[CERT-daily] Daily summary - 20.07.2023
Daily end-of-shift report
team at cert.at
Thu Jul 20 20:04:29 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-07-2023 18:00 − Thursday 20-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Citrix zero-days: detecting traces of attacks on NetScaler ADC and Gateway ∗∗∗
---------------------------------------------
The Citrix vulnerabilities were already being exploited in the wild before updates became available. Checking affected appliances for traces of attack is therefore advisable.
---------------------------------------------
https://heise.de/-9221655
∗∗∗ Microsoft Relents, Offers Free Critical Logging to All 365 Customers ∗∗∗
---------------------------------------------
Industry pushback prompts Microsoft to drop premium pricing for access to cloud logging data.
---------------------------------------------
https://www.darkreading.com/application-security/microsoft-relents-offers-free-key-logging-365-customers
∗∗∗ Docker Hub images found to expose secrets and private keys ∗∗∗
---------------------------------------------
Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/07/docker-hub-images-found-to-expose-secrets-and-private-keys
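The finding above concerns secrets baked into published image layers. The following is an added example (not the RWTH Aachen researchers' tooling, and not Docker's) of how a practitioner can check an image before pushing it: it walks a `docker save` tarball, recurses into each layer tar, and flags private-key headers, well-known credential patterns and sensitive file paths. The sample image it scans is constructed in memory; the AWS key ID in it is the documented AWS placeholder, not a real credential. Because every layer is inspected separately, a secret that was added in one layer and deleted in a later one (still present in the pushed image) is reported.

```python
"""Scan a `docker save` tarball (or any tar) for embedded private keys and
credentials. Added example; the sample image is constructed in memory."""
import io
import re
import tarfile

# Content patterns chosen for low false-positive rates; extend per environment.
PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "npm_auth_token": re.compile(rb"_authToken=\S+"),
    "basic_auth_in_url": re.compile(rb"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@"),
}
# Files whose mere presence in an image is worth a finding
SENSITIVE_PATHS = re.compile(
    r"(^|/)(\.git-credentials|\.netrc|\.docker/config\.json|\.env|id_(rsa|dsa|ecdsa|ed25519))$")
MAX_BYTES = 4 * 1024 * 1024  # skip huge members rather than slurping them into memory


def _scan_blob(path, data, findings):
    for name, rx in PATTERNS.items():
        if rx.search(data):
            findings.append((path, name))
    if SENSITIVE_PATHS.search(path):
        findings.append((path, "sensitive_path"))


def scan_tar(fileobj, prefix="", findings=None):
    """Walk a tar stream, recursing into nested layer tars.
    Returns a list of (path, finding) tuples; nested paths use '::' as separator."""
    if findings is None:
        findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_BYTES:
                continue
            f = tar.extractfile(member)
            if f is None:
                continue
            data = f.read()
            path = prefix + member.name
            # docker save stores layers as <id>/layer.tar (legacy) or blobs/sha256/<digest> (OCI)
            if member.name.endswith(".tar") or member.name.startswith("blobs/sha256/"):
                try:
                    scan_tar(io.BytesIO(data), prefix=path + "::", findings=findings)
                    continue
                except tarfile.ReadError:
                    pass  # not a tar (e.g. a JSON config blob): scan it as a plain file
            _scan_blob(path, data, findings)
    return findings


def build_sample_image():
    """Construct a minimal docker-save-style tarball with one leaky layer (test data only)."""
    def add(tar, name, data):
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        # Constructed placeholder, not a real key
        add(t, "root/.ssh/id_rsa", b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n")
        # AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key ID
        add(t, "app/.env", b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalr...\n")
        add(t, "app/main.py", b"print('hello')\n")
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as t:
        add(t, "manifest.json", b'[{"Layers": ["abc/layer.tar"]}]')
        add(t, "abc/layer.tar", layer.getvalue())
    image.seek(0)
    return image


if __name__ == "__main__":
    for path, kind in scan_tar(build_sample_image()):
        print(f"{kind:20} {path}")
```

To check a real image, run `docker save myimage:tag -o image.tar` and call `scan_tar(open("image.tar", "rb"))`. Whiteout entries (`.wh.*`) are not interpreted on purpose: the point is to see what is in the pushed layers, not what the merged filesystem shows at runtime.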
∗∗∗ Pay in advance in order to work? Stay away from jobs offered by Nice Tech GmbH ∗∗∗
---------------------------------------------
On nice102.com, nice02.com, unice688.com, nicetechmax.com and presumably numerous other domains, Nice Tech GmbH operates an opaque pyramid scheme in which you can supposedly earn money from home. The task descriptions are extremely vague, you are expected to pay money up front before you can start, and most of the money is paid for recruiting new members.
---------------------------------------------
https://www.watchlist-internet.at/news/vorab-bezahlen-um-arbeiten-zu-koennen-finger-weg-von-jobs-der-nice-tech-gmbh/
∗∗∗ P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm ∗∗∗
---------------------------------------------
A novel peer-to-peer worm written in Rust is uniquely scalable. It targets open-source database Redis and can infect multiple platforms.
---------------------------------------------
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
∗∗∗ Announcing New DMARC Policy Handling Defaults for Enhanced Email Security ∗∗∗
---------------------------------------------
For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email/ba-p/3878883
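The announcement above changes only the last step of DMARC evaluation on the receiving side: a message that fails DMARC under p=quarantine is now rejected by outlook.com rather than delivered to junk. The following is an added example (not Microsoft's code) of the receiver-side logic in RFC 7489 terms: parse the published record, check SPF and DKIM identifier alignment against the RFC5322.From domain, then map the result to a disposition, with the outlook.com behaviour available as a switch. All records and message facts are constructed; the organizational-domain derivation uses a toy suffix list instead of the real Public Suffix List, and pct= is treated as 100.

```python
"""Receiver-side DMARC evaluation (RFC 7489): identifier alignment plus
policy lookup, with the outlook.com quarantine->reject handling as a switch.
Added example, not Microsoft's code; all inputs are constructed."""

PUBLIC_SUFFIXES = {"com", "net", "org", "at", "de"}  # toy stand-in for the Public Suffix List


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 and a p= tag are mandatory
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Simplified organizational domain: registrable label plus public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, record_domain, from_domain,
                      spf_pass, spf_domain, dkim_pass, dkim_domain,
                      quarantine_as_reject=False):
    """Return (dmarc_result, disposition).

    record_domain: where the TXT record was found (the From domain, or its
    organizational domain when the From domain itself has no record).
    spf_domain: the MAIL FROM domain SPF authenticated; dkim_domain: the d= of
    a signature that validated.  quarantine_as_reject models the outlook.com
    change described above.  pct= is treated as 100.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("none", "none")  # no usable policy: handle as if DMARC were absent
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # sp= applies when the From domain is a subdomain of the domain publishing the record
    is_subdomain = (from_domain.lower() != record_domain.lower()
                    and from_domain.lower().endswith("." + record_domain.lower()))
    policy = (tags.get("sp", tags["p"]) if is_subdomain else tags["p"]).lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"  # unknown value: RFC 7489 says treat as p=none
    if policy == "quarantine" and quarantine_as_reject:
        policy = "reject"
    return ("fail", policy)


if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; adkim=s"
    # DKIM signed by a subdomain under strict alignment, SPF failed: fails DMARC
    print(dmarc_disposition(rec, "example.com", "example.com",
                            False, "", True, "mail.example.com"))
    print(dmarc_disposition(rec, "example.com", "example.com",
                            False, "", True, "mail.example.com", quarantine_as_reject=True))
```

The practical consequence for senders follows directly from the code: a domain that publishes p=quarantine while some legitimate mail stream is unaligned (a third-party sender signing with its own d=, or strict alignment with a subdomain) will now see that mail bounced at outlook.com instead of landing in junk folders.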
∗∗∗ The SOC Toolbox: Analyzing AutoHotKey compiled executables ∗∗∗
---------------------------------------------
A quick post on how to extract AutoHotKey scripts from an AutoHotKey script compiled executable.
---------------------------------------------
https://blog.nviso.eu/2023/07/20/the-soc-toolbox-analyzing-autohotkey-compiled-executables/
∗∗∗ Escalating Privileges via Third-Party Windows Installers ∗∗∗
---------------------------------------------
In this blog post, we will share how Mandiant’s red team researches and exploits zero-day vulnerabilities in third-party Windows Installers, what software developers should do to reduce risk of exploitation, and introduce a new tool to simplify enumeration of cached Microsoft Software Installer (MSI).
---------------------------------------------
https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Tanzu Spring: update closes critical vulnerability ∗∗∗
---------------------------------------------
Updated versions of VMware Tanzu Spring close several security vulnerabilities. One of them is rated critical.
---------------------------------------------
https://heise.de/-9221869
∗∗∗ CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED] ∗∗∗
---------------------------------------------
Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023) ∗∗∗
---------------------------------------------
Last week, there were 69 vulnerabilities disclosed in 68 WordPress plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 vulnerability researchers that contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpress-vulnerability-report-july-10-2023-to-july-16-2023/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (sysstat), Gentoo (openssh), Mageia (firefox/nss, kernel, kernel-linus, maven, mingw-nsis, mutt/neomutt, php, qt4/qtsvg5, and texlive), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and kpatch-patch), Slackware (curl and openssh), SUSE (curl, grafana, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python-Flask, python310, samba, SUSE Manager Client Tools, and texlive), and Ubuntu (curl, ecdsautils, and samba).
---------------------------------------------
https://lwn.net/Articles/938711/
∗∗∗ Apache OpenMeetings Wide Open to Account Takeover, Code Execution ∗∗∗
---------------------------------------------
Researcher discovers vulnerabilities in the open source Web application, which were fixed in the latest Apache OpenMeeting update.
---------------------------------------------
https://www.darkreading.com/remote-workforce/apache-openmeetings-account-takeover-code-execution
∗∗∗ CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent ∗∗∗
---------------------------------------------
In this advisory, we present our research, experiments, reproducible results, and further ideas to exploit this "dlopen() then dlclose()" primitive. We will also publish the source code of our crude fuzzer at https://www.qualys.com/research/security-advisories/.
---------------------------------------------
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
∗∗∗ Security vulnerabilities in Omnis Studio (SYSS-2023-005/-006) ∗∗∗
---------------------------------------------
Implementation flaws allow attackers to open and edit private Omnis libraries and locked classes in the Omnis Studio Browser.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-omnis-studio-syss-2023-005/-006
∗∗∗ TP-LINK TL-WR840N: vulnerability enables stack buffer overflow DoS ∗∗∗
---------------------------------------------
The firmware of the TP-Link router TP-LINK TL-WR840N contains a vulnerability that allows a remote attacker to carry out a stack buffer overflow denial-of-service attack. TP-Link does not intend to publish a security advisory for it, but has made new firmware (TL-WR840N(KR)_V6.2_230702) available on the linked website.
---------------------------------------------
https://www.borncity.com/blog/2023/07/20/tp-link-tl-wr84-schwachstelle-ermglicht-stack-buffer-overflow-dos/
∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-priv-esc-qTgUZOsQ
∗∗∗ Cisco Small Business SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-web-multi-7kvPmu2F
∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007815
∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to SnakeYaml [CVE-2022-1471] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013297
∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2023-28530, XFID: 212233, CVE-2022-24999, CVE-2023-28530, CVE-2023-25929) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012621
∗∗∗ IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003501
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to security restrictions bypass due to [CVE-2022-32221], [CVE-2023-27533], [CVE-2023-28322] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013517
∗∗∗ Security Vulnerabilities in hazelcast client affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013527
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Framework (CVE-2023-20863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003899
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2023-20862) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003901
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012251
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily