[CERT-daily] Tageszusammenfassung - 25.07.2023

Daily end-of-shift report team at cert.at
Tue Jul 25 18:18:13 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 24-07-2023 18:00 - Tuesday 25-07-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique ∗∗∗
---------------------------------------------
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets.
---------------------------------------------
https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html


∗∗∗ Rooting the Amazon Echo Dot ∗∗∗
---------------------------------------------
Thanks to a debug feature implemented by Lab126 (Amazon's hardware development company) it is now possible to obtain a tethered root on the device. Thanks to strong security practices enforced by the company, such as a chain of trust from the beginning of the boot process, this should not be a major issue.
---------------------------------------------
https://dragon863.github.io/blog/echoroot.html


∗∗∗ Will the real Citrix CVE-2023-3519 please stand up? ∗∗∗
---------------------------------------------
While the most recent Citrix Security Advisory identifies CVE-2023-3519 as the only vulnerability resulting in unauthenticated remote code execution, there are at least two vulnerabilities that were patched during the most recent version upgrade.
---------------------------------------------
https://www.greynoise.io/blog/will-the-real-citrix-cve-2023-3519-please-stand-up


∗∗∗ Forthcoming OpenSSL Releases ∗∗∗
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v. These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is Low.
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html


∗∗∗ Phishing alert: our list of current phishing messages ∗∗∗
---------------------------------------------
In phishing messages, criminals ask by e-mail or SMS that you follow links or open file attachments. This is how criminals try to get hold of your login, bank or credit card data. Numerous phishing messages are reported to us every day. As soon as we discover new phishing messages, we add them to our phishing alert!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-unsere-liste-mit-aktuellen-phishing-nachrichten/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo ∗∗∗
---------------------------------------------
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.
- CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0)
- CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0)
- CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1)
---------------------------------------------
https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.html


∗∗∗ CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (CVSS: 10.0) ∗∗∗
---------------------------------------------
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. [..] Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now.
---------------------------------------------
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US


∗∗∗ F5 Security Advisory K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757 ∗∗∗
---------------------------------------------
This vulnerability may allow an attacker with network access to compromise the affected component. Successful exploit can result in unauthorized ability to cause a partial denial-of-service (DoS) of the affected component. BIG-IP and BIG-IQ Versions known to be vulnerable: BIG-IP (all modules) 13.x-17.x, BIG-IQ Centralized Management 8.0.0-8.3.0
---------------------------------------------
https://my.f5.com/manage/s/article/K000135555


∗∗∗ Citrix Hypervisor Security Update for CVE-2023-20593 ∗∗∗
---------------------------------------------
AMD has released updated microcode to address an issue with certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue.
---------------------------------------------
https://support.citrix.com/article/CTX566835/citrix-hypervisor-security-update-for-cve202320593


∗∗∗ Xen Security Advisory XSA-433 x86/AMD: Zenbleed ∗∗∗
---------------------------------------------
This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. [..] In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-433.html
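
As an added example (not part of XSA-433 and not Xen's own tooling): a Python check that parses a /proc/cpuinfo dump to tell whether a host or guest is a Zen 2 part with AVX still visible, which is the condition the `cpuid="host:avx=0"` workaround removes from a guest's point of view, and optionally reads the AMD DE_CFG MSR to see whether the control-register workaround bit is set. The Zen 2 model ranges, the MSR address 0xC0011029 and bit 9 are taken from the public Zenbleed disclosure and the Linux kernel's mitigation rather than from the advisory and are assumptions here; the cpuinfo samples are constructed, and whether a given microcode revision is the fixed one must be checked against the vendor's table, which this code does not encode.

```python
import os
import struct

# Zen 2 model ranges within AMD family 0x17, and the DE_CFG control register
# whose bit 9 the Linux/Xen workaround sets when fixed microcode is absent.
# Assumption: these constants come from the public Zenbleed write-up and the
# Linux kernel mitigation, not from XSA-433 itself.
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF))
DE_CFG_MSR = 0xC0011029
ZEN2_FP_BACKUP_FIX_BIT = 9


def parse_cpuinfo(text):
    """Fields of the first 'processor' block of a /proc/cpuinfo dump."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break          # end of the first processor block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def is_zen2(vendor, family, model):
    return (vendor == "AuthenticAMD" and family == 0x17
            and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES))


def assess(cpuinfo_text):
    """Is this a Zen 2 part, and is AVX still visible (so the bug is reachable)?"""
    f = parse_cpuinfo(cpuinfo_text)
    flags = set(f.get("flags", "").split())
    zen2 = is_zen2(f.get("vendor_id", ""),
                   int(f.get("cpu family", 0)), int(f.get("model", 0)))
    return {
        "zen2": zen2,
        "avx_visible": "avx" in flags,
        # False inside a VM whose vm.cfg carries cpuid="host:avx=0"
        "exposed": zen2 and "avx" in flags,
        # compare against the vendor's fixed revision for this model
        "microcode": f.get("microcode", "unknown"),
    }


def chicken_bit_set(cpu=0):
    """Read DE_CFG through the msr driver (root, `modprobe msr`); None if unavailable."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        (value,) = struct.unpack("<Q", os.pread(fd, 8, DE_CFG_MSR))
    except OSError:
        return None
    finally:
        os.close(fd)
    return bool((value >> ZEN2_FP_BACKUP_FIX_BIT) & 1)


# Constructed samples: an EPYC "Rome" host (family 23, model 0x31) with AVX,
# and the same CPU as seen from a guest whose vm.cfg disables AVX.
SAMPLE_HOST = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302P 16-Core Processor
microcode\t: 0x8301034
flags\t\t: fpu vme de pse sse sse2 ssse3 sse4_1 sse4_2 avx avx2

processor\t: 1
vendor_id\t: AuthenticAMD
"""
SAMPLE_GUEST_NO_AVX = SAMPLE_HOST.replace(" avx avx2", "")

if __name__ == "__main__":
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            print(assess(fh.read()), "DE_CFG bit 9:", chicken_bit_set())
    else:
        print(assess(SAMPLE_HOST))
```

Run it on the host to see whether the part is Zen 2 and whether the MSR bit is set; run it inside an untrusted guest to confirm the AVX workaround actually reached the guest's CPUID view. "exposed" being False inside a guest is only the AVX workaround; on the host, fixed microcode or the set DE_CFG bit is the mitigation the advisory recommends.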


∗∗∗ VMWare VMSA-2023-0016 (CVE-2023-20891) ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.5
Synopsis: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability
Known Attack Vectors: A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0016.html


∗∗∗ TYPO3 12.4.4 and 11.5.30 security releases published ∗∗∗
---------------------------------------------
All versions are security releases and contain important security fixes - read the corresponding security advisories:
- TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer (CVE-2023-38500)
- TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution (CVE-2023-38499)
- TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin (CVE-2023-37905)
---------------------------------------------
https://typo3.org/article/typo3-1244-and-11530-security-releases-published


∗∗∗ Holes plugged: Apple releases iOS 16.6, macOS 13.5, watchOS 9.6 and tvOS 16.6 ∗∗∗
---------------------------------------------
Apple's fresh updates from Monday evening deliver bug fixes and, above all, security-relevant fixes. There were also zero-day holes.
---------------------------------------------
https://heise.de/-9225677


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh).
---------------------------------------------
https://lwn.net/Articles/939179/


∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13.1 ∗∗∗
---------------------------------------------
CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character
[..] filenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
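
As an added example, not code from Mozilla or from the advisory: a Python check that shows how a right-to-left override (U+202E) in an attachment name makes the displayed extension differ from the one the OS will act on, and the fix the advisory describes, stripping the control character so the real extension shows. The rendering function is a deliberate approximation of the Unicode bidi algorithm (it simply reverses the text after the override, which is enough for the single-RLO trick), and the filenames are constructed samples.

```python
import os

# Bidirectional control characters (Unicode category Cf) that can reorder how a
# filename is displayed without changing its code points. U+202E is the RLO.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)
RLO = "\u202e"


def real_extension(name):
    """The extension the OS acts on: last dot-suffix in code-point order."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def naive_display(name):
    """Approximate what a renderer honouring RLO shows: text after U+202E reversed.
    (Simplification of the bidi algorithm, sufficient for the single-RLO trick.)"""
    i = name.find(RLO)
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def strip_bidi_controls(name):
    """What fixed Thunderbird does: drop the controls so the real extension shows."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def assess_attachment(name):
    """Compare the extension a user sees with the one that would actually run."""
    apparent = real_extension(naive_display(name))
    actual = real_extension(name)
    return {
        "has_bidi_controls": any(ch in BIDI_CONTROLS for ch in name),
        "apparent_extension": apparent,
        "actual_extension": actual,
        "spoofed": apparent != actual,
        "safe_name": strip_bidi_controls(name),
    }


# Constructed sample: stored as "Invoice_2023<RLO>fdp.exe", rendered as
# "Invoice_2023exe.pdf", executed as an .exe.
SPOOFED = "Invoice_2023" + RLO + "fdp.exe"

if __name__ == "__main__":
    for n in (SPOOFED, "report.pdf"):
        print(repr(naive_display(n)), assess_attachment(n))
```

The same check belongs at a mail gateway or in an attachment-scanning pipeline: flag any filename containing a bidi control, and compare the extension after stripping with the one a user would see.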


∗∗∗ Spring Security 5.6.12, 5.7.10, 5.8.5, 6.0.5, and 6.1.2 are available now, including fixes for CVE-2023-34034 and CVE-2023-34035 ∗∗∗
---------------------------------------------
Those versions fix the following CVEs:
- CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern
- CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets
---------------------------------------------
https://spring.io/blog/2023/07/24/spring-security-5-6-12-5-7-10-5-8-5-6-0-5-and-6-1-2-are-available-now


∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) advisories on July 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-23-206-01 AXIS A1001
- ICSA-23-206-02 Rockwell Automation ThinManager ThinServer
- ICSA-23-206-03 Emerson ROC800 Series RTU and DL8000 Preset Controller
- ICSA-23-206-04 Johnson Controls IQ Wifi 6
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/25/cisa-releases-four-industrial-control-systems-advisories


∗∗∗ 2023-07-24: Cyber Security Advisory - ABB Ability Zenon directory permission and internal issues ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ AMD Cross-Process Information Leak ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500571-AMD-CROSS-PROCESS-INFORMATION-LEAK


∗∗∗ [R1] Stand-alone Security Patch Available for Security Center versions 6.0.0, 6.1.0 and 6.1.1: SC-202307.1-6.x ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-26


∗∗∗ [R1] Stand-alone Security Patch Available for Security Center version 5.23.1: SC-202307.1-5.23.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-25


∗∗∗ OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014235


∗∗∗ SnakeYaml is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014243


∗∗∗ Node.js http-cache-semantics module is vulnerable to CVE-2022-25881 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014237


∗∗∗ Werkzeug is vulnerable to CVE-2023-25577 and CVE-2023-23934 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014239


∗∗∗ Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014241


∗∗∗ Apache Commons FileUpload and Tomcat are vulnerable to CVE-2023-24998 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014245


∗∗∗ Xml2js is vulnerable to CVE-2023-0842 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014247


∗∗∗ Flask is vulnerable to CVE-2023-30861 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014251


∗∗∗ Apache Commons Codec is vulnerable to PRISMA-2021-0055 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014255


∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014253


∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014259


∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module) (CVE-2023-30433) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012613


∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014261


∗∗∗ json-20220320.jar is vulnerable to CVE-2022-45688 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014269


∗∗∗ Apache Kafka is vulnerable to CVE-2022-34917 and CVE-2023-25194 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014273


∗∗∗ Netplex json-smart-v2 is vulnerable to CVE-2023-1370 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014271


∗∗∗ Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014281


∗∗∗ VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014361


∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20861 and CVE-2023-20863 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014353


∗∗∗ Netty is vulnerable to CVE-2023-34462 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014357


∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20860 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014363


∗∗∗ Apache Commons FileUpload and Apache Tomcat are vulnerable to CVE-2023-24998, CVE-2022-45143, and CVE-2023-28708 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014365


∗∗∗ VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014369


∗∗∗ Vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013909


∗∗∗ Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014371


∗∗∗ Google Guava is vulnerable to CVE-2023-2976 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014373


∗∗∗ Snappy-java is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014375


∗∗∗ The Bouncy Castle Crypto Package For Java is vulnerable to CVE-2023-33201 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014377


∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014379


∗∗∗ Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011697


∗∗∗ Multiple vulnerabilities in Apache Log4j affect IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014395


∗∗∗ IBM Event Streams is affected by multiple Golang Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014403


∗∗∗ IBM WebSphere Application Server, used in IBM Security Verify Governance Identity Manager, could provide weaker than expected security (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014401


∗∗∗ The IBM® Engineering System Design Rhapsody products on IBM Jazz Technology contain additional security fixes for X-Force ID 220800 and CVE-2017-12626 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014413


∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVEs - Remediation/Fixes) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014429


∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to arbitrary code execution due to [CVE-2022-28805] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014459


∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service due to [CVE-2021-27212] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014457


∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands are vulnerable to denial of service due to [CVE-2022-21349] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014455


∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014451


∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014453


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014473


∗∗∗ IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014475


∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/876830


∗∗∗ Watson Query potentially exposes administrators key under some conditions due to CVE-2022-22410 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6569235


∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6453431

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily