[CERT-daily] Daily summary - 19.05.2023
Daily end-of-shift report
team at cert.at
Fri May 19 18:45:18 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-05-2023 18:00 − Friday 19-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attacks could be imminent: Critical root vulnerabilities threaten Cisco switches ∗∗∗
---------------------------------------------
Cisco has closed, among other things, several critical security vulnerabilities in various small business switches. But not all models are getting updates.
---------------------------------------------
https://heise.de/-9059775
∗∗∗ KeePass password manager: Security researcher reads out master password ∗∗∗
---------------------------------------------
A security researcher has succeeded in reading out KeePass master passwords. However, such attacks are laborious.
---------------------------------------------
https://heise.de/-9059945
∗∗∗ Zero-days and more: A look at Apple's latest security patches ∗∗∗
---------------------------------------------
iOS 16.5, macOS 13.4 and the other updates also patch security flaws, as usual. These include flaws that are already being exploited.
---------------------------------------------
https://heise.de/-9059799
∗∗∗ Malware infected almost 10 million Android phones ∗∗∗
---------------------------------------------
Numerous smartphones were shipped with pre-installed malicious software.
---------------------------------------------
https://futurezone.at/produkte/android-schadsoftware-infiziert-10-millionen-handys-geraete/402455433
∗∗∗ MalasLocker ransomware targets Zimbra servers, demands charity donation ∗∗∗
---------------------------------------------
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targets-zimbra-servers-demands-charity-donation/
∗∗∗ Hackers target vulnerable Wordpress Elementor plugin after PoC released ∗∗∗
---------------------------------------------
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-wordpress-elementor-plugin-after-poc-released/
∗∗∗ Playing for the Wrong Team: Dangerous Functionalities in Microsoft Teams Enable Phishing and Malware Delivery by Attackers ∗∗∗
---------------------------------------------
Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office’s suite of products as a reliable foundation for their daily cloud ecosystem needs. However, as Proofpoint has shown in the past, this migration to the cloud also introduces new kinds of threats.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/dangerous-functionalities-in-microsoft-teams-enable-phishing
∗∗∗ RATs found hiding in the npm attic ∗∗∗
---------------------------------------------
ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
---------------------------------------------
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
∗∗∗ The Paillier Cryptosystem with Applications to Threshold ECDSA ∗∗∗
---------------------------------------------
You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.
---------------------------------------------
https://research.nccgroup.com/2023/05/19/the-paillier-cryptosystem-with-applications-to-threshold-ecdsa/
∗∗∗ All your building are belong to us ∗∗∗
---------------------------------------------
TL;DR: Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of securing Operational Technology (OT). While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. IoT offerings in this space can help manage risk within your networks, but can also provide unintended access to sensitive information.
---------------------------------------------
https://www.pentestpartners.com/security-blog/all-your-building-are-belong-to-us/
∗∗∗ CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware-workstation-at-pwn2own-vancouver
∗∗∗ VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled ∗∗∗
---------------------------------------------
Highlights: CloudGuard Spectral detected malicious extensions on the VSCode marketplace. Users installing these extensions were enabling attackers to steal PII records and to set remote shell to their machines. Once detected, we’ve alerted VSCode on these extensions. Soon after notification, they were removed by the VSCode marketplace team. VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft.
---------------------------------------------
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
∗∗∗ Visualizing QakBot Infrastructure ∗∗∗
---------------------------------------------
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
---------------------------------------------
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
=====================
= Vulnerabilities =
=====================
∗∗∗ File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015 ∗∗∗
---------------------------------------------
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-015
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
Trend Micro has released a new build for Trend Micro Apex Central that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293107?language=en_US
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex One ∗∗∗
---------------------------------------------
Trend Micro has released a new Critical Patch (CP) for Trend Micro Apex One and Trend Micro Apex One as a Service that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US
∗∗∗ Cisco Security Advisories 2023-05-17 ∗∗∗
---------------------------------------------
Cisco has published 9 security advisories: (1x Critical, 8x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2023%2F05%2F17&firstPublishedEndDate=2023%2F05%2F17
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
* ICSA-23-138-03 Hitachi Energy’s MicroSCADA Pro/X SYS600 Products
* ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series
* ICSA-23-138-01 Carlo Gavazzi Powersoft
* ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update B)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/18/cisa-releases-five-industrial-control-systems-advisories
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Fedora (clevis-pin-tpm2, greetd, keyring-ima-signer, libkrun, mirrorlist-server, nispor, nmstate, qt5-qtbase, rust-afterburn, rust-below, rust-bodhi-cli, rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Oracle (apr-util, curl, emacs, firefox, kernel, libreswan, mysql, nodejs and nodejs-nodemon, openssh, thunderbird, and webkit2gtk3), Red Hat (apr-util, emacs, firefox, git, jenkins and jenkins-2-plugins, kernel, kpatch-patch, and thunderbird), Scientific Linux (apr-util, firefox, and thunderbird), Slackware (curl), SUSE (cups-filters, curl, java-1_8_0-openjdk, kernel, mysql-connector-java, and ovmf), and Ubuntu (cups-filters, git, linux-gcp-4.15, linux-oracle, linux-raspi, node-minimatch, ruby2.3, ruby2.5, ruby2.7, and runc).
---------------------------------------------
https://lwn.net/Articles/932371/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups-filters, kitty, mingw-LibRaw, nispor, rust-ybaas, and rust-yubibomb), Mageia (kernel-linus), Red Hat (jenkins and jenkins-2-plugins), SUSE (openvswitch and ucode-intel), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-oracle-5.15, linux-ibm, linux-oracle, and linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/932464/
∗∗∗ Path Traversal in SymBox, SymOS (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of SymBox, SymOS allows a path traversal, which makes it possible to gain access to system files outside the web root.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-symbox-symos-syss-2023-014
∗∗∗ Spring Boot available now, fixing CVE-2023-20883 ∗∗∗
---------------------------------------------
https://spring.io/security/cve-2023-20883
∗∗∗ Mattermost security updates 7.10.1 / 7.9.4 / 7.8.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-1-7-9-4-7-8-5-esr-released/
∗∗∗ CPE2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup – 18 May 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily