[CERT-daily] Tageszusammenfassung - 04.12.2023

Daily end-of-shift report team at cert.at
Mon Dec 4 18:48:25 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 01-12-2023 18:00 − Montag 04-12-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks ∗∗∗
---------------------------------------------
The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
---------------------------------------------
https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html


∗∗∗ New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect thats capable of targeting routers and IoT devices.
---------------------------------------------
https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html


∗∗∗ Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs ∗∗∗
---------------------------------------------
Today, CISA, (FBI), (NSA), (EPA), and (INCD) released a joint Cybersecurity Advisory (CSA) IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/01/cisa-and-partners-release-joint-advisory-irgc-affiliated-cyber-actors-exploiting-plcs


∗∗∗ Phishing-Angriffe: Betrüger missbrauchen Hotelbuchungsplattform booking.com ∗∗∗
---------------------------------------------
Mit auf Datendiebstahl spezialisierte Malware griffen Cyberkriminelle zunächst Hotelmitarbeiter an und verschickten dann über Booking betrügerische Mails.
---------------------------------------------
https://www.heise.de/-9547507


∗∗∗ Update your iPhones! Apple fixes two zero-days in iOS ∗∗∗
---------------------------------------------
Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fixes-two-zero-days-in-ios


∗∗∗ PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE.
---------------------------------------------
https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/


∗∗∗ Vorsicht vor gefälschter Microsoft-Sicherheitswarnung ∗∗∗
---------------------------------------------
Beim Surfen im Internet poppt plötzlich eine Sicherheitswarnung auf: „Aus Sicherheitsgründen wurde das Gerät blockiert. Windows-Support Anrufen“. Zusätzlich wird eine Computerstimme abgespielt, die Ihnen erklärt, dass Ihre Kreditkarten- und Facebookdaten sowie persönliche Daten an Hacker weitergegeben werden. Für technische Unterstützung sollen Sie eine Nummer anrufen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschter-microsoft-sicherheitswarnung/


∗∗∗ Zyxel warnt vor kritischen Sicherheitslücken in NAS-Geräten ∗∗∗
---------------------------------------------
Betreibt jemand ein Zyxel NAS in seiner Umgebung? Der taiwanesische Hersteller hat gerade vor mehreren Schwachstellen in der Firmware dieser Geräte gewarnt. Drei kritische Schwachstellen ermöglichen es einem nicht authentifizierten Angreifer Betriebssystembefehle auf anfälligen NAS-Geräten (Network-Attached Storage) auszuführen.
---------------------------------------------
https://www.borncity.com/blog/2023/12/02/zyxel-warnt-vor-kritischen-sicherheitslcken-in-nas-gerten/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ SQUID-2023:7 Denial of Service in HTTP Message Processing ∗∗∗
---------------------------------------------
Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing[..] This problem allows a remote attacker to perform Denial of Service when sending easily crafted HTTP Messages.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9


∗∗∗ SQUID-2023:8 Denial of Service in Helper Process management ∗∗∗
---------------------------------------------
Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. [..] This problem allows a trusted client or remote server to perform a Denial of Service attack when the Squid proxy is under load.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27


∗∗∗ SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding ∗∗∗
---------------------------------------------
Due to a Use-After-Free bug Squid is vulnerable to a Denial of Service attack against collapsed forwarding [..] This problem allows a remote client to perform Denial of Service attack on demand when Squid is configured with collapsed forwarding.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5


∗∗∗ GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 ∗∗∗
---------------------------------------------
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. CVE IDs: CVE-2023-6033, CVE-2023-6396, CVE-2023-3949, CVE-2023-5226, CVE-2023-5995, CVE-2023-4912, CVE-2023-4317, CVE-2023-3964, CVE-2023-4658, CVE-2023-3443
---------------------------------------------
https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/


∗∗∗ Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call ∗∗∗
---------------------------------------------
Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability. [..] Sonos state an update was released on 2023-11-15 which remediated the issue.
---------------------------------------------
https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-secure-boot-bypass-through-unchecked-setenv-call/


∗∗∗ Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution ∗∗∗
---------------------------------------------
In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin. [..] CVE ID: CVE-2023-6316 / CVSS Score: 9.8 (Critical)
---------------------------------------------
https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated-arbitrary-file-upload-in-mw-wp-form-allows-malicious-code-execution/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/953702/


∗∗∗ Ruckus Access Point vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45891816/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list