End-of-Day report
Timeframe: Friday 15-01-2021 18:00 - Monday 18-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
News
Antivirus: The year of insecure security software
Security software is supposed to protect us, but the past year has shown once again: instead of protection, you get security problems delivered to your door.
https://www.golem.de/news/antivirus-das-jahr-der-unsicheren-sicherheitssoftware-2101-153432-rss.html
Medical Device Security: Diagnosis Critical
Medical-device security has long been a challenge, suffering the same uphill management battle that the entire sprawling mess of IoT gadgets has faced.
https://threatpost.com/medical-device-security/163127/
Obfuscated DNS Queries, (Fri, Jan 15th)
This week I started seeing some URLs with /dns-query?dns in my honeypot. The queries obviously did not look like standard DNS queries; this got me curious and I then proceeded to investigate to determine what these DNS queries were trying to resolve.
https://isc.sans.edu/diary/rss/26992
New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th)
Version 13.01 of Sysmon, a Windows Sysinternals tool to monitor and log system activity, was released.
https://isc.sans.edu/diary/rss/26994
Doc & RTF Malicious Document, (Mon, Jan 18th)
A reader pointed us to a malicious Word document.
https://isc.sans.edu/diary/rss/26996
NSA Releases Guidance on Encrypted DNS in Enterprise Environments
Original release date: January 15, 2021. The National Security Agency (NSA) has released an information sheet with guidance on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors.
https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guidance-encrypted-dns-enterprise-environments
Skimming: Losses from data theft at ATMs at a record low
Experts consider data theft at ATMs in Germany to be a dying practice. Both the number of attacks and the losses fell to a record low in 2020.
https://heise.de/-5026975
Vulnerabilities
ZDI-21-072: NETGEAR R7450 SOAP API RecoverAdminPassword Improper Access Control Information Disclosure Vulnerability
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-21-072/
ZDI-21-071: NETGEAR R7450 Password Recovery External Control of Critical State Data Authentication Bypass Vulnerability
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7450 routers. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-21-071/
ZDI-21-070: Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-21-070/
ZDI-21-069: Apple macOS process_token_BlitLibSetup2D Out-Of-Bounds Write Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-21-069/
Critical admin vulnerability in WordPress plug-in Orbit Fox
There is an important security update for the WordPress plug-in Orbit Fox.
https://heise.de/-5027252
Security updates for Friday
Security updates have been issued by Debian (flatpak, ruby-redcarpet, and wavpack), Fedora (dia, mingw-openjpeg2, and openjpeg2), Mageia (awstats, bison, cairo, kernel, kernel-linus, krb5, nvidia-current, nvidia390, php, and thunderbird), openSUSE (cobbler, firefox, kernel, libzypp, zypper, nodejs10, nodejs12, and nodejs14), Scientific Linux (thunderbird), Slackware (wavpack), SUSE (kernel, nodejs8, open-iscsi, openldap2, php7, php72, php74, slurm_20_02, and thunderbird), and Ubuntu (ampache,[...]
https://lwn.net/Articles/842834/
Security updates for Monday
Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit,[...]
https://lwn.net/Articles/843054/
Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11 (CVE-2020-2590)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-cve-2020-2590/
Security Bulletin: Websphere Hibernate Validator Vulnerability Affects IBM Control Center (CVE-2020-10693)
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-hibernate-validator-vulnerability-affects-ibm-control-center-cve-2020-10693/
Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2020-4576)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-are-affected-by-a-websphere-application-server-vulnerability-cve-2020-4576/
Security Bulletin: Apache ActiveMQ Vulnerability Affects IBM Control Center (CVE-2020-13920)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-activemq-vulnerability-affects-ibm-control-center-cve-2020-13920/