[CERT-daily] Tageszusammenfassung - 07.02.2023
Daily end-of-shift report
team at cert.at
Tue Feb 7 18:40:08 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗
---------------------------------------------
The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022.
EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-supplier-portal-with-info-on-14-000-partners/
∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗
---------------------------------------------
Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted.
---------------------------------------------
https://isc.sans.edu/diary/rss/29516
∗∗∗ Android Security Bulletin—February 2023 ∗∗∗
---------------------------------------------
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed.
---------------------------------------------
https://source.android.com/docs/security/bulletin/2023-02-01
∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗
---------------------------------------------
AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/
∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗
---------------------------------------------
Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-magenta-sms/
∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗
---------------------------------------------
Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum.
---------------------------------------------
https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinformationen-im-internet/
∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗
---------------------------------------------
Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden.
---------------------------------------------
https://heise.de/-7333482
∗∗∗ This notorious ransomware has now found a new target ∗∗∗
---------------------------------------------
The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists.
---------------------------------------------
https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-linux-systems-too/#ftag=RSSbaffb68
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-094/
∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗
---------------------------------------------
Subcomponent: Frontend Rendering (ext:frontend, ext:core)
Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3
Severity: High
References: CVE-2023-24814, CWE-79
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2023-001
∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗
---------------------------------------------
Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan
[..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/
∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗
---------------------------------------------
* Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
* Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401
---------------------------------------------
https://www.openssl.org/news/secadv/20230207.txt
∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗
---------------------------------------------
Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab.
---------------------------------------------
https://heise.de/-7487393
∗∗∗ VMSA-2023-0003 ∗∗∗
---------------------------------------------
CVSSv3 Range: 7.8
CVE(s): CVE-2023-20854
Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0003.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux).
---------------------------------------------
https://lwn.net/Articles/922519/
∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN11257333/
∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOx%20Application%20Hosting%20Environment%20Command%20Injection%20Vulnerability&vs_k=1
∗∗∗ EnOcean SmartServer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01
∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953461
∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839565
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953483
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953497
∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952745
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953497
∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953525
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953557
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953559
∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953579
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953583
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953587
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953589
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list