[CERT-daily] Tageszusammenfassung - 30.05.2023

Tue May 30 18:31:57 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 26-05-2023 18:00 − Dienstag 30-05-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ QBot malware abuses Windows WordPad EXE to infect devices ∗∗∗
---------------------------------------------
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/


∗∗∗ Hot Pixels attack checks CPU temp, power changes to steal data ∗∗∗
---------------------------------------------
A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the targets browser and infer the navigation history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu-temp-power-changes-to-steal-data/


∗∗∗ Android apps with spyware installed 421 million times from Google Play ∗∗∗
---------------------------------------------
A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-installed-421-million-times-from-google-play/


∗∗∗ Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th) ∗∗∗
---------------------------------------------
I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint, it's an olefile. You can analyze it with oledump.py
---------------------------------------------
https://isc.sans.edu/diary/rss/29894


∗∗∗ Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th) ∗∗∗
---------------------------------------------
Also known as DBatLoader, ModiLoader is malware that retreives and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.
---------------------------------------------
https://isc.sans.edu/diary/rss/29896


∗∗∗ Beware of the new phishing technique “file archiver in the browser” that exploits zip domains ∗∗∗
---------------------------------------------
“file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain.
---------------------------------------------
https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser-phishing.html


∗∗∗ Severe Flaw in Google Clouds Cloud SQL Service Exposed Confidential Data ∗∗∗
---------------------------------------------
A new security flaw has been disclosed in the Google Cloud Platforms (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.
---------------------------------------------
https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.html


∗∗∗ Vorsicht vor Fake-Service-Telefonnummern beim Googeln! ∗∗∗
---------------------------------------------
Die Suche nach einer Service-Telefonnummer stellt sich bei manchen Web-Angeboten als kompliziertes Unterfangen heraus. Deshalb ist es oft einfacher, nicht auf den jeweiligen Unternehmens-Websites sondern direkt über die Suchmaschine nach den Kontaktdaten zu suchen. Doch Vorsicht: Unter echte Kontaktdaten mischen Kriminelle auch Fake-Seiten und -Nummern, über die Ihnen Geld und Daten gestohlen werden. Ein aktuelles Beispiel sind Fake-Nummern der Fluglinie Ryanair!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-service-telefonnummern-beim-googeln/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ OpenSSL 3.0 Series Release Notes [30 May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
* Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-3.0-notes.html


∗∗∗ OpenSSL 1.1.1 Series Release Notes [30th May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-1.1.1-notes.html


∗∗∗ Sicherheitslücke in Moxa MXsecurity Series gefährdet kritische Infrastrukturen ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke in der Netzwerküberwachungslösung MXsecurity bringt Industrieanlagen in Gefahr.
---------------------------------------------
https://heise.de/-9068382


∗∗∗ Angreifer könnten Netzwerkanalysetool Wireshark crashen lassen ∗∗∗
---------------------------------------------
In der aktuellen Wireshark-Version haben die Entwickler mehrere Sicherheitsprobleme gelöst.
---------------------------------------------
https://heise.de/-9069031


∗∗∗ Kollaborations-Suite Nextcloud: Teils hochriskante Lücken geschlossen ∗∗∗
---------------------------------------------
In der Kollaborations-Software Nextcloud klaffen Sicherheitslücken mit teils hohem Risiko. Aktualisierte Software steht bereit.
---------------------------------------------
https://heise.de/-9068654


∗∗∗ VMSA-2023-0011 ∗∗∗
---------------------------------------------
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.        
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0011.html


∗∗∗ Many Vulnerabilities Found in PrinterLogic Enterprise Software ∗∗∗
---------------------------------------------
Vulnerabilities identified in PrinterLogic’s enterprise management printer solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks.
---------------------------------------------
https://www.securityweek.com/many-vulnerabilities-found-in-printerlogic-enterprise-software/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo).
---------------------------------------------
https://lwn.net/Articles/933165/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl).
---------------------------------------------
https://lwn.net/Articles/933246/


∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01


∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products


∗∗∗ Starlette vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95981715/


∗∗∗ Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353) ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight/


∗∗∗ Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-in-mitsubishi-plc-could-lead-to-dos-code-execution/


∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998795


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998811


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998813


∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999091


∗∗∗ A vulnerability exists in the IBM\u00ae SDK, Java\u2122 Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999115


∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999119


∗∗∗ Apache Commons Text vulnerability affects Netcool Operations Insight [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999133


∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center(CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999213


∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022, CV) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999215


∗∗∗ [All] Expat - CVE-2022-43680 (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999237


∗∗∗ Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to HTTP request splitting attacks (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999241


∗∗∗ IBM Copy Services Manager is vulnerable to crypto attack vulnerabilities due to IBM Java 8 vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999269


∗∗∗ IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981113

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily