Daily summary - 08.09.2020

End-of-Day report

Timeframe: Monday 07-09-2020 18:00 - Tuesday 08-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Windows 10 themes can be abused to steal Windows accounts

Specially crafted Windows 10 themes and theme packs can be used in Pass-the-Hash attacks to steal Windows account credentials from unsuspecting users.

https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-accounts/


Office: About OLE and ZIP Files, (Mon, Sep 7th)

A reader asked if a particular Emotet sample was a malformed ZIP file. It is not, and I will explain why you might think it is in this diary entry.

https://isc.sans.edu/diary/rss/26540


Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks

Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand.

https://thehackernews.com/2020/09/emotet-malware-attack.html


What are tech-support scams? And: how to protect yourself against them!

A tech-support scam is a fraud scheme in which criminals pose as service staff of Microsoft or Apple and fake a computer problem. Contact is made either by the criminals calling by phone, or by the victims themselves calling a supposed service centre because of a pop-up. In both cases, remote-maintenance software is installed in order to spy out credentials, install malware, or delete data, or [...]

https://www.watchlist-internet.at/news/was-sind-tech-support-scams-und-wie-sie-sich-davor-schuetzen/

Vulnerabilities

Security Bulletins Posted

Adobe has published security bulletins for Adobe InDesign (APSB20-52), Adobe Framemaker (APSB20-54) and Adobe Experience Manager (APSB20-56). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.

https://blogs.adobe.com/psirt/?p=1916


Windows 10 Sandbox activation enables zero-day vulnerability

A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions that allows creating files in restricted areas of the operating system.

https://www.bleepingcomputer.com/news/security/windows-10-sandbox-activation-enables-zero-day-vulnerability/


Security updates for Tuesday

Security updates have been issued by Debian (imagemagick, lemonldap-ng, and zeromq3), Fedora (ark, cryptsetup, gnutls, kernel, kernel-headers, and kernel-tools), openSUSE (firefox, kernel, and thunderbird), Red Hat (cloud-init, go-toolset:rhel8, libcroco, librepo, php:7.3, postgresql:10, and thunderbird), SUSE (firefox and go1.14), and Ubuntu (linux, linux-aws, linux-aws-5.3, linux-aws-5.4, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, [...]

https://lwn.net/Articles/830941/


SAP Patchday September 2020

A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.

https://www.cert-bund.de/advisoryshort/CB-K20-0870


Citrix StoreFront Security Update

An issue has been discovered in Citrix StoreFront that, if exploited, would allow an attacker who is authenticated on the same Microsoft Active Directory domain as a Citrix StoreFront server to read arbitrary files from that server.

https://support.citrix.com/article/CTX277455


SSA-770698: User Information Disclosure Vulnerability in Siveillance Video Client

The Siveillance Video Client contains an information disclosure vulnerability that could allow an attacker to obtain valid administrator login names and use this information to launch further attacks.

https://cert-portal.siemens.com/productcert/txt/ssa-770698.txt


SSA-709003: Privilege Escalation Vulnerability in License Management Utility (LMU)

The latest update for the License Management Utility (LMU), which is used by multiple Siemens building technology products, fixes a vulnerability that could allow local users to escalate privileges and execute code as local SYSTEM user.

https://cert-portal.siemens.com/productcert/txt/ssa-709003.txt


SSA-568969: Insecure Storage of Sensitive Information in Spectrum Power 4

Vulnerabilities in Spectrum Power 4 could allow an unauthorized attacker to retrieve a list of software users, or in certain cases to list the contents of a directory.

https://cert-portal.siemens.com/productcert/txt/ssa-568969.txt


SSA-542525: Authentication Vulnerabilities in SIMATIC HMI Products

SIMATIC HMI Products are affected by two vulnerabilities that could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.

https://cert-portal.siemens.com/productcert/txt/ssa-542525.txt


SSA-534763: Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products

Security researchers published information on a vulnerability known as Crosstalk (INTEL-SA-00320). This vulnerability affects modern Intel processors to a varying degree.

https://cert-portal.siemens.com/productcert/txt/ssa-534763.txt


SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens and Siemens Energy Products

CISA and WIBU Systems disclosed six vulnerabilities in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens and Siemens Energy products for license management.

https://cert-portal.siemens.com/productcert/txt/ssa-455843.txt


SSA-436520: XSS and CSRF Vulnerabilities in Polarion Subversion Webclient

Multiple cross-site scripting (XSS) vulnerabilities were found in the Subversion web client of Polarion. In addition, the web client doesn't have any cross-site request forgery (CSRF) protection. An attacker could inject client-side script to induce the victim to issue an HTTP request that would lead to a state-changing operation.

https://cert-portal.siemens.com/productcert/txt/ssa-436520.txt


SSA-381684: Improper Password Protection during Authentication in SIMATIC S7-300 and S7-400 CPUs

A vulnerability has been identified in SIMATIC S7-300 and S7-400 CPU families, which could result in credential disclosure.

https://cert-portal.siemens.com/productcert/txt/ssa-381684.txt


SSA-251935: Multiple Privilege Escalation Vulnerabilities in SIMATIC RTLS Locating Manager

The latest update for SIMATIC RTLS Locating Manager fixes various vulnerabilities that could allow a low-privileged local user to escalate privileges.

https://cert-portal.siemens.com/productcert/txt/ssa-251935.txt


Red Hat Enterprise Linux: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-0871


Security Bulletin: Novalink is impacted by denial of service high vulnerability in WebSphere Application Server Liberty CVE-2019-4720

https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-denial-of-service-high-vulnerability-in-websphere-application-server-liberty-cve-2019-4720/


Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management

https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-kernel-affects-ibm-netezza-host-management-6/


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - July 2020 - Includes Oracle July 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-july-2020-includes-oracle-july-2020-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/


Security Bulletin: Vulnerability in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (CVE-2020-2654)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affecting-tivoli-netcool-omnibus-cve-2020-2654/


Security Bulletin: Security Bulletin: Novalink is impacted by Publicly disclosed vulnerability in IBM Java SDK/JRE (CVE-2019-4732)

https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-novalink-is-impacted-by-publicly-disclosed-vulnerability-in-ibm-java-sdk-jre-cve-2019-4732/


Security Bulletin: Novalink is impacted Apache CXF affects middle vulnerability in WebSphere Application Server Liberty (CVE-2019-12406)

https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-apache-cxf-affects-middle-vulnerability-in-websphere-application-server-liberty-cve-2019-12406/


Security Bulletin: Novalink is impacted by Apache CXF affects WebSphere Liberty JAX-WS middle vulnerability in WebSphere Application Server Liberty (CVE-2019-17573)

https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-apache-cxf-affects-websphere-liberty-jax-ws-middle-vulnerability-in-websphere-application-server-liberty-cve-2019-17573/


Security Bulletin: Vulnerability in Apache Ant affects IBM Platform Symphony and IBM Spectrum Symphony

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-ant-affects-ibm-platform-symphony-and-ibm-spectrum-symphony/