[CERT-daily] Tageszusammenfassung - 05.09.2023

Tue Sep 5 18:29:06 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 04-09-2023 18:00 − Dienstag 05-09-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Hackers exploit MinIO storage system to breach corporate networks ∗∗∗
---------------------------------------------
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-minio-storage-system-to-breach-corporate-networks/


∗∗∗ DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates ∗∗∗
---------------------------------------------
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate."The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/08/darkgate-malware-activity-spikes-as.html


∗∗∗ New Python Variant of Chaes Malware Targets Banking and Logistics Industries ∗∗∗
---------------------------------------------
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes."It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up [..]
---------------------------------------------
https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html


∗∗∗ New BLISTER Malware Update Fuelling Stealthy Network Infiltration ∗∗∗
---------------------------------------------
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic.“New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,” Elastic Security Labs researchers [..]
---------------------------------------------
https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html


∗∗∗ Nascent Malware Campaign Targets npm, PyPI, and RubyGems Developers ∗∗∗
---------------------------------------------
Python Malware: On the morning of September 3, 2023, our automated platform notified us of the first package in this campaign: kwxiaodian [..] This follows a common pattern we see across many early campaigns and one we witnessed a few weeks back [..] Obfuscated Javascript Packages: At roughly the same time, we received notifications about malicious package publications on npm. Rubygems Package: The Rubygems package follows similar patterns to both the PyPI and npm packages.
---------------------------------------------
https://blog.phylum.io/malware-campaign-targets-npm-pypi-and-rubygems-developers/


∗∗∗ Common usernames submitted to honeypots ∗∗∗
---------------------------------------------
Based on reader feedback, I decided to take a look at usernames submitted to honeypots. The usernames that are seen on a daily basis look very familiar. [..] I exported the username data from my honeypot, which is a little over 16 months of data
---------------------------------------------
https://isc.sans.edu/diary/rss/30188


∗∗∗ Uncovering Web Cache Deception: A Missed Vulnerability in the Most Unexpected Places ∗∗∗
---------------------------------------------
During the assessment of the target application, it was observed that the server had implemented restrictions to prevent Web Cache Deception attacks on API/Web endpoints that had session tokens or data in the response. Unfortunately, the same precautions were not implemented on the /404 page or any /nonexistingurl. We discovered that the response for any endpoint that doesnt exist contained PII information without any cache controls in place.
---------------------------------------------
https://blog.agilehunt.com/blogs/security/web-cache-deception-attack-on-404-page-exposing-pii-data-to-unauthenticated-users


∗∗∗ Whats in a name? [..] The .kids TLD is not alright ∗∗∗
---------------------------------------------
Cisco Talos successfully registered the domain name: your-dns-needs-immediate-attention.kids. Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.” [..] we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.
---------------------------------------------
https://blog.talosintelligence.com/whats-in-a-name/


∗∗∗ Inconsistencies in the Common Vulnerability Scoring System (CVSS) ∗∗∗
---------------------------------------------
The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/09/inconsistencies-in-the-common-vulnerability-scoring-system-cvss.html


∗∗∗ CVE-2023-4634 - Tricky Unauthenticated RCE on Wordpress Media Library Assistant Plugin using a good old Imagick ∗∗∗
---------------------------------------------
As discussed in many of our articles, you already know that WordPress and related plugins are taking up a large space in the global attack surface [..] The vulnerability described below is a perfect example
---------------------------------------------
https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/


∗∗∗ When URL parsers disagree (CVE-2023-38633) ∗∗∗
---------------------------------------------
Discovery and walkthrough of CVE-2023-38633 in librsvg, when two URL parser implementations (Rust and Glib) disagree on file scheme parsing leading to path traversal.
---------------------------------------------
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/


∗∗∗ Vorsicht vor betrügerischen PayPal-Anrufen ∗∗∗
---------------------------------------------
Ihr Telefon klingelt. Sie heben ab und eine Tonbandstimme meldet sich: „Hallo, hier ist PayPal. Sie haben soeben 738 Euro überwiesen. Um den Zahlvorgang abzubrechen, drücken Sie die 1.“ Drücken Sie keinesfalls die 1, hierbei handelt es sich um eine Betrugsmasche. Legen Sie auf!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-paypal-anrufen/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ ASUS routers vulnerable to critical remote code execution flaws ∗∗∗
---------------------------------------------
Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-critical-remote-code-execution-flaws/


∗∗∗ Multiple vulnerabilities in F-RevoCRM ∗∗∗
---------------------------------------------
* An attacker who can access the product may execute an arbitrary OS command on the server where the product is running - CVE-2023-41149
* An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-41150
---------------------------------------------
https://jvn.jp/en/jp/JVN78113802/


∗∗∗ Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions (CVE-2023-3634) ∗∗∗
---------------------------------------------
Festo developed the products according to the respective state of the art. As a result, the protocols used no longer fully meet todays security requirements. The products are designed and developed for use in sealed-off (industrial) networks. If the network is not adequately sealed off, unauthorized access to the product can cause damage or malfunctions, particularly Denial of Service (DoS) or loss of integrity. Remediation: Update of user documentation in next product version.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-020/


∗∗∗ 9 Vulnerabilities Patched in SEL Power System Management Products ∗∗∗
---------------------------------------------
Researchers at industrial cybersecurity firm Nozomi Networks have analyzed the company’s SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator, software products designed to allow engineers and technicians to configure and manage devices for power system protection, control, metering and monitoring, and to create and deploy settings for SEL power system devices. Nozomi researchers discovered a total of nine vulnerabilities, including four that have been assigned a ‘high severity’ rating
---------------------------------------------
https://www.securityweek.com/9-vulnerabilities-patched-in-sel-power-system-management-products/


∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-248-01 Fujitsu Limited Real-time Video Transmission Gear IP series: CVE-2023-38433
* ICSMA-23-248-01 Softneta MedDream PACS Premium: CVE-2023-40150, CVE-2023-39227
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/05/cisa-releases-two-industrial-control-systems-advisories


∗∗∗ AVM: Fritzbox-Firmware 7.57 und 7.31 stopfen Sicherheitsleck ∗∗∗
---------------------------------------------
AVM hat für zahlreiche Fritzboxen die Firmware 7.57 und 7.31 veröffentlicht. Es handelt sich um ein Stabilitäts- und Sicherheitsupdate.
---------------------------------------------
https://heise.de/-9294758


∗∗∗ Xen XSA-437: arm32: The cache may not be properly cleaned/invalidated ∗∗∗
---------------------------------------------
A malicious guest may be able to read sensitive data from memory that previously belonged to another guest.
CVE ID: CVE-2023-34321
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-437.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (file and thunderbird), Fedora (exercism, libtommath, moby-engine, and python-pyramid), Oracle (cups and kernel), Red Hat (firefox, kernel, kernel-rt, kpatch-patch, and thunderbird), SUSE (amazon-ecs-init, buildah, busybox, djvulibre, exempi, firefox, gsl, keylime, kubernetes1.18, php7, and sccache), and Ubuntu (docker-registry and linux-azure-5.4).
---------------------------------------------
https://lwn.net/Articles/943584/


∗∗∗ IBM UrbanCode Build is vulnerable to CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030594


∗∗∗ IBM UrbanCode Build is vulnerable to CVE-2023-28708 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030596


∗∗∗ Vulnerabilities found in batik-all-1.7.jar, batik-dom-1.7.jar which is shipped with IBM Intelligent Operations Center(CVE-2018-8013, CVE-2017-5662, CVE-2015-0250) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030598


∗∗∗ Due to use of FasterXML Jackson-databind, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030601


∗∗∗ Due to use of Kafka, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to obtain sensitive information. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030604


∗∗∗ Due to use of Spark from Hadoop, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to traverse directories on the system. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030603


∗∗∗ Due to use of Apache Cassandra , IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to an authenticated attacker to gaining elevated privileges. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030602


∗∗∗ Due to use of IBM WebSphere Application Server Liberty, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030610


∗∗∗ Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to July 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030605


∗∗∗ Due to use of NodeJS, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030612


∗∗∗ A security vulnerability has been identified in IBM SDK, Java Technology Edition shipped with IBM Tivoli Business Service Manager (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030613


∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030614


∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030615


∗∗∗ Vulnerability found in commons-io-1.3.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030617


∗∗∗ Vulnerabilities found in poi-ooxml-3.9.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-5644, CVE-2019-12415, CVE-2014-3574, CVE-2014-3529) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030627


∗∗∗ Vulnerability found in pdfbox-1.8.1.jar which is shipped with IBM Intelligent Operations Center(220742, CVE-2018-11797, CVE-2016-2175) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030626


∗∗∗ Vulnerabilities found in poi-3.9.jar, poi-scratchpad-3.9.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-12626, CVE-2014-9527) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030629


∗∗∗ Vulnerabilities found in jackson-mapper-asl-1.9.13.jar which is shipped with IBM Intelligent Operations Center(CVE-2019-10202, CVE-2019-10172) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030623


∗∗∗ Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center(CVE-2020-15168, CVE-2022-0235) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030624


∗∗∗ Vulnerability found in fontbox-1.8.1.jarr which is shipped with IBM Intelligent Operations Center(CVE-2018-8036) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030622


∗∗∗ Vulnerabilities found in cxf-rt-transports-http-3.0.3.jar which is shipped with IBM Intelligent Operations Center(CVE-2016-6812, CVE-2018-8039, CVE-2020-13954) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030618


∗∗∗ Vulnerability found in fop-1.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2017-5661) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030621


∗∗∗ Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center(CVE-2021-44906, CVE-2020-7598) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030625


∗∗∗ Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2018-1000632) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030619


∗∗∗ Vulnerability found in commons-codec-1.5.jar which is shipped with IBM Intelligent Operations Center(177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030616


∗∗∗ IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027922


∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030632


∗∗∗ A Vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030634


∗∗∗ Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2020-10683) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030636


∗∗∗ Vulnerability found in xmlgraphics-commons-1.5.jar which is shipped with IBM Intelligent Operations Center(CVE-2020-11988) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030630


∗∗∗ Multiple Vulnerabilities found in IBM DB2 which is shipped with IBM Intelligent Operations Center(CVE-2022-43929, CVE-2022-43927, CVE-2014-3577, CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030638


∗∗∗ Vulnerabilities found in batik-bridge-1.7.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-40146, CVE-2022-38648, CVE-2022-38398) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030631


∗∗∗ Vulnerability found in cxf-core-3.5.4.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030633


∗∗∗ Vulnerability found in cxf-rt-transports-http-3.5.3.jar which is shipped with IBM Intelligent Operations Center(CVE-2022-46363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030635


∗∗∗ Vulnerability found in commons-net-1.4.1.jar which is shipped with IBM Intelligent Operations Center(CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030637


∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030641


∗∗∗ Vulnerabilities found in jackson-mapper-asl which is shipped with IBM Intelligent Operations Center(CVE-2019-10172, CVE-2019-10202) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030639


∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030640


∗∗∗ A vulnerability found in IBM WebSphere Application Server Liberty which is shipped with IBM Intelligent Operations Center(CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030642


∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030643


∗∗∗ A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030644


∗∗∗ Multiple Angular vulnerabilities affects IBM Tivoli Business Service Manager (CVE-2023-26116, CVE-2023-26117, CVE-2023-26118, CVE-2022-25869, CVE-2022-25844) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030667


∗∗∗ IBM SDK, Java Technology Edition, Security Update August 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030664


∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2023-22045, CVE-2023-22049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030666

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily