Daily summary - 25.01.2021

End-of-Day report

Timeframe: Friday 22-01-2021 18:00 - Monday 25-01-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner

News

Security baseline for Microsoft Edge, version 88

We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 88! We have reviewed the settings in Microsoft Edge version 88 and updated our guidance with the addition of one setting that we will explain below. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 88 package from the Security Compliance Toolkit.

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-88/ba-p/2094443


Video: Doc & RTF Malicious Document, (Sun, Jan 24th)

I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files.

https://isc.sans.edu/diary/rss/27022


Scanning for Accessible MS-RDPEUDP services

We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.

https://www.shadowserver.org/news/scanning-for-accessible-ms-rdpeudp-services/


RIFT: Analysing a Lazarus Shellcode Execution Method

After analysing the macro document, and pivoting on the macro, NCC Group's RIFT identified a number of other similar documents. In these documents we came across an interesting technique being used to execute shellcode from VBA without the use of common 'suspicious' APIs, such as VirtualAlloc, WriteProcessMemory or CreateThread, which may be detected by endpoint protection solutions. Instead, the macro documents abuse 'benign' Windows API features to achieve code execution.

https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/


Firewall vendor SonicWall investigates possible zero-day vulnerabilities in its products

Attackers have exploited previously unknown vulnerabilities in SonicWall products to break into the vendor's systems.

https://heise.de/-5033933


From low to critical: vulnerability assessment with CVSS

The Common Vulnerability Scoring System helps with assessing vulnerabilities. We explain how the system works and where its limits lie.

https://heise.de/-5031983


DNSpooq: How haunted is Austria?

On 2021-01-19, JSOF published a series of vulnerabilities in dnsmasq, a popular DNS resolver software for small networks. Their blog post summarises these flaws under the name "DNSpooq" and describes two possible attack scenarios: ...

https://cert.at/de/aktuelles/2021/1/dnspooq-wie-sehr-spukts-in-osterreich


Review of the last third of 2020

Incidents and advisories: ZeroLogon, Emotet, Microsoft Exchange CVE-2020-0688, Windows Server without support, unpatched Sophos Firewall XG instances, SonicOS DoS and RCE, cit0day leak, one leak rarely comes alone, ...

https://cert.at/de/blog/2021/1/ruckblick-auf-das-letzte-drittel-2020

Vulnerabilities

BlackBerry Powered by Android Security Bulletin - January 2021

This advisory is in response to the Android Security Bulletin (January 2021) and addresses issues in that Security Bulletin that affect BlackBerry powered by Android smartphones.

http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000073450


Security updates for Monday

Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (ImageMagick, hawk2, mutt, permissions, stunnel) and Ubuntu (pound).

https://lwn.net/Articles/843855/


Cisco DNA Center Cross-Site Request Forgery Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-csrf-dC83cMcV


Synology-SA-21:01 DNSpooq

https://www.synology.com/en-global/support/security/Synology_SA_21_01