[CERT-daily] Daily summary - 16.06.2023

Daily end-of-shift report team at cert.at
Fri Jun 16 18:10:27 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 15-06-2023 18:00 − Friday 16-06-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Another RAT Delivered Through VBS, (Fri, Jun 16th) ∗∗∗
---------------------------------------------
VBS looks popular these days. After Didier's last diary, I found another interesting script. It started with an email that referenced a fake overdue invoice. The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time.
---------------------------------------------
https://isc.sans.edu/diary/rss/29956


∗∗∗ Demystifying Website Hacktools: Types, Threats, and Detection ∗∗∗
---------------------------------------------
When we think about website malware, visible infection symptoms most often come to mind: unwanted ads or pop-ups, redirects to third-party sites, or spam keywords in search results. However, in some cases these very symptoms are the results of hacktools, a diverse and often insidious category of software designed to exploit vulnerabilities and compromise website security.
---------------------------------------------
https://blog.sucuri.net/2023/06/demystifying-website-hacktools-types-threats-and-detection.html


∗∗∗ ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC ∗∗∗
---------------------------------------------
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
---------------------------------------------
https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ FortiOS & FortiProxy: authenticated user null pointer dereference in SSL-VPN ∗∗∗
---------------------------------------------
A NULL pointer dereference vulnerability in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests.
CVE: CVE-2023-33306
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-015


∗∗∗ Microsoft ODBC and OLE DB Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349


∗∗∗ Microsoft OLE DB Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, openjdk-17, and wireshark), Fedora (iniparser, mariadb, mingw-glib2, perl-HTML-StripScripts, php, python3.7, and syncthing), Oracle (.NET 6.0, c-ares, kernel, nodejs, and python3.9), Slackware (libX11), SUSE (amazon-ssm-agent and chromium), and Ubuntu (gsasl, libx11, and sssd).
---------------------------------------------
https://lwn.net/Articles/934939/


∗∗∗ Mattermost security updates 7.10.3 / 7.9.5 / 7.8.7 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-3-7-9-5-7-8-7-esr-released/


∗∗∗ Another critical vulnerability in MOVEit Transfer - workaround and patches available ∗∗∗
---------------------------------------------
Another critical vulnerability has been discovered in MOVEit Transfer. Impact: since this is a SQL injection vulnerability, it must be assumed that all data stored on affected systems is at risk.
---------------------------------------------
https://cert.at/de/warnungen/2023/6/weitere-kritische-sicherheitslucke-in-moveit-transfer-workaround-und-patches-verfugbar


∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* SUBNET PowerSYSTEM Center
* Advantech WebAccessSCADA
* Siemens SICAM Q200 Devices
* Siemens SIMOTION
* Siemens SIMATIC WinCC
* Siemens TIA Portal
* Siemens SIMATIC WinCC V7
* Siemens SIMATIC STEP 7 and Derived Products
* Siemens Solid Edge
* Siemens SIMATIC S7-1500 TM MFP BIOS
* Siemens SIMATIC S7-1500 TM MFP Linux Kernel
* Siemens SINAMICS Medium Voltage Products
* Siemens SICAM A8000 Devices
* Siemens Teamcenter Visualization and JT2Go
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/15/cisa-releases-fourteen-industrial-control-systems-advisories

∗∗∗ Multiple vulnerabilities in Panasonic AiSEG2 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN19748237/


∗∗∗ ZDI-23-879: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-879/


∗∗∗ ZDI-23-878: (0Day) Ashlar-Vellum Cobalt AR File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-878/


∗∗∗ ZDI-23-877: (0Day) Ashlar-Vellum Cobalt IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-877/


∗∗∗ ZDI-23-876: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-876/


∗∗∗ ZDI-23-875: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-875/


∗∗∗ ZDI-23-874: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-874/


∗∗∗ ZDI-23-873: (0Day) Ashlar-Vellum Cobalt Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-873/


∗∗∗ ZDI-23-872: (0Day) Ashlar-Vellum Cobalt Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-872/


∗∗∗ ZDI-23-871: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-871/


∗∗∗ ZDI-23-870: (0Day) Ashlar-Vellum Cobalt Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-870/


∗∗∗ ZDI-23-869: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-869/


∗∗∗ ZDI-23-868: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-868/


∗∗∗ ZDI-23-867: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-867/


∗∗∗ ZDI-23-866: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-866/


∗∗∗ ZDI-23-865: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-865/


∗∗∗ ZDI-23-864: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Access Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-864/


∗∗∗ ZDI-23-863: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-863/


∗∗∗ ZDI-23-862: (0Day) Ashlar-Vellum Cobalt CO File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-862/


∗∗∗ ZDI-23-861: (0Day) Ashlar-Vellum Cobalt CO File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-861/


∗∗∗ ZDI-23-860: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-860/


∗∗∗ ZDI-23-859: (0Day) Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-859/


∗∗∗ CVE-2023-32027 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027


∗∗∗ CVE-2023-29356 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356


∗∗∗ CVE-2023-32025 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025


∗∗∗ CVE-2023-32026 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026


∗∗∗ Multiple vulnerabilities in Curl affect PowerSC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004263


∗∗∗ There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002345


∗∗∗ IBM SPSS Modeler is vulnerable to SSL private key exposure (CVE-2023-33842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004299


∗∗∗ Vulnerability of xmlbeans-2.6.0.jar has affected APM DataPower agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004599


∗∗∗ Vulnerabilities of Apache commons codec (commons-codec-1.6.jar) have affected APM NetApp Storage and APM File Gateway Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004597


∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004655


∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004653

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily