[CERT-daily] Daily summary - 28.03.2023

Daily end-of-shift report team at cert.at
Tue Mar 28 18:41:01 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 27-03-2023 18:00 − Tuesday 28-03-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ New MacStealer macOS malware steals passwords from iCloud Keychain ∗∗∗
---------------------------------------------
A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/


∗∗∗ Exchange Online to block emails from vulnerable on-prem servers ∗∗∗
---------------------------------------------
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exchange-online-to-block-emails-from-vulnerable-on-prem-servers/


∗∗∗ Cybersecurity Challenges of Power Transformers ∗∗∗
---------------------------------------------
To the best of our knowledge, there is no study in the literature that systematically investigates the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks.
---------------------------------------------
https://arxiv.org/abs/2302.13161


∗∗∗ OpenSSL 1.1.1 End of Life ∗∗∗
---------------------------------------------
We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
---------------------------------------------
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/


∗∗∗ The curl quirk that exposed Burp Suite & Google Chrome ∗∗∗
---------------------------------------------
Although this feature took us (and Chrome) by surprise, it is fully documented so we don't consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked.
---------------------------------------------
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome


∗∗∗ Subscription trap on produkttester-werden.org ∗∗∗
---------------------------------------------
Produkttester-werden.org advertises the opportunity to test products regularly and free of charge and to receive up to 25 euros in expense allowance for doing so. However, already at initial registration personal data including the IBAN is requested, a direct debit authorisation is demanded, and a paid subscription is concluded via a hidden cost notice. We advise keeping your distance!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenorg/


∗∗∗ Emotet Being Distributed via OneNote ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document.
---------------------------------------------
https://asec.ahnlab.com/en/50564/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Apple patches everything, including a zero-day fix for iOS 15 users ∗∗∗
---------------------------------------------
Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.
---------------------------------------------
https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-including-a-zero-day-fix-for-ios-15-users/


∗∗∗ FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329) ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPs GET requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-364


∗∗∗ OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) ∗∗∗
---------------------------------------------
Severity: Low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default.
---------------------------------------------
https://www.openssl.org/news/secadv/20230328.txt


∗∗∗ [webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
A Cross Site Scripting (XSS) vulnerability exists in Moodle, a free and open-source Learning Management System (LMS) written in PHP [..]
---------------------------------------------
https://www.exploit-db.com/exploits/51115


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse).
---------------------------------------------
https://lwn.net/Articles/927548/


∗∗∗ Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vman-csrf-76RDbLEh


∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966410


∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966400


∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966418


∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966412


∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966416


∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966420


∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966436


∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966428


∗∗∗ Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966084


∗∗∗ Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966434


∗∗∗ IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966438


∗∗∗ IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966440


∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966442


∗∗∗ IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966588


∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966600


∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966602


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966604


∗∗∗ IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966610


∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966612


∗∗∗ IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966636


∗∗∗ There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966646


∗∗∗ There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966644


∗∗∗ Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-2047] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966652

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily