[CERT-daily] Tageszusammenfassung - 15.06.2023

Thu Jun 15 18:31:06 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 14-06-2023 18:00 − Donnerstag 15-06-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Microsoft: Windows Kernel CVE-2023-32019 fix is disabled by default ∗∗∗
---------------------------------------------
Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-windows-kernel-cve-2023-32019-fix-is-disabled-by-default/


∗∗∗ Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway ∗∗∗
---------------------------------------------
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022."UNC4841 is an espionage actor behind this wide-ranging campaign in support of the Peoples Republic of China," Google-owned Mandiant said in a new report published today, [...]
---------------------------------------------
https://thehackernews.com/2023/06/chinese-unc4841-group-exploits-zero-day.html


∗∗∗ Hardware Hacking to Bypass BIOS Passwords ∗∗∗
---------------------------------------------
This article serves as a beginner’s hardware hacking journey, performing a BIOS password bypass on Lenovo laptops. We identify what the problem is, how to identify a vulnerable chip, how to bypass a vulnerable chip, and finally, analyse why this attack works and ways that it can be prevented.
---------------------------------------------
https://blog.cybercx.co.nz/bypassing-bios-password


∗∗∗ Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver ∗∗∗
---------------------------------------------
Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. [..] While I’ve seen a lot of material from the defensive community (they were fast on this one) about the detection mechanism, IOCs, prevention policies and intelligence, I feel some other, perhaps more interesting vulnerable code paths in this driver were not explored nor discussed.
---------------------------------------------
https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/


∗∗∗ Sicherheitsupdates: Attacken auf Pixel-Smartphones von Google gesichtet ∗∗∗
---------------------------------------------
Google hat etliche Sicherheitslücken in Pixel-Smartphones mit Android 13 geschlossen. Eine Lücke gilt als kritisch.
---------------------------------------------
https://heise.de/-9188302


∗∗∗ Eset schließt Sicherheitslücken in Virenscannern für Linux und Mac ∗∗∗
---------------------------------------------
Aufgrund einer hochriskanten Sicherheitslücke in Esets Virenschutz für Linux und Mac können Angreifer ihre Rechte ausweiten. Updates stehen bereit.
---------------------------------------------
https://heise.de/-9188823


∗∗∗ Kritisches Leck: Codeschmuggel auf mehr als 50 HP Laserjet MFP-Modelle möglich ∗∗∗
---------------------------------------------
HP warnt vor einer kritischen Sicherheitslücke in mehr als 50 HP (Enterprise) Laserjet MFP-Modellen. Angreifer aus dem Netz können Schadcode einschleusen.
---------------------------------------------
https://heise.de/-9188162


∗∗∗ WhatsApp Backups im Visier von Android GravityRAT ∗∗∗
---------------------------------------------
ESET-Forscher analysierten eine aktualisierte Version der Android-Spyware GravityRAT, die WhatsApp-Backup-Dateien stiehlt und Befehle zum Löschen von Dateien empfangen kann.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/06/15/whatsapp-backups-im-visier-von-android-gravityrat/


∗∗∗ Android Malware Impersonates ChatGPT-Themed Applications ∗∗∗
---------------------------------------------
Android malware posing as ChatGPT-themed apps targets mobile users. We report on instances of this attack vector, identifying two distinct types.
---------------------------------------------
https://unit42.paloaltonetworks.com/android-malware-poses-as-chatgpt/


∗∗∗ Unternehmen von LinkedIn-Betrugsfällen betroffen ∗∗∗
---------------------------------------------
Beliebteste Betrugsform sind Kontaktanfragen von einer unbekannten Person mit einem verdächtigen Link in der Nachricht.
---------------------------------------------
https://www.zdnet.de/88409942/unternehmen-von-linkedin-betrugsfaellen-betroffen/


∗∗∗ CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs) ∗∗∗
---------------------------------------------
Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them. BMCs are trusted components designed into a computers hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs


∗∗∗ Gut gemachter Phishing-Versuch mit Malware im Namen Microsofts ∗∗∗
---------------------------------------------
Ein Blog-Leser hat mich auf einen gut gemachten Phishing-Versuch per E-Mail aufmerksam gemacht, der das Thema Multifactor-Authentifizierung (MFA) aufgreift. Dabei wird suggeriert, dass die Mail von Microsoft selbst stammt (es wird eine Sub-Domain von Microsoft benutzt) und die Leute agieren [...]
---------------------------------------------
https://www.borncity.com/blog/2023/06/15/gut-gemachter-phishing-versuch-mit-malware-im-namen-microsofts/


∗∗∗ Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers ∗∗∗
---------------------------------------------
Without altering a single line of code, attackers poisoned the NPM package “bignum” by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones.
---------------------------------------------
https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-23-858: (0Day) Pulse Secure Client SetupService Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Pulse Secure Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-858/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (python-django-filter and qt), Mageia (cups, firefox/nss, httpie, thunderbird, and webkit2), Red Hat (.NET 6.0, .NET 7.0, c-ares, firefox, jenkins and jenkins-2-plugins, nodejs, nodejs:18, python3, python3.11, python3.9, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (frr, opensc, python3, and rekor), and Ubuntu (c-ares, glib2.0, libcap2, linux-intel-iotg-5.15, pano13, and requests).
---------------------------------------------
https://lwn.net/Articles/934802/


∗∗∗ Vulnerabilities in Samba ∗∗∗
---------------------------------------------
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-05


∗∗∗ Windows PowerShell PS1 Trojan File RCE ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023060031


∗∗∗ Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-020


∗∗∗ CVE-2023-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0010


∗∗∗ CVE-2023-0009 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0009


∗∗∗ IBM Sterling Partner Engagement Manager is vulnerable to CSS injection due to Swagger UI (CVE-2019-17495) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004151


∗∗∗ IBM Sterling Partner Engagement Manager vulnerable to buffer overflow due to OpenJDK (CVE-2023-2597) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004153


∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004175


∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2022-39161] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004183


∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase ( CVE-2023-24966, CVE-2022-39161, CVE-2023-27554, CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004187


∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004199


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004197


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999605

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily