Daily summary - 15.10.2020

End-of-Day report

Timeframe: Wednesday 14-10-2020 18:00 - Thursday 15-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Bleedingtooth: Google and Intel warn of new Bluetooth vulnerabilities

According to Google, the vulnerabilities allow code to be executed remotely. Intel published them before patches were shipped.

https://www.golem.de/news/bleedingtooth-google-und-intel-warnen-vor-neuen-bluetooth-luecken-2010-151526-rss.html


Security Analysis of CHERI ISA

Is it possible to get to a state where memory safety issues would be deterministically mitigated? Our quest to mitigate memory corruption vulnerabilities led us to examine CHERI (Capability Hardware Enhanced RISC Instructions), which provides memory protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits.

https://msrc-blog.microsoft.com:443/2020/10/14/security-analysis-of-cheri-isa/


Magento Phishing Leverages JavaScript For Exfiltration

During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page.

https://blog.sucuri.net/2020/10/magento-phishing-leverages-javascript-for-exfiltration.html


[SANS ISC] Nicely Obfuscated Python RAT

I published the following diary on isc.sans.edu: -Nicely Obfuscated Python RAT-: While hunting, I found an interesting Python script. It matched one of my YARA rules due to the interesting list of imports but the content itself was nicely obfuscated.

https://blog.rootshell.be/2020/10/15/sans-isc-nicely-obfuscated-python-rat/


Dockerfile Security Best Practices

Container security is a broad problem space and there are many low hanging fruits one can harvest to mitigate risks. A good starting point is to follow some rules when writing Dockerfiles.

https://cloudberry.engineering/article/dockerfile-security-best-practices/


QR code scams are making a comeback

With QR codes being used more as a means to help create a COVID-19 proof environment, we're also seeing a comeback of QR code scams.

https://blog.malwarebytes.com/scams/2020/10/qr-code-scams-are-making-a-comeback/


This major criminal hacking group just switched to ransomware attacks

A newly detailed financial cybercrime group has been conducting attacks around the world since 2016 - but now they've switched to ransomware because it's the biggest and easiest pay day.

https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switched-to-ransomware-attacks/


New Emotet attacks use fake Windows Update lures

Emotet diversifies arsenal with new lures to trick users into infecting themselves.

https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/

Vulnerabilities

Drupal OAuth Server (OAuth Provider) - Single Sign On (SSO) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034

Project: Drupal OAuth Server (OAuth Provider) - Single Sign On (SSO)
Date: 2020-October-14
Security risk: Moderately critical 12-25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description: This module enables you to log in to any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection.
Solution: Install the latest version: If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1

https://www.drupal.org/sa-contrib-2020-034


Juniper Security Bulletins 2020-10

JSA11045 - 2020-10 Security Bulletin: JSA Series: Intel CPUs could allow a local authenticated attacker to obtain sensitive information (CVE-2019-11135)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11045
JSA11046 - 2020-10 Security Bulletin: Junos OS: FreeBSD-SA-20:03.thrmisc: kernel stack data disclosure (CVE-2019-15875)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11046
JSA11047 - 2020-10 Security Bulletin: FreeBSD-SA-19:20.bsnmp : Insufficient message length validation in bsnmp library (CVE-2019-5610)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11047
JSA11048 - 2020-10 Security Bulletin: Junos Space and Junos Space Security Director: Zombie POODLE and GOLDENDOODLE resolved in 20.2R1 release
https://kb.juniper.net/InfoCenter/index/content&id=JSA11048
JSA11049 - 2020-10 Security Bulletin: Junos OS: When a DHCPv6 Relay-Agent is configured upon receipt of a specific DHCPv6 client message, Remote Code Execution may occur. (CVE-2020-1656)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11049
JSA11050 - 2020-10 Security Bulletin: Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11050
JSA11053 - 2020-10 Security Bulletin: Junos OS: NFX Series: Multiple vulnerabilities resolved in 20.2R1 release
https://kb.juniper.net/InfoCenter/index/content&id=JSA11053
JSA11054 - 2020-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packets can cause services card to restart when DNS filtering is configured. (CVE-2020-1660)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11054
JSA11055 - 2020-10 Security Bulletin: Junos OS: Multiple SQLite vulnerabilities resolved.
https://kb.juniper.net/InfoCenter/index/content&id=JSA11055
JSA11056 - 2020-10 Security Bulletin: Junos OS: jdhcpd process crash when forwarding a malformed DHCP packet. (CVE-2020-1661)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11056
JSA11062 - 2020-10 Security Bulletin: Junos OS: MX series/EX9200 Series: IPv6 DDoS protection does not work as expected. (CVE-2020-1665)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11062
JSA11076 - 2020-10 Security Bulletin: Junos OS: PTX/QFX Series: Kernel Routing Table (KRT) queue stuck after packet sampling a malformed packet when the tunnel-observation mpls-over-udp configuration is enabled. (CVE-2020-1679)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11076
JSA11079 - 2020-10 Security Bulletin: Junos OS: SRX1500, vSRX, SRX4K, NFX150: Denial of service vulnerability executing local CLI command (CVE-2020-1682)
https://kb.juniper.net/InfoCenter/index/content&id=JSA11079


Red Hat JBoss Enterprise Application Platform: vulnerability allows denial of service

https://www.cert-bund.de/advisoryshort/CB-K20-0992


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-netcool-agile-service-manager-5/


Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernate-validator-affects-websphere-application-server-liberty-cve-2020-10693/


Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14195

https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-component-ibm-network-performance-insight-1-3-1-affected-by-cve-2020-14195/


Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java Technology Edition affect IBM Operational Decision Manager

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-operational-decision-manager/


Security Bulletin: Security Vulnerabilities in IBM WebSphere Liberty fixed in IBM Security Access Manager Appliance

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-ibm-websphere-liberty-fixed-in-ibm-security-access-manager-appliance/


Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14062

https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-component-ibm-network-performance-insight-1-3-1-affected-by-cve-2020-14062/


Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-identified-in-ibm-java-runtime-as-shipped-with-tivoli-federated-identity-manager-2/


Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-struts-affect-ibm-tivoli-application-dependency-discovery-manager/


Security Bulletin: Netcool Operations Insight - Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-cloud-native-event-analytics-is-affected-by-an-apache-commons-codec-vulnerability/


Security Bulletin: Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-fixed-in-the-ibm-security-access-manager-and-ibm-security-verify-access-products/