[CERT-daily] Daily summary - 09.08.2024

Daily end-of-shift report team at cert.at
Fri Aug 9 18:14:40 CEST 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 08-08-2024 18:00 − Friday 09-08-2024 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs ∗∗∗
---------------------------------------------
An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers' executables to hijack homepages and steal browsing history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/


∗∗∗ ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections ∗∗∗
---------------------------------------------
Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.
---------------------------------------------
https://www.wired.com/story/amd-chip-sinkclose-flaw/


∗∗∗ Windows Server at risk from PoC exploit for CVE-2024-38077 ∗∗∗
---------------------------------------------
Another follow-up to the July 2024 Patch Tuesday, on which Microsoft closed the vulnerability CVE-2024-38077 in the Windows Remote Desktop Licensing service (RDL) of Windows Server. [..] a proof of concept (PoC) for this vulnerability has been published.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-fr-cve-2024-38077-gefhrdet/


∗∗∗ How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards ∗∗∗
---------------------------------------------
[HID] has actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves—but it offered no software update at that time.
---------------------------------------------
https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/


∗∗∗ ICANN reserves .internal for private use at the DNS level ∗∗∗
---------------------------------------------
The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet.
---------------------------------------------
https://www.theregister.com/2024/08/08/dot_internal_ratified/


∗∗∗ New attack against the [Linux kernel] SLUB allocator ∗∗∗
---------------------------------------------
Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
---------------------------------------------
https://lwn.net/Articles/984984/


∗∗∗ Fake videos: Van der Bellen & Assinger are not advertising investment platforms ∗∗∗
---------------------------------------------
We are currently seeing another wave of deepfake videos in which Austrian celebrities advertise investment platforms on Facebook and Instagram. Do not be fooled: neither Federal President Alexander Van der Bellen nor TV presenter Armin Assinger have suddenly become financial experts who developed an investment platform. The platforms are fraudulent and the videos were created by criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-werben-nicht-fuer-investmentplattformen/


∗∗∗ Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! ∗∗∗
---------------------------------------------
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01.
---------------------------------------------
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/


∗∗∗ Best Practices for Cisco Device Configuration ∗∗∗
---------------------------------------------
In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration


∗∗∗ Security researchers turn Sonos One speakers into a listening device ∗∗∗
---------------------------------------------
Attackers can record conversations via the built-in microphone of Sonos One speakers. The security issue has since been fixed.
---------------------------------------------
https://heise.de/-9830061



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Vulnerabilities in 1Password put macOS users at risk [CVE-2024-42218, CVE-2024-42219] ∗∗∗
---------------------------------------------
1Password 8 for Mac has two security holes that allow attackers to steal vault items from macOS users. [..] For an attack to succeed, however, with both vulnerabilities the attacker must already be able to run their own software on the target system.
---------------------------------------------
https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password-gefaehrden-macos-nutzer-2408-187895.html


∗∗∗ Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219] ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219


∗∗∗ Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218] ∗∗∗
---------------------------------------------
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218


∗∗∗ Multiple vulnerabilities in LogSign ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-1102/
http://www.zerodayinitiative.com/advisories/ZDI-24-1103/
http://www.zerodayinitiative.com/advisories/ZDI-24-1104/
https://www.zerodayinitiative.com/advisories/ZDI-24-1105/
https://www.zerodayinitiative.com/advisories/ZDI-24-1106/
---------------------------------------------
https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Version-6-4-23-Release-Notes


∗∗∗ PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348] ∗∗∗
---------------------------------------------
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
---------------------------------------------
https://www.postgresql.org/support/security/CVE-2024-7348/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, salt).
---------------------------------------------
https://lwn.net/Articles/984966/


∗∗∗ New FileSender 2.49 release with major changes ∗∗∗
---------------------------------------------
We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes.
---------------------------------------------
https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major-changes


∗∗∗ 0.0.0.0 Day vulnerability has enabled attacks on browsers for 18 years ∗∗∗
---------------------------------------------
Security researchers have disclosed that hackers have exploited an old bug in Safari, Chrome and Firefox, known for 18 years, to break into private networks. The vulnerability, dubbed "0.0.0.0 Day", allows malicious websites to bypass browser security and interact with services running on an organisation's local network. This can lead to unauthorised access and remote code execution on local services by attackers outside the network. Browser vendors are now starting to block this address.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglicht-seit-18-jahren-angriffe-auf-browser/


∗∗∗ RaonSecure Product Security Advisory ∗∗∗
---------------------------------------------
Overview: RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected Products: TouchEn nxKey version: ~ 1.0.0.87 (included)
---------------------------------------------
https://asec.ahnlab.com/en/82372/


∗∗∗ LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472] ∗∗∗
---------------------------------------------
https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472


∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164174


∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7161907


∗∗∗ Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164164


∗∗∗ IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi ( CVE-2022-23491 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164180


∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164175


∗∗∗ IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164201


∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164225


∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164200


∗∗∗ IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 ( CVE-2024-34064 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164204


∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug ( CVE-2023-46136 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164208


∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js ( CVE-2022-24999 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164217


∗∗∗ IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler ( CVE-2022-41724 CVE-2021-34558 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164255


∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Rack ( CVE-2024-26146 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164274


∗∗∗ IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils ( CVE-2021-4238 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164234


∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver ( CVE-2022-25883 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164266


∗∗∗ IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack ( CVE-2023-27539 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164269


∗∗∗ This Power System update is being released to address CVE-2024-41660 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7163146


∗∗∗ IBM Aspera Shares improved security for user session handling (CVE-2023-38018) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164325


∗∗∗ The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164658


∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164651


∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164649


∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164653


∗∗∗ IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164709


∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164810


∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164809


∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164814


∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164813


∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164812


∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164811


∗∗∗ Multiple Vulnerabilities in XCC affect IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7147906

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
