[CERT-daily] Tageszusammenfassung - 18.01.2024

Thu Jan 18 18:23:59 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 17-01-2024 18:00 − Donnerstag 18-01-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Missbrauch möglich: Whatsapp lässt fremde Nutzer Geräteinformationen abgreifen ∗∗∗
---------------------------------------------
Anhand ihrer Rufnummer lässt sich zum Beispiel feststellen, wie viele Geräte eine Zielperson mit Whatsapp verwendet und wann sie diese wechselt.
---------------------------------------------
https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer-geraeteinformationen-abgreifen-2401-181313.html


∗∗∗ New Microsoft Incident Response guides help security teams analyze suspicious activity ∗∗∗
---------------------------------------------
Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity/


∗∗∗ More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th) ∗∗∗
---------------------------------------------
Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth.
---------------------------------------------
https://isc.sans.edu/diary/rss/30568


∗∗∗ PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to
---------------------------------------------
https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.html


∗∗∗ MFA Spamming and Fatigue: When Security Measures Go Wrong ∗∗∗
---------------------------------------------
MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.
---------------------------------------------
https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.html


∗∗∗ Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware ∗∗∗
---------------------------------------------
[..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.Googles Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence.
---------------------------------------------
https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html


∗∗∗ Daten aus GPU belauscht: KI-Sicherheitslücke bei Apple Silicon, AMD und Qualcomm ∗∗∗
---------------------------------------------
Sicherheitsforscher haben ein Problem in den Grafikkernen älterer iPhones und Macs entdeckt, außerdem bei AMD und Qualcomm. Apple patcht – teilweise.
---------------------------------------------
https://heise.de/-9600829


∗∗∗ Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers ∗∗∗
---------------------------------------------
Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.
---------------------------------------------
https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part-1-introduction-to-the-kernel-and-drivers/


∗∗∗ Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. 
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..]
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 ∗∗∗
---------------------------------------------
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
---------------------------------------------
https://www.drupal.org/sa-core-2024-001


∗∗∗ MOVEit Transfer: Updates gegen DOS-Lücke ∗∗∗
---------------------------------------------
Updates für MOVEit Transfer dichten Sicherheitslecks ab, durch die Angreifer Rechenfehler provozieren oder den Dienst lahmlegen können.
---------------------------------------------
https://heise.de/-9601492


∗∗∗ Trend Micro: Sicherheitslücken in Security-Agents ermöglichen Rechteausweitung ∗∗∗
---------------------------------------------
Trend Micro warnt vor Sicherheitslücken in den Security-Agents, durch die Angreifer ihre Rechte ausweiten können. Software-Updates stehen bereit.
---------------------------------------------
https://heise.de/-9601595


∗∗∗ Nextcloud: Lücken in Apps gefährden Nutzerkonten und Datensicherheit ∗∗∗
---------------------------------------------
In mehreren Erweiterungen, etwa zur Lastverteilung, zur Anmeldung per OAuth und ZIP-Download, klaffen Löcher. Updates sind bereits verfügbar.
---------------------------------------------
https://heise.de/-9601589


∗∗∗ 2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585) ∗∗∗
---------------------------------------------
An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-rpd-process-crash-due-to-BGP-flap-on-NSR-enabled-devices-CVE-2024-21585


∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved


∗∗∗ Oracle Releases Critical Patch Update Advisory for January 2024 ∗∗∗
---------------------------------------------
Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical-patch-update-advisory-january-2024


∗∗∗ Multiple Dahua Technology products vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN83655695/


∗∗∗ There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107742


∗∗∗ IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107716


∗∗∗ There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107740


∗∗∗ IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108953


∗∗∗ IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108960


∗∗∗ IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which is vulnerable to CVE-2023-44487 and CVE-2023-34462 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108959


∗∗∗ IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108974


∗∗∗ IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108973


∗∗∗ AVEVA PI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily