Daily summary - 07.10.2021

End-of-Day report

Timeframe: Wednesday 06-10-2021 18:00 - Thursday 07-10-2021 18:00
Handler: Dimitri Robl
Co-Handler: Wolfgang Menezes

News

Air-gap hack: using a LAN cable as an antenna to exfiltrate data

Even when a network is not connected to the internet, data can still be exfiltrated. To demonstrate this, a researcher repurposed a LAN cable as an antenna.

https://www.golem.de/news/air-gap-hack-lan-kabel-als-antenne-nutzen-um-daten-auszuleiten-2110-160153-rss.html


Cisco closes root vulnerability in Intersight Virtual Appliance

Network equipment vendor Cisco has released important security updates for several of its software products.

https://heise.de/-6211537


New malware family for Linux discovered

The malware family, named FontOnLake by its discoverers, consists of trojanized programs, backdoors and a rootkit, and is suited to targeted attacks.

https://heise.de/-6211764


Tor Browser and Tails: anonymizing browser & OS released in patched versions

Somewhat later than planned, a new version of the Linux distribution Tails has been released. It ships with the equally fresh Tor Browser 10.5.8.

https://heise.de/-6211744


Hackers use stealthy ShellClient malware on aerospace, telco firms

Threat researchers investigating malware used to target companies in the aerospace and telecommunications sectors discovered a new threat actor that has been running cyber espionage campaigns since at least 2018.

https://www.bleepingcomputer.com/news/security/hackers-use-stealthy-shellclient-malware-on-aerospace-telco-firms/


Unpatched Dahua cams vulnerable to unauthenticated remote access

Unpatched Dahua cameras are prone to two authentication bypass vulnerabilities, and a proof-of-concept exploit that came out today makes the case for upgrading pressing.

https://www.bleepingcomputer.com/news/security/unpatched-dahua-cams-vulnerable-to-unauthenticated-remote-access/


MacOS Security: What Security Teams Should Know

As more macOS patches emerge and cybercriminals and nation-states take aim at the platform, experts discuss how macOS security has evolved and how businesses can protect employees.

https://www.darkreading.com/edge-articles/mac-attacks-how-secure-are-the-macs-in-your-enterprise


Ransomware in the CIS

Statistics on ransomware attacks in the CIS and technical descriptions of Trojans, including BigBobRoss/TheDMR, Crysis/Dharma, Phobos/Eking, Cryakl/CryLock, CryptConsole, Fonix/XINOF, Limbozar/VoidCrypt, Thanos/Hakbit and XMRLocker.

https://securelist.com/cis-ransomware/104452/


Apache HTTP Server CVE-2021-41773 Exploited in the Wild

On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, an unauthenticated remote file disclosure vulnerability in HTTP Server version 2.4.49 (and only in 2.4.49). The vulnerability arises from the mishandling of URL-encoded path traversal characters in the HTTP GET request. Public proof-of-concept exploit code is widely available, and Apache and others have noted that this vulnerability is being exploited in the wild. While the original advisory indicated that CVE-2021-41773 was merely an information disclosure bug, both Rapid7 and community researchers have verified that the vulnerability can be used for remote code execution when mod_cgi is enabled.

https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/


Medtronic's Insulin Pump Controllers Are Vulnerable to Hackers

The company just expanded its recall of insulin pump remote controllers that can be hijacked to alter insulin amounts. Medical device maker Medtronic has expanded its recall of remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The reason? The devices are a potential cybersecurity risk. According to the Food and Drug Administration, unauthorized people could hijack the devices to alter how much insulin is delivered to a patient.

https://gizmodo.com/medtronics-insulin-pump-controllers-are-vulnerable-to-h-1847811273


Life is Pane: Persistence via Preview Handlers

[...] The preview pane allows users to have a quick peek at the content of a selected file without actually having to open it. This feature is disabled on default Windows 10 builds, but can be enabled in the Explorer menu under View-Preview pane. While this seems relatively simple at face value, it is anything but under the hood. For example, how does Windows know how to display the contents of certain filetypes but not others? Are the previews controlled by Explorer or is it done in another process? Are these handlers abusable? We spent a few days exploring preview handlers to gain a deeper understanding of how they work and answer these questions.

https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3c0216c5ef9e


CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation

In June of 2021, Microsoft released a patch to correct CVE-2021-26420 - a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-21-755. This blog takes a deeper look at the root cause of this vulnerability.

https://www.thezdi.com/blog/2021/10/5/cve-2021-26420-remote-code-execution-in-sharepoint-via-workflow-compilation

Vulnerabilities

Cisco Security Advisories

Cisco has published security advisories for 16 vulnerabilities. None of them is rated "Critical"; six are rated "High".

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2021%2F10%2F06&firstPublishedEndDate=2021%2F10%2F07


IBM Security Bulletins 2021-10-07

IBM has published 21 security bulletins.

https://www.ibm.com/blogs/psirt/


Advisory: Cisco ATA19X Privilege Escalation and RCE

1. Lack of User Privilege Separation Enforcement in Web Management Interface: The web management interface on the ATA191 does not necessarily prevent the "user" account from performing admin-privileged actions. As such, a user who logs in with "user" privileges is able to perform actions that should only be performed by an "admin" user.

2. Post-Authentication Command Injection Remote Code Execution (CVE-2021-34710): The web management interface suffers [...]

https://www.iot-inspector.com/blog/advisory-cisco-ata19x-privilege-escalation-rce/


CVE-2021-33602: Denial-of-Service (DoS) Vulnerability

A vulnerability was discovered in the F-Secure antivirus engine: when the engine tries to unpack a zip archive (LZW decompression method), the scanning engine can crash. The vulnerability can be exploited remotely by an attacker. A successful attack results in denial of service of the antivirus engine.

https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33602


Typo3: new version closes two security vulnerabilities in the CMS

In the worst case, the vulnerabilities in the content management system could have granted attackers admin rights. The new Typo3 version 11.5 removes the danger.

https://heise.de/-6211486


High Severity Vulnerability Patched in Access Demo Importer Plugin

On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 [...]

https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle).

https://lwn.net/Articles/872154/


Apache OpenOffice: multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-1041