[CERT-daily] Tageszusammenfassung - 17.11.2023

Fri Nov 17 18:13:20 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 16-11-2023 18:00 − Freitag 17-11-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ MySQL servers targeted by Ddostf DDoS-as-a-Service botnet ∗∗∗
---------------------------------------------
MySQL servers are being targeted by the Ddostf malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-ddostf-ddos-as-a-service-botnet/


∗∗∗ Beyond -n: Optimizing tcpdump performance, (Thu, Nov 16th) ∗∗∗
---------------------------------------------
If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!).
---------------------------------------------
https://isc.sans.edu/diary/rss/30408


∗∗∗ Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware ∗∗∗
---------------------------------------------
Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.
---------------------------------------------
https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html


∗∗∗ Understanding the Phobos affiliate structure and activity ∗∗∗
---------------------------------------------
Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants
---------------------------------------------
https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/


∗∗∗ ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims ∗∗∗
---------------------------------------------
Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts.
---------------------------------------------
https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/


∗∗∗ CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector ∗∗∗
---------------------------------------------
Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation-guide-healthcare-and-public-health-hph-sector


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Bildbearbeitung: Angreifer können Gimp Schadcode unterjubeln ∗∗∗
---------------------------------------------
Die freie Open-Source-Bildbearbeitung Gimp ist in Version 2.10.36 erschienen. Sie schließt Sicherheitslücken, die Codeschmuggel erlauben.
---------------------------------------------
https://www.heise.de/news/Bildbearbeitung-Angreifer-koennen-Gimp-Schadcode-unterjubeln-9531394.html


∗∗∗ FortiNet flickt schwere Sicherheitslücken in FortiOS und anderen Produkten ∗∗∗
---------------------------------------------
Neben FortiOS und FortiClient sind auch FortiSIEM, FortiWLM und weitere von zum Teil kritischen Security-Fehlern betroffen. Admins sollten patchen.
---------------------------------------------
https://www.heise.de/news/FortiNet-flickt-schwere-Sicherheitsluecken-in-FortiOS-und-anderen-Produkten-9529075.html


∗∗∗ Anonymisierendes Linux: Tails 5.19.1 behebt Tor-Lücke, Audit-Ergebnisse sind da ∗∗∗
---------------------------------------------
Ein offenbar aus der Ferne ausnutzbarer Bug in Tor führte zum neuerlichen Update. Die Ergebnisse der kürzlichen Sicherheitsprüfung hingegen sind positiv.
---------------------------------------------
https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-19-1-behebt-Tor-Luecke-Audit-Ergebnisse-sind-da-9532403.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn).
---------------------------------------------
https://lwn.net/Articles/951801/


∗∗∗ Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools ∗∗∗
---------------------------------------------
Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft.
Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain
---------------------------------------------
https://www.securityweek.com/over-a-dozen-exploitable-vulnerabilities-found-in-ai-ml-tools/


∗∗∗ [R1] Nessus Agent Version 10.4.4 Fixes One Vulnerability ∗∗∗
---------------------------------------------
An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
---------------------------------------------
https://www.tenable.com/security/tns-2023-41


∗∗∗ [R1] Nessus Version 10.6.3 Fixes One Vulnerability ∗∗∗
---------------------------------------------
An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
---------------------------------------------
https://www.tenable.com/security/tns-2023-40


∗∗∗ [R1] Nessus Version 10.5.7 Fixes One Vulnerability ∗∗∗
---------------------------------------------
An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
---------------------------------------------
https://www.tenable.com/security/tns-2023-39


∗∗∗ Juniper Releases Security Advisory for Juniper Secure Analytics ∗∗∗
---------------------------------------------
Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the Juniper advisory JSA74298 and apply the necessary updates.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/17/juniper-releases-security-advisory-juniper-secure-analytics


∗∗∗ ZDI-23-1716: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-1716/


∗∗∗ SVD-2023-1107: November 2023 Splunk Universal Forwarder Third-Party Updates ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1107


∗∗∗ SVD-2023-1106: November 2023 Third-Party Package Updates in Splunk Enterprise ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1106


∗∗∗ SVD-2023-1105: November 2023 Third Party Package updates in Splunk Enterprise ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1105


∗∗∗ SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1104


∗∗∗ SVD-2023-1103: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1103


∗∗∗ SVD-2023-1102: Third Party Package Update in Splunk Add-on for Google Cloud Platform ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1102


∗∗∗ SVD-2023-1101: Third Party Package Update in Splunk Add-on for Amazon Web Services ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2023-1101


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077733


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache Ivy information disclosure vulnerabilitiy [CVE-2023-46751] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077734


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077736


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to snappy-java information disclosure vulnerabilitiy [CVE-2023-43642] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077735


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077739


∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7070736


∗∗∗ IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io\/apimachinery, k8s.io\/apiserver (CVE-2022-3172, CVE-2022-3162) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077936


∗∗∗ InfoSphere Information Server is vulnerable due to improper access control (CVE-2023-40363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7070742


∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7070740


∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of golang.org\/x\/net, x\/crypto, and x\/text (CVE-2022-30633, CVE-2022-27664, CVE-2022-28131, CVE-2022-41721, CVE-2021-43565, CVE-2022-27191, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077942


∗∗∗ IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7070140


∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of openshift\/machine-api-operator, openshift\/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077938


∗∗∗ IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077947


∗∗∗ Java SE issues disclosed in the Oracle October 2023 Critical Patch Update plus CVE-2023-5676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7078433


∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7063706


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to libcurl vulnerabilities (CVE-2023-38546, CVE-2023-38545) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7077530


∗∗∗ IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957156


∗∗∗ Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7078751


∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7078745


∗∗∗ Red Lion Sixnet RTUs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily