[CERT-daily] Tageszusammenfassung - 29.03.2023

Daily end-of-shift report team at cert.at
Wed Mar 29 18:33:25 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 28-03-2023 18:00 − Mittwoch 29-03-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ WiFi protocol flaw allows attackers to hijack network traffic ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/


∗∗∗ H26Forge: Mehrheit der Video-Decoder wohl systematisch angreifbar ∗∗∗
---------------------------------------------
Immer wieder sorgen Bugs in Video-Decodern für Sicherheitslücken bis hin zu Zero Days. Wissenschaftler zeigen nun eine riesige Angriffsfläche.
---------------------------------------------
https://www.golem.de/news/h26forge-mehrheit-der-video-decoder-wohl-systematisch-angreifbar-2303-173055.html


∗∗∗ Network Data Collector Placement Makes a Difference, (Tue, Mar 28th) ∗∗∗
---------------------------------------------
A previous diary [1] described processing some local PCAP data with Zeek. This data was collected using tcpdump on a DShield Honeypot. When looking at the Zeek connection logs, the connection state information was unexpected. To help understand why, we will compare data from different locations on the network and process the data in a similar way. This will help narrow down where the discrepancies might be coming from, or at least where they are not coming from.
---------------------------------------------
https://isc.sans.edu/diary/rss/29664


∗∗∗ MacStealer: Mac-Malware will Passwörter und Krypto-Wallets klauen ∗∗∗
---------------------------------------------
Eine im Dark Web günstig angebotene Malware soll sensible Daten von Macs extrahieren und über den Messenger Telegram an Angreifer übermitteln.
---------------------------------------------
https://heise.de/-8153293


∗∗∗ Remote PowerShell: Einfallstor bei Exchange Online jetzt mit Gnadenfrist ∗∗∗
---------------------------------------------
Ein halbes Jahr länger bleibt Administratoren, bis sie sich von ihren unsicheren PowerShell-cmdlets für Exchange Online verabschieden müssen.
---------------------------------------------
https://heise.de/-8186790


∗∗∗ Kriminelle erfinden Behörden wie „finanzaufsichtsbehoerde.com“ für Authority-Scams ∗∗∗
---------------------------------------------
Um ihren Opfern das Geld aus der Tasche zu ziehen, greifen Kriminelle häufig zu kreativen Methoden. Aktuell erfinden sie Behörden wie zum Beispiel auf „finanzaufsichtsbehoerde.com“ und „betrugsdezernat.com“ oder imitieren echte Behörden und Institutionen. Egal, was man Ihnen hier verspricht, übermitteln Sie keine Daten und bezahlen Sie kein Geld an derartige Plattformen!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-erfinden-behoerden-wie-finanzaufsichtsbehoerdecom-fuer-authority-scams/


∗∗∗ Spyware vendors use 0-days and n-days against popular platforms ∗∗∗
---------------------------------------------
[...] In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.
---------------------------------------------
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/


∗∗∗ Active Exploitation of IBM Aspera Faspex CVE-2022-47986 ∗∗∗
---------------------------------------------
Rapid7 is aware of at least one incident where a customer was compromised via CVE-2022-47986. We strongly recommend patching on an emergency basis.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-aspera-faspex-cve-2022-47986/


∗∗∗ New OpcJacker Malware Distributed via Fake VPN Malvertising ∗∗∗
---------------------------------------------
We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html


∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗
---------------------------------------------
Für unsere täglichen Routineaufgaben suchen wir derzeit 1 Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security, welche:r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich auf unserer Jobs-Seite.
---------------------------------------------
https://cert.at/de/blog/2023/3/in-eigener-sache-certat-sucht-verstarkung-20230328



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/927666/


∗∗∗ Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed) ∗∗∗
---------------------------------------------
In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed/


∗∗∗ [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2 ∗∗∗
---------------------------------------------
[R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2Arnie CabralTue, 03/28/2023 - 11:10 Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components in use (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2023-17


∗∗∗ Security Advisory 2023-02 for PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3 ∗∗∗
---------------------------------------------
Hello, Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to a low severity security issue found. Please find the full text of the advisory below. The 4.6, 4.7 and 4.8 changelogs are available. The 4.6.6 (signature), 4.7.5 (signature) and 4.8.4 (signature) tarballs are available from our download server. Patches are available at patches.
---------------------------------------------
https://blog.powerdns.com/2023/03/29/security-advisory-2023-02-for-powerdns-recursor-up-to-and-including-4-6-5-4-7-4-and-4-8-3/


∗∗∗ IBM Security Bulletins 2023-03-29 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ K000133135: NGINX Agent vulnerability CVE-2023-1550 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133135


∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.9.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/


∗∗∗ Buffer Overflow Vulnerabilities in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-02


∗∗∗ Buffer Overflow Vulnerability in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-03


∗∗∗ Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-06


∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-10


∗∗∗ Vulnerability in sudo ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-11


∗∗∗ Multiple Vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-15


∗∗∗ Sielco Analog FM Transmitter 2.12 id Cookie Brute Force Session Hijacking ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php


∗∗∗ Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php


∗∗∗ Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php


∗∗∗ Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list