[CERT-daily] Daily summary - 02.11.2023
Daily end-of-shift report
team at cert.at
Thu Nov 2 18:37:16 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 31-10-2023 18:00 - Thursday 02-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New CVSS 4.0 vulnerability severity rating standard released ∗∗∗
---------------------------------------------
The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-severity-rating-standard-released/
∗∗∗ Only two have been patched: Vulnerabilities in 34 drivers endanger Windows systems ∗∗∗
---------------------------------------------
Security researchers at the VMware Threat Analysis Unit (TAU) have identified vulnerabilities in a total of 34 different Windows device drivers. Malicious actors can deliberately manipulate firmware and gain elevated privileges on target systems. "All drivers give non-admin users full control over the devices," the researchers explain in their report.
---------------------------------------------
https://www.golem.de/news/nur-zwei-wurden-gepatcht-schwachstellen-in-34-treibern-gefaehrden-windows-systeme-2311-179046.html
∗∗∗ Windows 11, version 23H2 security baseline ∗∗∗
---------------------------------------------
This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618
∗∗∗ Modern phone scammers: How fraudsters steal money with just one phone call ∗∗∗
---------------------------------------------
This blog post describes a vulnerability in a banking application that allows attackers to carry out money transfers of up to €5,000 in the name of other users without being noticed. In addition, further possible attack scenarios are described that can be used to harvest personal information.
---------------------------------------------
https://sec-consult.com/de/blog/detail/moderne-telefonbetrueger-wie-betrueger-geld-mit-nur-einem-telefonanruf-stehlen/
∗∗∗ Patch now! Attacks on BIG-IP appliances observed ∗∗∗
---------------------------------------------
F5 warns of attacks on BIG-IP appliances. Security patches are available. One vulnerability is rated critical.
---------------------------------------------
https://www.heise.de/-9350108
∗∗∗ Security vulnerabilities: Attackers can manipulate Cisco firewalls ∗∗∗
---------------------------------------------
Several vulnerabilities affect, among other products, Cisco Firepower and Identity Services Engine. Patches are available.
---------------------------------------------
https://www.heise.de/-9351087
∗∗∗ MITRE ATT&CK v14 released ∗∗∗
---------------------------------------------
MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. ATT&CK’s goal is to catalog and categorize behaviors of cyber adversaries in real-world attacks.
---------------------------------------------
https://www.helpnetsecurity.com/2023/11/02/mitre-attck-v14/
∗∗∗ Unveiling the Dark Side: A Deep Dive into Active Ransomware Families ∗∗∗
---------------------------------------------
This series will focus on TTPs deployed by four ransomware families recently observed during NCC Group’s incident response engagements.
---------------------------------------------
https://research.nccgroup.com/2023/10/31/unveiling-the-dark-side-a-deep-dive-into-active-ransomware-families/
∗∗∗ Who killed Mozi? IoT zombie botnet finally laid to rest ∗∗∗
---------------------------------------------
How ESET Research found a kill switch that was used to take down one of the most widespread botnets.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/wer-hat-mozi-getotet-iot-zombie-botnetz-wurde-endlich-zu-grabe-tragen/
∗∗∗ Free webinar series „Schutz im Internet“ (Protection on the Internet) ∗∗∗
---------------------------------------------
In cooperation with the Arbeiterkammer Oberösterreich (Upper Austrian Chamber of Labour), the ÖIAT (Österreichisches Institut für angewandte Telekommunikation, the Austrian Institute for Applied Telecommunications) is holding a free webinar series on topics such as online shopping, internet fraud and identity theft!
---------------------------------------------
https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-schutz-im-internet/
∗∗∗ Drupal 9 is end of life - PSA-2023-11-01 ∗∗∗
---------------------------------------------
Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.
---------------------------------------------
https://www.drupal.org/psa-2023-11-01
∗∗∗ Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) ∗∗∗
---------------------------------------------
Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed. The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware.
---------------------------------------------
https://asec.ahnlab.com/en/58319/
∗∗∗ Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox” ∗∗∗
---------------------------------------------
Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base: nearly half of the game’s 65 million users are under the age of 13 and may not be as adept at spotting scams.
---------------------------------------------
https://blog.talosintelligence.com/roblox-scam-overview/
∗∗∗ Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 ∗∗∗
---------------------------------------------
Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Powerful SSRF in Exchange OWA – Getting Response Through Attachments ∗∗∗
---------------------------------------------
As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree [...] In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing. Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring.
---------------------------------------------
https://www.thezdi.com/blog/2023/11/1/unpatched-powerful-ssrf-in-exchange-owa-getting-response-through-attachments
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has released 24 new and 4 updated Security Advisories (2x Critical, 11x High, 15x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastPublishedStartDate=2023%2F10%2F30&lastPublishedEndDate=2023%2F11%2F02&limit=50
∗∗∗ Critical PHPFox RCE Vulnerability Risked Social Networks ∗∗∗
---------------------------------------------
Heads up, phpFox users! A critical remote code execution vulnerability existed in the phpFox service that allowed community takeovers [...] The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix.
---------------------------------------------
https://latesthackingnews.com/2023/10/30/critical-phpfox-rce-vulnerability-risked-social-networks/
∗∗∗ Web browser: Google Chrome fixes 15 vulnerabilities and gains HTTPS upgrades ∗∗∗
---------------------------------------------
Google has released version 119 of the Chrome web browser. It closes 15 security vulnerabilities and establishes the HTTPS upgrade mechanism.
---------------------------------------------
https://www.heise.de/-9349956
∗∗∗ Nvidia security updates: GeForce driver vulnerabilities endanger PCs ∗∗∗
---------------------------------------------
Nvidia's developers have closed several security vulnerabilities in the graphics card driver and the vGPU software.
---------------------------------------------
https://www.heise.de/-9351600
∗∗∗ SolarWinds Platform 2023.4 closes code-injection vulnerabilities ∗∗∗
---------------------------------------------
SolarWinds has released the Platform update to version 2023.4. Besides various bug fixes, it also closes security vulnerabilities.
---------------------------------------------
https://www.heise.de/-9351584
∗∗∗ VMSA-2023-0025 ∗∗∗
---------------------------------------------
An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products. (CVE-2023-20886)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0025.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (h2o, open-vm-tools, pmix, and zookeeper), Gentoo (GitPython), Oracle (firefox, java-11-openjdk, java-17-openjdk, libguestfs-winsupport, nginx:1.22, and thunderbird), Red Hat (samba), SUSE (container-suseconnect, libsndfile, and slurm), and Ubuntu (krb5, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-laptop, linux-nvidia-6.2, linux-oem-6.1, linux-raspi, open-vm-tools, and xorg-server).
---------------------------------------------
https://lwn.net/Articles/949612/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (Netatalk), Oracle (firefox), Red Hat (.NET 6.0, .NET 6.0, .NET 7.0, binutils, and qemu-kvm), SUSE (gcc13, tomcat, and xorg-x11-server), and Ubuntu (axis, libvpx, linux-starfive, thunderbird, and xrdp).
---------------------------------------------
https://lwn.net/Articles/949820/
∗∗∗ [R1] Nessus Version 10.5.6 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-36
∗∗∗ [R1] Nessus Agent Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-38
∗∗∗ [R1] Nessus Version 10.6.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-37
∗∗∗ Drupal: Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-049
∗∗∗ Open Exchange: 2023-08-01: OXAS-ADV-2023-0004 ∗∗∗
---------------------------------------------
https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-2023-0004.txt
∗∗∗ IBM Security Bulletin ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Weintek EasyBuilder Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05
∗∗∗ Schneider Electric SpaceLogic C-Bus Toolkit ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-06
∗∗∗ Franklin Fueling System TS-550 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04
∗∗∗ Red Lion Crimson ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02
∗∗∗ Mitsubishi Electric MELSEC Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily