[CERT-daily] Tageszusammenfassung - 09.02.2024

Daily end-of-shift report team at cert.at
Fri Feb 9 19:14:10 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 08-02-2024 18:00 − Freitag 09-02-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ SonicOS SSL-VPN: Angreifer können Authentifzierung umgehen ∗∗∗
---------------------------------------------
Sonicwall warnt vor einer Sicherheitslücke im SonicOS SSL-VPN, durch die Angreifer die Authentifizierung umgehen können.
---------------------------------------------
https://www.heise.de/-9623611.html


∗∗∗ Sicherheitsupdates: Authentifizierung von Ivanti Connect Secure & Co. defekt ∗∗∗
---------------------------------------------
Angreifer können ohne Anmeldung auf Ivanti Connect Secure, Policy Secure und ZTA Gateway zugreifen.
---------------------------------------------
https://www.heise.de/-9623653.html


∗∗∗ Elastic Stack: Pufferüberlauf ermöglicht Codeschmuggel in Kibana-Komponente ∗∗∗
---------------------------------------------
Der in Kibana integrierte Chromium-Browser verursachte das Problem nur auf bestimmten Plattformen. Updates und eine Übergangslösung stehen bereit.
---------------------------------------------
https://www.heise.de/-9624274.html


∗∗∗ Android XLoader malware can now auto-execute after installation ∗∗∗
---------------------------------------------
A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-xloader-malware-can-now-auto-execute-after-installation/


∗∗∗ New RustDoor macOS malware impersonates Visual Studio update ∗∗∗
---------------------------------------------
A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-rustdoor-macos-malware-impersonates-visual-studio-update/


∗∗∗ Form Tools Remote Code Execution: We Need To Talk About PHP ∗∗∗
---------------------------------------------
To whet your appetite for what we’re going to demonstrate, below is a deep dive into a Local File Inclusion vulnerability which can lead to Remote Code Execution in installations of ‘Form Tools’, an open-source PHP-based application for creating, storing and sharing forms on the Internet, of over 15 year vintage. A short search across open data platforms reveals over 1,000 installations with "we just discovered Shodan"-tier fingerprints.
---------------------------------------------
https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/


∗∗∗ Juniper Support Portal Exposed Customer Device Info ∗∗∗
---------------------------------------------
Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each devices warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.
---------------------------------------------
https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer-device-info/


∗∗∗ Zahlreiche betrügerische E-Mails im Namen der Österreichischen Gesundheitskasse im Umlauf! ∗∗∗
---------------------------------------------
Derzeit werden der Watchlist Internet zahlreiche E-Mails gemeldet, die Kriminelle im Namen der Österreichischen Gesundheitskasse versenden. Angeblich erhalten die Empfänger:innen eine Rückerstattung durch die Krankenasse. Dazu sollen sie einen Link anklicken und Kreditkartendaten eingeben. Machen Sie das auf keinen Fall, da es sich um eine Phishing-Falle handelt.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-betruegerische-e-mails-im-namen-der-oesterreichischen-gesundheitskasse-im-umlauf/


∗∗∗ CISA Partners With OpenSSF Securing Software Repositories Working Group to Release Principles for Package Repository Security ∗∗∗
---------------------------------------------
Today, CISA partnered with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish the Principles for Package Repository Security framework. Recognizing the critical role package repositories play in securing open source software ecosystems, this framework lays out voluntary security maturity levels for package repositories.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/02/08/cisa-partners-openssf-securing-software-repositories-working-group-release-principles-package


∗∗∗ Raspberry Robin: Evolving Cyber Threat with Advanced Exploits and Stealth Tactics ∗∗∗
---------------------------------------------
Raspberry Robin leverages new 1-day Local Privilege Escalation (LPE) exploits developed ahead of public knowledge, hinting at either an in-house development capability or access to a sophisticated exploit market.
---------------------------------------------
https://blog.checkpoint.com/security/raspberry-robin-evolving-cyber-threat-with-advanced-exploits-and-stealth-tactics/


∗∗∗ January 2024’s Most Wanted Malware: Major VexTrio Broker Operation Uncovered and Lockbit3 Tops the Ransomware Threats ∗∗∗
---------------------------------------------
Researchers uncovered a large cyber threat distributor known as VexTrio, which serves as a major traffic broker for cybercriminals to distribute malicious content. Meanwhile, LockBit3 topped the list of active ransomware groups and Education was the most impacted industry worldwide
---------------------------------------------
https://blog.checkpoint.com/research/january-2024s-most-wanted-malware-major-vextrio-broker-operation-uncovered-and-lockbit3-tops-the-ransomware-threats/


∗∗∗ Niederlande: Militärnetzwerk über FortiGate gehackt; Volt Typhoon-Botnetz seit 5 Jahren in US-Systemen ∗∗∗
---------------------------------------------
Gerade ist eine Spionageaktion der chinesischen Regierung in einem Computernetzwerk des niederländischen Militärs aufgeflogen. Das Militärnetzwerk wurde über eine Schwachstelle in FortiGate gehackt. Das ist auch für andere Fortinet-Kunden relevant. Und mittlerweile wurde bekannt, dass das mutmaßlich von staatsnahen chinesischen [...]
---------------------------------------------
https://www.borncity.com/blog/2024/02/08/niederlande-militrnetzwerk-ber-fortigate-gehackt-volt-typhoon-botnetz-seit-5-jahren-in-us-systemen/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg).
---------------------------------------------
https://lwn.net/Articles/961584/


∗∗∗ Kritische Sicherheitslücken in Fortinet FortiOS, Updates verfügbar ∗∗∗
---------------------------------------------
Fortinet hat zwei kritische Security Advisories veröffentlicht. Beide Security Advisories behandeln Sicherheitslücken, die es unauthentifizierten Angreifer:innen erlauben, Code auf betroffenen Geräten auszuführen. Fortinet gibt bezüglich einer dieser Sicherheitslücken an, dass diese potentiell bereits aktiv für Angriffe ausgenutzt wird.
---------------------------------------------
https://cert.at/de/warnungen/2024/2/kritische-sicherheitslucken-in-fortinet-fortios-updates-verfugbar


∗∗∗ Wichtige ESET Produkt-Updates verfügbar (8. Feb. 2024) ∗∗∗
---------------------------------------------
Kurzer, weiterer Informationssplitter für Administratoren, die ESET Endpoint Antivirus/Security unter Windows einsetzen. Der Hersteller hat ein wichtiges Produkt-Update für seine Windows-Produktlinie herausgegeben, welches sofort installiert werden sollte. Das Update behebt eine Schwachstelle, [...]
---------------------------------------------
https://www.borncity.com/blog/2024/02/08/wichtige-eset-produkt-updates-verfgbar-8-feb-2024/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ FortiClientEMS - Improper privilege management for site super administrator ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-357


∗∗∗ FortiManager - Informative error messages ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-268


∗∗∗ FortiNAC - XSS in Show Audit Log ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-063


∗∗∗ FortiOS - Format String Bug in fgfmd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-029


∗∗∗ FortiOS - Fortilink lack of certificate validation ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-301


∗∗∗ FortiOS - Out-of-bound Write in sslvpnd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-015


∗∗∗ FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-397

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list