[CERT-daily] Tageszusammenfassung - 12.07.2023
Daily end-of-shift report
team at cert.at
Wed Jul 12 19:27:49 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-07-2023 18:00 − Mittwoch 12-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Microsoft meldet fünf Zero-Days, teils ohne Update ∗∗∗
---------------------------------------------
Der Juli-Patchday von Microsoft liefert viele Updates: 130 Lücken behandelt das Unternehmen. Darunter fünf Zero-Days. Eine Sicherheitslücke bleibt aber offen.
---------------------------------------------
https://heise.de/-9213685
∗∗∗ Teils kritische Sicherheitslücken in Citrix Secure Access Clients ∗∗∗
---------------------------------------------
Citrix hat Aktualisierungen für die Secure Access Clients veröffentlicht, die teils kritische Schwachstellen ausbessern.
---------------------------------------------
https://heise.de/-9214076
∗∗∗ Update gegen kritische Lücke in FortiOS/FortiProxy ∗∗∗
---------------------------------------------
Fortinet verteilt Sicherheitsupdates für FortiOS/FortiProxy. Sie schließen eine kritische Sicherheitslücke.
---------------------------------------------
https://heise.de/-9214207
∗∗∗ Patchday: Kritische Schwachstellen in Adobe Indesign und Coldfusion abgedichtet ∗∗∗
---------------------------------------------
Der Juli-Patchday von Adobe bringt Sicherheitsupdates für Indesign und Coldfusion. Sie schließen Lücken, die der Hersteller als kritisches Risiko einstuft.
---------------------------------------------
https://heise.de/-9213920
∗∗∗ Kernel-Treiber: Hacker überlisten Windows-Richtlinie durch alte Zertifikate ∗∗∗
---------------------------------------------
Indem sie ihre böswilligen Kerneltreiber mit alten Zertifikaten signierten, konnten Angreifer auf Windows-Systemen Vollzugriff erlangen.
---------------------------------------------
https://www.golem.de/news/kernel-treiber-hacker-ueberlisten-windows-richtlinie-durch-alte-zertifikate-2307-175784.html
∗∗∗ vm2 Project Discontinued ∗∗∗
---------------------------------------------
TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
---------------------------------------------
https://github.com/patriksimek/vm2/blob/master/README.md
∗∗∗ How to Harden WordPress With WP-Config & Avoid Data Exposure ∗∗∗
---------------------------------------------
What is wp-config.php?The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains important configuration settings for WordPress, including details on where to find the database, login credentials, name and host. This config file is also used to define advanced options for database elements, security keys, and developer options. In this post, we’ll outline some important website hardening recommendations for your wp-config file [...]
---------------------------------------------
https://blog.sucuri.net/2023/07/tips-for-wp-config-how-to-avoid-sensitive-data-exposure.html
∗∗∗ Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining ∗∗∗
---------------------------------------------
A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said.
---------------------------------------------
https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.html
∗∗∗ Dissecting a Clever Malware Sample for Optimized Detection and Protection ∗∗∗
---------------------------------------------
As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In case of a security incident, our incident response team will investigate the root cause, find and remove malware from your site, and help with other complications that may arise as a result of [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/07/dissecting-a-clever-malware-sample-for-optimized-detection-and-protection/
∗∗∗ Qbot, Guloader und SpinOk führen Mobile Malware-Ranking an ∗∗∗
---------------------------------------------
Bedrohungsindex von Checkpoint für Juni 2023 zeigt: Qbot ist noch immer die am meisten verbreitete Malware in Deutschland.
---------------------------------------------
https://www.zdnet.de/88410517/qbot-guloader-und-spinok-fuehren-mobile-malware-ranking-an/
∗∗∗ Security Flaws unraveled in Popular QuickBlox Chat and Video Framework could exposed sensitive data of millions ∗∗∗
---------------------------------------------
Check Point Research (CPR) in collaboration with Claroty Team82 uncovered major security vulnerabilities in the popular QuickBlox platform, used for telemedicine, finance and smart IoT devices If exploited, the vulnerabilities could allow threat actors to access applications’ user databases and expose sensitive data of millions. QuickBlox worked closely with Team82 and CPR to address our disclosure and has fixed the vulnerabilities via a new secure architecture design [...]
---------------------------------------------
https://blog.checkpoint.com/security/security-flaws-unraveled-in-popular-quickblox-chat-and-video-framework-could-exposed-sensitive-data-of-millions/
∗∗∗ The Spies Who Loved You: Infected USB Drives to Steal Secrets ∗∗∗
---------------------------------------------
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.
---------------------------------------------
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
∗∗∗ CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/12/cisa-and-fbi-release-cybersecurity-advisory-enhanced-monitoring-detect-apt-activity-targeting
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiOS/FortiProxy - Proxy mode with deep inspection - Stack-based buffer overflow ∗∗∗
---------------------------------------------
A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Workaround: Disable deep inspection on proxy policies or firewall policies with proxy mode.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-183
∗∗∗ FortiAnalyzer & FortiManager - Path traversal in history downloadzip ∗∗∗
---------------------------------------------
An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-471
∗∗∗ FortiExtender - Path Traversal vulnerability ∗∗∗
---------------------------------------------
An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-22] in FortiExtender management interface may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-039
∗∗∗ FortiOS - Existing websocket connection persists after deleting API admin ∗∗∗
---------------------------------------------
An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-028
∗∗∗ Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin ∗∗∗
---------------------------------------------
On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/07/interesting-arbitrary-file-upload-vulnerability-patched-in-user-registration-wordpress-plugin/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (erlang, symfony, thunderbird, and yajl), Fedora (cutter-re, kernel, rizin, and yt-dlp), Red Hat (grafana), SUSE (kernel and python-Django), and Ubuntu (dotnet6, dotnet7 and firefox).
---------------------------------------------
https://lwn.net/Articles/937972/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities ∗∗∗
---------------------------------------------
ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-fix-50-vulnerabilities/
∗∗∗ Mattermost security updates 7.10.4 / 7.9.6 / 7.8.8 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.10.4, 7.9.6 and 7.8.8 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-4-7-9-6-7-8-8-esr-released/
∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. Juli 2023) ∗∗∗
---------------------------------------------
Zum 11. Juli 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1 installieren). Hier ein Überblick über diese Updates
---------------------------------------------
https://www.borncity.com/blog/2023/07/12/windows-7-server-2008-r2-server-2012-r2-updates-11-juli-2023/
∗∗∗ Sandbox Escape ∗∗∗
---------------------------------------------
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
∗∗∗ Sandbox Escape ∗∗∗
---------------------------------------------
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
∗∗∗ Citrix Secure Access client for Ubuntu Security Bulletin for CVE-2023-24492 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492
∗∗∗ Citrix Secure Access client for Windows Security Bulletin for CVE-2023-24491 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX561480/citrix-secure-access-client-for-windows-security-bulletin-for-cve202324491
∗∗∗ Lenovo UDC Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500567-LENOVO-UDC-VULNERABILITY
∗∗∗ AMD SEV VM Power Side Channel Security Notice ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500569-AMD-SEV-VM-POWER-SIDE-CHANNEL-SECURITY-NOTICE
∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500568-AMI-MEGARAC-SP-X-BMC-VULNERABILITIES
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Rockwell Automation Select Communication Modules ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list