End-of-Day report
Timeframe: Montag 17-08-2020 18:00 - Dienstag 18-08-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Cryptojacking worm steals AWS credentials from Docker systems
According to researchers at Cado Security this is the first-ever worm that comes with AWS credential theft functionality on top of run-of-the-mill cryptomining modules. This botnet uses already infected servers to execute an open-source masscan IP port scanner instance that scans for exposed Docker APIs (and Kubernetes systems as later discovered), installing itself in new containers on any misconfigured servers it finds.
https://www.bleepingcomputer.com/news/security/cryptojacking-worm-steals-aws-credentials-from-docker-systems/
E-Mail: Gefährliche Mailto-Links können Daten stehlen
Dieses Feature für Dateianhänge ist nicht Teil der Standardspezifikation für Mailto-Links. Es handelt sich um eine inoffizielle Erweiterung, die von einigen Mailprogrammen genutzt wird. Laut der Veröffentlichung wird das Feature in Kmail und Evolution unterstützt, die Standardmailprogramme der Linux-Desktopumgebungen KDE und Gnome. Auch IBM Notes unterstützen das Feature. Thunderbird ist zwar selbst nicht betroffen, kann aber verwundbar sein, wenn die Verarbeitung der Mailto-Links über das Tool xdg-open erfolgt.
https://www.golem.de/news/e-mail-gefaehrliche-mailto-links-koennen-daten-stehlen-2008-150326-rss.html
Pre-announcement of five BIND security issues scheduled for disclosure 20 August 2020
We therefore are writing to inform you that the August BIND maintenance releases that will be released on Thursday, 20 August, contain patches for five separate vulnerabilities. Further details about the vulnerabilities will be publicly disclosed at the time the releases are published on Thursday.
https://lists.isc.org/pipermail/bind-announce/2020-August/001161.html
Online- Anlagen- und Investitionsbetrug floriert
Laufend treten von Investitionsbetrug betroffene Konsumentinnen und Konsumenten an die Watchlist Internet heran. Die Methoden der Kriminellen sind dabei fast immer die gleichen. Erfundene Werbeschaltungen, hohe Gewinnversprechen und persönliche Betreuung verleiten die Opfer zu großen Investitionen. Im Endergebnis führt dies zu mitunter existenzbedrohenden Schadenssummen.
https://www.watchlist-internet.at/news/online-anlagen-und-investitionsbetrug-floriert/
Vulnerabilities
Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926
A malicious user can send a specially crafted message either to a channel or in a direct message to another user which will result in executing JavaScript in the victim's browser or inside the desktop client when the victim will use the 'Reply in Thread' functionality. In the case of desktop clients cross-site scripting (XSS) vulnerability leads to a remote code execution (RCE)
https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html
Security updates for Tuesday
Security updates have been issued by Debian (sane-backends), Fedora (kernel, LibRaw, and wob), openSUSE (balsa, hylafax+, postgresql, postgresql96, postgresql10, postgresql12, and postgresql96, postgresql10 and postgresql12), Oracle (.NET Core 3.1), Red Hat (bash and bind), SUSE (dovecot23, firefox, fwupd, postgresql10, postgresql12, python-azure-agent, and zabbix), and Ubuntu (ark, gnome-shell, libonig, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-gke-5.0, linux-oem-osp1 and software-properties).
https://lwn.net/Articles/829030/
Vulnerability Allowing Full Server Takeover Found in Concrete5 CMS
The issue was identified in Concrete5 version 8.5.2, which essentially allowed an attacker to modify site configuration and upload a PHP file onto the server, thus gaining arbitrary command execution capabilities.
https://www.securityweek.com/vulnerability-allowing-full-server-takeover-found-concrete5-cms
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update
Multiple vulnerabilities have been discovered in Citrix ADC-(formerly known as NetScaler ADC), Citrix Gateway-(formerly known as NetScaler Gateway)-and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities,-if exploited,-could result in-a number of-security issues-
https://support.citrix.com/article/CTX276688
Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional/
Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-installation-manager-and-ibm-packaging-utility-2/
Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-kernel-affects-ibm-netezza-host-management-2/
Security Bulletin: IBM Elastic Storage Server is affected by a vulnerability where an unprivileged user could execute commands as root ( CVE-2020-4273)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-server-is-affected-by-a-vulnerability-where-an-unprivileged-user-could-execute-commands-as-root-cve-2020-4273/
Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-installation-manager-and-ibm-packaging-utility/
Security Bulletin: IBM Elastic Storage Server GUI is affected by verbose error messages being displayed.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-server-gui-is-affected-by-verbose-error-messages-being-displayed/
Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-tomcat-affects-ibm-platform-symphony-3/
Security Bulletin: Incorrect permissions on IBM Spectrum Protect Plus agent files (CVE-2020-4631)
https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-ibm-spectrum-protect-plus-agent-files-cve-2020-4631-3/
Security Bulletin: A vulnerability in an older version of a Batik plugin that is included in IBM Installation Manager and IBM Packaging Utility
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-an-older-version-of-a-batik-plugin-that-is-included-in-ibm-installation-manager-and-ibm-packaging-utility/
Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server GUI where an unauthorised user can execute commands (CVE-2020-4348)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-elastic-storage-server-gui-where-an-unauthorised-user-can-execute-commands-cve-2020-4348/