[CERT-daily] Tageszusammenfassung - 11.06.2024

Tue Jun 11 18:58:34 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 10-06-2024 18:00 − Dienstag 11-06-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Gitloker attacks abuse GitHub notifications to push malicious oAuth apps ∗∗∗
---------------------------------------------
Threat actors impersonate GitHubs security and recruitment teams in phishing attacks to hijack repositories using malicious OAuth apps in an ongoing extortion campaign wiping compromised repos.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-github-notifications-to-push-malicious-oauth-apps/


∗∗∗ Arm warns of actively exploited flaw in Mali GPU kernel drivers ∗∗∗
---------------------------------------------
Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploited-flaw-in-mali-gpu-kernel-drivers/


∗∗∗ QR code SQL injection and other vulnerabilities in a popular biometric terminal ∗∗∗
---------------------------------------------
The report analyzes the security properties of a popular biometric access control terminal made by ZkTeco and describes vulnerabilities found in it.
---------------------------------------------
https://securelist.com/biometric-terminal-vulnerabilities/112800/


∗∗∗ A Brief History of SmokeLoader, Part 1 ∗∗∗
---------------------------------------------
In May 2024, Zscaler ThreatLabz technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of providing assistance to law enforcement for the operation, ThreatLabz has documented SmokeLoader for nearly all known versions. In this two-part blog series, we explore the evolution of SmokeLoader.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1


∗∗∗ „Hallo Mama/Hallo Papa“-Nachrichten zielen auf persönliche Fotos ∗∗∗
---------------------------------------------
Vorsicht, wenn Ihr Kind plötzlich von einer unbekannten Nummer schreibt und behauptet, dies sei nun die neue Nummer. Dahinter stecken Kriminelle, die Ihnen Geld stehlen wollen. Außerdem bittet „Ihr Kind“ um die Zusendung von persönlichen Fotos. Diese werden von den Kriminellen vermutlich für weitere Betrugsmaschen missbraucht.
---------------------------------------------
https://www.watchlist-internet.at/news/hallo-mama-hallo-papa-nachrichten-zielen-auf-persoenliche-fotos/


∗∗∗ Enumerating System Management Interrupts ∗∗∗
---------------------------------------------
System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility.
---------------------------------------------
https://research.nccgroup.com/2024/06/10/enumerating-system-management-interrupts/


∗∗∗ BIOS-Update 01.17.00 macht HP Probooks 445 G7 und 455 G7 komplett unbrauchbar ∗∗∗
---------------------------------------------
Hewlett Packard (HP) hat eine kaputte BIOS-Version veröffentlicht, die Notebooks der Modelle HP Probook 445 G7 455 G7 aus dem Jahr 2020 zum teuren Briefbeschwerer machen. [..] Dieses BIOS 01.17.00.Update soll eine kritische Sicherheitslücke schließen, was auch so vom Support Assistant als kritisches Update gelistet wurde, welches man möglichst schnell installieren sollte.
---------------------------------------------
https://www.borncity.com/blog/2024/06/11/bios-update-01-17-00-macht-hp-probooks-445-g7-und-455-g7-komplett-unbrauchbar/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Netgear WNR614 flaws allow device takeover, no fix available ∗∗∗
---------------------------------------------
Researchers found half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a budget-friendly router that proved popular among home users and small businesses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-device-takeover-no-fix-available/


∗∗∗ (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. [..] Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-598/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).
---------------------------------------------
https://lwn.net/Articles/977939/


∗∗∗ CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U ∗∗∗
---------------------------------------------
On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting the Serv-U file transfer server. Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the host.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/


∗∗∗ SAP liefert am Patchday Sicherheitskorrekturen für zwei hochriskante Lücken ∗∗∗
---------------------------------------------
SAP warnt zum Juni-Patchday vor zehn neuen Sicherheitslücken. Aktualisierungen zum Abdichten der Lecks stehen bereit.
---------------------------------------------
https://heise.de/-9757338


∗∗∗ Avast Antivirus: Angreifer können Rechte durch Schwachstelle ausweiten ∗∗∗
---------------------------------------------
Avast Antivirus ermöglichte bösartigen Akteuren aufgrund einer Sicherheitslücke, ihre Rechte im System auszuweiten. Aktualisierte Software ist verfügbar und sollte idealerweise bereits mittels automatischem Update-Mechanismus verteilt worden sein. In der Auflistung der Sicherheitsmitteilungen von Norton (unter dieser Gen Digital Inc.-Marke sind Avast-, Avira-, AVG- und Norton Security-Produkte inzwischen gruppiert) findet sich nichts zu dieser Lücke, jedoch hat NortonLifeLock als CNA einen entsprechenden CVE-Eintrag erstellt. 
---------------------------------------------
https://heise.de/-9757748


∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hypervisor-security-update-for-cve20245661


∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 127 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/


∗∗∗ Phoenix Contact: Unbounded growth of OpenSSL session cache in multiple FL MGUARD devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-029/


∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03


∗∗∗ AVEVA PI Asset Framework Client ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03


∗∗∗ AVEVA PI Web API ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02


∗∗∗ Rockwell Automation ControlLogix, GuardLogix, and CompactLogix ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01


∗∗∗ Intrado 911 Emergency Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04


∗∗∗ MicroDicom DICOM Viewer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01


∗∗∗ SSA-900277 V1.0: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-900277.html


∗∗∗ SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-879734.html


∗∗∗ SSA-771940 V1.0: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-771940.html


∗∗∗ SSA-690517 V1.0: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-690517.html


∗∗∗ SSA-625862 V1.0: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-625862.html


∗∗∗ SSA-620338 V1.0: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-620338.html


∗∗∗ SSA-540640 V1.0: Improper Privilege Management Vulnerability in Mendix Runtime ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-540640.html


∗∗∗ SSA-481506 V1.0: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-481506.html


∗∗∗ SSA-341067 V1.0: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-341067.html


∗∗∗ SSA-337522 V1.0: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-337522.html


∗∗∗ SSA-319319 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-319319.html


∗∗∗ SSA-238730 V1.0: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-238730.html


∗∗∗ SSA-196737 V1.0: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-196737.html


∗∗∗ SSA-024584 V1.0: Authentication Bypass Vulnerability in PowerSys before V3.11 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-024584.html


∗∗∗ Fortinet: Blind SQL Injection ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-128


∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-036


∗∗∗ Fortinet: FortiOS/FortiProxy - XSS in reboot page ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-471


∗∗∗ Fortinet: FortiSOAR is vulnerable to sql injection in Event Auth API via uuid parameter ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-495


∗∗∗ Fortinet: Multiple buffer overflows in diag npu command ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-460


∗∗∗ Fortinet: Stack buffer overflow on bluetooth write feature ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-356


∗∗∗ Fortinet: TunnelVision - CVE-2024-3661 ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-170


∗∗∗ Fortinet: Weak key derivation for backup file ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-423

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily