[CERT-daily] Daily summary - 12.06.2023

Daily end-of-shift report team at cert.at
Mon Jun 12 19:04:35 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 09-06-2023 18:00 − Monday 12-06-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Fortinet: SSL-VPN flaw allows code injection ∗∗∗
---------------------------------------------
Fortinet has released updates for the FortiOS operating system. They close a security vulnerability in the SSL VPN that allows malicious code to be injected.
---------------------------------------------
https://heise.de/-9184284


∗∗∗ Password manager Bitwarden: biometric key was readable by everyone ∗∗∗
---------------------------------------------
The password manager Bitwarden supports authentication with Windows Hello. Until recently, the biometric key stored in Windows could be read by any user on the system.
---------------------------------------------
https://heise.de/-9184586


∗∗∗ New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward ∗∗∗
---------------------------------------------
Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward.
---------------------------------------------
https://www.securityweek.com/new-moveit-vulnerabilities-found-as-more-zero-day-attack-victims-come-forward/


∗∗∗ Exploit released for MOVEit RCE bug used in data theft attacks ∗∗∗
---------------------------------------------
Horizon3 security researchers have released proof-of-concept (PoC) exploit code for a remote code execution (RCE) bug in the MOVEit Transfer managed file transfer (MFT) solution abused by the Clop ransomware gang in data theft attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-rce-bug-used-in-data-theft-attacks/


∗∗∗ Strava heatmap feature can be abused to find home addresses ∗∗∗
---------------------------------------------
Researchers at North Carolina State University Raleigh have discovered a privacy risk in the Strava app's heatmap feature that could lead to identifying users' home addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/strava-heatmap-feature-can-be-abused-to-find-home-addresses/


∗∗∗ Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency ∗∗∗
---------------------------------------------
Kaspersky researchers share insight into multistage DoubleFinger loader attack delivering GreetingGhoul cryptocurrency stealer and Remcos RAT.
---------------------------------------------
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/


∗∗∗ Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer ∗∗∗
---------------------------------------------
Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.
---------------------------------------------
https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html


∗∗∗ Bypassing Android Biometric Authentication ∗∗∗
---------------------------------------------
Cryptography and authentication issues are not only present in apps with a low number of downloads, but also in very popular apps. Furthermore, this also affects apps that aim to provide a high level of data protection, since they handle sensitive data that should be kept safe. [..] However, it is important to stress that to be able to perform a bypass, an attacker needs root permissions on the victim's device or must be able to talk the victim into installing a modified version of an app [..]
---------------------------------------------
https://sec-consult.com/blog/detail/bypassing-android-biometric-authentication/


∗∗∗ Circumventing inotify Watchdogs ∗∗∗
---------------------------------------------
Recently I’ve been building rudimentary file monitoring tools to get better at Golang, and build faux-watchdog programs for research at Arch Cloud Labs. Through this experimentation, I’ve identified some interesting gaps in the inotify subsystem that are new to me, but are well documented in the Linux man pages. This blog post will explore how to circumvent read detections implemented by inotify.
---------------------------------------------
https://www.archcloudlabs.com/projects/inotify/
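The gap the post alludes to is spelled out in the "Limitations and caveats" section of inotify(7): accesses made through mmap(2) are not reported by inotify, so a watchdog that waits for IN_ACCESS sees a read(2) of a file but not a read of the same bytes through a memory mapping. The following is an added example, not code from the Arch Cloud Labs post; it assumes a Linux host with a writable /tmp, writes a small constructed sample file there, and uses the function name read_triggers_in_access chosen here for illustration.

```c
// Added example (not from the post): show that an IN_ACCESS inotify watch
// fires for read(2) but stays silent when the same file is read via mmap(2).
// Linux-only; assumes /tmp is writable.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mman.h>
#include <unistd.h>

// Create a temporary file with constructed sample content; path is returned in `path`.
static int make_sample_file(char *path, size_t len) {
    snprintf(path, len, "/tmp/inotify-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char msg[] = "constructed sample content for the inotify demo\n";
    ssize_t w = write(fd, msg, sizeof msg - 1);
    close(fd);
    return (w == (ssize_t)(sizeof msg - 1)) ? 0 : -1;
}

// Drain the inotify queue; returns 1 if an IN_ACCESS event was seen, 0 if none, -1 on error.
static int drain_access_events(int ifd, int timeout_ms) {
    struct pollfd pfd = { .fd = ifd, .events = POLLIN };
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int seen = 0;
    for (;;) {
        int r = poll(&pfd, 1, timeout_ms);
        if (r < 0) return -1;
        if (r == 0) break;                      // queue empty: nothing (more) to read
        ssize_t n = read(ifd, buf, sizeof buf);
        if (n <= 0) break;
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_ACCESS) seen = 1;
            p += sizeof *ev + ev->len;
        }
        timeout_ms = 0;                         // later batches are drained without waiting
    }
    return seen;
}

// Read the sample file under an IN_ACCESS watch, via read(2) (use_mmap == 0)
// or via mmap(2) (use_mmap != 0). Returns 1 if the watch saw the read, 0 if not, -1 on error.
int read_triggers_in_access(int use_mmap) {
    char path[64];
    if (make_sample_file(path, sizeof path) < 0) return -1;

    int result = -1;
    int ifd = inotify_init1(IN_NONBLOCK);
    int wd = (ifd >= 0) ? inotify_add_watch(ifd, path, IN_ACCESS) : -1;
    int fd = (wd >= 0) ? open(path, O_RDONLY) : -1;
    if (fd >= 0) {
        volatile unsigned char sink = 0;        // keeps the compiler from dropping the reads
        if (!use_mmap) {
            char data[128];
            ssize_t n = read(fd, data, sizeof data);   // goes through vfs_read -> fsnotify_access
            if (n > 0) sink ^= (unsigned char)data[0];
        } else {
            off_t size = lseek(fd, 0, SEEK_END);
            unsigned char *map = mmap(NULL, (size_t)size, PROT_READ, MAP_PRIVATE, fd, 0);
            if (map != MAP_FAILED) {
                for (off_t i = 0; i < size; i++) sink ^= map[i];  // page-fault reads, no read(2)
                munmap(map, (size_t)size);
            }
        }
        (void)sink;
        close(fd);
        result = drain_access_events(ifd, 200);
    }
    if (ifd >= 0) close(ifd);
    unlink(path);
    return result;
}

int main(void) {
    printf("read(2) seen by IN_ACCESS watch: %d\n", read_triggers_in_access(0));
    printf("mmap(2) seen by IN_ACCESS watch: %d\n", read_triggers_in_access(1));
    return 0;
}
```

The practical consequence for a detection engineer is that an inotify-based read monitor is a heuristic, not a guarantee; tooling that needs to see every access has to sit lower (fanotify with FAN_ACCESS permission events, an LSM, or an audit rule on the open itself) rather than rely on IN_ACCESS alone.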


∗∗∗ Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures ∗∗∗
---------------------------------------------
We are the first to provide an in-depth analysis of Office Open XML (OOXML) Signatures, the Ecma/ISO standard that all Microsoft Office applications use. Our analysis reveals major discrepancies between the structure of office documents and the way digital signatures are verified. These discrepancies lead to serious security flaws in the specification and in the implementation. As a result, we discovered five new attack classes.
---------------------------------------------
https://www.usenix.org/system/files/sec23summer_235-rohlmann-prepub.pdf


∗∗∗ Defeating Windows DEP With A Custom ROP Chain ∗∗∗
---------------------------------------------
This article explains how to write a custom ROP (Return Oriented Programming) chain to bypass Data Execution Prevention (DEP) on a Windows 10 system. DEP makes certain parts of memory (e.g., the stack) used by an application non-executable. This means that overwriting EIP with a “JMP ESP” (or similar) instruction and then freely executing [...]
---------------------------------------------
https://research.nccgroup.com/2023/06/12/defeating-windows-dep-with-a-custom-rop-chain/


∗∗∗ Instagram: beware of fake "Meta" messages ∗∗∗
---------------------------------------------
A fake Meta profile contacts you on Instagram. You have allegedly violated copyright. You are asked to fill in an objection form, otherwise your account will be blocked. The link to the form is right there in the message. Caution: this message is fake. Criminals steal your login credentials and then blackmail you.
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-vorsicht-vor-gefaelschter-meta-nachricht/


∗∗∗ Varonis warns about Salesforce sites that are no longer in use ∗∗∗
---------------------------------------------
Security researchers at Varonis have come across a problem with Salesforce sites that have been orphaned and are no longer used. Varonis Threat Labs researchers discovered that improperly deactivated Salesforce sites, so-called ghost sites, continue to pull current data and remain reachable by attackers: by manipulating the Host header, cybercriminals can gain access to sensitive personal data and business information.
---------------------------------------------
https://www.borncity.com/blog/2023/06/10/varonis-warnt-vor-nicht-mehr-genutzten-salesforce-sites/


∗∗∗ OAuth2 Security Best Current Practices ∗∗∗
---------------------------------------------
On 6 June 2023 the IETF updated the document "OAuth2 Security Best Current Practices". The document describes the current best security practice for OAuth 2.0. It updates and extends the OAuth 2.0 security threat model.
---------------------------------------------
https://www.borncity.com/blog/2023/06/11/oauth2-security-best-current-practices/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pypdf2 and thunderbird), Fedora (chromium, dbus, mariadb, matrix-synapse, sympa, and thunderbird), Scientific Linux (python and python3), SUSE (chromium, gdb, and openldap2), and Ubuntu (jupyter-core, requests, sssd, and vim).
---------------------------------------------
https://lwn.net/Articles/934456/


∗∗∗ WordPress Theme Workreap 2.2.2 Unauthenticated Upload Leading to Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023060012


∗∗∗ ASUS Router RT-AX3000 vulnerable to using sensitive cookies without Secure attribute ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN34232595/


∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-21/


∗∗∗ This Power System update is being released to address CVE-2023-25683 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002721


∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002807


∗∗∗ IBMid credentials may be exposed when directly downloading code onto IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Spectrum Virtualize products [CVE-2023-27870] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985697


∗∗∗ Vulnerability in requests-2.27.1.tar.gz affects IBM Integrated Analytics System [CVE-2023-32681] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003185


∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2020-28473] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003195


∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2022-31799] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003201


∗∗∗ Vulnerability in certifi-2018.4.16 affects IBM Integrated Analytics System [CVE-2022-23491] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003205


∗∗∗ IBM Cloud Kubernetes Service is affected by two containerd security vulnerabilities (CVE-2023-28642) (CVE-2023-27561) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001317


∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000903


∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003247


∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003245


∗∗∗ IBM App Connect Enterprise Certified Container operands that use the Snowflake connector are vulnerable to arbitrary code execution due to [CVE-2023-34232] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003259


∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to arbitrary code execution due to PostgreSQL (CVE-2023-2454) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003279

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
