[CERT-daily] Daily summary - 02.03.2023

Daily end-of-shift report team at cert.at
Thu Mar 2 18:15:24 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 01-03-2023 18:00 − Thursday 02-03-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗
---------------------------------------------
He has strings to detect any embedded file, and strings to detect embedded PNG files, JPEG files, ...
So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.
---------------------------------------------
https://isc.sans.edu/diary/rss/29598


∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗
---------------------------------------------
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.
---------------------------------------------
https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html


∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operator's Exact Location ∗∗∗
---------------------------------------------
Every DJI quadcopter broadcasts its operator's position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates.
---------------------------------------------
https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/


∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗
---------------------------------------------
Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool. 
---------------------------------------------
https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mitre-attck


∗∗∗ Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗
---------------------------------------------
This article walks us through a current Snyk Security Labs research project focusing on cloud-based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day.
---------------------------------------------
https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/


∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a


∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗
---------------------------------------------
Romance fraud involves cybercriminals engineering a romantic relationship on online dating platforms. It is a cruel form of cybercrime whereby victims are left heartbroken, often facing financial ruin. We characterise the literary landscape on romance fraud, advancing the understanding of researchers and practitioners by systematically reviewing and synthesising contemporary qualitative and quantitative evidence.
---------------------------------------------
http://arxiv.org/abs/2303.00070


∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗
---------------------------------------------
Satellite user terminals are a promising target for adversaries seeking to target satellite communication networks. Despite this, many protections commonly found in terrestrial routers are not present in some user terminals. As a case study we audit the attack surface presented by the Starlink router's admin interface, using fuzzing to uncover a denial of service attack on the Starlink user terminal.
---------------------------------------------
http://arxiv.org/abs/2303.00582



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗
---------------------------------------------
Project: Group control for forums
Security risk: Critical
Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.
Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-008


∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗
---------------------------------------------
Project: Thunder
Security risk: Moderately critical
Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module, which provides a graphql interface. The module doesn't sufficiently check access when serving user data via graphql, leading to an access bypass vulnerability.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-007


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox).
---------------------------------------------
https://lwn.net/Articles/924922/


∗∗∗ Critical security vulnerabilities in ArubaOS - updates partially available ∗∗∗
---------------------------------------------
Because attackers can execute arbitrary code on affected devices, all data stored on these devices and reachable through them is at risk. Since these are network components, scenarios are also conceivable in which data flowing through them can be read, impaired and/or modified.
---------------------------------------------
https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-updates-teilweise-verfugbar


∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-006


∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA006722


∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6590487


∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353


∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959355


∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369


∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836


∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959357


∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959359


∗∗∗ Persistent cross-site scripting vulnerability affects IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958691


∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959567


∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959583


∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959601


∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959625


∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848317


∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956299


∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959639

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



