End-of-Day report
Timeframe: Wednesday 22-05-2019 18:00 - Thursday 23-05-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day
SandboxEscaper held true to that promise, on Thursday releasing on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them, however, turns out to already be patched.
...
Though SandboxEscaper released PoC demos for these last three flaws, researchers have not yet confirmed their validity.
https://threatpost.com/sandboxescaper-more-exploits-ie-zero-day/145010/
IT threat evolution Q1 2019
Zebrocy and GreyEnergy, four zero-day vulnerabilities in Windows, attacks on cryptocurrency exchanges, a very old bug in WinRAR, attacks on smart devices and other events of the first quarter of 2019.
https://securelist.com/it-threat-evolution-q1-2019/90978/
Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903
Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a. "19H1"), and for Windows Server version 1903.
https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/
New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
We discovered a new variant of Mirai that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.
https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/
Every third RDP server in Austria vulnerable to "BlueKeep"
In a surprising move, Microsoft last week fixed a critical vulnerability in the no-longer-supported operating systems Windows XP and Server 2003. The remote code execution vulnerability "BlueKeep" (CVE-2019-0708) in the Remote Desktop Service (RDP) remote-administration feature can be exploited directly by remote attackers and is rated critical.
https://www.offensity.com/de/blog/jeder-dritte-rdp-server-oesterreichs-auf-bluekeep-anfaellig/
GetCrypt Ransomware Brute Forces Credentials, Decryptor Released
A new ransomware called GetCrypt is being installed through malvertising campaigns that redirect victims to the RIG exploit kit. ... If you were infected with the GetCrypt Ransomware, it is possible to get your files back for free. All you need is an original unencrypted copy of a file that has been encrypted.
https://www.bleepingcomputer.com/news/security/getcrypt-ransomware-brute-forces-credentials-decryptor-released/
iX 6/2019: Follow-up on the security problems in Office 365
Microsoft has now responded to the security problems in Office 365 uncovered by iX, but the answers were not satisfactory.
https://heise.de/-4429020
Apple fixes firmware problem with T2 security chip
The company has released a supplementary update for macOS 10.14.5 that affects certain MacBook Pro models. Details are still scarce.
https://heise.de/-4429365
Dubious offers on retinollift.com and hyaluronicone.com
On retinollift.com and hyaluronicone.com, various beauty products are offered, and a special daily deal is advertised as "Today's Special". This special offer includes a supposedly free sample; only the shipping has to be paid by credit card. Shortly afterwards, however, further charges are made that the annoyed consumers never knowingly agreed to.
https://www.watchlist-internet.at/news/undurchsichtige-angebote-auf-retinolliftcom-und-hyaluroniconecom/
Vulnerabilities
WordPress plugin "WP Open Graph" vulnerable to cross-site request forgery
Description: WordPress plugin "WP Open Graph" provided by Custom4Web contains a cross-site request forgery vulnerability (CWE-352).
Impact: If a user views a malicious page while logged in, unintended operations may be performed.
https://jvn.jp/en/jp/JVN33652328/
Vuln: Apache Camel CVE-2019-0188 XML External Entity Injection Vulnerability
Apache Camel is prone to an XML External Entity injection vulnerability.
Attackers can exploit this issue to obtain potentially sensitive information. This may lead to further attacks.
http://www.securityfocus.com/bid/108422
Vuln: QEMU CVE-2019-12247 Integer Overflow Vulnerability
Attackers can exploit this issue to crash the QEMU instance, resulting in a denial-of-service condition. Due to the nature of this issue, code execution may be possible but this has not been confirmed.
http://www.securityfocus.com/bid/108434
WD My Cloud RCE
In this post I'll explain how I discovered several vulnerabilities in Western Digital NAS devices and used them together to execute code remotely, as root. To take control of the NAS an attacker needs to be in the same network and know its IP address.
https://bnbdr.github.io/posts/wd/
DoS Vulnerability in RTSP Module of Huawei Smart Phones
There is a DoS vulnerability in the RTSP module of some Huawei smart phones. A remote attacker could trick the user into opening a malformed RTSP media stream to exploit this vulnerability. Successful exploitation could cause the affected phone to behave abnormally, leading to a DoS condition. ... CVE-2019-5284.
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190523-01-smartphone-en
Tcl code injection security exposure
Certain coding practices may allow an attacker to inject arbitrary Tool Command Language (Tcl) commands, which could be executed in the security context of the target Tcl script.
https://support.f5.com/csp/article/K15650046
Security updates for Thursday
Security updates have been issued by Debian (ffmpeg and firefox-esr), openSUSE (bzip2, chromium, and GraphicsMagick), Slackware (curl), SUSE (ucode-intel), and Ubuntu (curl and intel-microcode).
https://lwn.net/Articles/789224/
Synology-SA-19:25 Virtual Machine Manager
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Virtual Machine Manager.
https://www.synology.com/en-global/support/security/Synology_SA_19_25
cURL: Multiple vulnerabilities
cURL is client software that allows exchanging files via several protocols such as HTTP or FTP.
A remote, anonymous attacker can exploit multiple vulnerabilities in cURL to carry out a denial of service attack.
http://www.cert-bund.de/advisoryshort/CB-K19-0444
IBM Security Bulletin: IBM API Connect V5 is potentially impacted by a weak cipher (CVE-2019-4256)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-v5-is-potentially-impacted-by-a-weak-cipher-cve-2019-4256/
IBM Security Bulletin: Vulnerability in Apache ActiveMQ Affects IBM Control Center (CVE-2019-0222)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-apache-activemq-affects-ibm-control-center-cve-2019-0222/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ and IBM MQ Appliance
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-mq-and-ibm-mq-appliance-3/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-ibm-infosphere-information-server-6/
IBM Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities/