/


∗∗∗ Antworten des Bundesdatenschutzbeauftragten, Ulrich Kelber, zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 2 ∗∗∗
---------------------------------------------
In Teil 1 dieser Artikelreihe hatte die die Antworten Microsofts auf meine konkreten Fragen zum Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 wiedergegeben. Ich hatte aber auch einige Fragen an die Presseabteilung des Bundesdatenschutzbeauftragten (BfDI) [...]
---------------------------------------------
https://www.borncity.com/blog/2023/08/26/antworten-des-bundesdatenschutzbeauftragten-ulrich-kelber-zum-hack-der-microsoft-azure-cloud-durch-storm-0588-teil-2/


∗∗∗ PoC for no-auth RCE on Juniper firewalls released ∗∗∗
---------------------------------------------
Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit.
---------------------------------------------
https://www.helpnetsecurity.com/2023/08/28/poc-rce-juniper-firewalls/


∗∗∗ Beware the Azure Guest User: How to Detect When a Guest User Account Is Being Exploited ∗∗∗
---------------------------------------------
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. Often, little effort is invested in keeping guest users safe. However, this could prove to be a costly mistake. It’s actually very important to monitor the third-party applications and identities that have access to your environment, [...]
---------------------------------------------
https://orca.security/resources/blog/detect-guest-user-account-exploited/


∗∗∗ Reply URL Flaw Allowed Unauthorized MS Power Platform API Access ∗∗∗
---------------------------------------------
Cybersecurity experts from Secureworks have revealed a critical vulnerability within Microsoft’s Power Platform, now known as Entra ID. The vulnerability, discovered early this year, involved an abandoned reply URL within the Azure Active Directory (AD) environment, granting unauthorized access to elevated permissions and control within an organization.
---------------------------------------------
https://www.hackread.com/reply-url-flaw-ms-power-platform-api-access/


∗∗∗ KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities ∗∗∗
---------------------------------------------
An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month.
---------------------------------------------
https://thehackernews.com/2023/08/kmsdbot-malware-gets-upgrade-now.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ D-Link DAP-2622: Various Security Vulnerabilities Reported ∗∗∗
---------------------------------------------
Affected Models: DAP-2622 
Hardware Revision: All A Series Hardware Revisions 
Region: Non-US/CA 
Affected FW: v1.00 & Below 
Fixed FW: v1.10B03R022 Beta-Hotfix
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349


∗∗∗ Busybox cpio directory traversal vulnerability (CVE-2023-39810) ∗∗∗
---------------------------------------------
When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this.
---------------------------------------------
https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/


∗∗∗ Sicherheitsupdates: Drupal-Plug-ins mit Schadcode-Lücken ∗∗∗
---------------------------------------------
Wenn bestimmte Plug-ins zum Einsatz kommen, sind mit dem CMS Drupal erstellte Websites attackierbar.
---------------------------------------------
https://heise.de/-9286388


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, clamav, librsvg, rar, and unrar-nonfree), Fedora (caddy, chromium, and xen), and SUSE (ca-certificates-mozilla, gawk, ghostscript, java-1_8_0-ibm, java-1_8_0-openjdk, php7, qemu, and xen).
---------------------------------------------
https://lwn.net/Articles/942922/


∗∗∗ Sicherheitsschwachstellen im tef-Händlerportal (SYSS-2023-020/-021) ∗∗∗
---------------------------------------------
Im tef-Händlerportal kann über eine Persistent Cross-Site Scripting-Schwachstelle beliebiger Code im Kontext des Benutzers ausgeführt werden.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstellen-im-tef-haendlerportal-syss-2023-020/-021


∗∗∗ VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/757109


∗∗∗ Vulnerabilities in IBM Java Runtime affect z/Transaction Processing Facility ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028975


∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to arbitrary code execution due to an unsafe deserialization flaw (CVE-2022-40609). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029160


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from systemd, libcap, openssl-libs, libxml2, go-toolset, and prometheus-operator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029356


∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029359


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029364


∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-32342] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029362


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029361


∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - July 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029360


∗∗∗ GNU C library (glibc) vulnerability affects (CVE-2015-7547) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650093


∗∗∗ ISC DHCP vulnerability affects TS4500 Tape Library (CVE-2018-5732) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650877

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list